Jump to content

Hack this Upload Site

Warptweet

By Warptweet
in Beta Test Your Stuff!

 Share

Recommended Posts

dsaba Advanced Member

dsaba

Posted
Posted

I wonder if he's reading this thread... because that too would also be a security threat.

I almost envy you a little bit warpweet, figuring out how he hacked your site would be fun.. but more so when I find out how and setup a trap for him. :)

 

I edited c992.php into a remote IP tracker.

I don't even get that sentence.

 

Found this:

http://l0pht.by.ru/$hell$cripts/c992.php

 

helraizer Regular Member

helraizer

Posted
Posted

I edited c992.php into a remote IP tracker.

I don't even get that sentence.

 

I think what he meant is that only the person who placed c992.php would access it, so if the OP edited it to captcher the user's IP address, he'd catch the person who placed it (IP wise).

 

He kinda foiled his own plan there by telling everyone on here about it, thus getting more people to access it.

Warptweet Advanced Member

Warptweet

Posted
  • Author
Posted

Lol, sillies. I deleted that script and replaced it with an IP tracker. It has no effect on my site.

 

When my site was FIRST hacked, he hid that file there. That was the origin of all the problems. I hope I'm safe... for now.

Also, even if he/she does manage to upload the script again, he/she won't know the location. Nobody gets to know the location of files anymore :P

Daniel0 Advanced Member

Daniel0

Posted
Posted

A couple of bugs...

 

I picked a random file from my desktop and uploaded it (p.patch), however, when downloading it it's renamed to uploadpoints. Also, the link to it from "My Files" is broken.

 

When logging in the menu on the right is still as though you were logged out until you go somewhere else. It's a bit confusing. Same goes for logging out.

ev5unleash Member

ev5unleash

Posted
Posted

Dude, Are you using a host? Or your own server? I think you might want to upgrade Apache. I'm just saying no one has hacked my site so easily (http://www.ev5unleash.com) with Apache 2, PHP, MySQL with the latest updates.

 

I know Apache has log files so I'm sure from your cPanel you can look at the log and see exactly what this hacker is doing to get into this site.

whiteboikyle Regular Member

whiteboikyle

Posted
Posted

Uhmm i have an upload script that uploads to direct files with register/login.. it would probably be way more secure then using your MySQL. Contact me Via aim whiteboikyle69. I mean its still in beta since i am still working on it.. But it is way more  secure!

corbin Regular Member

corbin

Posted
Posted

No it wouldn't be WBK.

 

Warp's site allows uploads of any kind.... If you allow direct access to all kinds of file types, you're asking for problems... (Unless of course, you made Apache serve all content in user directories as static....)

 

MySQL was not vulernable in this situation.

 

MySQL is very secure when rational precations are taken... Why does everyone keep hating on it in this thread?!

 

Dude, Are you using a host? Or your own server? I think you might want to upgrade Apache. I'm just saying no one has hacked my site so easily (http://www.ev5unleash.com) with Apache 2, PHP, MySQL with the latest updates.

 

I know Apache has log files so I'm sure from your cPanel you can look at the log and see exactly what this hacker is doing to get into this site.

 

What I did...

"telnet warptweet.com 80

HEAD / HTTP/1.1

Connection: close

 

"

 

Response:

"HTTP/1.1 200 OK

Date: Wed, 18 Jun 2008 05:58:21 GMT

Server: Acenet Inc

X-Powered-By: PHP/5.2.5

Connection: close

Content-Type: text/html

 

 

 

Connection to host lost."

 

No idea what Acenet is... He's not even using Apache, and his PHP version is pretty much up to date.

 

Also, Apache had no relation to this problem at all... (Well, it did, but not directly... Apache could've been configure to not parse foreign PHP files, but it could also have been fixed with PHP, and in this case, he's not even using Apache...)

 

 

 

Sorry, it just annoys me when people throw out random advice.

 

 

 

 

Edit:  My bad on the "not even using Apache" part....

 

It seems that Acenet, Inc. is a hosting provider....  I thought maybe it was some lesser known webserver.....

Warptweet Advanced Member

Warptweet

Posted
  • Author
Posted

Yes, my host is ace-host.net. An awesome company, support is often answered within 5 minutes.

 

Anyways, they aren't the problem. And as you no longer get to know the direct location of a file that can be dangerous, it's of almost no risk to me. Basically everyone variable used in my site (not many, the site is as simple as possible) uses mysql escape string now.

FIREBALL5 Newbie

FIREBALL5

Posted
Posted

Alright, in that case, sign me up. [beta] my upload site!

 

*url removed*

 

EDIT: Please do not create a new account just to beta test. Please go to the login page and login as a guest.

 

Edit by Daniel0: As Stephen said, create a new topic. I've removed your URL to prevent hijacking the topic.

 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.