talor123 Posted July 12, 2008

Sort of the same deal as my last post... If anyone has the time, could you give a shot at trying to obtain the password for this account on my website? No need to go overboard. I've already tried to use PHP injections like the include function and all that. I can't get it so far...

http://talor.freehostia.com/
username: betty

Again, if you find any faults on my site, please tell me. Thank you.

DeanWhitehouse Posted December 9, 2008

If you want some serious testing, go to http://www.hellboundhackers.org/ and get one of them to test it.

darkfreaks Posted December 9, 2008

Your variables aren't sanitized properly. Use this:

<?php
function clean($var){
    $var=mysql_real_escape_string(trim(strip_tags($var)));
    $var=htmlspecialchars($var,ENT_QUOTES);
    // or return $var; if running PHP4
    return filter_var($var,FILTER_SANITIZE_STRING);
}
?>

darkfreaks Posted December 10, 2008

<?php
//**********loops all $_POST variables and cleans them automatically*************///
if(get_magic_quotes_gpc()) {
    //clean XSS/SQL injection
    // $var is taken by reference so array_walk_recursive() updates $_POST in place
    function clean(&$var) {
        global $link; // assumed: an open mysqli connection, required by mysqli_real_escape_string()
        $var=strip_tags(trim(mysqli_real_escape_string($link,$var)));//changed $text to $var my bad
        $var=htmlspecialchars($var,ENT_QUOTES);
        return $var;
    }
    array_walk_recursive($_POST,'clean');
}
?>

Hinty Posted December 19, 2008

I can't get your password but can log in as betty.

md5 hash ur cookie variables

Rushyo Posted January 11, 2009

"md5 hash ur cookie variables"

Unsalted, it wouldn't offer any viable protection as is, since the user could just md5 the username he wanted.

admin -> 21232f297a57a5a743894a0e4a801fc3
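
Added example, not part of the original thread or any poster's code: the unsalted md5 cookie check Rushyo describes, next to a cookie signed with a server-side HMAC key. The function names, SECRET_KEY and the timestamp are constructed for illustration.

```php
<?php
// Added example; function names, SECRET_KEY and the timestamp are constructed.

// Weak check from the thread: the cookie is just md5(username), no secret involved.
function weak_cookie_valid(string $username, string $cookie): bool {
    return $cookie === md5($username);
}

// Hardened form: "user|expiry|HMAC-SHA256(key, user|expiry)".
// Placeholder key: use long random bytes kept only on the server.
const SECRET_KEY = 'constructed-demo-key-not-for-production';

function signed_cookie_for(string $username, int $expires): string {
    // rawurlencode keeps a "|" inside a username from shifting the fields
    $payload = rawurlencode($username) . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Returns the username for a valid, unexpired cookie, otherwise null.
function signed_cookie_user(string $cookie, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, SECRET_KEY);
    // hash_equals() compares in constant time; check the MAC before trusting any field
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if (!ctype_digit($expires) || (int)$expires < $now) {
        return null;
    }
    return rawurldecode($user);
}

$now = 1700000000; // constructed timestamp

// The weak check accepts a value anyone can compute from the username alone.
var_dump(weak_cookie_valid('admin', md5('admin')));

// A signed cookie round-trips for its owner...
$cookie = signed_cookie_for('betty', $now + 3600);
var_dump(signed_cookie_user($cookie, $now));

// ...and is rejected once the username is changed without the key.
var_dump(signed_cookie_user(str_replace('betty', 'admin', $cookie), $now));
```

A server-side session (PHP's session_start()) avoids putting identity in the cookie at all; the signed form is for cases where the cookie itself has to carry it.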