Hack website user....

[talor123]

sort of same deel as my last post...

if anyone has the time , could you give a shot at trying obtain password for this account on my website.

no need to go overboard..  ive already tryed to use php injections like  the  include  function n all that.. i cant get it so far...

 

 

http://talor.freehostia.com/

 

username: betty

 

 

 

again.. if you find any faults on my site .. please tell me... thank you

[DeanWhitehouse]

If you want some serious testing go to http://www.hellboundhackers.org/ and get one of them to test it

[darkfreaks]

your variables aren't sanitized properly use this:

 

<?php

function clean($var){

$var=mysql_real_escape_string(trim(strip_tags($var)));
$var=htmlspecialchars($var,ENT_QUOTES);
// or return $var; if running PHP4
return filter_var($var,FILTER_SANITIZE_STRING); 
}
?>

[darkfreaks]

<?php
//**********loops all $_POST variables and cleans them automatically*************///
if(get_magic_quotes_gpc())
{
//clean XSS/SQL injection
function clean($var) {

$var=strip_tags(trim(mysqli_real_escape_string($var)));//changed $text to $var my bad
$var=htmlspecialchars($var,ENT_QUOTES);
return $var;
}

array_walk_recursive($_POST,'clean');
} 
?>

[Hinty]

I cant get your password but can log in as betty

 

md5 hash ur cookie variables

[Rushyo]

"md5 hash ur cookie variables"

 

Unsalted it wouldn't offer any viable protection as is, since the user could just md5 the username he wanted.

 

admin -> 21232f297a57a5a743894a0e4a801fc3