
Hack me!!!


Cory94bailly


http://etsoldiers.com/massattack/index.php

 

Yes, there is an admin panel.. But it is secure (with a session)..

 

Please tell me anything! XSS, mysql injection, full url shown.. *(I doubt it will show full url @ anything because I made a small script that has it so only my IP sees errors..)

 

If you do find a bug or something, please don't abuse it, tell me ;)


Test accounts:

 

User-

Username: demo

Password: demo

 

Admin-

Username: admin

Password: admin

 

 

I re-enabled the admin panel for testing purposes..

 

 

For testing purposes (and the fact that sendmail isn't working..), users get auto activated..


You might want to look at SQL Inject Me (you can download it as a Firefox plugin). On your registration page it says you have 27 failures for SQL Injections.

 

Yeah I realized that after I posted and it won't let me edit..!

 

Thanks, I'll (try to) fix it ;)


This page has interesting file at the top called thumbs.db

I can't access it but someone with more skills probably could. Don't know if it contains sensitive data but I'm guessing as it's a .db file it probably does.

 

here is link http://etsoldiers.com/massattack/images/

Microsoft Frontpage automatically generates those in every folder with images, I think.


Cross Site Scripting(XSS):

When you register and have code in your username it will execute on the page that says:

">code, to login you must first check your emails for an activation email.

 

Cross Site Scripting(XSS):

If you have code in your username it will execute on the side panel.

Welcome, ">code

 

Today is: Thursday, February 26th


If you want people to hack it, how come you give login details?

 

1.) I want people to see if I can be hacked.

2.) Find anything that is vulnerable when they are logged in and stuff..

 

 

This page has interesting file at the top called thumbs.db

I can't access it but someone with more skills probably could. Don't know if it contains sensitive data but I'm guessing as it's a .db file it probably does.

 

here is link http://etsoldiers.com/massattack/images/

That's nothing, it was a hidden file on my desktop with nothing in it and I accidentally uploaded it..

 

 

Cross Site Scripting(XSS):

When you register and have code in your username it will execute on the page that says:

">code, to login you must first check your emails for an activation email.

 

Cross Site Scripting(XSS):

If you have code in your username it will execute on the side panel.

Welcome, ">code

 

Today is: Thursday, February 26th

Woop, I guess I have to do a few more checks for code and stuff..

 

 

Uhh....your site's a bit vulnerable to html injection xD

Yep, I'll work on it ;)


I'm having some trouble...

 

I can put something like <img src="u"> into the register form but in my mysql db, it shows up as <img src=&#9 as you can see, there's no letter U in that..

 

Here's my code for login & register..

 

// Entity strings restored: the forum rendered them as literal characters, and "/" was mapped to a typo ("&92;").
// The SQL escaping is now done last, after the HTML replacement, so the backslashes that
// mysql_real_escape_string adds in front of quotes are not themselves turned into &#92;.
$oldarray = array("\\", "\"", "'", "/", "<", ">");
$newarray = array("&#92;", "&quot;", "&#39;", "&#47;", "&lt;", "&gt;");
$username = strtolower(str_replace($oldarray, $newarray, $_POST['username']));
$username = mysql_real_escape_string($username); // needs an open mysql connection

 

My code really needs some help but I don't want to spam and make a new post in PHP Help.. Can somebody make me like a clean() function or something?


You're putting unnecessary effort into this-

 

Just use htmlspecialchars() and/or strip_tags()

 

They basically remove all html entities from a string. If you use both of them, it's unfeasible for someone to inject html into your page.

 

:)


You're putting unnecessary effort into this-

 

Just use htmlspecialchars() and/or strip_tags()

 

They basically remove all html entities from a string. If you use both of them, it's unfeasible for someone to inject html into your page.

 

:)

 

I tried that but it literally takes them out, I want it to show the user's actual name they registered with on the pages, not something like " img src a "..

 

I want to escape them (\) but it seems that will execute them..
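Added example (not the thread author's code): one way to write the clean() function asked for above. The registered name is stored exactly as typed and encoded only when it is printed, so htmlspecialchars() shows the real name instead of stripping it the way strip_tags() does; the SQL side uses a prepared statement so no backslash escaping of the value is needed at all. The mysqli connection $db and the users table columns are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection $db and a
// hypothetical table `users` with columns `username` and `email`.

// Output encoding for HTML: the five HTML-significant characters become
// entities, so the browser shows the name literally. '">code' is printed as
// '&quot;&gt;code', which renders as ">code instead of closing the attribute
// and injecting markup. ENT_QUOTES also covers single quotes inside attributes.
function clean_for_html($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Storage: the value is never spliced into the SQL string. The placeholder
// keeps the data separate from the query text, so quotes or backslashes in the
// username cannot change what the statement does, and nothing is mangled.
function register_user(mysqli $db, $username, $email) {
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $username, $email);
    return $stmt->execute();
}

// The side panel from the thread, rendered through the encoder.
function welcome_panel($username) {
    return 'Welcome, ' . clean_for_html($username);
}

// Constructed input resembling the one reported earlier in the thread.
$reported = '"><img src="u">';
echo welcome_panel($reported), "\n";
// prints: Welcome, &quot;&gt;&lt;img src=&quot;u&quot;&gt;
```

Encode at the point of output (every page that prints the name), not once at registration, so the database keeps the plain text and can be shown in non-HTML contexts too.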


Cross Site Scripting (XSS):

You can submit ">code when adding news through the admin panel.

 

Is that necessarily a bad thing? Only admins/moderators can post news..

 

I suppose I should put in a small bbcode mod..

 

For the news panel, can any 'bad' code be put in? Like php or something?



Thumbs.db is a cached representation of images inside a folder created by Windows to help speed up thumbnail images appearing when browsing folders.

 

You can turn this cache feature off in the Control Panel, which will prevent the cache files appearing, but those already there won't be deleted.

