kaliza Posted August 6, 2007

I made this for World of Warcraft about 7-8 months ago when I first learned to code. If you guys want to peek around and try to find any glitches, go ahead. Known glitches: script and HTML tags stay in; I haven't got rid of that yet.

http://www.pidbaq.com/raids/raids.php
agentsteal Posted August 7, 2007

Admin Access: The password box contains your password.
Array: http://www.pidbaq.com/raids/raids.php?raid[]
Cross Site Scripting: http://www.pidbaq.com/raids/raids.php?action=view&raid=<marquee><h1>vulnerable</marquee>
Cross Site Scripting: http://www.pidbaq.com/raids/raids.php?decision=delete&raid='><marquee><h1>vulnerable</marquee>
Includes Directory: http://www.pidbaq.com/raids/
Log: http://www.pidbaq.com/raids/action_log
teng84 Posted August 8, 2007

LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOL. "PLZ Don't Refresh the Page. One Post Per Player." What does it mean? HAHAHAHAHAHAHAHAHAHAHAHHAHAHAH?????
kaliza (Author) Posted August 8, 2007

HEY HEY!!! It was one of the first PHP programs I ever wrote, lol! I mean, you don't even want to see the source, it's really bad. I put the admin login info there because it is a demo site; I am demoing it for www.curse.com. It's a simple tool to keep track of people who show up to events within games, and the action_log is meant for debugging purposes.

By the way, how do you block the folder view? One more thing: how do you block it so that if a person refreshes the page it won't insert another query, like a double post? And thank you for your help.
lemmin Posted August 8, 2007

Disallowing directory browsing is done using server settings. Simply placing a default file in the directory would stop most people, but some browsers or software would probably still allow listings.

The simplest way to stop a refresh from adding another query would be to use POST instead of GET. Other than that, you can check stuff server side, like whether it already exists or not. I think you might be able to use the server variable 'HTTP_REFERER' to make sure it came from the correct page. If the user can come from multiple places, instead of checking to make sure they came from a certain page, check to make sure they don't come from a URL that includes the GET values that input data.
teng84 Posted August 8, 2007

(Quoting lemmin's reply above in full.)

Use the header file and redirect the user.
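Putting lemmin's and teng84's suggestions together, here is an added example of a raid sign-up handler (it is not kaliza's code, and the PDO connection in $db and the attendance(raid, player) table are assumptions). It uses POST for the insert, a one-time form token plus a server-side duplicate check, a redirect after the write, and it also rejects the ?raid[] array trick and escapes output, which covers the points agentsteal raised:

```php
<?php
// Added example, not code from kaliza's site: Post/Redirect/Get with a one-time
// form token, plus input validation and output escaping for a raid sign-up page.
// Assumes a PDO connection in $db and a table attendance(raid, player); both
// are assumptions made for this example.
session_start();

function fail(int $code, string $msg): void {
    http_response_code($code);
    exit(htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'));
}
// Rejects ?raid[]-style parameters: only a plain string of safe characters passes.
function clean_name($v): string {
    if (!is_string($v) || !preg_match('/^[A-Za-z0-9 _-]{1,32}$/', $v)) {
        fail(400, 'invalid name');
    }
    return $v;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A refresh resends the same token, which was removed from the session on
    // the first submit, so the insert cannot be repeated.
    $token = $_POST['token'] ?? '';
    if (!is_string($token) || $token === ''
        || !hash_equals($_SESSION['form_token'] ?? '', $token)) {
        fail(400, 'stale or duplicate submission');
    }
    unset($_SESSION['form_token']);
    $raid   = clean_name($_POST['raid'] ?? null);
    $player = clean_name($_POST['player'] ?? null);
    // Server-side duplicate check (lemmin's point), with prepared statements.
    $st = $db->prepare('SELECT 1 FROM attendance WHERE raid = ? AND player = ?');
    $st->execute([$raid, $player]);
    if (!$st->fetchColumn()) {
        $db->prepare('INSERT INTO attendance (raid, player) VALUES (?, ?)')
           ->execute([$raid, $player]);
    }
    // Redirect (teng84's point): the browser now holds a GET URL, so a refresh
    // re-reads the page instead of re-posting the form.
    header('Location: raids.php?action=view&raid=' . rawurlencode($raid), true, 303);
    exit;
}
// GET: issue a fresh token and render; escape anything that came from the URL.
$_SESSION['form_token'] = bin2hex(random_bytes(16));
$raid = is_string($_GET['raid'] ?? null)
      ? htmlspecialchars($_GET['raid'], ENT_QUOTES, 'UTF-8') : '';
echo "<h1>Raid: $raid</h1>";
echo '<form method="post"><input type="hidden" name="token" value="'
   . $_SESSION['form_token'] . '"><input name="raid" value="' . $raid . '">'
   . '<input name="player"><button>Sign up</button></form>';
```

Directory listing itself is still a web server setting (Options -Indexes in Apache, for instance); nothing in a PHP page can switch it off, but the 303 redirect and the token-based rejection of a resubmitted form can be verified by submitting once and then pressing refresh.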
mattd8752 Posted August 14, 2007

If you're redoing it, I suggest using the Armory and just asking for their user name and server (or the server could be defined by the admin). I did something like this at http://wow.mattdsworld.com/read.php?name=NAME&realm=REALM. Obviously you have to replace NAME and REALM with your name and realm. If you want to see the source for that you can email mrfg2006@gmail.com (I probably won't remember to check back on this topic).