Ryokotsusai Posted September 6, 2007 Share Posted September 6, 2007 Hi, I was wondering if anyone out there has some free time and could attack my site for me, it is not anywhere near 100% yet ( maybe closer to 10% ) and only 2 scripts have any access to the database, the login in the top corner (when your not logged in) and the registration page. I would like to know about any possible exploits that you can come up with, and feel free to do anything short of deleting the database (if possible) there are only 3 empty tables anyway link: http://www.gravityws.com thanks Link to comment Share on other sites More sharing options...
thedarkwinter Posted September 6, 2007 Share Posted September 6, 2007 for a start... your login script is seriously flawed: if you type a random username and password, the login fails, but if you type a random username and not password, it logs you in! Link to comment Share on other sites More sharing options...
agentsteal Posted September 6, 2007 Share Posted September 6, 2007 Cross Site Scripting: There is Cross Site Scripting if the Expect header contains code. Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain ">code. Full Path Disclosure: There is Full Path Disclosure if the PHPSESSID cookie is set to an invalid value. Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/www/gravityws.com/admin/config.php on line 15 Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/www/gravityws.com/admin/config.php:15) in /home/www/gravityws.com/admin/config.php on line 15 Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/www/gravityws.com/admin/config.php:15) in /home/www/gravityws.com/admin/config.php on line 15 Warning: Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0 Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0 Null User: You can register a null password. Null User: You can register a null username. Link to comment Share on other sites More sharing options...
Ryokotsusai Posted September 7, 2007 Author Share Posted September 7, 2007 I fixed the index pages in the directories the login script is what i get for trying to make something while dead tired, but that no longer allows blank logins the full path thing i think i took care of, but now it wont connect to the database... let me try and figure this one out... Link to comment Share on other sites More sharing options...
Ryokotsusai Posted September 7, 2007 Author Share Posted September 7, 2007 fixed, please continue testing Link to comment Share on other sites More sharing options...
Crew-Portal Posted September 8, 2007 Share Posted September 8, 2007 I tried: Username: INSERT INTO database USERS `'` Password: OR "= This step normally confuses the hell outta the database and logs you in. But in your script it didnt log me in! Great job! Security Check is Well Done! Link to comment Share on other sites More sharing options...
Ryokotsusai Posted September 8, 2007 Author Share Posted September 8, 2007 This one isn't fixed: If you try to register with ">code in the fields the code runs on the page. ok i think i took care of that, or at least i can't get it to do that anymore Link to comment Share on other sites More sharing options...
deadimp Posted September 9, 2007 Share Posted September 9, 2007 I tried registering, but it said that there was a database problem. For the directory indexes, you can still tell if it's a real directory by checking on the page status. Have you tried sending a 404 status in the header? Link to comment Share on other sites More sharing options...
Ryokotsusai Posted September 10, 2007 Author Share Posted September 10, 2007 I tried registering, but it said that there was a database problem. Sorry, it is back now For the directory indexes, you can still tell if it's a real directory by checking on the page status. Have you tried sending a 404 status in the header? no, i hadn't thought of that Link to comment Share on other sites More sharing options...
deadimp Posted September 10, 2007 Share Posted September 10, 2007 I logged in, or at least it said it thought I logged in, and the only thing that really changed was the header (the login section disappeared). After that, I couldn't figure what else had changed (though I know that's not the point of all this at the moment). I couldn't figure out how to log out, so I used another browser to screw around some. The login gives different messages for different passwords that I try, so I'm not sure what could be causing that. I'm not that much of a hacker in the sense of network security, so I'm not sure what else to try. Link to comment Share on other sites More sharing options...
Ryokotsusai Posted September 10, 2007 Author Share Posted September 10, 2007 logged in with an account or by other means? Link to comment Share on other sites More sharing options...
deadimp Posted September 11, 2007 Share Posted September 11, 2007 Just with an account. Link to comment Share on other sites More sharing options...
Recommended Posts