Hack this :)


eXeCuTeR


Full Path Disclosure when you visit toxic.local-host.co.il.

 

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 94

Dude, something happened there.

 

http://toxic.local-host.co.il/index.php?act[]

 

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 343

 

Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 346

 

Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 354

 

Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 362

 

Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 370

 

Warning: Illegal offset type in /home/toxic14/domains/toxic.local-host.co.il/public_html/index.php on line 370

 

 


Full Path Disclosure:

http://toxic.local-host.co.il/index.php?a[]

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 353

 

Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 356

 

Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 364

 

Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 372

 

Warning: preg_match() expects parameter 2 to be string, array given in /home/toxic14/domains/toxic.local-host.co.il/public_html/genosecurity/geno.php on line 380

 

Warning: Illegal offset type in /home/toxic14/domains/toxic.local-host.co.il/public_html/index.php on line 370


Don't even need the /index.php lol

 

toxic.local-host.co.il?a[]

 

And in case you don't know why stuff like this is a problem... well, at the very least it's buggy/annoying, and it could potentially be a huge security problem. It's immediately obvious from the errors that your username is probably toxic14... or maybe genosecurity. Knowing this will make a brute-force login attack much easier/faster, for starters.


How could I secure this?

 

A piece of code I made and therefore use is:

 

<?php
// $_SERVER['PHP_SELF'] holds the path of the executing script (e.g. /index.php)
// plus any PATH_INFO; the check below rejects the request if that value
// contains a quote, an angle bracket or a slash.
if (stristr($_SERVER['PHP_SELF'], "'") || stristr($_SERVER['PHP_SELF'], '"') ||
    stristr($_SERVER['PHP_SELF'], '<') || stristr($_SERVER['PHP_SELF'], '>') ||
    stristr($_SERVER['PHP_SELF'], '/')) {
    echo "No XSS today, thank you"; // or any other message
    exit; // stop processing the request
}
?>

 

 

That stops anyone from adding XSS to the $_GET variables in the URL of the site.

 

Sam


helraizer,

 

Where should one paste this code? I mean, in which file and folder...

 

Anuj

 

 

That would go in the page that has the $_GET variables in it. So if it's index.php?a[], then the code would go in index.php.

 

If it's search.php?q[], then the code would go in search.php.

 

Sam

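An added example, not code from this thread or from the site under discussion, showing in one script why a request like index.php?a[] produces the warnings quoted earlier in the thread and how the handler can be written so it does not. PHP turns a[] into an array inside $_GET; the vulnerable shape hands that array straight to preg_match() (the original also used mysql_real_escape_string(), which is gone from PHP 7, so it is left out here), and with display_errors on, the resulting warning prints the absolute script path into the response. The function names, the parameter name "a", and the whitelist pattern are assumptions made for illustration.

```php
<?php
// Added example for this thread; not the site's own code. Function names and
// the parameter "a" are illustrative assumptions.

// Vulnerable shape: assumes $_GET['a'] is a string. A request for
// index.php?a[] makes PHP build $_GET['a'] as an array, so preg_match()
// raises "expects parameter 2 to be string, array given" (a warning on
// PHP 5/7, a TypeError on PHP 8). With display_errors=On the warning text,
// including the absolute file path, is written into the response body.
function vulnerable_handler(array $get)
{
    $a = isset($get['a']) ? $get['a'] : '';
    if (!preg_match('/^[a-z0-9_]+$/i', $a)) {   // warns/throws when $a is an array
        return 'invalid';
    }
    return 'ok: ' . $a;
}

// Hardened shape: check the type before the value. Anything that is not a
// plain string (a[], a[x]=1, a[][]=..., or a missing key) is rejected before
// any library function sees it, so no warning can be raised at all.
function hardened_handler(array $get)
{
    if (!array_key_exists('a', $get)) {
        return 'missing';
    }
    if (!is_string($get['a'])) {
        return 'bad request';            // every array-shaped value lands here
    }
    $a = $get['a'];
    if (!preg_match('/^[a-z0-9_]+$/i', $a)) {
        return 'invalid';
    }
    return 'ok: ' . $a;
}

// Second layer, independent of any single check: never ship raw PHP
// warnings to the client. Log them server-side instead, so the path ends
// up in the error log and not in the HTTP response. In production this
// belongs in php.ini (display_errors=Off, log_errors=On); setting it at the
// top of the entry script, as here, covers the same ground for one script.
function install_quiet_error_handler()
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    set_error_handler(function ($errno, $errstr, $errfile, $errline) {
        error_log("php warning: $errstr in $errfile on line $errline");
        return true; // handled: PHP's default printing is suppressed
    });
}

// Simulated requests (constructed inline, no web server needed):
//   index.php?a=hello  -> ['a' => 'hello']
//   index.php?a[]      -> ['a' => ['']]
//   index.php?a[x]=1   -> ['a' => ['x' => '1']]
//   index.php          -> []
install_quiet_error_handler();
foreach ([['a' => 'hello'], ['a' => ['']], ['a' => ['x' => '1']], []] as $get) {
    try {
        $vuln = vulnerable_handler($get);
    } catch (TypeError $e) {             // PHP 8 behaviour for the array case
        $vuln = 'TypeError: ' . $e->getMessage();
    }
    echo str_pad(json_encode($get), 20), ' vulnerable: ', $vuln,
         '  hardened: ', hardened_handler($get), "\n";
}
```

The checks here are on the parameter value itself, which is where the array arrives: a[] shows up in $_GET and in $_SERVER['QUERY_STRING'], while $_SERVER['PHP_SELF'] carries only the script path (for example /index.php) and never the query string. Both layers are worth having: the is_string() check fixes the one handler, and display_errors=Off makes sure that a check missed elsewhere in the application still does not print /home/... paths to visitors.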
