Firewall help

[Nostalgiia]

At my school we have a new firewall system, and its tricky, but i think the people who programmed it know very little about security which is hopefully going to help me out. its lightspeed content filtering system. when you try to go to a blocked page, you get an error message, access denied blah blah blah. well what do you know? in a fit of frustration, i decided i was going to do the whole javascript:void document editable=true injection and make myself feel better when i found something interesting:

a hidden form at the top left corner that leads to some encrypted url. so, i go to another blocked site, download the code for the access denied page, change the input from input from hidden to text and the action to an absolute reference (since im no longer in their directory).

i submit the form, which by the way the value is another encrypted subdirectory lol, another error page, error getting information from the server. a whole much of sql errors come up, and i think... hmm... what can i do with an .asp page thats returning sql errors??? 1' or '1'='1 and submit. bam, name of the config file (web.config) , the address of the router or modem, i'm not sure, and iformation on how to make changes to the config file. so far so good right? well when i try throw web.config after the blocked?alskdjfdk or whatever, i get another page that says remote access to this file is explicitly forbidden blah blah blah, and you have to be on the host computer to look at it.

when i went to the ip that it gave me, i think it was 10.0.0.14, it asked me for the admin name and pass, but i hadn't a clue how to get past here, it was windows asking for it, not the internet. i ran out of time today, but tomorrow i'm going to try the javascript:void(document.write.cookie="access=granted");alert:document.cookie; thing. if that doesnt work than i'll pretty much be out of ammo, are there any suggestions to be thrown my way? and also its an .aspx so asp injection resources? google hasn't been able to turn over this rock for me.

-- Thu Nov 18, 2010 8:10 pm --

i also tried getting medusa and hydra to run off my flash which are supposed to be able to crack admin passes from what i understand, but thats another story completely, and i'm having trouble getting them.

[sanddbox]

ROFL...some particularly funny snippets:

in a fit of frustration, i decided i was going to do the whole javascript:void document editable=true injection and make myself feel better

i submit the form, which by the way the value is another encrypted subdirectory lol

watttttt

it was windows asking for it, not the internet

Watttttt...again. By the way, that sounds like basic http authentication.

i ran out of time today, but tomorrow i'm going to try the javascript:void(document.write.cookie="access=granted");alert:document.cookie; thing

Someone takes the basic missions a little too seriously...also, it's document.cookie, not document.write.cookie.

i also tried getting medusa and hydra to run off my flash which are supposed to be able to crack admin passes from what i understand, but thats another story completely, and i'm having trouble getting them.

Lolskiddie.

Anyway, your overall understanding of these things is pretty weak. You have a lot of bad logic and a lot of times you're just regurgitating code/injections where they don't make sense. For example, editing the cookies is guaranteed to have no effect seeing as how the webpage doesn't auth via a basic "access=true/false" cookie. Your SQL injection was also not SQL injection - you got lucky and caused an error which gave you a few pieces of information, but it was unrelated to your sql syntax.

As to what you can do...you could try a few default admin passwords and you could try bruteforcing the login, but success is unlikely. Just use a proxy.

[Nostalgiia]

i am aware that my knowledge is pretty weak, i just started learning about exploits a few months ago. they block by catagory (*.blogspot.*, *.proxy.* etc.) and everything uncatagorized is blocked under the catagory of uncatagorized. it's really frustrating. and also i did try a few SELECT * commands but they all returned the same error, and i didn't feel it was necessary to put in my original post. could this be the 'x' in the .aspx extension, because (once again laugh) i have never seen this before.

-- Thu Nov 18, 2010 9:17 pm --

and as far as the value thing goes, in the source code, the value is set to /walskdjfkdla;sldkfjdkls... and it takes up like 4 lines in notepad. it returned the error getting info from system and i set the action of the form to that value and entered the 1' thing and got the same page.

-- Thu Nov 18, 2010 9:23 pm --

i would really like to get to the point where i possessed infinite knowledge, but that day isn't near, and, at least i think, until i can actually code and execute my own forms successfully with only having a limited amount of time to test my programs, that it isn't necessarily being a script kiddie to use a program if you get to a point in a hack that is beyond you knowledge, google is no help, and people in forums like these don't care enough to post something useful. i tried no name and pass: admin, i tried name: admin and no pass, i tried admin in both, i tried my principals network account name and tried guessing his password, combination of childrens names and whatnot, but no luck.