Hack My Site :D

Discuss the many weaknesses of browser security and ways to mitigate the threat

Re: Hack My Site :D

Post by DrRoach on Fri Oct 18, 2013 2:44 pm
([msg=77746]see Re: Hack My Site :D[/msg])

Hey I had a look at your site and as of yet this is nothing, (I think) but you have a mysql injection vulnerability on your site. Your site went down as I was exploring this but I managed to get a list of your sites tables but couldn't get any further as your site went down. PM me if you want to know more about it :)
DrRoach
Poster
Poster
 
Posts: 155
Joined: Fri Feb 22, 2013 6:53 pm
Blog: View Blog (0)


Re: Hack My Site :D

Post by mShred on Sat Oct 19, 2013 2:18 pm
([msg=77763]see Re: Hack My Site :D[/msg])

Damn that's upsetting. The site is down right when I wanted to look into it.
Image

For those about to rock.
User avatar
mShred
Administrator
Administrator
 
Posts: 1686
Joined: Tue Jun 22, 2010 4:22 pm
Blog: View Blog (2)


Re: Hack My Site :D

Post by Goatboy on Sun Oct 20, 2013 1:44 pm
([msg=77773]see Re: Hack My Site :D[/msg])

Just a friendly reminder, but just because someone says you are free to test their site's security does not make it legal. In this case the site is hosted on a server that *is not owned* by Kataclysmic. And due to this post from another thread:

Kataclysmic wrote:Check back on the 20th. Host shut me down because of SQLi attempts by people :P


I have reason to believe the hosting company takes security threats fairly seriously. So for the legal safety of those involved, think twice before you start throwing apostrophes in random input boxes.

For the sake of posterity I am going to quote Kata's first post and the "Welcom HTS" comment in the site's source code. In case anyone comes a-knockin' on your door with a warrant, you can point to this thread as your intent. That doesn't make it a Get Out Of Jail Free card, but if it is documented that we are trying to help him improve his security as a group, there's a good defense or at least mitigating factor in there.

October 16, 2013:
Kataclysmic wrote:Alright so first off there is a comment on the home page that says <!-- Welcome HTS --> You may hack this site. However I would prefer that no one attempts anything on the feedback page because I would then have to manually delete all posts on the page. If you do find something please let me know! Thanks everyone.

P.S.
If you would like if you do manage to hack this site
let me know and I can add something in the news section about it and mention your name or you can stay anonymous.


Proof of ownership:
Code: Select all
<html>
<head>
<!-- Welcom HTS -->
<title>LawOfCode | Home</title>


Now you may think I am being paranoid here, but having been through the legal system I can say for certain that they will use anything and everything against you. Businesses have an understandable concern for the code their clients execute, and it is in their best interests to prosecute. You may not agree with it, but from a business standpoint it's a great idea.

Establishing a "Cover My Ass" document such as this provides the court with exactly the sort of thing you should ideally have in a contract in a pentest. You want to have the scope, target, duration, etc etc spelled out in plain English so that if the company tries to claim you stepped out of bounds, you have a piece of paper they signed that says otherwise.

Now obviously this is not an official contracted pentest, this is just someone who has a site and wants us to test it. Now there could be people out there who mean to do harm, but we are not those people. We are legitimately interested in improving the security of our members, and testing our own knowledge at the same time. This should not be punished, but at the same time you need to be careful with this sort of thing.

On a closing note, just in case this post ever does become relevant, I'd like to emphasize that this site is here to teach and improve, not deceive and corrupt. Yes the techniques discussed can be used for malicious purposes, but security is a double-edged sword. Without teaching people how to properly defend themselves, the current state of the Internet would be a vastly different landscape.

And as always, question everything and trust no one.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
User avatar
Goatboy
Expert
Expert
 
Posts: 2785
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Re: Hack My Site :D

Post by Kataclysmic on Mon Oct 21, 2013 12:41 am
([msg=77789]see Re: Hack My Site :D[/msg])

-Ninjex- wrote:
Kataclysmic wrote:Can't change those :/ host is fgt.


True and false. True: "host is fgt", False: "Can't change those"

create a .htacess file in the public_html directory.
Inside the .htacess file add this:
Code: Select all
Options -Indexes


You could also create a custom 404 error message and add a redirect to it with something like:
Code: Select all
ErrorDocument 404 /foo/bar.php

Thanks for the tip. Got a new host in the end though. Long story short they didn't like this thread as it slowed the mysql queries. No joke the reason was "Abuse (Slow MySQL Queries)"

-- Wed Oct 23, 2013 12:56 am --

mShred wrote:Damn that's upsetting. The site is down right when I wanted to look into it.

It is back up now if you want to check.
http://lawofcode.com
What will you learn?
Kataclysmic
New User
New User
 
Posts: 27
Joined: Wed Oct 09, 2013 10:15 pm
Blog: View Blog (0)


Previous

Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests