Hack My Site!


Post by 3vilp4wn on Thu Mar 07, 2013 6:17 pm

Hi there!
I just made a small site to practice/learn PHP, and was wondering if it had any vulns.

The URL is http://evil.x10.mx

Proof that the site is mine and some info about the site: http://evil.x10.mx/proof.txt


And here's a login you can use:
Username: "3NH"
Password: "WooWoo!"

I think that the shoutbox may be vulnerable to XSS, but I'm not sure.

Good Luck!

EDIT:
Please don't bruteforce the login.
I saw someone trying to do that. Not only did it clog up the server and logs, but it failed.
Thanks.

EDIT 2:
I got TOS'd :cry:
I'm looking for a new host, I'll let you know when I find one...
Last edited by 3vilp4wn on Wed Mar 13, 2013 6:56 pm, edited 2 times in total.
Do not mistake understanding for realization, and do not mistake realization for liberation
Evil Ninja Hackers
???
٩(͡๏̯͡๏)۶


Re: Hack My Site!

Post by 0phidian on Fri Mar 08, 2013 12:35 am

I'll have to look at this later. This site is hosted, right, so we're attacking the site, not the server itself?


Re: Hack My Site!

Post by 3vilp4wn on Fri Mar 08, 2013 12:43 am

0phidian wrote:This site is hosted, right, so we're attacking the site, not the server itself?


Yes, attack the site, not the server.

I just found a vuln in my own site. If an article has a ' (single-quote) in its name, it crashes the article display system. Haven't exploited it yet...

EDIT:

Fixed it!


Re: Hack My Site!

Post by 0phidian on Fri Mar 08, 2013 1:13 am

Found an exploit. :geek:
Putting ../ at the beginning of an article title will place it in a lower directory: http://evil.x10.mx/hi-3NH.txt

EDIT:
trying to add dirs gives me this:
Code:
Warning: fopen(articles/hi/hi/hi/hellos-3NH.txt) [function.fopen]: failed to open stream: No such file or directory in /home/evilx10m/public_html/article.php on line 7

Warning: fwrite() expects parameter 1 to be resource, boolean given in /home/evilx10m/public_html/article.php on line 8

Warning: fwrite() expects parameter 1 to be resource, boolean given in /home/evilx10m/public_html/article.php on line 9

Warning: Cannot modify header information - headers already sent by (output started at /home/evilx10m/public_html/article.php:7) in /home/evilx10m/public_html/article.php on line 10


-- Fri Mar 08, 2013 1:14 am --

Well, I got to get back to studying trig, I'll try more later.
Last edited by 0phidian on Fri Mar 08, 2013 1:17 am, edited 2 times in total.


Re: Hack My Site!

Post by 3vilp4wn on Fri Mar 08, 2013 1:14 am

Thanks! I'll work on fixing it :)

EDIT: fixed!
EDIT: Fixed better :) now replaces "/" with "".


Re: Hack My Site!

Post by 0phidian on Fri Mar 08, 2013 1:13 pm

These aren't so much exploits as bugs, but...
There is nothing stopping me from overwriting an article with the same name.

Using characters that are not allowed in unix filenames like "<>|:&" does not give an error when submitting, but clicking the link to the article will 404.

Using an article title that is over 255 (including the "-3NH", so 251) characters will produce an error code, probably since the unix filesystem does not allow filenames over that length.

-- Fri Mar 08, 2013 1:26 pm --

I noticed that you seem to write everything (except the passwords, hopefully anyways) to text files like 'shout.txt'. So I was wondering, is the username and password stuff just in the php code, or do you use any SQL?


Re: Hack My Site!

Post by 3vilp4wn on Fri Mar 08, 2013 7:00 pm

0phidian wrote:These aren't so much exploits as bugs, but...
There is nothing stopping me from overwriting an article with the same name.

Using characters that are not allowed in unix filenames like "<>|:&" does not give an error when submitting, but clicking the link to the article will 404.

Using an article title that is over 255 (including the "-3NH", so 251) characters will produce an error code, probably since the unix filesystem does not allow filenames over that length.


Yeah, I'm planning to switch the article system to a whitelist of chars you can use instead of a blacklist. I didn't know about the 255 char one, I'll try to fix it...

As for overwriting, it's meant to do that. All the articles have a postfix of "-username.txt", so only people with the same username can overwrite the articles.

0phidian wrote:I noticed that you seem to write everything (except the passwords, hopefully anyways) to text files like 'shout.txt'. So I was wondering, is the username and password stuff just in the php code, or do you use any SQL?


No SQL. I use the php $_SESSION variable and check it whenever you try to post anything.
As for the login, the variables are in the php script itself, making it very hard (impossible) to get at.
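The whitelist approach 3vilp4wn plans above, written out as an added example (this is not the site's own code): an article title is accepted only if it matches a short allowed-character set, so "../", "/", NUL bytes and the "<>|:&" characters from the thread never reach the filesystem, and the full filename is length-checked before it is used. The articles/ directory, the "-username.txt" postfix and the function names are assumptions based on the thread.

```php
<?php
// Added example, not the site's code. Validates an article title before it is
// used as a filename under articles/, using a whitelist instead of a blacklist.
// Assumed layout from the thread: articles/<title>-<username>.txt

const ARTICLE_DIR = __DIR__ . '/articles';
const NAME_MAX    = 255;   // typical per-filename byte limit on Linux filesystems

/**
 * Return the safe path for an article, or null if the title is rejected.
 * Only [A-Za-z0-9_-] is allowed in the title and username, so no path
 * separators, traversal sequences, NUL bytes or HTML metacharacters survive.
 */
function articlePath(string $title, string $username): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $title)) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $username)) {
        return null;
    }
    $file = $title . '-' . $username . '.txt';
    if (strlen($file) > NAME_MAX) {
        return null;   // would otherwise fail with the filesystem error noted in the thread
    }
    $path = ARTICLE_DIR . '/' . $file;

    // Belt and braces: confirm the parent of the final path resolves to articles/.
    $parent = realpath(dirname($path));
    if ($parent === false || $parent !== realpath(ARTICLE_DIR)) {
        return null;
    }
    return $path;
}

/** Save the article body; returns false when the title was rejected or the write failed. */
function saveArticle(string $title, string $username, string $body): bool
{
    $path = articlePath($title, $username);
    if ($path === null) {
        return false;   // caller shows a generic "invalid title" message, not a PHP warning
    }
    return file_put_contents($path, $body, LOCK_EX) !== false;
}
```

Because the username is part of the filename, the same-username overwrite the thread describes still works by design, while a title such as "../hi" is refused rather than stripped, which also closes the case where removing "/" from "..//" would leave "../" behind.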


Re: Hack My Site!

Post by 0phidian on Fri Mar 08, 2013 8:46 pm

I haven't got the password for 3vilp4wn yet, but the site is vulnerable to dictionary/brute force attacks on the login page. To prevent this you should record the number of failed logins from an IP address and lock them out temporarily (maybe an hour or so) after so many failed attempts.

EDIT: My bad, didn't see the "please don't bruteforce" part. It would still be good to try to protect against it rather than relying on your users to use strong passwords.

-- Fri Mar 08, 2013 9:21 pm --

The login page should probably use SSL (https) so if someone's sniffing packets the users' credentials won't be in plain text.


Re: Hack My Site!

Post by 3vilp4wn on Sat Mar 09, 2013 5:12 pm

0phidian wrote:I haven't got the password for 3vilp4wn yet, but the site is vulnerable to dictionary/brute force attacks on the login page. To prevent this you should record the number of failed logins from an IP address and lock them out temporarily (maybe an hour or so) after so many failed attempts.


True, I should do that. I'll probably have a file with each IP that logs in, and set a cron job to delete it every half hour or so. I just thought of a better idea. I'll add a 5 second server-side delay before it logs you in. That'll limit bruteforcing to 1/5 of a password per second :D

0phidian wrote:EDIT: My bad, didn't see the "please don't bruteforce" part.


Haha, I added the "no bruteforce" part *because* I saw someone bruteforcing in the logs.

0phidian wrote:The login page should probably use SSL (https) so if someone's sniffing packets the users' credentials won't be in plain text.


I would, but I'm using a freehost, and it doesn't support ssl :cry:

0phidian wrote:Using characters that are not allowed in unix filenames like "<>|:&" does not give an error when submitting, but clicking the link to the article will 404.

Fixed.

-- Sat Mar 09, 2013 6:17 pm --

3vilp4wn wrote:
0phidian wrote:I haven't got the password for 3vilp4wn yet, but the site is vulnerable to dictionary/brute force attacks on the login page. To prevent this you should record the number of failed logins from an IP address and lock them out temporarily (maybe an hour or so) after so many failed attempts.


True, I should do that. I'll probably have a file with each IP that logs in, and set a cron job to delete it every half hour or so. I just thought of a better idea. I'll add a 5 second server-side delay before it logs you in. That'll limit bruteforcing to 1/5 of a password per second :D


Ok, now it waits 5 seconds before logging you in. That'll stop bruteforcing without making life *too* inconvenient for users.

-- Sun Mar 10, 2013 12:21 am --

I added an AJAX/PHP chat script :)
It shouldn't be any more vulnerable than the shoutbox, but hey, you never know :)
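The per-IP lockout 0phidian suggests, as an added example rather than anything from the site: failed logins are counted in a flat file (the site uses no SQL), and an IP that reaches the limit is refused for an hour. It is worth pairing with, not replacing, the 5-second delay 3vilp4wn added, since a fixed sleep slows each request but does not by itself cap how many attempts an address can make. The file location, limits and the login.php call sites are assumptions.

```php
<?php
// Added example, not the site's code. Per-IP failed-login lockout in a flat
// JSON file. Assumed: the data/ directory is outside public_html and writable.

const FAIL_FILE = __DIR__ . '/../data/failed_logins.json';
const MAX_FAILS = 5;      // failures allowed before lockout
const LOCKOUT   = 3600;   // one hour, as suggested in the thread

function loadFails(): array
{
    $raw  = @file_get_contents(FAIL_FILE);
    $data = $raw === false ? [] : json_decode($raw, true);
    return is_array($data) ? $data : [];
}

function saveFails(array $data): void
{
    file_put_contents(FAIL_FILE, json_encode($data), LOCK_EX);
}

/** True while $ip is locked out: MAX_FAILS failures and the last one within LOCKOUT. */
function isLockedOut(string $ip, int $now): bool
{
    $data = loadFails();
    if (!isset($data[$ip])) {
        return false;
    }
    return $data[$ip]['count'] >= MAX_FAILS && ($now - $data[$ip]['last']) < LOCKOUT;
}

function recordFailure(string $ip, int $now): void
{
    $data  = loadFails();
    $entry = $data[$ip] ?? ['count' => 0, 'last' => 0];
    if ($now - $entry['last'] >= LOCKOUT) {
        $entry['count'] = 0;   // old window expired, start counting afresh
    }
    $entry['count']++;
    $entry['last'] = $now;
    $data[$ip] = $entry;
    saveFails($data);
}

function clearFailures(string $ip): void
{
    $data = loadFails();
    unset($data[$ip]);
    saveFails($data);
}

// In login.php (assumed usage): check before verifying the password, then
// either clear the counter on success or record the failure.
//   $ip = $_SERVER['REMOTE_ADDR']; $now = time();
//   if (isLockedOut($ip, $now)) { http_response_code(429); exit('Too many attempts, try later.'); }
//   if (checkPassword($user, $pass)) { clearFailures($ip); } else { recordFailure($ip, $now); }
```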


Re: Hack My Site!

Post by WallShadow on Sun Mar 10, 2013 7:57 am

I took a stab at it, found some stuff you might wanna look at; here are my notes on it:

1. article name doesn't filter out <>()''""; , that's why the articles are messed up right now bad. I couldn't figure out how to perform XSS with it, but someone more skilled probably could.
2. server doesn't reply when sending an article with a hex encoded null byte in the name. It actually took me a while to realize this because when sending it, FF manually filtered %00 to %2500 for whatever reason.
3. directory listing isn't disabled on the /articles/ directory, I'm guessing that it's not disabled at all anywhere, change it for future purposes.
4. errors shown in viewarticle.php when an invalid article name is entered. There shouldn't be any php errors shown, just 'sorry, we had an error' and an error code, then store the real error in a log file, or simply check if the file exists first and say 'file does not exist'. The error also reveals the path to some stuff, don't do that.
5. articles should have word break enabled inside them so that a long word doesn't go out of the box just like my ugly XSS attempt.
6. finally, the chat box is waaaaaaaaaaaaaaaaaay too easy to spam.

- WallShadow <3
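WallShadow's points 1, 4 and 5 in one added example (not the site's viewarticle.php): the name is whitelisted so a NUL byte or "<>" can never form a path, a missing file gets a plain "does not exist" message, a real read failure is logged to a file outside the web root and reported to the user only as an error code, and the body is HTML-escaped and wrapped on output. The paths, the log location and the function name are assumptions.

```php
<?php
// Added example, not the site's code. A viewarticle.php handler that never
// echoes PHP warnings or server paths to the visitor.
// Assumed: articles/<name>.txt under this directory; logs/ is outside public_html.

const ARTICLE_DIR = __DIR__ . '/articles';
const SITE_LOG    = __DIR__ . '/../logs/site.log';

/** Returns [$ok, $html]; $html is already safe to echo. */
function viewArticle(string $name): array
{
    // Same whitelist as on the save side: "../", NUL bytes and HTML characters never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        return [false, 'Sorry, that is not a valid article name.'];
    }
    $path = ARTICLE_DIR . '/' . $name . '.txt';
    if (!is_file($path)) {
        return [false, 'Sorry, that article does not exist.'];   // point 4: check first
    }
    $body = @file_get_contents($path);
    if ($body === false) {
        $code = uniqid();   // opaque reference the visitor can quote back to you
        error_log(date('c') . " [$code] read failed for $path\n", 3, SITE_LOG);
        return [false, 'Sorry, we had an error (code ' . htmlspecialchars($code) . ').'];
    }
    // Points 1 and 5: escape on output, and let long words wrap inside the box.
    $html = '<div class="article" style="overflow-wrap:break-word">'
          . nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'))
          . '</div>';
    return [true, $html];
}

// Usage (assumed), at the top of viewarticle.php. display_errors off means no
// warning text is ever sent before the headers, which also fixes the
// "headers already sent" error quoted earlier in the thread.
ini_set('display_errors', '0');
list($ok, $html) = viewArticle(isset($_GET['name']) ? (string) $_GET['name'] : '');
http_response_code($ok ? 200 : 404);
echo $html;
```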

