Possibly a Vulnerable Site

[jackjackkiwi]

Im really new at this site site and first of all I have no intention and I'm am not suggesting that any malicious activity be done to the site I am about to mention, I am asking for strictly educational purposes.

Site edited out

At the bottom of each page it has errors and when you try to sign up it also returns with an error that looks like it could be vulnerable. I was just wondering if I am on to something or being totally mislead.

[WallShadow]

I'm surprised no one's bothered to look into this yet. As for the error, it's an error in the php file which adds a the document's footer. It's not a vulnerability in any sense as I see it. maybe you can toy around with it if it reads any variables before the error, but I doubt it. What I found to be interesting is the sign in. when placing single quotes into it, it returns the following:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'test'' at line 1

( 'test being the thing that I entered )

Anyone else have anything interesting?

[centip3de]

Some things I found:

When on the register page, and attempting to login:
1. You won't login
2. The URL bar then contains your user/pass (Edited out)

When attempting to register at all:
1. You get a parse error (Parse error: syntax error, unexpected '<' in /home/freeking/public_html/login.php on line 25)

When attempting to login:
1. If you try to use a simple SQL injection (x'='x) you won't get a wrong username or password error, in fact, nothing happens at all
2. Same thing happens with using 'admin' for both a username and password

[WallShadow]

Now that you mention it cent, your right, nothing happens, unless the quote is the first character you put into the username field

[centip3de]

More things I found:

All accounts are created:
1. Before I thought you would just get that error and would not be registered. However, if you go back to the site, and login with the user/pass combo you registered with before the error, it will log you in. Leading me to believe that there was an error in the redirection/automatic loging in portion of the PHP code.

Possible XSS:
1. If you register with a name, like <script> alert("t") </script>, you'll get the error, but if you follow the steps I talked about above, it works. Though it doesn't show your name, the CSS is all off a bit, and at the top left there is a (" ';} "). (Note: I signed up with this account, so you can login with the username "<script> alert("t") </script>" and password "jill" if you'd like (without quotes, of course).)

2. On further inspection, in the source code, there is a welcome section in the HTML. It looks like this:

Code: Select all


<td>
                 Welcome <b>Username</b>
               </td>



However, when using the above username (<script> alert("t") </script>), the script tags will be added to the HTML, thus, making it look like this:

Code: Select all

<td>
                 Welcome <b><script> alert("t") </script></b>
               </td>


But, no message box ever appears, making it appear as if the Javascript isn't executed.

3. After realizing this, I got the idea to try to make a username with an <a href> tag, to see if I could use it as a link, it worked. (Username: <a href="www.asdf.com">t</a> Pass: jill). In fact, I could click on the link as well. However, it then attempted to take me to "Edited out", kinda messing it up, but the fact that with some fancy coding XSS is still possible remains. But, they did implement a way to stop XSS... Sort of. You're only allowed to use 30 characters, making longer injections/possible links harder. And, every link is appended to "Edited out", so it ruins that option too. I am certain though, that someone, with much more knowledge than me, could find a way around this.

[WallShadow]

I've determined that the a possible SQL injection vulnerability is only available on Edited out page, only in the username field of the top right login form:



entering

'anything

will give you:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'anything'' at line 1

(note that is not a double quote, that is 2 single quotes)



entering

' OR '1'='1'

returns:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1



entering

' OR '1'='1

seems to to absolutely nothing >.<



entering

1' AND non_existant_table = '1

returns:

Unknown column 'non_existant_table' in 'where clause'



entering

' OR username IS NOT '1

returns:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1



entering

' OR '1'='1';--

returns:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--'' at line 1



I'm utterly confused, I've never actually done anything with SQL injection besides 1 mission here.

[LoGiCaL__]

Unfortunately even for educational purposes we still can't go and test out sites without permission. So I had to remove the links from the forums.