
Ok, now what...

PostPosted: Thu May 29, 2008 5:18 am
by Crystal_Bearer
First off, I'd like to lay some ground rules for posting in this thread. I mean, I'm making it, so I think I'm entitled. Spoilers should be enforced FAR more strictly here. That means NO listing files or directories. If you need to/want to know something, ask general topic questions; you can even make up an example if you want. Just remember... leave the site up and clean. It's a good thing to let everyone learn a thing or two.


I've found the login page, but I'm not sure how to use it. I'm not going to post where anything is (mainly for site security... although it really wasn't very hard to find...), but I personally am unfamiliar with this method of login (PHP with JS referencing). I'm assuming the use of JS injection, but the login references the code from a child dir. I hate to say that I'm over my head here, but I wonder if anyone has any advice. You can either leave it here or in a PM, depending on the nature of the advice. Thank you.

Re: Ok, now what...

PostPosted: Fri Jun 06, 2008 12:43 pm
by jetbackwards
Something to definitely consider is the fact that the site was developed by coders who know rather a lot about web security - if they know how to exploit something, they know how to prevent it being exploited...

A year or two back an ex-developer uploaded the site source code to the internet so people could get at it, and I know of no big hacks since then. Just look at the (frankly tiny) size of the hall of fame! Stuff is pretty secure.

I would be especially surprised if the login was insecure... though I suppose the only way to ensure security is to test it!

Re: Ok, now what...

PostPosted: Fri Jun 06, 2008 1:29 pm
by Nines
You'd be surprised.. The login is secure though.

I've found a hole that could potentially get admin access to the site. I wasn't able to exploit it though, even though I know it's vulnerable, so I've submitted it anyway and I'll give some more details when it's patched. :)

Re: Ok, now what...

PostPosted: Sat Jun 07, 2008 10:55 am
by djpitagora
jetbackwards wrote:Something to definitely consider is the fact that the site was developed by coders who know rather a lot about web security - if they know how to exploit something, they know how to prevent it being exploited...

A year or two back an ex-developer uploaded the site source code to the internet so people could get at it, and I know of no big hacks since then. Just look at the (frankly tiny) size of the hall of fame! Stuff is pretty secure.

I would be especially surprised if the login was insecure... though I suppose the only way to ensure security is to test it!

Exactly! Look at the HoF. Does that look secure to you? Imagine if it was an online banking site... hacked several times... not good :) Even the best make mistakes. In such a big project it's inevitable! Keep looking.

Re: Ok, now what...

PostPosted: Sun Jun 08, 2008 2:27 am
by Nines
Haha, last night Stenoplasma and I managed to use CSRF on the forums to get Administrator access to the site :)

HoF #3 :)

Re: Ok, now what...

PostPosted: Tue Jun 10, 2008 6:45 pm
by StenoPlasma
:D

Re: Ok, now what...

PostPosted: Wed Jun 18, 2008 10:32 pm
by crazycoolzac1
I found www.a***.h**********.*** which (I think) contains a security hole. I'm trying to figure out how Firebug or another one of my programs can help me. If anyone knows what I'm talking about, PM me and we'll talk.

Re: Ok, now what...

PostPosted: Thu Jun 19, 2008 2:43 am
by pitagora
crazycoolzac1 wrote:I found http://www.a***.h**********.*** which (I think) contains a security hole. I'm trying to figure out how Firebug or another one of my programs can help me. If anyone knows what I'm talking about, PM me and we'll talk.

If you are referring to the ad portal (admin.hackthissite), go get the source code (it's an open source application) and see if there is something you can exploit.

Re: Ok, now what...

PostPosted: Sun Jul 19, 2009 2:19 am
by evin674
Hint: if you know how to, set up a gateway and send a connection through, start IP flooding the site; it closes the proxy security and then you're in the file directory. Although I won't go from there, as it is illegal XD

Re: Ok, now what...

PostPosted: Tue Jan 12, 2021 2:59 pm
by ctrl See
<img src="http://url.to.file.which/not.exist" onerror=alert(This is a bug );>

-- Tue Jan 12, 2021 9:04 pm --

ctrl See wrote:<img src="http://url.to.file.which/not.exist" onerror=alert(This is a bug );>


I'm just trying lol, this is the best place for it, right? We are supposed to find a bug, so I'm trying.

[img]<img src="http://url.to.file.which/not.exist" onerror=alert(This is a bug );>[/img onerror=alert("This is a bug");]

<img src="http://url.to.file.which/not.exist" onerror=alert("This is a bug");>

-- Tue Jan 12, 2021 9:05 pm --

"'

-- Tue Jan 12, 2021 9:06 pm --

"; <img src="http://url.to.file.which/not.exist" onerror=alert("This is a bug");>; "
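The `<img onerror>` payloads posted above only fire if the forum writes the post body into the page as raw markup. The following is an added example, not code from the thread or from the site itself, showing the vulnerable rendering beside the hardened one; the `renderUnsafe`/`renderSafe` names and the assumption that the forum stores the raw post text and encodes it on output are mine. The event-handler check is a deliberately crude stand-in for a browser parser, sufficient here because it is only applied to the two render outputs in this example.

```javascript
// Added example (not part of the original thread): why the <img onerror>
// payload posted above is neutralized by HTML output encoding.
// Assumption: the forum stores the raw post body and renders it into a page.

// The exact payload from the last post, used as constructed sample input.
const POSTED_PAYLOAD =
  '<img src="http://url.to.file.which/not.exist" onerror=alert("This is a bug");>';

// Minimal HTML entity encoder, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering (hypothetical): post body concatenated straight into markup.
// A browser would create a real <img> element whose onerror handler runs
// as soon as the bogus URL fails to load.
function renderUnsafe(body) {
  return `<div class="post">${body}</div>`;
}

// Hardened rendering (hypothetical): the body passes through the encoder,
// so the browser sees the text "<img ...>" inside the div, not a tag.
function renderSafe(body) {
  return `<div class="post">${escapeHtml(body)}</div>`;
}

// Crude stand-in for a browser parser: is there a real tag that carries an
// on* event-handler attribute? Only meant for inspecting our own render
// outputs; it is not a general HTML sanitizer.
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Each of the four variants the poster tried, plus a single-quoted and an
// upper-cased one, to show the encoder handles them identically.
const VARIANTS = [
  POSTED_PAYLOAD,
  '<img src="http://url.to.file.which/not.exist" onerror=alert(This is a bug );>',
  '"; <img src="http://url.to.file.which/not.exist" onerror=alert("This is a bug");>; "',
  "<IMG SRC='http://url.to.file.which/not.exist' ONERROR='alert(1)'>",
];

// Returns, per variant, whether each rendering still carries a live handler.
function evaluateVariants(variants) {
  return variants.map((v) => ({
    unsafe: containsEventHandlerTag(renderUnsafe(v)),
    safe: containsEventHandlerTag(renderSafe(v)),
  }));
}

// Stand-alone demonstration.
for (const [i, r] of evaluateVariants(VARIANTS).entries()) {
  console.log(`variant ${i}: raw render fires handler=${r.unsafe}, encoded render fires handler=${r.safe}`);
}
```

Encoding on output is the right place for this defence because the stored post text stays intact (the poster's payload is still visible as text, which is what a bug-hunting thread wants) while nothing in it is interpreted as markup. Stripping `<script>` tags alone would not help here, since the payload never uses one.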