Hack my site, receive bitcoins

johnnyfla123

Sr. Member

Offline

Activity: 252
Merit: 250

Re: Hack my site, receive bitcoins

June 19, 2013, 09:49:29 PM

#21

Quote from: n4ru on June 19, 2013, 09:00:38 PM

Quote from: johnnyfla123 on June 19, 2013, 06:51:32 PM

Quote from: n4ru on June 19, 2013, 06:40:09 PM

I'll take a look into this, but it wouldn't explain why the hacker didn't cleanly deface the main page and left some odd escaped tags - this is what leads me to believe it was done ONLY using the form.

if he was using the form then he used sql injection which i provided the fix above for.

no new data in the database asking with permanently modifying the page says otherwise.

Is apache the only other potential beach?

Ive dealt with apache holes in the past. Most professional hosts have those blocked as its really easy to block the holes. The problem i saw with your website and what you are describing is that he jsut sql injected. I cannot recreate what he did exactly but if you look up sql injections you will see a boatload of different ones that can be used to gain super/root access to database's etc. I believe he just used a simple sql injection. my script i provided you with just looks for sql injection like codes put it. it logs the string they used, the ip, and a few other things in a .txt named [WEB]SQL_Injection.txt. and example of logs are here:

Quote

IP: 142.68.145.165
Method: COOKIE
Value: {"distinct_id": "75dde009-e9fe-4dd3-a685-b758925f480f","$initial_referrer": "$direct","$initial_referring_domain": "$direct"}
Script:
Time: Sunday 20th 2012f May 2012 03:48:52 PM
==================================

this guy tried to send that value to inject something into my game servers website database. failed as you an see. logs it for you to do w/e with. whati do with the ips is i just ban them from my game, websites, etc which is really easy to do. If you like to have some fun you can use his ip to find out were he lives, sniff the ip for open ports, security holes so that then you can put a "suprise" on his computer. i don't condone doing this just and example

i put this on anything that has any contact with my database. also your config files on your website * i didnt sniff your site* but you should block access to stuff that a normal user should not have access to using .htaccess. cpanel also has a feature to do this for you. im old school so i write my .htaccess by hand.

codingagency.com anonymous and offshore vps and webhosting!

papaminer

Sr. Member

Offline

Activity: 462
Merit: 250

Free World

Re: Hack my site, receive bitcoins

June 19, 2013, 09:52:02 PM

#22

it probably your little 10yr old sister... who knows user/pass Tongue

j/k

฿: 1L7dSte4Rs4KyyxRCgrqSWYtkXdAb4Gy1z

MORE INFO ABOUT ME: BTC

johnnyfla123

Sr. Member

Offline

Activity: 252
Merit: 250

Re: Hack my site, receive bitcoins

June 19, 2013, 10:25:09 PM

#23

Quote from: papaminer on June 19, 2013, 09:52:02 PM

it probably your little 10yr old sister... who knows user/pass Tongue

j/k

lol could be :x

codingagency.com anonymous and offshore vps and webhosting!

johnnyfla123

Sr. Member

Offline

Activity: 252
Merit: 250

Re: Hack my site, receive bitcoins

June 19, 2013, 10:55:39 PM

#24

Quote from: n4ru on June 19, 2013, 09:00:38 PM

Quote from: johnnyfla123 on June 19, 2013, 06:51:32 PM

Quote from: n4ru on June 19, 2013, 06:40:09 PM

if he was using the form then he used sql injection which i provided the fix above for.

no new data in the database asking with permanently modifying the page says otherwise.

Is apache the only other potential beach?

apache doesn't look like it is a potential issue unless you are using stock apache. lol if you are using cpanel or plesk for the webhost then it should be fine. the only i found was the sql. running a sniffer on your site brought up no holes in security for me at least. : P the only way he could of gotten access to the database is 1 if you have remote login. and 2 if you didnt have slq protected inputs. which you fixed i guess.

codingagency.com anonymous and offshore vps and webhosting!

Inedible

Hero Member

Offline

Activity: 700
Merit: 500

What doesn't kill you only makes you sicker!

Re: Hack my site, receive bitcoins

June 19, 2013, 11:00:49 PM

#25

I think the point everyone is missing is that the PHP file was altered.

Not something that's easy to do from the database.

If this post was useful, interesting or entertaining, then you've misunderstood.

🏰 TradeFortress 🏰

Bitcoin Veteran
VIP
Legendary

Offline

Activity: 1316
Merit: 1043

👻

Re: Hack my site, receive bitcoins

June 19, 2013, 11:02:11 PM

#26

Do you use eval() anywhere?

td204

Newbie

Offline

Activity: 31
Merit: 0

Re: Hack my site, receive bitcoins

June 19, 2013, 11:08:42 PM

#27

Just as a sanity check; the screenshot you provided, is this what you actually saw yourself?
Or is this what the 'hacker' provided you with?

I did some checks on your website, but there is nothing really compromised as far as I can see.
I did manage to register on your website and inject some code into scan.php
e.g.: http://198.12.67.18/test/scan.php?code=%22%22%3ETroolol%3Ca

By some source-code reviewing I saw you had used a login-script you downloaded somewhere ("Registration/Login Form by html-form-guide.com"). By downloading the package I found out which php-files exist in your directory (or existed) and managed to register myself as user "test".

Didn't spend a lot of time, but maybe the code is vulnerable somewhere. The package I downloaded seems okay.. did you get an older version?

vit1988

Sr. Member

Offline

Activity: 313
Merit: 250

i ♥ coinichiwa

Re: Hack my site, receive bitcoins

June 19, 2013, 11:10:44 PM

#28

Well... the form is vulnerable to XSS (and screenshot looks like, too) as single quotes in inputs are not escaped... but that alone would not gain him database credentials. did he really modify some files or only made it look like they were modified?

Can you provide the php source code? A code rewiew would be easier than blind guessing.

Proof for XSS:
enter

Code:

' onfocus='alert(1337)

as user (or pass) and click on the input field afterwards. Could also be used in a similar way to inject images/html code into the website or steal cookies.

◇ BTC Jackpot

████████████████████

C^O^I^NICH^I^WA

Faster than "the world's fastest bitcoin dice" ◇
█████████████████████████████ [∷] [∴] [ : ] [ • ] ███████████████████████████████

n4ru (OP)

Sr. Member

Offline

Activity: 350
Merit: 250

Re: Hack my site, receive bitcoins

June 20, 2013, 05:11:27 AM
Last edit: June 20, 2013, 06:28:42 AM by n4ru

#29

Quote from: Inedible on June 19, 2013, 11:00:49 PM

I think the point everyone is missing is that the PHP file was altered.

Not something that's easy to do from the database.

This.

Quote from: TradeFortress on June 19, 2013, 11:02:11 PM

Do you use eval() anywhere?

No.

Quote from: td204 on June 19, 2013, 11:08:42 PM

That is what I saw and everyone else visiting my site.

Quote from: vit1988 on June 19, 2013, 11:10:44 PM

Code:

' onfocus='alert(1337)

as user (or pass) and click on the input field afterwards. Could also be used in a similar way to inject images/html code into the website or steal cookies.

He blind hacked it in minutes without source access, so I am offering the bounty for the same thing. td204 is right in that I am using that 3rd party form for logins, so you can look for it and see the source.

🏰 TradeFortress 🏰

Bitcoin Veteran
VIP
Legendary

Offline

Activity: 1316
Merit: 1043

👻

Re: Hack my site, receive bitcoins

June 20, 2013, 09:00:14 AM

#30

Quote

He blind hacked it in minutes without source access, so I am offering the bounty for the same thing.

What? You know that you pay 0.05 BTC regardless, so why not make it faster by (privately) releasing the source?

Also, check access logs.

vit1988

Sr. Member

Offline

Activity: 313
Merit: 250

i ♥ coinichiwa

⇾ Re: Hack my site, receive bitcoins

June 20, 2013, 09:09:43 AM

#31

Quote from: n4ru on June 20, 2013, 05:11:27 AM

Did you get my PM? It's not the 3rd party part, it's (at least) your custom save script.

◇ BTC Jackpot

████████████████████

C^O^I^NICH^I^WA

Inedible

Hero Member

Offline

Activity: 700
Merit: 500

What doesn't kill you only makes you sicker!

Re: Hack my site, receive bitcoins

June 20, 2013, 09:34:58 AM

#32

Quote from: n4ru on June 20, 2013, 05:11:27 AM

I can understand why you're doing this as it recreates the environment that the hacker had but if you give everyone a copy of your source it'll

a) prevent duplication of effort
b) make it easier for people to debug
c) other bugs might be identified for you
d) will get you a much better response as you're only providing $5 for what amounts to penetration testing

If this post was useful, interesting or entertaining, then you've misunderstood.

bernard75

Legendary

Offline

Activity: 1316
Merit: 1003

Re: Hack my site, receive bitcoins

June 20, 2013, 12:35:19 PM

#33

Can somebody check my site for a bounty?
PM me.

buyer

Newbie

Offline

Activity: 56
Merit: 0

Re: Hack my site, receive bitcoins

June 21, 2013, 01:52:45 AM

#34

I'll check both your sites, but your bounty is low... checking now....

buyer

Newbie

Offline

Activity: 56
Merit: 0

Re: Hack my site, receive bitcoins

June 21, 2013, 02:06:55 AM
Last edit: June 21, 2013, 02:36:55 AM by buyer

#35

dear OP. turn off your website. it's bad.

back in a couple.

short version:
You have more than 30 vulnerabilities including a severe one that you need to address immediately. I've only completed 5% of my scan.

I think I found your problem.

sending report via PM

grue

Legendary

Offline

Activity: 2058
Merit: 1431

Re: Hack my site, receive bitcoins

June 21, 2013, 02:44:36 AM

#36

Quote from: buyer on June 21, 2013, 02:06:55 AM

short version:
You have more than 30 vulnerabilities including a severe one that you need to address immediately. I've only completed 5% of my scan.

This sounds like those "your computer has 9001 viruses! click here for free security scan" ads.

It is pitch black. You are likely to be eaten by a grue.

Adblock for annoying signature ads | Enhanced Merit UI

n4ru (OP)

Sr. Member

Offline

Activity: 350
Merit: 250

Re: Hack my site, receive bitcoins

June 21, 2013, 03:07:51 AM

#37

Quote from: buyer on June 21, 2013, 02:06:55 AM

Actually, you didn't find anything but the already existing XSS that I knew about... using Web Vulnerability Scanner.

buyer

Newbie

Offline

Activity: 56
Merit: 0

Re: Hack my site, receive bitcoins

June 21, 2013, 03:37:51 AM
Last edit: June 21, 2013, 03:53:19 AM by buyer

#38

lol, oh ok... so the 49 vulnerabilities including 25 serious ones mean nothing.
why are you asking for help if you obviously know it all and can't learn a thing?
my assessment of your high school coding is worth thousands.

jackass

here's the report I sent the idiot op, don't waste your time tryng to earn his pittance offer

http://s3.postimg.org/rnegf0m6n/Untitled.jpg

Quote from: buyer on June 21, 2013, 02:41:01 AM

I hit your server 25,000 times. You have serious vulnerabilities as listed in this image:
http://postimg.org/image/rnegf0m6n/

06.20 20:04.24, Started scanning http://http:80//198.12.67.18/test:80/ ...
06.20 20:04.24, Start URL : http://http:80//198.12.67.18/test:80/
06.20 20:04.24, Scanning Mode : Heuristic
06.20 20:04.24, Server banner: Unknown
06.20 20:04.25, Crawling started, URL: http://http//198.12.67.18/test:80/
06.20 20:04.26, Unable to detect custom 404 pattern automatically.
06.20 20:04.26, Some crawling options will be automatically disabled.
06.20 20:04.26, Processing file /198.12.67.18/test:80
06.20 20:04.27, Analyzing client side JavaScripts
06.20 20:04.27, Analyzing file: http://http/198.12.67.18/test:80/
06.20 20:04.27, Script analysis done
06.20 20:04.27, Processing file /198.12.67.18/test:80 (variation 1)
06.20 20:04.27, Processing file /198.12.67.18/test:80 (variation 2)
06.20 20:04.27, Searching for possible site errors.
06.20 20:04.27, Searching for aspect alerts.
06.20 20:04.27, Crawling done.
06.20 20:04.27, Scanning started.
06.20 20:05.20, Finished scanning.
06.20 20:05.20, Flush file buffers.
06.20 20:05.41, Started scanning http://198.12.67.18:80/test:80/ ...
06.20 20:05.41, Start URL : http://198.12.67.18:80/test:80/
06.20 20:05.41, Scanning Mode : Heuristic
06.20 20:05.41, Server banner: Apache 2.x
06.20 20:05.41, Crawling started, URL: http://198.12.67.18/test:80/
06.20 20:05.42, Apache mod_negotiation filename bruteforcing
06.20 20:05.42, Error page Web Server version disclosure
06.20 20:05.43, Searching for possible site errors.
06.20 20:05.43, Searching for aspect alerts.
06.20 20:05.43, Crawling done.
06.20 20:05.43, Scanning started.
06.20 20:05.45, Apache httpd Remote Denial of Service
06.20 20:06.00, CSRF testing finished.
06.20 20:06.00, Finished scanning.
06.20 20:06.00, Flush file buffers.
06.20 20:06.47, Started scanning http://198.12.67.18:80/ ...
06.20 20:06.47, Start URL : http://198.12.67.18:80/
06.20 20:06.47, Scanning Mode : Heuristic
06.20 20:06.47, Server banner: Apache 2.x
06.20 20:06.47, Crawling started, URL: http://198.12.67.18/
06.20 20:06.49, Processing file /
06.20 20:06.49, Apache mod_negotiation filename bruteforcing
06.20 20:06.49, Error page Web Server version disclosure
06.20 20:06.51, Analyzing client side JavaScripts
06.20 20:06.51, Analyzing file: http://198.12.67.18/
06.20 20:06.51, Script analysis done
06.20 20:06.51, Processing file / (variation 1)
06.20 20:06.51, Processing file / (variation 2)
06.20 20:06.51, Searching for possible site errors.
06.20 20:06.51, Searching for aspect alerts.
06.20 20:06.51, Crawling done.
06.20 20:06.51, Scanning started.
06.20 20:06.51, Apache httpd Remote Denial of Service
06.20 20:07.08, Possible sensitive files
06.20 20:07.12, Possible sensitive directories
06.20 20:07.15, Possible sensitive directories
06.20 20:07.53, Restart crawling
06.20 20:07.53, Processing file /test.php
06.20 20:07.53, Processing file /phpmyadmin
06.20 20:07.53, Processing file /test
06.20 20:07.53, Processing file /index.php
06.20 20:07.54, Processing file /test
06.20 20:07.54, Processing file /phpmyadmin
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /test/basic.css
06.20 20:07.54, Processing file /test/login.php
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /phpmyadmin/index.php
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /phpmyadmin/index.php (variation 1)
06.20 20:07.54, Processing file /phpmyadmin/themes
06.20 20:07.54, Processing file /phpmyadmin/index.php (variation 2)
06.20 20:07.54, Password type input with auto-complete enabled
06.20 20:07.54, User credentials are sent in clear text
06.20 20:07.54, Processing file /phpmyadmin/index.php (variation 4)
06.20 20:07.54, Processing file /phpmyadmin/themes/original
06.20 20:07.54, Processing file /phpmyadmin/themes/original/img
06.20 20:07.54, Processing file /phpmyadmin/phpmyadmin.css.php
06.20 20:07.54, Processing file /phpmyadmin/Documentation.html
06.20 20:07.55, Processing file /phpmyadmin/Documentation.html (variation 1)
06.20 20:07.56, Processing file /phpmyadmin/print.css
06.20 20:07.56, Processing file /phpmyadmin/phpmyadmin.css.php (variation 1)
06.20 20:07.56, Session token in URL
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 3)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, User credentials are sent in clear text
06.20 20:07.56, Processing file /test/style/fg_membersite.css
06.20 20:07.56, Broken links
06.20 20:07.56, Processing file /test/scripts/gen_validatorv31.js
06.20 20:07.56, Processing file /test/style
06.20 20:07.56, Processing file /test/login.php (variation 1)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, Processing file /test/UPC.ttf
06.20 20:07.56, Processing file /phpmyadmin/themes
06.20 20:07.56, Processing file /phpmyadmin/themes/original
06.20 20:07.56, Processing file /phpmyadmin/phpmyadmin.css.php (variation 2)
06.20 20:07.56, Session token in URL
06.20 20:07.56, Processing file /phpmyadmin/themes/original/img
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 7)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, User credentials are sent in clear text
06.20 20:07.56, Broken links
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 5)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, Processing file /phpmyadmin/index.php (variation 9)
06.20 20:07.56, Password type input with auto-complete enabled
06.20 20:07.56, Session token in URL
06.20 20:07.56, Processing file /phpmyadmin/changelog.php
06.20 20:07.57, Processing file /phpmyadmin/docs.css
06.20 20:07.57, Processing file /phpmyadmin/index.php (variation 6)
06.20 20:07.57, Processing file /phpmyadmin/index.php (variation Cool

06.20 20:07.57, Processing file /phpmyadmin/translators.html
06.20 20:07.57, Broken links
06.20 20:07.57, Processing file /phpmyadmin/license.php
06.20 20:07.57, Processing file /test/scripts
06.20 20:08.06, Processing file /test/style
06.20 20:08.06, Processing file /test/scripts
06.20 20:08.08, Processing file /phpmyadmin/setup
06.20 20:08.08, Analyzing client side JavaScripts
06.20 20:08.08, Analyzing file: http://198.12.67.18/phpmyadmin/
06.20 20:08.08, Analyzing file: http://198.12.67.18/test/login.php
06.20 20:08.08, Script analysis done
06.20 20:08.08, Processing file /phpmyadmin/index.php (variation 11)
06.20 20:08.08, Password type input with auto-complete enabled
06.20 20:08.08, Processing file /phpmyadmin/index.php (variation 10)
06.20 20:08.08, Password type input with auto-complete enabled
06.20 20:08.08, Processing file /phpmyadmin/index.php (variation 12)
06.20 20:08.08, Password type input with auto-complete enabled
06.20 20:08.08, Searching for possible site errors.
06.20 20:08.08, Searching for aspect alerts.
06.20 20:08.08, Session Cookie without HttpOnly flag set
06.20 20:08.08, Session Cookie without Secure flag set
06.20 20:08.08, Crawling done.
06.20 20:08.08, Scanning started.
06.20 20:08.18, Cross Site Scripting (verified)
06.20 20:35.33, Cross Site Scripting (verified)
06.20 20:35.33, Possible username or password disclosure
06.20 20:35.37, Possible server path disclosure (Unix)
06.20 20:35.37, Possible username or password disclosure
06.20 20:35.38, Error message on page
06.20 20:35.39, Email address found
06.20 20:35.40, Email address found
06.20 20:35.40, Possible server path disclosure (Unix)
06.20 20:36.09, Possible sensitive directories

n4ru (OP)

Sr. Member

Offline

Activity: 350
Merit: 250

Re: Hack my site, receive bitcoins

June 21, 2013, 03:48:10 AM

#39

Quote from: buyer on June 21, 2013, 03:37:51 AM

Quote from: buyer on June 21, 2013, 02:41:01 AM

Running an app you downloaded is so serious bro. Especially when it finds the one "serious" vuln that I already knew about.

Skid' on out of here.

buyer

Newbie

Offline

Activity: 56
Merit: 0

Re: Hack my site, receive bitcoins

June 21, 2013, 03:56:37 AM

#40

Gee if you see the problem why are you still allowing hackers full access to your buddies server? nm, you clearly know what you are doing. Roll Eyes

Pages: « 1 [2] All

Bitcoin Forum > Economy > Marketplace > Services > Hack my site, receive bitcoins

« previous topic next topic »