Bitcoin Forum
Poll
Question: From the looks of things so far would you trust purchasing from Cheaper In Bitcoins?
Yes, more than likely
Yes, sure I'll try it out
Yes, but nothing pricey
Definitely not
Definitely not, the website developer was really negligent

Author Topic: [Hack-A-Thon: Round 2 ended] Hack my site  (Read 5221 times)
phorensic (Hero Member)
August 18, 2011, 04:28:39 AM  #41

While in any category, such as "http://www.cheaperinbitcoins.com/showcategory.php?cateId=25", the "Grid" and "List" icon links are broken.

Grid:
Code:
Not Found

The requested URL /listing_4.html was not found on this server.

Apache/2.2.14 (Ubuntu) Server at www.cheaperinbitcoins.com Port 80

List:
Code:
Not Found

The requested URL /listing_3.html was not found on this server.

Apache/2.2.14 (Ubuntu) Server at www.cheaperinbitcoins.com Port 80

Sitemap link is 404 also.
Xenland (Legendary)
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 04:48:09 AM  #42

> Chrome 14.0.835.35.  Item title goes behind BTC price.  I believe the offending div is "s_item_clearfix".  Repeats on many other items.
>
> Are you looking for layout quirks like that also, or only security holes?

Looking for security holes.

Just as a note, some products have only been imported from XML files; there is still work to be done on the titles as well as the descriptions.
Xenland (Legendary)
August 18, 2011, 04:49:44 AM  #43

Quote from: phorensic on August 18, 2011, 04:28:39 AM (post #41 above)

Yeah, that will count, since those were supposed to be finished in the final product.
Payments will be awarded at the end of the week (end of round 1).
Xenland (Legendary)
August 18, 2011, 04:52:34 AM  #44

> I tried to check out.. and I got this error:
>
> "Fatal error: Uncaught BitcoinClientException:
>   • : Connect error: Connection refused (111) thrown in on line 0"
>
> Probably just means your bitcoind is down...
>
> Oh.. BTW... what are your validation rules for zip code?  I'm in Canada, and our postal codes have letters in them.... if you're going to ship internationally, allow letters in zip code plz.
>
> Perhaps just a slight oversight: your link on the top menu to register is broken.
> "The requested URL /register.php was not found on this server."


I have started the bitcoin daemon, so there should be no more bitcoin client exception errors.

I'll count the /register.php error.

About your zip code question: I will in the future be able to ship internationally, but at the moment I'm starting small and only shipping in the USA. Once I start to get the hang of things I'll look into shipping internationally. Thanks!

Use zip code 96001 if you need a USA zip code.

Valid formats should be 00000-0000.
indicasteve (Full Member)
August 18, 2011, 04:57:34 AM  #45

I can run my own javascript on your site!

Put this in the search...  <a href=#  onmouseover=alert(666);return true>Hello</a>

Then after it searches, put your mouse over the word Hello... the numbers 666 will pop up in a javascript alert box.






Art Express!  Native American Art, Crafts and Weapons!  coingig.com/ArtExpress
DannyM (Sr. Member)
August 18, 2011, 05:18:12 AM  #46

SQL injection in qty parameter of cart.php?

If you send a single quote (') for the qty parameter,

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00'

you get a mysql database error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' at line 4

If you use two single quotes instead:

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00''

you don't get the error:

Code:
HTTP/1.1 302 Found
Date: Thu, 18 Aug 2011 04:21:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Location: /login.php?
Vary: Accept-Encoding
Content-Length: 13
Connection: close
Content-Type: text/html


So it looks like the site tries to block SQL injection, but you just URL-encode a NULL (%00) before the quote or whatever's getting blocked, and you've gotten around the filter.

So is this some kind of php extension that's checking for sql injection characters like the single quote?

Did you develop the shopping cart in-house, or is it "third-party" software?

Can you show us the code?

While it doesn't fix or prevent the underlying sql injection issue in the php code, I would have your developer add some more "friendly" and generic error handling so these mysql errors don't get sent back to the user.

I'm sure by the time I finish typing this someone will show you how to actually exploit the sql injection vulnerability.
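The fix for the cart.php bug class above, as an added example in PHP that is not the site's code and not from DannyM's post: qty is accepted only if it is a plain run of ASCII digits, and the query binds it as an integer through a prepared statement instead of blacklisting or escaping characters. The `$pdo` connection, the `cart` table and the helper names (`parse_positive_int`, `add_to_cart`, `handle_add`) are assumptions; the code runs on the PHP 5.3 line the response headers show.

```php
<?php
// Added example, not code from the thread or from the site. Assumes a PDO
// connection $pdo and a table `cart` (product_id INT, qty INT).
// Defence for the qty parameter: allow-list validation plus parameter binding.
// No character blacklist is involved, so there is nothing for a NUL byte to slip past.

// Constructed samples, including the exact body from the post: "1" + NUL + "'".
$samples = array("1", "42", "1\0'", "1\0''", "1 OR 1=1", "", "007", "-3");

// Returns the value as a positive int, or false if it is anything other than
// 1..6 ASCII digits. ctype_digit() rejects the NUL byte, quotes, spaces, signs
// and the empty string; the string cast guards ctype_digit()'s integer-input
// quirk (it treats ints as character codes).
function parse_positive_int($raw)
{
    $raw = (string) $raw;
    if (strlen($raw) < 1 || strlen($raw) > 6 || !ctype_digit($raw)) {
        return false;
    }
    $n = (int) $raw;
    return $n > 0 ? $n : false;
}

// Inserts with bound integer parameters; the values cannot alter the SQL text.
function add_to_cart(PDO $pdo, $productId, $qty)
{
    $stmt = $pdo->prepare('INSERT INTO cart (product_id, qty) VALUES (:pid, :qty)');
    $stmt->bindValue(':pid', (int) $productId, PDO::PARAM_INT);
    $stmt->bindValue(':qty', (int) $qty, PDO::PARAM_INT);
    return $stmt->execute();
}

// Request handling sketch: reject bad input before touching the database, and
// log a generic message rather than echoing the MySQL error back to the client.
function handle_add($pdo, $params)
{
    $qty = parse_positive_int(isset($params['qty']) ? $params['qty'] : '');
    $pid = parse_positive_int(isset($params['productId']) ? $params['productId'] : '');
    if ($qty === false || $pid === false) {
        return 'HTTP/1.1 400 Bad Request';
    }
    try {
        add_to_cart($pdo, $pid, $qty);
    } catch (PDOException $e) {
        error_log('cart insert failed: ' . $e->getMessage());
        return 'HTTP/1.1 500 Internal Server Error';
    }
    return 'HTTP/1.1 302 Found';
}

foreach ($samples as $s) {
    printf("%-14s -> %s\n", json_encode($s), var_export(parse_positive_int($s), true));
}
```

Only "1", "42" and "007" survive validation; the NUL-prefixed quote, the blank value and the negative number are all refused before any SQL is built.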
DannyM (Sr. Member)
August 18, 2011, 05:32:46 AM  #47

SQL injection in cateId parameter - showcategory.php

Add ' to the end of the cateId,

Code:
GET /showcategory.php?cateId=25' HTTP/1.1

and you get another (very helpful and informative) mysql database error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\' ORDER BY `id` DESC LIMIT 0,10' at line 1

Now if you just change the way the app handles that error and simply don't send the details back to the user, WE STILL KNOW THE VULN IS THERE, so that won't work, you need to really fix it.

I've gotta go, but maybe tomorrow I'll post some more if everyone else didn't already get to everything.



indicasteve (Full Member)
August 18, 2011, 05:38:57 AM  #48




Oh...  I also put some strange inputs in account details for some test accounts I made.  Take a look in your back end pages that list your user accounts.  Look through your users' account details for any HTML or javascript that hasn't been escaped properly.


Art Express!  Native American Art, Crafts and Weapons!  coingig.com/ArtExpress
Xenland
Legendary
*
Offline Offline

Activity: 980


I'm not just any shaman, I'm a Sha256man


View Profile
August 18, 2011, 05:52:21 AM
 #49



Quote from: indicasteve on August 18, 2011, 05:38:57 AM (post #48 above)



I was attempting to check but I can't seem to gain access to my database at all at this point.
indicasteve (Full Member)
August 18, 2011, 05:55:46 AM  #50

Here is some code I used to use whenever I have a page that connects to the DB. I put this code in my PHP include that is at the top of the page, before any other code is run.

Maybe someone else can verify it will help....

Code:
// Run from the top-of-page include, after the MySQL connection is opened:
// mysql_real_escape_string() escapes according to the open connection's charset.
// array_map() only touches the top level, so array-valued inputs such as
// a[]=1 would reach the callbacks as arrays; these helpers recurse instead.
function escape_recursive($v)
{
  return is_array($v) ? array_map('escape_recursive', $v) : mysql_real_escape_string($v);
}
function strip_recursive($v)
{
  return is_array($v) ? array_map('strip_recursive', $v) : stripslashes($v);
}

if(!get_magic_quotes_gpc())
{
  // magic_quotes_gpc off: the input is raw, escape it once.
  $_GET = escape_recursive($_GET);
  $_POST = escape_recursive($_POST);
  $_COOKIE = escape_recursive($_COOKIE);
}
else
{
  // magic_quotes_gpc on: PHP already added backslashes; strip them first so
  // nothing is escaped twice, then escape properly.
  $_GET = escape_recursive(strip_recursive($_GET));
  $_POST = escape_recursive(strip_recursive($_POST));
  $_COOKIE = escape_recursive(strip_recursive($_COOKIE));
}

It's just a quick and dirty way to escape everything as it comes in, but you should still escape stuff just before it hits the DB too, or use prepared statements; they help a lot.

 
Edit: Also note that this function won't escape HTML entities '<>'... you should escape those just prior to being displayed on screen.
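The display-time encoding that the post above says its snippet does not cover, as an added PHP example (not code from the thread or from the site): the search string posted earlier in this thread and a constructed email value are rendered once unsafely and once through `htmlspecialchars()`. The helper names (`h`, `render_results`, `render_results_unsafe`, `render_account_row`) and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread. The escaping snippet above protects only
// the SQL layer; HTML output needs its own encoding at display time. Sample values
// are constructed, including the search string posted earlier in this thread.

$searchTerm = '<a href=#  onmouseover=alert(666);return true>Hello</a>';
$userEmail  = 'bob@example.invalid"><script>alert(1)</script>';

// HTML-encode a value for placement in a text node or a quoted attribute.
// ENT_QUOTES handles both quote styles; the explicit charset matters, since a
// mismatched charset can let multi-byte sequences through unencoded.
// htmlspecialchars() with these arguments is available on PHP 5.3.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable: the raw term becomes live markup, so the onmouseover handler runs.
function render_results_unsafe($term)
{
    return "<p>Results for: $term</p>";
}

// Hardened: the same term is displayed literally; <, >, " and ' are all encoded.
function render_results($term)
{
    return '<p>Results for: ' . h($term) . '</p>';
}

// The back-end account listing needs the same treatment for every stored field,
// because mysql_real_escape_string() at insert time does not touch < or >.
function render_account_row($email)
{
    return '<tr><td>' . h($email) . '</td></tr>';
}

echo render_results_unsafe($searchTerm), PHP_EOL;
echo render_results($searchTerm), PHP_EOL;
echo render_account_row($userEmail), PHP_EOL;
```

The second and third lines of output contain `&lt;a href=#` and `&lt;script&gt;` rather than tags, so the browser shows the text and executes nothing.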
Xenland (Legendary)
August 18, 2011, 03:55:13 PM  #51

Hack-a-thon: round 1 will close at the end of the 18th, 11:59 pm.
Payments will be provided at that time; I will be PMing soon for bitcoin addresses.
Xenland (Legendary)
August 18, 2011, 07:01:19 PM  #52

Apparently the product images don't work on the live server, only on my local one. This should be fixed next round.

Server is being taken down..... I'm switching servers. This may take at least 24 hours.
brandon@sourcewerks (Member)
August 18, 2011, 09:37:15 PM  #53

Take a look at some of the email addresses that were submitted.  I was able to submit full PHP statements and have them accepted.  Which means I can implant code snippets in the database for later use.

I.e. you do a JOIN with first name and last name to display on a page, and you will begin assembling code snippets for me.

You need conditionals to test for exactly the type of data that will be submitted in each form field and, most importantly, escape anything and everything being submitted to you in forms.  And lastly, escape everything.
Xenland (Legendary)
August 18, 2011, 10:23:21 PM  #54

Quote from: DannyM on August 18, 2011, 05:18:12 AM (post #46 above)

From what I can tell you, I've basically just mysql_real_escape_string()'d everything before it gets sent to functions, and the functions themselves mysql_real_escape_string() it as well.
Xenland (Legendary)
August 18, 2011, 10:24:56 PM  #55

I will be requesting payment addresses today while I fix up the new server. Round 2 starts at 12am Pacific Standard Time and will go on as long as it must.
brandon@sourcewerks (Member)
August 18, 2011, 10:30:38 PM  #56

Quote from: Xenland on August 18, 2011, 10:23:21 PM (post #54 above, replying to DannyM's post #46)
> From what I can tell you, I've basically just mysql_real_escape_string()'d everything before it gets sent to functions, and the functions themselves mysql_real_escape_string() it as well.

Use PHP exceptions to check form input and handle any errors (i.e. try/catch).  You can even extend the exception class to your liking.  I am willing to help you with this if need be.
Xenland (Legendary)
August 18, 2011, 10:57:18 PM  #57

Quote from: brandon@sourcewerks on August 18, 2011, 10:30:38 PM (post #56 above)
> Use PHP exceptions to check form input and handle any errors (i.e. try/catch).  You can even extend the exception class to your liking.  I am willing to help you with this if need be.

Yes, I'll definitely need some assistance with escaping.

PM'ing
indicasteve (Full Member)
August 19, 2011, 01:49:31 AM  #58

Thanks for the bounty!

Xenland (Legendary)
August 19, 2011, 07:07:00 PM  #59

I know I said the hack-a-thon would start at 12am today, but I haven't uploaded the new files. So I'm doing that right now; it should only take 30 minutes, then the hack-a-thon will resume.
Xenland (Legendary)
August 19, 2011, 07:18:13 PM  #60

Hack-A-Thon is a go.

I've patched up some things and edited some stuff; let me know if you find anything this time. After this round I plan on having some discussions with those that have offered to help, to get right down to PHP security.