Bitcoin Forum
December 07, 2016, 08:24:19 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Poll
Question: From the looks of things so far would you trust purchasing from Cheaper In Bitcoins?
Yes more then likely
Yes, sure I'll try it out
Yes, but nothing pricey
Deffinatly not
Deffinatly not, the website developer was really neglagent

Pages: « 1 2 3 [4]  All
  Print  
Author Topic: [Hack-A-Thon: Round 2 ended] Hack my site  (Read 5218 times)
brandon@sourcewerks
Member
**
Offline Offline

Activity: 62



View Profile
August 19, 2011, 10:05:01 PM
 #61

On it. Trying a few other angles this go around...  Wink
1481142259
Hero Member
*
Offline Offline

Posts: 1481142259

View Profile Personal Message (Offline)

Ignore
1481142259
Reply with quote  #2

1481142259
Report to moderator
1481142259
Hero Member
*
Offline Offline

Posts: 1481142259

View Profile Personal Message (Offline)

Ignore
1481142259
Reply with quote  #2

1481142259
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481142259
Hero Member
*
Offline Offline

Posts: 1481142259

View Profile Personal Message (Offline)

Ignore
1481142259
Reply with quote  #2

1481142259
Report to moderator
brandon@sourcewerks
Member
**
Offline Offline

Activity: 62



View Profile
August 19, 2011, 10:52:07 PM
 #62

1) login.php is transmitting the password over regular HTTP. 

2)I'm still able to insert Javascript/Perl/PHP/SQL into your database

And you should be able to watch some of the things I'm doing right now... I'm giving your forms a workout.  Grin
Xenland
Legendary
*
Offline Offline

Activity: 980


I'm not just any shaman, I'm a Sha256man


View Profile
August 19, 2011, 10:57:17 PM
 #63

login.php is transmitting the password over regular HTTP.

Which reminds me to setup the SSL certs on the new server. Thanks mate!
brandon@sourcewerks
Member
**
Offline Offline

Activity: 62



View Profile
August 19, 2011, 10:59:47 PM
 #64

Is it OK to go after the database server itself?

I won't kill it.  Grin
brandon@sourcewerks
Member
**
Offline Offline

Activity: 62



View Profile
August 19, 2011, 11:40:56 PM
 #65

Nitpicking...

Apache/2.2.17 (Ubuntu)
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

PHP/5.3.5-1ubuntu7
Your PHP version is being displayed in HTTP response.

Cookie was not marked as HTTPOnly
HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

register_password form field in login.php allows autocomplete
disable autocomplete

Apache MultiViews option is enabled
This vulnerability can be used for locating and obtaining access to some hidden resources.

Say when...  Grin



Xenland
Legendary
*
Offline Offline

Activity: 980


I'm not just any shaman, I'm a Sha256man


View Profile
August 19, 2011, 11:48:05 PM
 #66

Is it OK to go after the database server itself?

I won't kill it.  Grin

I encourage you to extract database information and provide a pastebin on it Cheesy

Something like that includes bonus rewards
Xenland
Legendary
*
Offline Offline

Activity: 980


I'm not just any shaman, I'm a Sha256man


View Profile
August 20, 2011, 01:10:44 AM
 #67

Looks like i forgot to reset prices back to .01BTC I'll change that so everyone can continue to test the shopping cart system and the refund system. Please PM if you you deposit money as I haven't made an admin panel that will notify me of such things and must to manual lookups.
Xenland
Legendary
*
Offline Offline

Activity: 980


I'm not just any shaman, I'm a Sha256man


View Profile
August 20, 2011, 02:08:02 AM
 #68

SQL injection in qty parameter of cart.php?

If you send a single quote (') for the qty parameter,

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00'

you get a mysql database error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' at line 4

If you use two single quotes instead:

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00''

you don't get the error:

Code:
HTTP/1.1 302 Found
Date: Thu, 18 Aug 2011 04:21:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Location: /login.php?
Vary: Accept-Encoding
Content-Length: 13
Connection: close
Content-Type: text/html


So it looks like the site tries to block SQL injection, but you just URL-encode a NULL (%00) before the quote or whatever's getting blocked, and you've gotten around the filter.

So is this some kind of php extension that's checking for sql injection characters like the single quote?

Did you develop the shopping cart in-house, or is it "third-party" software?

Can you show us the code?

While it doesn't fix or prevent the underlying sql injection issue in the php code, I would have your developer add some more "friendly" and generic error handling so these mysql errors don't get sent back to the user.

I'm sure by the time I finish typing this someone will show you how to actually exploit the sql injection vulnerability.

I will give 0.30BTC for some one to successfully exploit this suggestion.

As a note I have only granted the following privileges scince the beginning of this hack-a-thon "SELECT,UPDATE,INSERT,DELETE"
Xenland
Legendary
*
Offline Offline

Activity: 980


I'm not just any shaman, I'm a Sha256man


View Profile
August 20, 2011, 03:13:27 AM
 #69

From the looks of the database,  I just need to validate email addresses and I'm golden Wink
Xenland
Legendary
*
Offline Offline

Activity: 980


I'm not just any shaman, I'm a Sha256man


View Profile
August 21, 2011, 05:01:00 PM
 #70

Set bonus value to .5BTC since I haven't heard any bug reports lately.
Xenland
Legendary
*
Offline Offline

Activity: 980


I'm not just any shaman, I'm a Sha256man


View Profile
August 22, 2011, 03:48:52 AM
 #71

Let me know if you sent any BTC to the cheaperinbitcoins.com website to test out the shopping cart and you want your btc back. last time i checked balance was 0 but I haven't checked the offline account at all yet. Let me know before the 1st of September, I'm wiping everything for the beta
Pages: « 1 2 3 [4]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!