Hack the Shoutbox

Firewalls, routers, servers, switches, SANs, PBXes, security and related topics
Locked
wldkos
Posts: 830
Joined: Mon Feb 24, 2003 12:19 pm

Hack the Shoutbox

Post by wldkos »

Sorry for not asking you squirrle first off, but I Have read the code many times for the shoutbox and I think there might be some security problems with it. (not obvious ones, but it is php were talking about)

So here is the game, providing it's cool with red... Hack the shoutbox, I said HACK, not crack. Let's see what we can find from this program.

Archived topic from Iceteks, old topic ID:1507, old post ID:12741
User avatar
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario
Contact:

Hack the Shoutbox

Post by Red Squirrel »

Yep, go for it, see what you can find. If there's any problems I'll fix them swifly. :evilsquirrel: :tempted: :firedevil: :evil luser: :hmmm: :antichrist:

Archived topic from Iceteks, old topic ID:1507, old post ID:12756
Honk if you love Jesus, text if you want to meet Him!
wldkos
Posts: 830
Joined: Mon Feb 24, 2003 12:19 pm

Hack the Shoutbox

Post by wldkos »

yes, and let me know asap ;)

Archived topic from Iceteks, old topic ID:1507, old post ID:12840
User avatar
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario
Contact:

Hack the Shoutbox

Post by Red Squirrel »

Have you tried anything yet?

Archived topic from Iceteks, old topic ID:1507, old post ID:12875
Honk if you love Jesus, text if you want to meet Him!
wldkos
Posts: 830
Joined: Mon Feb 24, 2003 12:19 pm

Hack the Shoutbox

Post by wldkos »

Red Squirrel wrote: Have you tried anything yet?
Not besides getting it to load outside of the Iframe... Im wondering if it will parse linux commands and how I can put them into there... this would be a much bigger problem for me, Im thinking...

Archived topic from Iceteks, old topic ID:1507, old post ID:12880
User avatar
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario
Contact:

Hack the Shoutbox

Post by Red Squirrel »

I don't think it would work. Basically, what it does is turn the POST data into plain text, fixes it so " is " etc... (by default when you send data it does it the other way) and once it's fixed like that, it also changes < to the actual html code for < and does the same with > so that alone removes all possibility to parse html, then the next step is to change a few characters to other things, so turns to <b> etc... So it's not [ turns to < but rather specific tags.

Archived topic from Iceteks, old topic ID:1507, old post ID:12888
Honk if you love Jesus, text if you want to meet Him!
wldkos
Posts: 830
Joined: Mon Feb 24, 2003 12:19 pm

Hack the Shoutbox

Post by wldkos »

So, i need to learn some php and cracking, a lot more then, eh?

Archived topic from Iceteks, old topic ID:1507, old post ID:12890
User avatar
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario
Contact:

Hack the Shoutbox

Post by Red Squirrel »

Yep most likely. But you have the code so that can help. :P

Archived topic from Iceteks, old topic ID:1507, old post ID:12891
Honk if you love Jesus, text if you want to meet Him!
wldkos
Posts: 830
Joined: Mon Feb 24, 2003 12:19 pm

Hack the Shoutbox

Post by wldkos »

I just thought of something. Is it possible for me to make a chat.php, but filled with malicious code, and then download your forum page, and execute the code locally but with the full url to the chat.php on your site? We did this on the hackthissite.org test and something similar worked.

Archived topic from Iceteks, old topic ID:1507, old post ID:12996
User avatar
rovingcowboy
Posts: 1504
Joined: Wed Dec 18, 2002 10:14 pm

Hack the Shoutbox

Post by rovingcowboy »

nope this is a hack prove box your not going to get it hacked no matter how hard you try :D :banana: :awesome:

Archived topic from Iceteks, old topic ID:1507, old post ID:12999
roving cowboy/ keith
User avatar
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario
Contact:

Hack the Shoutbox

Post by Red Squirrel »

wldkos wrote: I just thought of something. Is it possible for me to make a chat.php, but filled with malicious code, and then download your forum page, and execute the code locally but with the full url to the chat.php on your site? We did this on the hackthissite.org test and something similar worked.
You could easly do that, heck, you can even chmod stuff with php so before doing anything to a file you just chmod it via php. A php script could easly be written to delete all files in a directory, or do other stuff.

But the thing is, it has to be ON the server. And getting it on is the thing. But the easiest way for this would be through social engeneering.

"hey check out this new script, install it and run it"
Bang.

:biglaugh:

Archived topic from Iceteks, old topic ID:1507, old post ID:13005
Honk if you love Jesus, text if you want to meet Him!
Chris Vogel
Posts: 5140
Joined: Fri Jan 10, 2003 1:14 am

Hack the Shoutbox

Post by Chris Vogel »

Red Squirrel wrote: But the easiest way for this would be through social engeneering.

"hey check out this new script, install it and run it"
Bang.

:biglaugh:
I should think Red wouldn't fall for that. :P A lot of people would though. :evilsmile: Hacking sometimes takes more than computer knowledge I would imagine.

Archived topic from Iceteks, old topic ID:1507, old post ID:13036
Locked