Page 1 of 1
Hack the Shoutbox
Posted: Fri Oct 24, 2003 11:34 am
by wldkos
Sorry for not asking you squirrle first off, but I Have read the code many times for the shoutbox and I think there might be some security problems with it. (not obvious ones, but it is php were talking about)
So here is the game, providing it's cool with red... Hack the shoutbox, I said HACK, not crack. Let's see what we can find from this program.
Archived topic from Iceteks, old topic ID:1507, old post ID:12741
Hack the Shoutbox
Posted: Fri Oct 24, 2003 4:36 pm
by Red Squirrel
Hack the Shoutbox
Posted: Mon Oct 27, 2003 1:03 am
by wldkos
yes, and let me know asap
Archived topic from Iceteks, old topic ID:1507, old post ID:12840
Hack the Shoutbox
Posted: Tue Oct 28, 2003 6:53 pm
by Red Squirrel
Have you tried anything yet?
Archived topic from Iceteks, old topic ID:1507, old post ID:12875
Hack the Shoutbox
Posted: Tue Oct 28, 2003 8:30 pm
by wldkos
Red Squirrel wrote: Have you tried anything yet?
Not besides getting it to load outside of the Iframe... Im wondering if it will parse linux commands and how I can put them into there... this would be a much bigger problem for me, Im thinking...
Archived topic from Iceteks, old topic ID:1507, old post ID:12880
Hack the Shoutbox
Posted: Tue Oct 28, 2003 9:32 pm
by Red Squirrel
I don't think it would work. Basically, what it does is turn the POST data into plain text, fixes it so " is " etc... (by default when you send data it does it the other way) and once it's fixed like that, it also changes < to the actual html code for < and does the same with > so that alone removes all possibility to parse html, then the next step is to change a few characters to other things, so turns to <b> etc... So it's not [ turns to < but rather specific tags.
Archived topic from Iceteks, old topic ID:1507, old post ID:12888
Hack the Shoutbox
Posted: Tue Oct 28, 2003 9:49 pm
by wldkos
So, i need to learn some php and cracking, a lot more then, eh?
Archived topic from Iceteks, old topic ID:1507, old post ID:12890
Hack the Shoutbox
Posted: Tue Oct 28, 2003 10:03 pm
by Red Squirrel
Yep most likely. But you have the code so that can help.
Archived topic from Iceteks, old topic ID:1507, old post ID:12891
Hack the Shoutbox
Posted: Fri Oct 31, 2003 11:32 am
by wldkos
I just thought of something. Is it possible for me to make a chat.php, but filled with malicious code, and then download your forum page, and execute the code locally but with the full url to the chat.php on your site? We did this on the hackthissite.org test and something similar worked.
Archived topic from Iceteks, old topic ID:1507, old post ID:12996
Hack the Shoutbox
Posted: Fri Oct 31, 2003 11:51 am
by rovingcowboy
Hack the Shoutbox
Posted: Fri Oct 31, 2003 3:17 pm
by Red Squirrel
wldkos wrote: I just thought of something. Is it possible for me to make a chat.php, but filled with malicious code, and then download your forum page, and execute the code locally but with the full url to the chat.php on your site? We did this on the hackthissite.org test and something similar worked.
You could easly do that, heck, you can even chmod stuff with php so before doing anything to a file you just chmod it via php. A php script could easly be written to delete all files in a directory, or do other stuff.
But the thing is, it has to be ON the server. And getting it on is the thing. But the easiest way for this would be through social engeneering.
"hey check out this new script, install it and run it"
Bang.
Archived topic from Iceteks, old topic ID:1507, old post ID:13005
Hack the Shoutbox
Posted: Sat Nov 01, 2003 12:42 pm
by Chris Vogel
Red Squirrel wrote: But the easiest way for this would be through social engeneering.
"hey check out this new script, install it and run it"
Bang.
I should think Red wouldn't fall for that.
A lot of people would though.
Hacking sometimes takes more than computer knowledge I would imagine.
Archived topic from Iceteks, old topic ID:1507, old post ID:13036
