Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

HBH Penetration Testing Challenge


HBH Penetration Testing Challenge


<img src='http://i6.photobucket.com/albums/y222/hack4u/header.jpg' width='80%'> HBH Members have been asked to penetration test a new cms for a corporate web designer. Anyone is welcome to try and could be a bit of fun trying your skills on a real life website.

He thinks its pretty secure already but wants a few of your top dogs to take a look at it. If you find anything that could used dangerously, then email: nucleocide@yahoo.com

Comments
What_A_Legend's avatar
What_A_Legend 17 years ago

well i started looking around and the only thing so far they may want to change is on the sign up page it shows the arrays bit cant find an exploit yet

SySTeM's avatar
SySTeM 17 years ago

Well I can screw up the shoutbox layout, you should really use word wrapping ;)

bl4ckc4t's avatar
bl4ckc4t 17 years ago

seems fairly secure other than SM's idea. I like how in the images folder they say, "honestly is there anything useful in the images section?" like they have something hidden in there hehe

ghost's avatar
ghost 17 years ago

nucleocide check emails

ghost's avatar
ghost 17 years ago

yeah the chat-section lay-out can be messed up easily (that's what you meant, right system?)

http://www.deeva.info/hellbound/?s=chat

ghost's avatar
ghost 17 years ago

Yeah the array in the register section was accidentally left in when I was debugging… It might have added some insight to a potential hole. Taken down now.

I'll prolly implement a css overflow to catch long text verses word wrapping, just my prefered methodology.

No inputs are checked for length, something I've never done in any sites. I'm lazy lol.

ghost's avatar
ghost 17 years ago

Oh, and thx to Mr. Cheese for adding my site on hbh :').

SySTeM's avatar
SySTeM 17 years ago

Yea I do spyware, also, it screws up the homepage too, because it echo's the current posts, you should really use the php wordwrap() function, much easier, or just do a php string length check ;)

SySTeM's avatar
SySTeM 17 years ago

Also, if you want me to do that lemme know, I'm bored and I have an urge to code…

ghost's avatar
ghost 17 years ago

Shouldn't there be a verification image for the registration ? Otherwise it can get spam really easily.

ghost's avatar
ghost 17 years ago

Just like the suggestionbox. I can spam it with an certain URL and F5..

ghost's avatar
ghost 17 years ago

Thanks for letting me know wordwrap is a PHP function, I honestly did no know of it's existance. However no thanks on the offer to have you make the changes. I have not implemented any limitations such as string length, account creation, or time invervals between any input. I was just being lazy. The site will eventually require a credit card to register so that is not too much of an issue.

I am currently just looking for vulnerabilities/injections, not simple bugs. Thanks so far for all your help! BTW I sent the link to HackThisSite too, just to see which site is better at hole finding :).

ghost's avatar
ghost 17 years ago

nucleocide, who at HTS did you send it to? I'm wondering becuase I run the forums for that site and I haven't yet heard about this. Feel free to email/msn me as sakaru@gmail.com

SySTeM's avatar
SySTeM 17 years ago

Hmm, I'm still waiting for HTS to contact me about the blind mysql injection hole I found in their site…

ghost's avatar
ghost 17 years ago

getting on their IRC always works well… or email it to me.

ghost's avatar
ghost 17 years ago

can some1 make this damm banner a little smaller..

ghost's avatar
ghost 17 years ago

lol nice 1 system thought theyd patched up their system by now??

SySTeM's avatar
SySTeM 17 years ago

Gah they deleted my bug report of it, and they still haven't fixed it or notified me about it -_-

ghost's avatar
ghost 17 years ago

i fixed the banner

ghost's avatar
ghost 17 years ago

Okay, I gave it a quick test.