
IRL pen-testing.


jghgjb790 (Member)

Hey guys, I'm working on a site, and I've coded all of it myself, so it isn't too fancy. Anyway, I was wondering if anyone wanted to help me try to find/fix security holes? I have found 2 (write to a file that executes php! HUGE problem!) and am in the process of fixing them, but I'm sure you could find more. Please note, it is the WHOLE site, not just the part that says "Are you here to see if you can hack into my site?" (I quickly threw that together for the noobs at my school to try to hack… They failed, lol.)

Anyway, the site is http://brian.escdev.info, and just assume that I gave you the password "Kisara". There is an admin password, but I'll let you try to find that.

Thanks for all your help, it is very appreciated! :)

Edit: I'm sorry, but trying to log in with an empty password string isn't going to do anything. I get an email saying "Someone tried to log in using the password: """ but that is about it. The add password page just notifies me so I can manually put it in. Remember I gave you the password Kisara. It saves it to a cookie, and checks the cookie on every page.

Edit 2: GOOD JOB GUYS! Someone managed to log out of a non-existent user! Please provide info? :D

Edit 3: HOLY CRAP GUYS!!!! I just got emailed 1260 error reports?!!?! WHY???? D:

Edit 4: I've dealt with the over 1,000 SMS messages about those Hotmail messages, but now that you guys are getting close to the admin password (which is pretty easy to guess), here's some help for you. My name is Brian. Go guess it. Also, I've disabled emails, but it still writes all errors to a php page. Have fun :)

Edit 5: At 8:21 today (Wed, June 23, 2010) someone managed to get rid of their referer, date + time, and ip, leaving their possible malicious code untraceable (for me), and I would like to congratulate you. That is put through a php post form to an email, never touching any other language. Good job :)


ghost

jghgjb790 wrote: Hey guys, I'm working on a site, and I've coded all of it myself, so it isn't too fancy. Anyway, I was wondering if anyone wanted to help me try to find/fix security holes? I have found 2 (write to a file that executes php! HUGE problem!) and am in the process of fixing them, but I'm sure you could find more. Please note, it is the WHOLE site, not just the part that says "Are you here to see if you can hack into my site?" (I quickly threw that together for the noobs at my school to try to hack… They failed, lol.)

Thanks, it does look fun to poke around with. I poked at it for a few minutes, tomorrow when I have more time I will do it more.

Likely someone who knows a bit more about more advanced topics will be better equipped and beat me to the punch though. :|

There are no absurdly gaping holes at least (imo). :)


jghgjb790 (Member)

Yeah, I JUST (literally, in the past 2 minutes) tried to make all submit forms sanitize the input. Before, it was entirely possible to execute php on the page where I moderate submissions. For example, you could have posted a picture with the description being

<?php
$f = fopen("/index.html", "w");
fwrite($f, "<h1>YOU HAVE BEEN HACKED!!!!</h1>");
fclose($f);
?>

and then the next time I viewed the submissions (available to me online) it would have overwritten the entire homepage. I think I've sanitized the input, but you may want to play around with it.

Edit 1: I've fixed my php code, it was a problem in the one script that I found online, of course eyeroll. Anyway, I've sanitized the input from the pic submit form and the admin alert form.

Edit 2: I highly doubt you could use that (removed from my post) form to read anything because it puts the file name in img tags, and I'm pretty sure there are no client side scripts to view a server's file. Anything else that you want to test, please go ahead, I don't mind getting spammed as long as it is for the good of the site.


ghost

Here is a XSS which bypasses that filter you made:

http://brian.escdev.info/pictures.php?pic=../icons/apache_pb2_ani.gif( onLoad=document.location=1337%20a

Explanation how to bypass the filter:

  • The image causes the img tag to load properly, I do this so I can use the onLoad event later.
  • The "(" character gets evaded by your filter by 2 single quotes "'('", these single quotes made it possible for me to escape from the src property.
  • At the end I needed a whitespace so the Javascript wouldn't fail.

Here is a hint on building your own filter against XSS: Think about what characters you will need, not what characters you will exclude. Be sure to filter out these: '"<>&#!-=(){}; If you need any of these, be sure that there can't be an XSS crafted out of it. When you filter something don't replace it with other content, especially not with quotes ;).


ghost

Here is a link to the XSS, HBH is replacing "onEvent" with "onblockedEvent*", I wonder how many people were saved by this from being XSSED -.-'. http://tinyurl.com/39shht5


ghost

As I said earlier, you should make a list of characters which you may use, not which you may not use (Google for "regular expressions php" and I am sure you will find useful information there). Be sure when you filter that the actual purpose of the code is intact, at the moment "." will be filtered and replaced with "DOT" while this character can't do any harm. Don't filter out underscores, it's pointless.
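As an added example (not code from the thread, the site, or either poster), here is how the `pic` parameter of a page like pictures.php could be handled following the advice in the two posts above: decide which characters are needed, reject anything else, and never "repair" input by wrapping characters in quotes or swapping them for words. It keeps a copy of the denylist shape that was bypassed next to the allowlist version so the difference is visible. The IMAGE_DIR constant, the accepted file-name format and the function names are assumptions.

```php
<?php
// Added example (not the site's or the poster's code). Handles the `pic`
// parameter of a page like pictures.php with an allowlist, as recommended
// in the posts above. IMAGE_DIR and the accepted name format are assumptions.

declare(strict_types=1);

const IMAGE_DIR = __DIR__ . '/pictures';   // assumed: where the image files live

// The denylist shape the thread bypassed, kept for contrast: unwanted
// characters are wrapped in single quotes, which leaves the rest of the
// string intact and supplies the quotes needed to close the src attribute.
function denylistFilter(string $value): string
{
    return preg_replace('/([()<>"])/', "'\$1'", $value) ?? $value;
}

// Allowlist: a bare file name (no slashes, so no "../") built from a small
// character set plus a known image extension. Anything else is rejected
// outright rather than rewritten.
function validPictureName(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}\.(png|gif|jpe?g)$/i', $value) === 1;
}

function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the <img> tag. The value is encoded on output even though it was
// validated, so neither defence has to carry the other.
function pictureTag(string $pic): string
{
    if (!validPictureName($pic) || !is_file(IMAGE_DIR . '/' . $pic)) {
        return '<p>Unknown picture.</p>';
    }
    return '<img src="pictures/' . h($pic) . '" alt="' . h($pic) . '">';
}

// Constructed input in the shape of the payload quoted earlier in the thread,
// run through both functions so the two behaviours can be compared.
$sample = '../icons/apache_pb2_ani.gif( onLoad=document.location=1337 a';
var_dump(validPictureName($sample), validPictureName('banner.png'));
echo denylistFilter($sample), "\n";

if (isset($_GET['pic'])) {
    echo pictureTag((string) $_GET['pic']);
}
```

The regular expression is the "list of characters you may use" from the post: a name that matches it cannot contain a quote, a parenthesis, a space or a path separator, so there is nothing to escape and no reason to rewrite the value. The htmlspecialchars() call on output is the second layer for the case where a later change widens the allowlist.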


jghgjb790 (Member)

Oh, man I am such an idiot. That's what happens when you try to make a site secure with very little sleep. Well, I tried to fix it, but I have stuff to do, so I haven't had time to test it. Thanks for all your help, and I know, I'm an idiot.


jghgjb790 (Member)

I think someone logged out of "test". I realized that they just changed the value of the cookie then clicked log out.


jghgjb790 (Member)

Sessions and a database. Alright, I'll try my best to get everything working, but I have absolutely no experience with that, but I have to learn sometime :)

Edit 1: Okay, I talked to the owner of the server (I don't own the server, but I know the person who does) and they won't let me use a database. So, I figured I could just create a file for every user and chmod them. Now, the sessions I understand, and I'm working on moving the whole site over to using them. No more cookie usage for me. I'll update whenever possible.

Edit 2: Moved EVERYTHING over to sessions, but I haven't tested everything. The login form requires a username now, so the user is Kisara (capital K) and the password is password. Good luck :)

Edit 3: I was just asked to post some of the injections, attacks, etc, so here they are:

  1. injecting javascript in the picture submit form. That was dumb of me. I forgot to filter the input. :(
  2. Again, javascript injection. I filtered the input, but made a horrible mistake. I thought it would create an error in any script if I put a quote in front of all characters that I didn't want. FAIL, someone managed to close the image tag and add a js script.
  3. Of course, changing the cookie and logging out scared me. Non-existent user? Nope, altered "user" data.
  4. And the picture viewing one can be read a few posts above. Thanks for the help :)

Edit 4: -sigh- The php won't let you use caps for some reason (?!?) so the username is kisara with no caps. I'll try to fix it, but try both just to make sure. Thanks!


jghgjb790 (Member)

Sorry for the date, but I just wanted to update that my website is now located at http://todaystopsite.site90.net and that it has changed dramatically. This, unfortunately, means that there will be plenty of new security problems. Thanks for any replies.


jghgjb790 (Member)

Jelmer de Hen wrote: You can trigger another XSS by creating a username containing client side scripting. Log in with: user:<blink> passwd:b

Although that isn't TECHNICALLY an XSS (from how I define it - a way to get information by sending a link or writing script to a viewable document, more of an "easter egg" if you will), I will try to fix it.

Jelmer de Hen wrote: Here is a LFI but you can't escape from the directory for as far as I tried: http://todaystopsite.site90.net/pictures.php?pic=banner.png

I realize that you can view the banner through that, but really, can't you view the banner anyway? And I already saw that, if you have "../" anywhere in the "pic" variable, it tells you to stop trying, in a kind of cruel way.

Edit 1: How did you know my name? And sorry I didn't add that in before, in order to create a user, you must input my name, which is Brian. Remember to capitalize the first letter. :)

Edit 2: FYI, I use a flat file database for storing users. I know this isn't the safest way, but I encrypt the **** out of those passwords.


spyware (Banned)

jghgjb790 wrote: Although that isn't TECHNICALLY an XSS (from how I define it - a way to get information by sending a link or writing script to a viewable document,

You're wrong.


jghgjb790 (Member)

spyware wrote: You're wrong.

Read my sig. And as for the password files, how should I hide them? Put them one directory higher? Above the public html folder?


osiris2 (Member)

I think I found something. It's not very dangerous and I'm not sure if I can call it an exploit. Here it is: http://tinyurl.com/23mjf7t


jghgjb790 (Member)

Although the video isn't one of my "accepted" ones, it isn't really a problem. I only made the video accept thing for people to share the videos on the list of videos. I don't care if you watch videos on the video page, besides, it takes more effort than it's worth (imo).


ghost

Queried the login page with bbcode injection.

Used this:

[table=border='1' cellspacing='0' cellpadding='0' width='100%'][tr=bgcolor='#ffffff'][td=width='*' onmouseover='javascript:alert(String.fromCharCode(88,83,83))']XSS[/td][/tr][/table]

and got this error:

User _OPENARRAY_table=border="1" cellspacing="0" cellpadding="0" width="100%"_CLOSEARRAY__OPENARRAY_tr=bgcolor="_POUND_ffffff"CLOSEARRAY__OPENARRAY_td=width="*" onmouseover="javascript:alert_bracket_String.fromCharCode_bracket_88,83,83_bracket__bracket"CLOSEARRAY_XSS_OPENARRAY_slashtd_CLOSEARRAY__OPENARRAY_slashtr_CLOSEARRAY__OPENARRAY_slashtable_CLOSEARRAY not found. Please check your caps lock key and try again**


jghgjb790 (Member)

You try to log in as any non-existent user and you'll get an error. It is just extremely over filtered. Look at it.
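Added example, not the site's code, drawing together several points raised in this thread: the logout of a non-existent user (which worked because the user name was read back from a cookie the client controls), the move to sessions and a flat file of users, the question of where to keep the password file, and the `<blink>` username and bbcode login payloads, which are handled here by an allowlist at registration and output encoding on display rather than the word-substitution filter shown in the error above. The USERS_FILE path, the record format and the function names are my assumptions, and passwords are stored as password_hash() hashes rather than being encrypted.

```php
<?php
// Added example, not the site's code. Login handling with the identity kept
// in a server-side session, users in a flat file outside the web root,
// hashed passwords, an allowlist on user names and output encoding on the
// error message. USERS_FILE, the record format and the function names are
// assumptions.

declare(strict_types=1);

// Assumed: one level above the document root, so the file is never served
// over HTTP. One JSON object per line: {"user":"kisara","hash":"$2y$10$..."}
const USERS_FILE = __DIR__ . '/../users.txt';

// Allowlist for user names: letters, digits, underscore. A name such as
// "<blink>" or a bbcode table never reaches the store.
function validUsername(string $user): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $user) === 1;
}

function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function findUser(string $user): ?array
{
    $lines = is_file(USERS_FILE)
        ? file(USERS_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : false;
    if ($lines === false) {
        return null;
    }
    foreach ($lines as $line) {
        $row = json_decode($line, true);
        if (is_array($row) && isset($row['user'], $row['hash']) && $row['user'] === $user) {
            return $row;
        }
    }
    return null;
}

function addUser(string $user, string $password): bool
{
    if (!validUsername($user) || findUser($user) !== null) {
        return false;
    }
    $record = json_encode(['user' => $user,
                           'hash' => password_hash($password, PASSWORD_DEFAULT)]);
    return file_put_contents(USERS_FILE, $record . "\n", FILE_APPEND | LOCK_EX) !== false;
}

function login(string $user, string $password): string
{
    // One message for every failure, so the form does not confirm which
    // names exist; the name is encoded, not rewritten, before display.
    $failed = '<p>Login failed for user "' . h($user) . '".</p>';
    if (!validUsername($user)) {
        return $failed;
    }
    $row = findUser($user);
    if ($row === null || !password_verify($password, $row['hash'])) {
        return $failed;
    }
    session_regenerate_id(true);        // fresh id once the user is authenticated
    $_SESSION['user'] = $row['user'];   // identity lives only on the server
    return '<p>Welcome, ' . h($row['user']) . '.</p>';
}

function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

// Logging out only discards the server-side record; there is no cookie
// value the client could edit to "log out" a different or invented user.
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo login((string) ($_POST['user'] ?? ''), (string) ($_POST['password'] ?? ''));
}
```

The only thing the browser holds is the session id; editing it does not let a visitor pick a user name, and logout() removes the server-side record instead of trusting a name sent back by the client. The "not found" style message goes through htmlspecialchars(), so a name like `<blink>` or the bbcode table from the post above is shown literally and nothing in it needs to be replaced with `_OPENARRAY_`-style tokens. Keeping the users file above the public html directory, as asked a few posts up, means it cannot be requested by URL at all, which is a simpler guarantee than relying on permissions alone.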