hack my site nucleocide.net
My website is http://www.nucleocide.net. I had a problem with a hacker before and I'm trying to iron out all the kinks (I wrote the tiny CMS myself). I'm requesting that my fellow hackers attempt to hack my site by simply posting a news item on the front page. In order to do so you'll either need to log in as an admin or somehow escalate your permissions. On the news post just mention your HBH name and how you did so. I'd like to limit this to injections and try not to do anything too deep and piss off my website's host.
This is just a learning experience, please don't do anything mean. I'm not sure if this violates any rules set forth by HBH and if so I'll drop this post. I'll provide any form of proof requested so that you know the site is mine.
I don't know much about MySQL hacking, but I got this error by inputting an ' into the username:
```
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/nucleo/nucleocide.net/includes/auth.php on line 14
Login failed for user: &*92;.
Try Again
```
I dunno if you could use that as a way of getting in, but it might help,
NC
xss: http://www.nucleocide.net/?s=foobar'">> <script>alert(document.cookie)</script>
I found another xss but I think he didn't fix the previous one. But anyway http://www.nucleocide.net/?s=%3Cscript%3Ealert(document.cookie)%3C/script%3E
you can do this:
http://www.nucleocide.net/?s=<script>alert(document.cookie)</script>
It's the easiest way to see if there's an XSS hole. Why http://www.nucleocide.net/?s=lol ">> <script>alert(document.cookie)</script> ?
When you're logged in, what's this: http://www.nucleocide.net/?s=profile&r ? You can delete your account? You can't do it in the menu :(
Neo_Chalchus wrote: I don't know much about MySQL hacking, but I got this error by inputting an ' into the username:
```
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/nucleo/nucleocide.net/includes/auth.php on line 14
Login failed for user: &*92;.
Try Again
```
I dunno if you could use that as a way of getting in, but it might help,
NC
Yeah, that usually means it's prone to the simplest attacks.
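
Added example, not part of any post in this thread and not the site's code (auth.php is never shown): a Python/sqlite3 stand-in for why a lone ' in the username makes the login query fail, next to the parameterized fix, plus output encoding for the reflected `s` parameter. The table, column and function names are assumptions, as is the idea that `s` is echoed into an HTML attribute.

```python
import html
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    return db

def login_concatenated(db, username, password_hash):
    # Vulnerable pattern: user input is pasted straight into the SQL text.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    try:
        return db.execute(sql).fetchone()[0] == 1, None
    except sqlite3.OperationalError as exc:
        # A lone quote unbalances the statement and the database rejects it.
        # In the thread's PHP this is the failed query whose result is then
        # handed to mysql_num_rows(), producing the warning quoted above.
        return False, str(exc)

def login_parameterized(db, username, password_hash):
    # Hardened: placeholders keep input as data, never as SQL syntax.
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash)).fetchone()
    return row[0] == 1

def render_section(s):
    # Hardened output for a reflected parameter: encode before echoing it.
    return '<input name="s" value="' + html.escape(s, quote=True) + '">'

if __name__ == "__main__":
    db = make_db()
    print(login_concatenated(db, "'", "x"))   # query error surfaces
    print(login_parameterized(db, "'", "x"))  # plain failed login
    print(render_section("\"><b>test</b>"))   # markup arrives as inert text
```

With the parameterized version the quote is just an unknown username, so there is no database error to leak the script path, and the encoded output keeps markup in `s` from being parsed by the browser.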