l33thackers.freehostia.com
Hey demon_king,
Sorry, but I really didn't feel like sending a PM since it just takes up space in my inbox, but just to recap where you left off...
I've started a hacker site and I just wanted you to join. Here is the link:
l33thackers.freehostia.com
I'll see you there
Thank you for inviting me to your site, not bad for your first try.
But I couldn't help but notice how many security vulnerabilities I was able to come across. You should really try to secure your site from SQL injections, among other things.
You should fix this asap, someone could gain access after a few minutes and have access to all the articles, member list, settings.
Just be glad I was able to tell you before this information got out to everyone on the internet.
Just a design note: I would suggest you try to come up with a better slogan, like after you log in and the home page says
L33t Hackers! The site that will show you how hackers get in and how to keep them out
You're welcome
edit: why aren't there more challenge categories? just basic, realistic, and javascript?
Yeah, even basic SQL injection works. Directories aren't hidden. Mainly the site is a piece of shit. Like, you can edit the cookies to show you logged in as anybody you like, and they aren't even encrypted. It's coded by a three-year-old (assumption). This site would practically give away information to someone computer-illiterate just browsing it. So add it all up and you get: Insecure.
Feralas wrote: This site failed before it began.
[quote]<SCRIPT>alert(String.fromCharCode(89,111,117,83,117,99,107))</SCRIPT>
Put this in the user/pass, login, go back, and click the link to the home page.
Owned.[/quote]
you can also try the same with cookies;)
Edit: lol, wouldn't have expected that wrong login info would get written into the cookies as well :D Sorry for repeating the same exploit
clone4 wrote: [quote]Feralas wrote: This site failed before it began.
[quote]<SCRIPT>alert(String.fromCharCode(89,111,117,83,117,99,107))</SCRIPT>
Put this in the user/pass, login, go back, and click the link to the home page.
Owned.[/quote]
you can also try the same with cookies;)[/quote]
Man, some hardcore encryption on them there cookies… not.
Was this site coded by monkeys?
hey that stuff about the 'damn kids' sounds odd…
http://www.mithral.com/~beberg/manifesto.html ring a bell?
What_A_Legend wrote: Do not code a hacking challenge site... then encourage people who hack to come do the challenges.
Unless you are positive it is secure!
Also, just a hint: re-think the design and the name also.
While not trying that site per se, it's impossible to be 100% secure.
hence
http://www.hellboundhackers.org/hof.php
all the exploits reported on HBH
No matter what new improvements or adjustments are made, nothing can be hack PROOF
stdio wrote: [quote]What_A_Legend wrote: Do not code a hacking challenge site... then encourage people who hack to come do the challenges.
Unless you are positive it is secure!
Also, just a hint: re-think the design and the name also.
While not trying that site per se, it's impossible to be 100% secure.
hence
http://www.hellboundhackers.org/hof.php
all the exploits reported on HBH
No matter what new improvements or adjustments are made, nothing can be hack PROOF[/quote]
True, but there is a difference between fairly secure and shitty coded… And a site with hacking challenges will usually attract people to test the site itself, so it's essential to have at least a little secure 'base' for the site (like a login not vulnerable to 'OR'1'='1… :) etc.)
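
The two base flaws named in this thread, a login that accepts 'OR'1'='1 and cookies that can be edited to appear logged in as anyone, shown beside their fixes. This is an added example, not code from the site or from any poster; Python with sqlite3 is assumed, and the table, function names and sample account are hypothetical and constructed.

```python
import hashlib
import hmac
import secrets
import sqlite3

SECRET = secrets.token_bytes(32)  # server-side key, never sent to the client


def make_db():
    # Constructed sample data; plaintext password only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db


def login_concat(db, name, pw):
    # Weak form: input is pasted into the SQL text, so a quote rewrites the query.
    q = "SELECT name FROM users WHERE name='%s' AND pw='%s'" % (name, pw)
    return db.execute(q).fetchone() is not None


def login_bound(db, name, pw):
    # Hardened form: placeholders keep input as data, never as SQL syntax.
    q = "SELECT name FROM users WHERE name=? AND pw=?"
    return db.execute(q, (name, pw)).fetchone() is not None


def _tag(user):
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user):
    # The cookie carries the user name plus a MAC only the server can compute.
    return user + "." + _tag(user)


def user_from_cookie(cookie):
    # Return the user only if the MAC matches; an edited name fails the check.
    user, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(user).encode())
    return user if ok else None


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "admin", "' OR '1'='1"), login_bound(db, "admin", "' OR '1'='1"))
    print(user_from_cookie("admin." + issue_cookie("guest").rpartition(".")[2]))
```

A real deployment would also store salted password hashes and escape any user-supplied value before writing it into a page.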