
Hacking a Homemade forum..


ghost's Avatar
0 0

Not so much a question as a request for someone to try and hack my Admin Control Center. I want someone to login and be able to be an "admin" And change my site:)


ghost's Avatar
0 0

maybe u should.. um.. give us ur site?


Mr_Cheese's Avatar
0 1

thats fine, but please give us proof it is your own site, otherwise i'll have to remove the thread.

but could turn out to be a cool challenge.


ghost's Avatar
0 0

sorry, I just about that:

http://programmer-scripts.com/NextGenBoard/

It says I am undercover noob… in title

Also please note that the forum isn't done yet. I need to test the security of the board:) Only the register, login, logout, and Admin Control Center are done, as in mostly done:P I can edit security a lot…


ghost's Avatar
0 0

I would change the register part, cause there are 2 confirmation boxes but they are also just plain text in the source, and are thus easy bait for bots and so. Change them to those random picture things :)

otherwise i wouldn't know what's the use of them


ghost's Avatar
0 0

looks like a nice forum :)


ghost's Avatar
0 0

ok.. i'v found 2 users with admin rights.. Michael & lev so what now… am i supposed to explore that site and brute force the admin panel or what.. if its a challenge y not give us a clue..


ghost's Avatar
0 0

Yah, quite easy. I have to use GD then, and that is a pain in meh arse. I will eventually though

edit: Try to hack it, just do whatever. Brute force, etc. I just wanted to know if anyone could hack it, by any means.


ghost's Avatar
0 0

^^ If he knew how it could be exploited, he wouldn't have asked.


ghost's Avatar
0 0

Exactly, I want to make this secure as possible.


ghost's Avatar
0 0

i think it is… but without lev registered usin onlylev@hotmail.com.... if someone gets to hack that mail.. im sure there would be his/her pass in the mail… nah nah nah dont blame me im not tryin on that…


ghost's Avatar
0 0

Sweet! I hoped that would be the case:D I really want to make this forum good. I am trying to make it a "Paid" script, as in you spend $10-20 on a complete forum:P. Secure I hope it will be:).


ghost's Avatar
0 0

u can make the forum as secure as possible but what if ur mail gets hacked.. its nothin related to ur forum.. and im sure there would be ur pass in the mail..


ghost's Avatar
0 0

Yah, bad thing. I am going to talk to lev about it..


ghost's Avatar
0 0

most of it is down except one page :/


ghost's Avatar
0 0

i think there is a way u can hide ur mail ;)


ghost's Avatar
0 0

What do you mean down? It may be that someone hacked it… Or you logged in;)

edit: Working on User Control Panel:D


ghost's Avatar
0 0

Flake, what you've said is pretty irrelevant.

Yes, he could have his email hacked. So? This has NOTHING to do with the forum itself. I don't know why you would bring it up. Likely, anyone administrating the forums probably wouldn't keep an email with their password in it, so again, no relevance.


ghost's Avatar
0 0

sorry for double post, but if you can't hack the site, even though you see its entire source right now, then w00t. It will be teh uber bestest!


ghost's Avatar
0 0

Okay, I found a possible exploit. The "anti-bot" system you have on the signup forums doesn't work. A bot could easily bypass that because of the fact that the anti-bot codes end up in the source of the webpage in raw data. Let me explain this exploit.

Let's say someone creates a bot program to, for whatever reason, create a large amount of accounts. Let's say thousands in an attempt to flood your server.

Example (theory):

This is pure theory. I have not tested it; it is based off my knowledge.

A bot program connects to port 80 and uses the GET method to return HTML for the register page. The bot then reads the returned data (the HTML source of that page) and because the generated anti-bot codes are posted on the page source in regular string format (raw, text, whatever you want to call it), it can simply get the anti-bot codes right off the returned data! It can then input the rest of the data (e-mail, user, password, etc.) and use the returned anti-bot codes to submit it.

In simple words, the anti-bot codes are visible in the source of the webpage… Which in theory (based off my knowledge), can be exploited.

Please anyone correct me if I have made any mistakes or have explained anything poorly.

Hope this helps!

P.S. I also suggest you only have one anti-bot input. It would make it look a little more professional.


ghost's Avatar
0 0

I have known about this "exploit" for a while;). I just said that to code in GD and advanced PHP image codes is very complex:). I will do it later in development, as the board is nowhere near complete. If you can't find any other "exploits" then woot!


ghost's Avatar
0 0

Ah yes, it is. Hmmm, just an idea. This may lighten things up a bit, because I cannot disagree with you when you say it is complex.

What if you had a PHP script that displayed an image and set a variable for the anti-bot code… Then for each image loaded there would be a different code, and it would check the string variable that was assigned when the image was loaded and compare it to the input field.

For example:

AD426CKE5.gif : code=5c532f84m4a
DVCV1CA52.gif : code=v367svr63adv

And so on…

So if it randomly set AD426CKE5.gif as the image for the anti-bot code, the picture would display the text "5c532f84m4a" and check to make sure the user has entered that text in the input field. Make sure the image file name and the actual text it displays (anti-bot code too) are different, or the bot could "leech" right off the file name itself!

Just an idea.

Hope this helps as well!


ghost's Avatar
0 0

The actual method I would be using is that the GD image has random amounts of characters. Then each character is inputted into the standard "Images/GD.gif", and then they are outputted. Then the possibility is assigned to a variable, and the variable is set into a database. Then the next page checks if the variable, the field, and if the user inputted is the same:). Some bots are made to keep trying:P They could be easily coded to repeat until one possibility is listed.
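
Added example, not part of any post in this thread and not the forum's own code: a PHP sketch of the fix the posts above converge on, where the anti-bot answer lives only in server-side session state, expires, and is consumed on every attempt, so it cannot be read from the page source or the image file name and a bot cannot keep guessing against one image. The function names and `captcha.php` are hypothetical, a plain array stands in for `$_SESSION` so it runs from the command line, and drawing the code with GD is left out.

```php
<?php
declare(strict_types=1);

const CAPTCHA_TTL = 300; // seconds a challenge stays valid

// Issue a challenge. The answer is kept in server-side session state only;
// the returned string is what the image script would draw (e.g. with GD).
function captcha_issue(array &$session, int $now, int $length = 6): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789'; // no 0/o, 1/l/i look-alikes
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['captcha'] = ['code' => $code, 'expires' => $now + CAPTCHA_TTL];
    return $code;
}

// The form references a fixed image URL (hypothetical captcha.php), so
// neither the markup nor the file name carries the answer.
function captcha_form_html(): string
{
    return '<img src="captcha.php" alt="anti-bot code">'
         . '<input type="text" name="captcha" autocomplete="off">';
}

// Verify a submission. The challenge is removed before the comparison, so
// every attempt, right or wrong, needs a freshly issued image.
function captcha_verify(array &$session, string $answer, int $now): bool
{
    $challenge = $session['captcha'] ?? null;
    unset($session['captcha']);
    if ($challenge === null || $now > $challenge['expires']) {
        return false;
    }
    return hash_equals($challenge['code'], strtolower(trim($answer)));
}

// Constructed walk-through; $session stands in for $_SESSION.
$session = [];
$code = captcha_issue($session, 1000);
var_dump(strpos(captcha_form_html(), $code) !== false); // is the answer in the page?
var_dump(captcha_verify($session, 'guess1', 1001));     // a wrong guess
var_dump(captcha_verify($session, $code, 1002));        // replay against the used challenge
$code = captcha_issue($session, 2000);
var_dump(captcha_verify($session, strtoupper($code), 2010)); // fresh challenge, right answer
var_dump(captcha_verify($session, $code, 2011));             // same answer submitted twice
```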


ghost's Avatar
0 0

Ah, that's true. You could make some kind of thing that limits the logins per minute. You know, that kind of thing. ;) Or you can make it so 3 wrong passwords and you have to wait three minutes before logging in again. Anything like that should stop, if not cripple in some way, a bot.
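
Added example, not part of the post above and not the forum's own code: a PHP sketch of the "3 wrong passwords, then wait three minutes" rule. The function names, the key format and the timeline are constructed for illustration, and an array stands in for the small table a forum would use.

```php
<?php
declare(strict_types=1);

const MAX_FAILURES = 3;   // wrong passwords allowed in a row
const LOCK_SECONDS = 180; // the three-minute wait suggested in the post

// $store maps a key to ['fails' => int, 'locked_until' => int]. Keying on
// account name plus client IP (an assumption of this example) avoids letting
// one client lock an account out for everyone else.
function login_allowed(array $store, string $key, int $now): bool
{
    return ($store[$key]['locked_until'] ?? 0) <= $now;
}

// Call only after login_allowed() returned true and the password was checked.
function record_attempt(array &$store, string $key, bool $success, int $now): void
{
    if ($success) {
        unset($store[$key]); // a good login removes the row, keeping the table small
        return;
    }
    $entry = $store[$key] ?? ['fails' => 0, 'locked_until' => 0];
    $entry['fails']++;
    if ($entry['fails'] >= MAX_FAILURES) {
        $entry['fails'] = 0;
        $entry['locked_until'] = $now + LOCK_SECONDS;
    }
    $store[$key] = $entry;
}

// Constructed timeline for one key: [seconds, was the password correct?].
$store = [];
$key = 'alice|203.0.113.7';
foreach ([[0, false], [5, false], [9, false], [60, true], [200, true]] as [$t, $ok]) {
    if (!login_allowed($store, $key, $t)) {
        // During the lock the password is not even compared.
        echo "t=$t refused, password not checked\n";
        continue;
    }
    record_attempt($store, $key, $ok, $t);
    echo "t=$t ", $ok ? 'logged in' : 'wrong password', "\n";
}
echo count($store), " rows left in the store\n";
```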


ghost's Avatar
0 0

Yah, I agree, and that isn't too heavy on coding for me:). But I want to keep this forum from blubbering to death:P. So that means I have to NOT make the databases huge. Then again, when this entire forum is "Done", it will become a Beta:P. Then I have to add, delete, correct, modify, and all that fun stuff to the code:)


ghost's Avatar
0 0

Major update. Change themes, etc.! Then you can also make a thread. thread.php is in the works, and soon beta one will be up!

Almost here everyone! I need someone to actually try and hack it! I am updating everything, but it might be a while! Code is becoming commented, and I need you to hack it!


ghost's Avatar
0 0

working on it undercovernoob ;) all those login requests are probably me nailing your login :P


ghost's Avatar
0 0

I managed to delete a few user accounts, by inputting a load of XSS attempts, profile.php?id= doesn't go over 11 any more, even though there are more.


ghost's Avatar
0 0

WilleH, I'm not sure what you mean.

Explain the XSS you used, as it wouldn't exactly be XSS if you're deleting SQL data.


ghost's Avatar
0 0

I tried loads of XSS variants including:

';alert('XSS')//\';alert('XSS')//";alert('XSS')//\";alert('XSS')//></SCRIPT>!–<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=%26{} <SCRIPT>alert("XSS")</SCRIPT> \";alert('XSS');// <META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');>

a="get"; b="URL(\""; c="javascript:"; d="alert('XSS');\")"; eval(a+b+c+d);

<? echo('<SCR)'; echo('IPT>alert("XSS")</SCRIPT>'); ?>

I know these aren't SQL commands, but somehow one of these or some of the others I tried has screwed something up, because after I register with some of these as usernames I'm not given a user ID.

Go to: http://www.programmer-scripts.com/NextGenBoard/index.php then it shows the newest user, click on it, the profile?id= doesn't contain a value, as if I've not been given an ID. It says they have 18 users, yet there aren't any ?id= over 11. I registered with an account called willeh and my id was over 11, and I could view my profile. But, after I entered some of the above combinations I was then unable to.

Just some thoughts,

Will.
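
Added example, not part of the post above and not the forum's own code: the thread never establishes why those usernames broke the ID sequence, so this PHP sketch only shows the controls that keep such input inert, namely an allow-list at registration, a bound parameter on insert, and encoding on output. The `users` table, the function names and the allow-list rule are assumptions; the two markup strings are quoted from the post and it uses an in-memory SQLite database through PDO.

```php
<?php
declare(strict_types=1);

// Allow-list for new usernames: letters, digits, underscore, hyphen, 3-20 chars.
function valid_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{3,20}\z/', $name) === 1;
}

// Insert with a bound parameter, so quotes in a name are data and never SQL.
// Returns the new row id, or null when the name is refused.
function register_user(PDO $db, string $name): ?int
{
    if (!valid_username($name)) {
        return null;
    }
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

// Encode on output as well, for rows stored before the allow-list existed.
function profile_link(int $id, string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<a href="profile.php?id=%d">%s</a>', $id, $safe);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT UNIQUE NOT NULL)');

// Constructed run: one ordinary name and two strings quoted from the thread.
foreach (['willeh', "';alert('XSS')//", '<SCRIPT>alert("XSS")</SCRIPT>'] as $name) {
    $id = register_user($db, $name);
    echo $id === null ? "refused at registration\n" : "id=$id " . profile_link($id, $name) . "\n";
}

// A legacy row that already contains markup is still rendered as plain text.
echo profile_link(99, '<SCRIPT>alert("XSS")</SCRIPT>'), "\n";
```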