Topic: [Hack-A-Thon: Round 2 ended] Hack my site (Read 24353 times)

legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 21, 2011, 11:48:52 PM
#71
Let me know if you sent any BTC to the cheaperinbitcoins.com website to test out the shopping cart and you want your BTC back. Last time I checked, the balance was 0, but I haven't checked the offline account at all yet. Let me know before the 1st of September; I'm wiping everything for the beta.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 21, 2011, 01:01:00 PM
#70
Set bonus value to .5BTC since I haven't heard any bug reports lately.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 19, 2011, 11:13:27 PM
#69
From the looks of the database, I just need to validate email addresses and I'm golden Wink
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 19, 2011, 10:08:02 PM
#68
SQL injection in qty parameter of cart.php?

If you send a single quote (') for the qty parameter,

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00'

you get a mysql database error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' at line 4

If you use two single quotes instead:

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00''

you don't get the error:

Code:
HTTP/1.1 302 Found
Date: Thu, 18 Aug 2011 04:21:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Location: /login.php?
Vary: Accept-Encoding
Content-Length: 13
Connection: close
Content-Type: text/html


So it looks like the site tries to block SQL injection, but you just URL-encode a NULL (%00) before the quote or whatever's getting blocked, and you've gotten around the filter.

So is this some kind of php extension that's checking for sql injection characters like the single quote?

Did you develop the shopping cart in-house, or is it "third-party" software?

Can you show us the code?

While it doesn't fix or prevent the underlying sql injection issue in the php code, I would have your developer add some more "friendly" and generic error handling so these mysql errors don't get sent back to the user.

I'm sure by the time I finish typing this someone will show you how to actually exploit the sql injection vulnerability.

I will give 0.30BTC for someone to successfully exploit this suggestion.

As a note, I have only granted the following privileges since the beginning of this hack-a-thon: "SELECT,UPDATE,INSERT,DELETE".
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 19, 2011, 09:10:44 PM
#67
Looks like I forgot to reset prices back to .01BTC. I'll change that so everyone can continue to test the shopping cart system and the refund system. Please PM me if you deposit money, as I haven't made an admin panel that will notify me of such things and must do manual lookups.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 19, 2011, 07:48:05 PM
#66
Is it OK to go after the database server itself?

I won't kill it.  Grin

I encourage you to extract database information and provide a pastebin on it Cheesy

Something like that includes bonus rewards
member
Activity: 62
Merit: 10
August 19, 2011, 07:40:56 PM
#65
Nitpicking...

Apache/2.2.17 (Ubuntu)
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

PHP/5.3.5-1ubuntu7
Your PHP version is being displayed in HTTP response.

Cookie was not marked as HttpOnly
HttpOnly cookies cannot be read by client-side scripts; therefore, marking a cookie as HttpOnly can provide an additional layer of protection against Cross-site Scripting attacks.

register_password form field in login.php allows autocomplete
disable autocomplete

Apache MultiViews option is enabled
This vulnerability can be used for locating and obtaining access to some hidden resources.

Say when...  Grin
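The five nitpicks above map onto a handful of server and application settings. On the Apache side they are ServerTokens Prod and ServerSignature Off (trims the Server header to just "Apache"), expose_php = Off in php.ini (drops the X-Powered-By header) and Options -MultiViews on the document root. The application side is shown below as an added example, not code from the site in the thread; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params() and setcookie()), and the cookie name and field name are placeholders apart from register_password, which is the field named in the post.

```php
<?php
// Added example (not the site's own code): response and cookie hardening for
// the points raised in the thread. Assumes PHP 7.3+; the Apache directives
// (ServerTokens, ServerSignature, Options -MultiViews) live in the server
// config and are not reproduced here.

declare(strict_types=1);

/**
 * Hide the PHP version. expose_php = Off in php.ini is the primary control;
 * removing the header here also covers hosts where php.ini is not ours to edit.
 */
function stripServerFingerprint(): void
{
    header_remove('X-Powered-By');
}

/**
 * Start the session with hardened cookie flags: HttpOnly keeps the session id
 * out of document.cookie, Secure restricts it to TLS (once the certs the
 * thread mentions are in place), SameSite=Lax limits cross-site sending.
 */
function startHardenedSession(bool $httpsAvailable): void
{
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => $httpsAvailable,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

/**
 * Any additional cookie the cart sets (name is a placeholder) gets the same flags.
 */
function setHardenedCookie(string $name, string $value, bool $httpsAvailable): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => $httpsAvailable,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Render the password field with autocomplete disabled, as the post suggests.
 */
function passwordFieldHtml(string $name = 'register_password'): string
{
    return '<input type="password" name="'
         . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" autocomplete="off">';
}

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
stripServerFingerprint();
startHardenedSession($https);
setHardenedCookie('cart_ref', 'placeholder-value', $https);
echo passwordFieldHtml();
```

The Secure flag is gated on HTTPS actually being available because a Secure cookie is never sent over plain HTTP, which would break login on the server until the SSL certificates mentioned later in the thread are installed. Note also that most current browsers ignore autocomplete="off" on password fields in favour of their own password managers, so that attribute is a minor hardening rather than a control to rely on.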



member
Activity: 62
Merit: 10
August 19, 2011, 06:59:47 PM
#64
Is it OK to go after the database server itself?

I won't kill it.  Grin
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 19, 2011, 06:57:17 PM
#63
login.php is transmitting the password over regular HTTP.

Which reminds me to setup the SSL certs on the new server. Thanks mate!
member
Activity: 62
Merit: 10
August 19, 2011, 06:52:07 PM
#62
1) login.php is transmitting the password over regular HTTP.

2) I'm still able to insert Javascript/Perl/PHP/SQL into your database

And you should be able to watch some of the things I'm doing right now... I'm giving your forms a workout.  Grin
member
Activity: 62
Merit: 10
August 19, 2011, 06:05:01 PM
#61
On it. Trying a few other angles this go around...  Wink
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 19, 2011, 03:18:13 PM
#60
Hack-A-Thon is a go Cheesy

I've patched up some things and edited some stuff, let me know if you find anything this time. After this round I plan on doing some discussions with those that have offered the help to get right down to PHP security.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 19, 2011, 03:07:00 PM
#59
I know I said the hack-a-thon would start at 12am today, but I haven't uploaded the new files. So I'm doing that right now... should only be 30 minutes, then the hack-a-thon will resume.
full member
Activity: 140
Merit: 100
August 18, 2011, 09:49:31 PM
#58
Thanks for the bounty!

legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 06:57:18 PM
#57
SQL injection in qty parameter of cart.php?

If you send a single quote (') for the qty parameter,

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00'

you get a mysql database error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' at line 4

If you use two single quotes instead:

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00''

you don't get the error:

Code:
HTTP/1.1 302 Found
Date: Thu, 18 Aug 2011 04:21:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Location: /login.php?
Vary: Accept-Encoding
Content-Length: 13
Connection: close
Content-Type: text/html


So it looks like the site tries to block SQL injection, but you just URL-encode a NULL (%00) before the quote or whatever's getting blocked, and you've gotten around the filter.

So is this some kind of php extension that's checking for sql injection characters like the single quote?

Did you develop the shopping cart in-house, or is it "third-party" software?

Can you show us the code?

While it doesn't fix or prevent the underlying sql injection issue in the php code, I would have your developer add some more "friendly" and generic error handling so these mysql errors don't get sent back to the user.

I'm sure by the time I finish typing this someone will show you how to actually exploit the sql injection vulnerability.

From what I can tell you, I've basically just mysql_real_escape_string()'d everything before getting sent to functions, as well as the functions themselves mysql_real_escape_string().

Use PHP exceptions to check form input and handle any errors (i.e. try/catch).  You can even extend the exception class to your liking.  I am willing to help you with this if need be.

Yes, I'll definitely need some assistance with escaping.

PM'ing
member
Activity: 62
Merit: 10
August 18, 2011, 06:30:38 PM
#56
SQL injection in qty parameter of cart.php?

If you send a single quote (') for the qty parameter,

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00'

you get a mysql database error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' at line 4

If you use two single quotes instead:

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00''

you don't get the error:

Code:
HTTP/1.1 302 Found
Date: Thu, 18 Aug 2011 04:21:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Location: /login.php?
Vary: Accept-Encoding
Content-Length: 13
Connection: close
Content-Type: text/html


So it looks like the site tries to block SQL injection, but you just URL-encode a NULL (%00) before the quote or whatever's getting blocked, and you've gotten around the filter.

So is this some kind of php extension that's checking for sql injection characters like the single quote?

Did you develop the shopping cart in-house, or is it "third-party" software?

Can you show us the code?

While it doesn't fix or prevent the underlying sql injection issue in the php code, I would have your developer add some more "friendly" and generic error handling so these mysql errors don't get sent back to the user.

I'm sure by the time I finish typing this someone will show you how to actually exploit the sql injection vulnerability.

From what I can tell you, I've basically just mysql_real_escape_string()'d everything before getting sent to functions, as well as the functions themselves mysql_real_escape_string().

Use PHP exceptions to check form input and handle any errors (i.e. try/catch).  You can even extend the exception class to your liking.  I am willing to help you with this if need be.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 06:24:56 PM
#55
I will be requesting payment addresses today while I fix up the new server. Round 2 starts at 12am Pacific Standard Time and will go on as long as it must.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 06:23:21 PM
#54
SQL injection in qty parameter of cart.php?

If you send a single quote (') for the qty parameter,

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00'

you get a mysql database error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' at line 4

If you use two single quotes instead:

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00''

you don't get the error:

Code:
HTTP/1.1 302 Found
Date: Thu, 18 Aug 2011 04:21:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Location: /login.php?
Vary: Accept-Encoding
Content-Length: 13
Connection: close
Content-Type: text/html


So it looks like the site tries to block SQL injection, but you just URL-encode a NULL (%00) before the quote or whatever's getting blocked, and you've gotten around the filter.

So is this some kind of php extension that's checking for sql injection characters like the single quote?

Did you develop the shopping cart in-house, or is it "third-party" software?

Can you show us the code?

While it doesn't fix or prevent the underlying sql injection issue in the php code, I would have your developer add some more "friendly" and generic error handling so these mysql errors don't get sent back to the user.

I'm sure by the time I finish typing this someone will show you how to actually exploit the sql injection vulnerability.

From what I can tell you, I've basically just mysql_real_escape_string()'d everything before getting sent to functions, as well as the functions themselves mysql_real_escape_string().
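The qty report quoted in this thread (posts #54 through #68) and the mysql_real_escape_string() / try-catch exchange share one lesson: a blacklist on quote characters is fragile (the report shows one evaded by prefixing a NUL byte), and string escaping is a weaker defence than never letting user input become part of the SQL text at all. A quantity is an integer, so the correct check is "is this a small positive integer", and the query should bind it as a parameter. The handler below is an added example, not the cheaperinbitcoins.com cart code (which the thread never shows); it assumes PHP 7 or later with the PDO MySQL driver, a cart_items table with a unique key on (session_id, product_id), and placeholder credentials.

```php
<?php
// Added example (not the site's own code): a hardened cart.php "add" handler.
// Assumptions: PHP 7+, PDO MySQL driver, a table
// cart_items(session_id, product_id, qty) with UNIQUE (session_id, product_id),
// and placeholder database credentials.

declare(strict_types=1);

/** Fetch a request parameter as a string; arrays (qty[]=1) are rejected, not coerced. */
function stringParam(array $source, string $key): string
{
    $v = $source[$key] ?? '';
    return is_string($v) ? $v : '';
}

/**
 * Validate the quantity: only ASCII digits, value 1..999. ctype_digit() is
 * false for the empty string and for any non-digit byte, NUL included, so
 * "1\0'" never gets near the query regardless of how it was encoded.
 */
function parseQty(string $raw): ?int
{
    if (!ctype_digit($raw) || strlen($raw) > 3) {
        return null;
    }
    $qty = (int) $raw;
    return ($qty >= 1 && $qty <= 999) ? $qty : null;
}

/** Same idea for productId: digits only, bounded length. */
function parseProductId(string $raw): ?int
{
    return (ctype_digit($raw) && strlen($raw) <= 9) ? (int) $raw : null;
}

/**
 * Insert or bump the cart line with a prepared statement. The values are bound
 * as parameters, so they are data to the server, never SQL text; escaping is
 * not what protects this query.
 */
function addToCart(PDO $pdo, string $sessionId, int $productId, int $qty): void
{
    $sql = 'INSERT INTO cart_items (session_id, product_id, qty) VALUES (:sid, :pid, :qty)
            ON DUPLICATE KEY UPDATE qty = qty + VALUES(qty)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':sid', $sessionId, PDO::PARAM_STR);
    $stmt->bindValue(':pid', $productId, PDO::PARAM_INT);
    $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
    $stmt->execute();
}

// --- request handling --------------------------------------------------------

session_start();
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'placeholder-password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures raise, they are not silent
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

$qty       = parseQty(stringParam($_POST, 'qty'));
$productId = parseProductId(stringParam($_GET, 'productId'));

if ($qty === null || $productId === null) {
    http_response_code(400);
    echo 'Invalid quantity or product.'; // generic: no SQL, no internals
    exit;
}

try {
    addToCart($pdo, session_id(), $productId, $qty);
    header('Location: /cart.php', true, 302);
} catch (PDOException $e) {
    // The real error goes to the server log; the user sees a generic message,
    // which is the "friendly" error handling the report asks for.
    error_log('cart add failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, your cart could not be updated. Please try again later.';
}
```

Two design points: validation is an allow-list on the expected type rather than a deny-list on dangerous characters, so encoding tricks have nothing to evade; and the try/catch logs the PDOException server-side while returning a fixed message, so a MySQL syntax error can no longer be used as an oracle for what the query looks like.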
member
Activity: 62
Merit: 10
August 18, 2011, 05:37:15 PM
#53
Take a look at some of the email addresses that were submitted. Was able to submit full PHP statements and it accepted them. Which means I can implant code snippets in the database for later use.

I.e. you do a JOIN with First Name / Last Name to display on the page. You will begin assembling code snippets for me. Smiley

You need conditionals to test for exactly the type of data that will be submitted in each form field and, most importantly, escape anything and everything being submitted to you in forms. And lastly, escape everything.
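The point of the post above, and of the "validate email addresses" fix the site owner later proposes, is that form fields should be checked against the type of data they are meant to hold, and that whatever is stored must be treated as text when it is rendered. Stored "code snippets" only matter if something later interprets them, so the output side is where the real protection lives. The following is an added example, not the site's code; it assumes PHP 7 or later, and the sample submissions are constructed for the example.

```php
<?php
// Added example (not the site's own code): type-checking the e-mail and name
// fields, and escaping stored values on output so that anything that was
// stored stays inert text. Assumes PHP 7+; sample rows are constructed.

declare(strict_types=1);

/** Accept only a syntactically valid e-mail address of sane length, or null. */
function validateEmail(string $raw): ?string
{
    $email = trim($raw);
    if (strlen($email) > 254) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL rejects characters such as '<', '>' and spaces in
    // an unquoted address, so "<script>...</script>@host" does not pass.
    $ok = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

/**
 * Accept a person's name: non-empty, bounded length, no control bytes.
 * Apostrophes are legitimate in names (O'Brien), so quotes are not
 * blacklisted; prepared statements and output escaping handle them.
 */
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    // Reject control characters, NUL included.
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;
    }
    return $name;
}

/** Escape on output: stored text is rendered as text, never as markup. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one customer row of the JOIN described in the post, escaped. */
function renderCustomerRow(array $row): string
{
    return '<tr><td>' . h($row['first_name']) . ' ' . h($row['last_name'])
         . '</td><td>' . h($row['email']) . '</td></tr>';
}

// Constructed sample submissions, including the kinds of payload the post describes.
$submissions = [
    ['first' => "O'Brien", 'last' => 'Smith', 'email' => 'obrien@example.com'],
    ['first' => '<?php echo 1; ?>', 'last' => 'Doe', 'email' => 'doe@example.com'],
    ['first' => 'Eve', 'last' => 'Adams', 'email' => '<script>alert(1)</script>@example.com'],
];

foreach ($submissions as $s) {
    $first = validateName($s['first']);
    $last  = validateName($s['last']);
    $email = validateEmail($s['email']);
    if ($first === null || $last === null || $email === null) {
        echo 'rejected: ' . h($s['email']) . "\n";
        continue;
    }
    // Row 2 passes name validation (it contains no control bytes) but renders
    // as the literal text "&lt;?php echo 1; ?&gt;", i.e. harmless.
    echo renderCustomerRow(['first_name' => $first, 'last_name' => $last, 'email' => $email]) . "\n";
}
```

Run with php on the command line to see the first two rows rendered with the PHP tags escaped and the third submission rejected at the e-mail check. The split is deliberate: the name field cannot be tightly typed without rejecting real names, so it is bounded and cleaned of control bytes and then escaped on output, while the e-mail field has a precise format and is validated against it.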
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 03:01:19 PM
#52
Apparently the product images don't work on the live server, only on my local one. This should be fixed next round.

Server is being taken down..... I'm switching servers. This may take at least 24 hours.