Topic: [Hack-A-Thon: Round 2 ended] Hack my site - page 2. (Read 24353 times)

legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 11:55:13 AM
#51
Hack-a-thon: round 1 will close at the end of the 18th, 11:59 pm.
Payments will be provided at that time; I will be PMing soon for bitcoin addresses.
full member
Activity: 140
Merit: 100
August 18, 2011, 01:55:46 AM
#50
Here is some code I used to use whenever I have a page that connects to the DB....I put this code in my PHP include that is at the top of the page before any other code is run.

Maybe someone else can verify it will help....

Code:

// Escape every incoming GET/POST/COOKIE value before any other code runs.
// Done recursively, so nested inputs such as qty[] are handled instead of
// tripping a warning from mysql_real_escape_string on an array value.
// Needs an open mysql connection, since the escaping depends on the
// connection's character set.
function escape_deep($value)
{
  if (is_array($value)) {
    return array_map('escape_deep', $value);
  }
  if (get_magic_quotes_gpc()) {
    // undo magic-quotes escaping first so the value isn't escaped twice
    $value = stripslashes($value);
  }
  return mysql_real_escape_string($value);
}

$_GET    = escape_deep($_GET);
$_POST   = escape_deep($_POST);
$_COOKIE = escape_deep($_COOKIE);

It's just a quick and dirty way to escape everything as it comes in... but you should still escape stuff just before it hits the DB too, or using prepared statements helps a lot.

 
Edit: Also note that this function won't escape HTML entities '<>'...  you should escape those just prior to being displayed on screen.

legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 01:52:21 AM
#49
 Grin

Oh...  I also put some strange inputs in account details for some test accounts I made.  Take a look in your back end pages that list your user accounts.  Look through your users' account details for any HTML or javascript that hasn't been escaped properly.
I was attempting to check but I can't seem to gain access to my database at all at this point.
full member
Activity: 140
Merit: 100
August 18, 2011, 01:38:57 AM
#48
 Grin

Oh...  I also put some strange inputs in account details for some test accounts I made.  Take a look in your back end pages that list your user accounts.  Look through your users' account details for any HTML or javascript that hasn't been escaped properly.

sr. member
Activity: 275
Merit: 250
August 18, 2011, 01:32:46 AM
#47
SQL injection in cateId parameter - showcategory.php

Add ' to the end of the cateId,

Code:
GET /showcategory.php?cateId=25' HTTP/1.1

and you get another (very helpful and informative) mysql database error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\' ORDER BY `id` DESC LIMIT 0,10' at line 1

Now if you just change the way the app handles that error and simply don't send the details back to the user, WE STILL KNOW THE VULN IS THERE, so that won't work, you need to really fix it.

I've gotta go, but maybe tomorrow I'll post some more if everyone else didn't already get to everything.



sr. member
Activity: 275
Merit: 250
August 18, 2011, 01:18:12 AM
#46
SQL injection in qty parameter of cart.php?

If you send a single quote (') for the qty parameter,

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00'

you get a mysql database error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' at line 4

If you use two single quotes instead:

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00''

you don't get the error:

Code:
HTTP/1.1 302 Found
Date: Thu, 18 Aug 2011 04:21:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Location: /login.php?
Vary: Accept-Encoding
Content-Length: 13
Connection: close
Content-Type: text/html


So it looks like the site tries to block SQL injection, but you just URL-encode a NULL (%00) before the quote or whatever's getting blocked, and you've gotten around the filter.

So is this some kind of php extension that's checking for sql injection characters like the single quote?

Did you develop the shopping cart in-house, or is it "third-party" software?

Can you show us the code?

While it doesn't fix or prevent the underlying sql injection issue in the php code, I would have your developer add some more "friendly" and generic error handling so these mysql errors don't get sent back to the user.

I'm sure by the time I finish typing this someone will show you how to actually exploit the sql injection vulnerability.
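The fixes the posts above ask for (integer validation, prepared statements instead of quote filtering, generic error handling with details kept in the server log, and escaping at output time) as one added PHP example; this is not the site's code, and the DSN, credentials, table and column names are assumptions. Only the `id` column, `ORDER BY \`id\` DESC` and the `LIMIT` clause come from the error message quoted in the thread.

```php
<?php
// Added example (not the site's code): cateId and qty handled with PDO
// prepared statements, so a quote or a NUL byte in the input stays data.
// DSN, credentials, table and column names are assumptions; only `id`,
// ORDER BY `id` DESC and LIMIT come from the error message in the thread.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8', 'shop', 'secret',
    array(PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
          PDO::ATTR_EMULATE_PREPARES => false)); // real server-side prepares

// Both parameters are integers by contract: reject anything else up front,
// before the value gets anywhere near a query.
function require_int($value, $min = 0, $max = PHP_INT_MAX)
{
    $n = filter_var($value, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => $min, 'max_range' => $max)));
    if ($n === false) {
        throw new InvalidArgumentException('expected an integer');
    }
    return $n;
}

function list_category(PDO $pdo, $cateId, $page = 0, $perPage = 10)
{
    $stmt = $pdo->prepare('SELECT id, title, price FROM products '
        . 'WHERE category_id = :cat ORDER BY `id` DESC LIMIT :off, :cnt');
    $stmt->bindValue(':cat', require_int($cateId, 1), PDO::PARAM_INT);
    $stmt->bindValue(':off', require_int($page) * $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':cnt', $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function add_to_cart(PDO $pdo, $userId, $productId, $qty)
{
    $stmt = $pdo->prepare('INSERT INTO cart (user_id, product_id, qty) VALUES (?, ?, ?)');
    $stmt->execute(array($userId, require_int($productId, 1), require_int($qty, 1, 999)));
}

try {
    $cateId = isset($_GET['cateId']) ? $_GET['cateId'] : '';
    foreach (list_category($pdo, $cateId) as $row) {
        // escape at output time, so user-supplied titles cannot inject HTML/JS
        echo '<li>', htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), '</li>';
    }
} catch (Exception $e) {
    error_log($e->getMessage());         // details go to the server log,
    echo 'Sorry, something went wrong.';  // not back to the browser
}
```

With emulated prepares off, the bound integers are sent to MySQL separately from the statement text, which is what makes the `%00'` trick irrelevant rather than merely filtered.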
full member
Activity: 140
Merit: 100
August 18, 2011, 12:57:34 AM
#45
Tongue  I can run my own javascript on your site!

Put this in the search...  Hello

Then after it searches, put your mouse over the word Hello... the numbers 666 will pop up in a javascript alert box.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 12:52:34 AM
#44
I tried to check out.. and I got this error:

"Fatal error: Uncaught BitcoinClientException:
  • : Connect error: Connection refused (111) thrown in on line 0"

Probably just means your bitcoind is down...


Oh, BTW, what are your validation rules for zip code? I'm in Canada, and our postal codes have letters in them... if you're going to ship internationally, allow letters in the zip code, please.

Perhaps just a slight oversight: your link on the top menu to register is broken.
"The requested URL /register.php was not found on this server."


I have started the bitcoin daemon, so there should be no more bitcoin client exception errors.

I'll count the /register.php error.

About your zip code question: I will in the future be able to ship internationally, but at the moment I'm starting small and only shipping in the USA. Once I start to get the hang of things I'll look into shipping internationally. Thanks!

Use zip code 96001 if you need a USA zip code.

valid formats should be 00000-0000
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 12:49:44 AM
#43
While in any category, such as "http://www.cheaperinbitcoins.com/showcategory.php?cateId=25", the "Grid" and "List" icon links are broken.

Grid:
Code:
Not Found

The requested URL /listing_4.html was not found on this server.

Apache/2.2.14 (Ubuntu) Server at www.cheaperinbitcoins.com Port 80

List:
Code:
Not Found

The requested URL /listing_3.html was not found on this server.

Apache/2.2.14 (Ubuntu) Server at www.cheaperinbitcoins.com Port 80

Sitemap link is 404 also.

Yeah, that will count, since those were supposed to be finished in the final product.
Payments will be awarded at the end of the week (end of round 1)
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 18, 2011, 12:48:09 AM
#42
Chrome 14.0.835.35.  Item title goes behind BTC price.  I believe the offending div is "s_item_clearfix".  Repeats on many other items.
Are you looking for layout quirks like that also, or only security holes?

Looking for security holes.

Just as a note: some products have only been imported from XML files, so there is still work to be done on the titles as well as the descriptions.
hero member
Activity: 630
Merit: 500
August 18, 2011, 12:28:39 AM
#41
While in any category, such as "http://www.cheaperinbitcoins.com/showcategory.php?cateId=25", the "Grid" and "List" icon links are broken.

Grid:
Code:
Not Found

The requested URL /listing_4.html was not found on this server.

Apache/2.2.14 (Ubuntu) Server at www.cheaperinbitcoins.com Port 80

List:
Code:
Not Found

The requested URL /listing_3.html was not found on this server.

Apache/2.2.14 (Ubuntu) Server at www.cheaperinbitcoins.com Port 80

Sitemap link is 404 also.
hero member
Activity: 630
Merit: 500
August 18, 2011, 12:22:56 AM
#40
Chrome 14.0.835.35.  Item title goes behind BTC price.  I believe the offending div is "s_item_clearfix".  Repeats on many other items.
Are you looking for layout quirks like that also, or only security holes?
full member
Activity: 140
Merit: 100
August 17, 2011, 11:25:59 PM
#39
I tried to check out.. and I got this error:

"Fatal error: Uncaught BitcoinClientException:
  • : Connect error: Connection refused (111) thrown in on line 0"

Probably just means your bitcoind is down...


Oh, BTW, what are your validation rules for zip code? I'm in Canada, and our postal codes have letters in them... if you're going to ship internationally, allow letters in the zip code, please.

Perhaps just a slight oversight: your link on the top menu to register is broken.
"The requested URL /register.php was not found on this server."

legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 17, 2011, 10:48:21 PM
#38
Server's back up Cheesy Okay, apparently I was on a bad node. So let's see how this good node works. Continue the testing!!! FULL STEAM AHEAD!!!
legendary
Activity: 1358
Merit: 1002
August 17, 2011, 09:57:43 PM
#37
Any hosting suggestions?

I have several dedicated servers on Worldstream with 1 year+ uptime. Can't really say how fast their technical support is because luckily I never needed to use it. But their sales support is all right, at least during the week and on Dutch work hours.

Your mileage may vary, of course Smiley
full member
Activity: 140
Merit: 100
August 17, 2011, 09:51:05 PM
#36
yea... just tried.. it's down... no joy.

If you want to try something where you have full control of your server, try linode.

I used them before and really like the platform.

They have a bunch of different linux distros you can install and have full root access.

http://www.linode.com/

Their basic plan is $19.95 per month and gives you 20 GB of disk space... not sure if that's enough... how many GB is the blockchain these days? The basic plan should be good enough for most start-up websites, but I'm not sure how much resources bitcoind would use on it.

I heard someone else say they were running bitcoind on there...but not sure what plan he is under.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 17, 2011, 09:28:05 PM
#35
Server back up. It will be a moment before the bitcoin daemon is back up. Thanks for your patience.

Edit: apache2 won't boot. It has come to my attention I need a new host; this is just ridiculous. Any hosting suggestions?

Yeah, having too many problems with this host. Hack-A-thon held off until tomorrow; I'm getting a different host.
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
August 17, 2011, 08:50:26 PM
#34
It's stuck in restart, I just submitted a ticket Tongue
full member
Activity: 140
Merit: 100
August 17, 2011, 08:48:56 PM
#33
Yea... both http and https sites are down for me too.   Cry
member
Activity: 145
Merit: 10
August 17, 2011, 08:15:20 PM
#32
I'll PM you my findings in the morning, lol, if I'm able to connect to the server.