Author

Topic: HELP NEEDED!! (0.5 btc bounty) (Read 1584 times)

full member
Activity: 168
Merit: 100
Firstbits: 175wn
June 06, 2012, 04:20:14 PM
#17
You can get a list of ip addresses for a ton of tor exit nodes like this:
Code:
curl http://exitlist.torproject.org/exit-addresses | grep -o -e "ExitAddress [^ ]*" | sed "s/ExitAddress //" > ipban.txt

If you run this in a bash terminal, it'll download a list of tor exit nodes from the tor project, format it in a nice, easy to use format, and save it to a file named ipban.txt.
You might want to set up, eg. a cron job to run this and update the file every once and a while.

Then, you just need to make your script deny anyone with one of these ip addresses. Then, nobody can access your site over tor.

This is what that command gives me at the moment:
http://pastebin.com/0iM6GrkM
member
Activity: 70
Merit: 10
June 06, 2012, 06:31:18 AM
#16
Thank you for this.. I`m gonna fix it Wink
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
June 05, 2012, 07:57:45 PM
#15
Two vulnerabilities:
1. The user can change the countdown value via firefox extension or Chrome's developer console
2. The user can request a CAPTCHA, then send a POST request directly to the server.
vip
Activity: 756
Merit: 503
June 05, 2012, 07:36:40 PM
#14
Script to block Tor exit nodes: https://unixd0rk.livejournal.com/128269.html

You can get CSV of Tor exit node here: http://torstatus.blutmagie.de/
full member
Activity: 182
Merit: 100
June 05, 2012, 07:30:50 PM
#13
That is a pretty big hole...Is there a way to move the timer out of java?
member
Activity: 61
Merit: 10
June 05, 2012, 03:59:58 PM
#12
I've noticed that the timer was purely in javascript, so it was easy to override that with a Firefox extention that allows the user to execute any javascript.
full member
Activity: 182
Merit: 100
June 03, 2012, 08:25:52 PM
#11

Can you tell me where to find some information about detecting tor exit nodes? I tried it with google but there is no useful info..

I think you can find a list if you download the tor software.
hero member
Activity: 576
Merit: 514
June 01, 2012, 02:41:28 PM
#10
Or he could just use rbls provided by sorbs, spamhaus and efnet.
hero member
Activity: 700
Merit: 507
June 01, 2012, 02:37:51 PM
#9
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I`m uploading the new Version right now.. Wink


Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets send out.

Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!

I bet the guy was using tor so ip blacklist will not work on that, cause the user can change the ip and there is so many nodes, so look into blocking the whole tor network, I know there a way to do that.

ok.. I`m gonna implement that too.. thanks for your suggestion! Smiley

Also make sure your scripts can only be accessed from other scripts like it sounds like you just allowed anyone to execute it, you need to use .htaccess file to make sure only scripts and your site can execute those files individually

Can you tell me where to find some information about detecting tor exit nodes? I tried it with google but there is no useful info..


Code:
function IsTorExitPoint(){
if (gethostbyname(ReverseIPOctets($_SERVER['REMOTE_ADDR']).".".$_SERVER['SERVER_PORT'].".".ReverseIPOctets($_SERVER['SERVER_ADDR']).".ip-port.exitlist.torproject.org")=="127.0.0.2") {
return true;
} else {
return false;
}
}
function ReverseIPOctets($inputip){
$ipoc = explode(".",$inputip);
return $ipoc[3].".".$ipoc[2].".".$ipoc[1].".".$ipoc[0];
}

Does that one work for you?
member
Activity: 70
Merit: 10
June 01, 2012, 02:16:47 PM
#8
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I`m uploading the new Version right now.. Wink


Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets send out.

Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!

I bet the guy was using tor so ip blacklist will not work on that, cause the user can change the ip and there is so many nodes, so look into blocking the whole tor network, I know there a way to do that.

ok.. I`m gonna implement that too.. thanks for your suggestion! Smiley

Also make sure your scripts can only be accessed from other scripts like it sounds like you just allowed anyone to execute it, you need to use .htaccess file to make sure only scripts and your site can execute those files individually

Can you tell me where to find some information about detecting tor exit nodes? I tried it with google but there is no useful info..
member
Activity: 70
Merit: 10
June 01, 2012, 12:47:14 PM
#7
Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!
If I understand your site correctly, I can request 0.0025btc instantly without having to wait the 5 minutes. If I wait, I can get 0.005btc instead.
I'd start with a little math:
Captcha solving costs something between $1-$2 per 1000 captches.
1000 successful requests mean 2.5btc when you don't bother to wait.
Assuming ~$5/btc, you make $12.50 while paying $2, resulting in a $10.50 profit.

You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them.
Probably a good idea is to look around for a good real-time blacklist of proxies and block them.
Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.

I`ll keep that in mind and maybe I`m gonna implement this tomorrow if the site works fine again..
hero member
Activity: 576
Merit: 514
June 01, 2012, 11:54:47 AM
#6
Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!
If I understand your site correctly, I can request 0.0025btc instantly without having to wait the 5 minutes. If I wait, I can get 0.005btc instead.
I'd start with a little math:
Captcha solving costs something between $1-$2 per 1000 captches.
1000 successful requests mean 2.5btc when you don't bother to wait.
Assuming ~$5/btc, you make $12.50 while paying $2, resulting in a $10.50 profit.

You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them.
Probably a good idea is to look around for a good real-time blacklist of proxies and block them.
Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.
member
Activity: 70
Merit: 10
June 01, 2012, 11:45:53 AM
#5
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I`m uploading the new Version right now.. Wink


Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets send out.

Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!

I bet the guy was using tor so ip blacklist will not work on that, cause the user can change the ip and there is so many nodes, so look into blocking the whole tor network, I know there a way to do that.

ok.. I`m gonna implement that too.. thanks for your suggestion! Smiley
member
Activity: 70
Merit: 10
June 01, 2012, 11:13:02 AM
#4
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I`m uploading the new Version right now.. Wink


Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets send out.

Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!
hero member
Activity: 560
Merit: 500
Ad astra.
June 01, 2012, 11:01:35 AM
#3
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)
hero member
Activity: 576
Merit: 514
June 01, 2012, 09:28:28 AM
#2
Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets send out.
member
Activity: 70
Merit: 10
June 01, 2012, 09:02:25 AM
#1
Someone tries to cash me out.. There is a bug on my site and someone did try to steal my coins. He was able to order coins every 20 seconds via different proxies an with many different btcaddresses. If anyone can help me or will find this error, I would be very thankful. There is also a bounty on it (0.5)!

Edit: www.fiveminutecoin.com
Jump to: