
Topic: XAPO Script - Hacked - page 3. (Read 6092 times)

hero member
Activity: 504
Merit: 501
August 04, 2016, 04:27:52 PM
The patch is in PHP, server side; they can't have access, and this needs to be fixed right away. I can see your point, but a lot of people downloaded my script and they need to know now. I started a security patch thread already.
member
Activity: 132
Merit: 10
August 04, 2016, 04:24:52 PM
OK guys, there is another hack that can be fixed by replacing this code in your index.php file, not the one in style.


find this code
Code:
if($response->success){
      $view['main']['result_html'] = '

Congratulations you have won '.$amount.' Satoshis !!!

';
      $url = get_main_url()."?r=".$username;
      $view['main']['ref_link'] = '

Share your referal link and earn a '.$settings["referral_percentage"].'% lifetime bonus. Your referal link is '.$url.'

';

and replace with this


Code:
if($response->success){
      header('Refresh: 30;url=change to your faucets url');
 $view['main']['result_html'] = '

Congratulations you have won '.$amount.' Satoshis !!!

';
      $url = get_main_url()."?r=".$username;
      $view['main']['ref_link'] = '

Share your referal link and earn a '.$settings["referral_percentage"].'% lifetime bonus. Your referal link is '.$url.'

';

This redirects back to your page after 30 seconds so that the captcha resets, so that an iMacros program cannot be programmed to just refresh and get credit every hour while they are sleeping. I would suggest doing this immediately! Make sure you put your faucet address where it says "change to your faucets url".


@Gifted, would it not be better if we wait until you have made a full new version with all the changes in it? If we keep changing the code to whatever comes next, it seems like a lot of extra work on you as well. Call them v1.1 and use the new v1.2 so we know it is the updated version.

Example: Yesterday's security updates
v1.1

Today's security update
v1.2

And every update could have a version (v) attached to it. Would it not seem better if you made the change and then just updated the version number? In the description you can explain what is updated.

How much do you want to bet that hackers read these posts, see the code change, and are already looking for countermeasures to it? Personally, I think code that fixes a security measure should not be posted; keep it inside your files so no one sees it. The only way they can get the fix is by downloading the newest version in an update.

Just my thoughts.
hero member
Activity: 504
Merit: 501
August 04, 2016, 03:08:55 PM
OK guys, there is another hack that can be fixed by replacing this code in your index.php file, not the one in style.


find this code
Code:
if($response->success){
      $view['main']['result_html'] = '

Congratulations you have won '.$amount.' Satoshis !!!

';
      $url = get_main_url()."?r=".$username;
      $view['main']['ref_link'] = '

Share your referal link and earn a '.$settings["referral_percentage"].'% lifetime bonus. Your referal link is '.$url.'

';

and replace with this


Code:
if($response->success){
      header('Refresh: 30;url=change to your faucets url');
 $view['main']['result_html'] = '

Congratulations you have won '.$amount.' Satoshis !!!

';
      $url = get_main_url()."?r=".$username;
      $view['main']['ref_link'] = '

Share your referal link and earn a '.$settings["referral_percentage"].'% lifetime bonus. Your referal link is '.$url.'

';

This redirects back to your page after 30 seconds so that the captcha resets, so that an iMacros program cannot be programmed to just refresh and get credit every hour while they are sleeping. I would suggest doing this immediately! Make sure you put your faucet address where it says "change to your faucets url".
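The `Refresh: 30` header is a hint to the browser; a macro or script that ignores it, or simply re-posts the last claim request, is not slowed down at all. What stops the "refresh every hour while asleep" bot is enforcing the claim interval on the server and accepting each solved captcha only once. The following is an added example, not code from the Faucet-Builder script or the posts above. It assumes a PDO/SQLite store, the table and column names shown, a one-hour interval, and that a claim is identified by the payout address plus the visitor's IP; the sample address and IPs are made up.

```php
<?php
// Added example: server-side claim-interval enforcement and single-use
// captcha tokens. Not part of the Faucet-Builder script; table names,
// column names and CLAIM_INTERVAL are assumptions for this example.
declare(strict_types=1);

const CLAIM_INTERVAL = 3600;   // seconds between claims (assumed: 1 hour)
const NONCE_LIFETIME = 600;    // a solved captcha is valid for 10 minutes

// In-memory SQLite so the example runs stand-alone; use your real DB in index.php.
function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE claims (claim_key TEXT PRIMARY KEY, last_claim INTEGER NOT NULL)');
    $db->exec('CREATE TABLE captcha_nonces (nonce TEXT PRIMARY KEY, issued INTEGER NOT NULL)');
    return $db;
}

// Issued together with the captcha and embedded in the claim form as a hidden field.
function issue_nonce(PDO $db, int $now): string {
    $nonce = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO captcha_nonces (nonce, issued) VALUES (?, ?)')
       ->execute([$nonce, $now]);
    return $nonce;
}

// Deleting the row is the check: a replayed or expired nonce deletes nothing.
function consume_nonce(PDO $db, string $nonce, int $now): bool {
    $st = $db->prepare('DELETE FROM captcha_nonces WHERE nonce = ? AND issued > ?');
    $st->execute([$nonce, $now - NONCE_LIFETIME]);
    return $st->rowCount() === 1;
}

// Refuse if EITHER the address or the IP claimed inside the interval, so a
// bot rotating proxies still cannot drain one address faster than allowed.
function try_claim(PDO $db, string $address, string $ip, int $now): bool {
    $keys = ['addr:' . strtolower(trim($address)), 'ip:' . $ip];
    $db->beginTransaction();
    $sel = $db->prepare('SELECT last_claim FROM claims WHERE claim_key = ?');
    foreach ($keys as $key) {
        $sel->execute([$key]);
        $last = $sel->fetchColumn();
        $sel->closeCursor();
        if ($last !== false && $now - (int)$last < CLAIM_INTERVAL) {
            $db->rollBack();
            return false;
        }
    }
    $ins = $db->prepare('INSERT OR REPLACE INTO claims (claim_key, last_claim) VALUES (?, ?)');
    foreach ($keys as $key) {
        $ins->execute([$key, $now]);
    }
    $db->commit();
    return true;
}

// Constructed walk-through (address and IPs are sample values).
$db      = open_store();
$now     = time();
$address = 'alice@example.com';
$nonce   = issue_nonce($db, $now);

// 1. Real visitor: solves the captcha once, claims once.
$paid = consume_nonce($db, $nonce, $now) && try_claim($db, $address, '203.0.113.5', $now);
echo 'first claim:          ', $paid ? 'paid' : 'refused', PHP_EOL;

// 2. Bot replays the same form submission: the nonce has already been consumed.
echo 'replayed nonce:       ', consume_nonce($db, $nonce, $now + 5) ? 'accepted' : 'refused', PHP_EOL;

// 3. Same address through a fresh proxy IP one minute later: still inside the interval.
echo 'new IP, same address: ', try_claim($db, $address, '198.51.100.9', $now + 60) ? 'paid' : 'refused', PHP_EOL;

// 4. A full interval later the address may claim again.
echo 'after the interval:   ', try_claim($db, $address, '203.0.113.5', $now + CLAIM_INTERVAL) ? 'paid' : 'refused', PHP_EOL;
```

In index.php the order matters: verify the captcha and consume the nonce first, then call the claim check, and only then send the payout request; if the payout is attempted before the interval row is written, two simultaneous submissions can both be paid. The interval check is done inside a transaction for the same reason.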
hero member
Activity: 504
Merit: 501
August 04, 2016, 02:25:41 PM
@Gifted
Thank you for your amazing script. I hear about security problems in your code; if you want, I can help fix the problems.
What can you do? @babo

Improve your script; for work I'm a real front-end/full-stack developer. I'm working with JavaScript but I also know PHP.
Sure, take a look: https://github.com/destinybogan/Faucet-Builder/archive/master.zip

I think it needs some kind of better admin for banning IPs and seeing who's been claiming, also better security against multi-claiming with proxies, VPNs, etc. Maybe a timer for the button to get a better bounce rate.

Feel free to give it a shot.


OK Gifted, during the holidays I'll try to improve the admin panel, specifically the IP banning admin panel page.
Great, would love to see what you add.
legendary
Activity: 3696
Merit: 4343
The hacker spirit breaks any spell
August 04, 2016, 01:25:09 PM
@Gifted
Thank you for your amazing script. I hear about security problems in your code; if you want, I can help fix the problems.
What can you do? @babo

Improve your script; for work I'm a real front-end/full-stack developer. I'm working with JavaScript but I also know PHP.
Sure, take a look: https://github.com/destinybogan/Faucet-Builder/archive/master.zip

I think it needs some kind of better admin for banning IPs and seeing who's been claiming, also better security against multi-claiming with proxies, VPNs, etc. Maybe a timer for the button to get a better bounce rate.

Feel free to give it a shot.


OK Gifted, during the holidays I'll try to improve the admin panel, specifically the IP banning admin panel page.
member
Activity: 132
Merit: 10
August 04, 2016, 04:48:35 AM
Thanks for bringing up the iMacros thing... I just found another security problem, but I don't want to share it here until it's fixed.

@Gifted, have you considered trying out the Sandboxie software, and asking if it can be incorporated into the script?

http://www.sandboxie.com/

I am just asking because on one of my WordPress sites I set up WooCommerce and connected it to the PayPal gateway, and I had to set it up using the Sandboxie software to make it secure.
member
Activity: 132
Merit: 10
August 04, 2016, 04:38:00 AM
Where would he allow proxy servers now that he has disabled them completely?
hero member
Activity: 504
Merit: 501
August 04, 2016, 04:32:19 AM
Thanks for bringing up the iMacros thing... I just found another security problem, but I don't want to share it here until it's fixed.
hero member
Activity: 504
Merit: 501
August 04, 2016, 04:28:47 AM
Check my faucet as well and let me know what you think about it. http://viral-alert.com/xapo
@viralalert: it's working for your page.
member
Activity: 132
Merit: 10
August 04, 2016, 04:24:55 AM
I'm testing your scripts here, Gifted: http://www.bitcoinamerica.com.br/faucet
except the adblock one (got some bug here)
Thanks for all!

When I go there it just tells me that I am using a proxy, and nothing else. But I am looking into the source page for it right now, and this is what I am seeing on it under properties:

body
aLink:""
accessKey:""
attributes:NamedNodeMap
background:""
baseURI:"http://www.bitcoinamerica.com.br/faucet/"
bgColor:""
childElementCount:0
childNodes:NodeList[1]
children:HTMLCollection[0]
classList:DOMTokenList[0]
className:""
clientHeight:775
clientLeft:0
clientTop:0
clientWidth:1042
contentEditable:"inherit"
dataset:DOMStringMap
dir:""
draggable:false
firstChild:text
firstElementChild:null
hidden:false
id:""
innerHTML:"You are using a proxy!"
innerText:"You are using a proxy!"
isConnected:true
isContentEditable:false
lang:""
lastChild:text
lastElementChild:null
link:""
localName:"body"
namespaceURI:"http://www.w3.org/1999/xhtml"
nextElementSibling:null
nextSibling:null
nodeName:"BODY"
nodeType:1
nodeValue:null
offsetHeight:759
offsetLeft:0
offsetParent:null
offsetTop:0
offsetWidth:1026
onabort:null
onbeforecopy:null
onbeforecut:null
onbeforepaste:null
onbeforeunload:null
onblur:null
oncancel:null
oncanplay:null
oncanplaythrough:null
onchange:null
onclick:null
onclose:null
oncontextmenu:null
oncopy:null
oncuechange:null
oncut:null
ondblclick:null
ondrag:null
ondragend:null
ondragenter:null
ondragleave:null
ondragover:null
ondragstart:null
ondrop:null
ondurationchange:null
onemptied:null
onended:null
onerror:null
onfocus:null
onhashchange:null
oninput:null
oninvalid:null
onkeydown:null
onkeypress:null
onkeyup:null
onlanguagechange:null
onload:null
onloadeddata:null
onloadedmetadata:null
onloadstart:null
onmessage:null
onmousedown:null
onmouseenter:null
onmouseleave:null
onmousemove:null
onmouseout:null
onmouseover:null
onmouseup:null
onmousewheel:null
onoffline:null
ononline:null
onpagehide:null
onpageshow:null
onpaste:null
onpause:null
onplay:null
onplaying:null
onpopstate:null
onprogress:null
onratechange:null
onrejectionhandled:null
onreset:null
onresize:null
onscroll:null
onsearch:null
onseeked:null
onseeking:null
onselect:null
onselectstart:null
onshow:null
onstalled:null
onstorage:null
onsubmit:null
onsuspend:null
ontimeupdate:null
ontoggle:null
onunhandledrejection:null
onunload:null
onvolumechange:null
onwaiting:null
onwebkitfullscreenchange:null
onwebkitfullscreenerror:null
onwheel:null
outerHTML:"You are using a proxy!"
outerText:"You are using a proxy!"
ownerDocument:document
parentElement:html
parentNode:html
prefix:null
previousElementSibling:head
previousSibling:head
scrollHeight:775
scrollLeft:0
scrollTop:0
scrollWidth:1042
shadowRoot:null
spellcheck:true
style:CSSStyleDeclaration
tabIndex:-1
tagName:"BODY"
text:""
textContent:"You are using a proxy!"
title:""
translate:true
vLink:""
webkitdropzone:""
__proto__:HTMLBodyElement
hero member
Activity: 504
Merit: 501
August 04, 2016, 04:23:25 AM
@Gifted
Thank you for your amazing script. I hear about security problems in your code; if you want, I can help fix the problems.
What can you do? @babo

Improve your script; for work I'm a real front-end/full-stack developer. I'm working with JavaScript but I also know PHP.
Sure, take a look: https://github.com/destinybogan/Faucet-Builder/archive/master.zip

I think it needs some kind of better admin for banning IPs and seeing who's been claiming, also better security against multi-claiming with proxies, VPNs, etc. Maybe a timer for the button to get a better bounce rate.

Feel free to give it a shot.


@Gifted,
I know I don't contribute much to this topic other than stirring things up.

I was looking at some backend apps that can actually steal the information and download it into CSV files, and they can program their bot to work. I am wondering if you have looked into iMacros for Chrome and Firefox, as I just got them to see if they can in any way affect your script. Not sure how to use them, but by adding them and the Free Proxy List for Chrome it may be possible for them to find backdoors.

Again, I am new to this and am trying to fully understand the script so I can use it.

iMacros for Chrome #1:


Free Proxy List for Chrome:


iMacros for Firefox #1:


iMacros for Firefox #2:


Yes, this is very possible to use; you can read more about it here. It's very useful for gambling but could maybe be used on faucets: http://www.howtogeek.com/113789/how-to-automate-repetitive-web-browser-tasks-with-imacros/
legendary
Activity: 2688
Merit: 2297
August 04, 2016, 04:21:11 AM
I'm testing your scripts here, Gifted: http://www.bitcoinamerica.com.br/faucet
except the adblock one (got some bug here)
Thanks for all!
Says I'm on a proxy and I'm not.

Yep, another user told me the same thing, I'm trying to fix it...
With this code I'm blocking everyone:
Code:
 
IF(ISSET($_SERVER['HTTP_X_FORWARDED_FOR']) || ($_SERVER['HTTP_USER_AGENT']=='') || ($_SERVER['HTTP_VIA']!='')){
        DIE("Proxy servers not allowed.");
}
 
$proxy_headers = ARRAY(  
     'HTTP_VIA',  
     'HTTP_X_FORWARDED_FOR',  
     'HTTP_FORWARDED_FOR',  
     'HTTP_X_FORWARDED',  
     'HTTP_FORWARDED',  
     'HTTP_CLIENT_IP',  
     'HTTP_FORWARDED_FOR_IP',  
     'VIA',  
     'X_FORWARDED_FOR',  
     'FORWARDED_FOR',  
     'X_FORWARDED',  
     'FORWARDED',  
     'CLIENT_IP',  
     'FORWARDED_FOR_IP',  
     'HTTP_PROXY_CONNECTION'  
        );
FOREACH($proxy_headers AS $x){
     IF (ISSET($_SERVER[$x])) DIE("You are using a proxy.");
        EXIT;
}
 
?>

And with the other script, any proxy can enter the faucet... Well, I'll go to sleep and try again tomorrow.
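Two things in the check above explain why it blocks everybody. Inside the `FOREACH`, the `EXIT;` is a separate statement, not part of the one-line `IF`, so the script stops after the first header name whether that header is set or not. And `ISSET($_SERVER['HTTP_X_FORWARDED_FOR'])` is true for every visitor when the site is served through a reverse proxy or CDN, because the site's own edge adds that header to each request. The unprefixed names in the list (`VIA`, `X_FORWARDED_FOR`, `CLIENT_IP`, ...) do nothing: PHP exposes request headers in `$_SERVER` only as `HTTP_<NAME>`. The block below is an added example with the same intent, written so it can be called with any `$_SERVER`-like array; it is not code from the Faucet-Builder script, and the trusted-upstream address and sample requests are made up.

```php
<?php
// Added example, not code from the Faucet-Builder script: announce-style proxy
// detection that does not cut off a site sitting behind its own CDN or reverse
// proxy. Sample requests and the trusted edge address are constructed.
declare(strict_types=1);

// Headers that forwarding proxies commonly add. PHP only exposes request
// headers as HTTP_<NAME>, so bare names like 'VIA' would never be set.
const PROXY_HEADERS = [
    'HTTP_VIA',
    'HTTP_X_FORWARDED_FOR',
    'HTTP_X_FORWARDED',
    'HTTP_FORWARDED_FOR',
    'HTTP_FORWARDED',
    'HTTP_CLIENT_IP',
    'HTTP_PROXY_CONNECTION',
];

// Returns the name of the first proxy indicator found, or null if none.
// $trusted_upstreams lists the addresses of your own reverse proxy / CDN edge:
// when REMOTE_ADDR is one of them, X-Forwarded-For was added by you, not by
// the visitor, and must not count as evidence of a proxy.
function proxy_indicator(array $server, array $trusted_upstreams = []): ?string {
    if (($server['HTTP_USER_AGENT'] ?? '') === '') {
        return 'empty User-Agent';
    }
    $behind_own_edge = in_array($server['REMOTE_ADDR'] ?? '', $trusted_upstreams, true);
    foreach (PROXY_HEADERS as $name) {
        if (!isset($server[$name]) || $server[$name] === '') {
            continue;   // keep looping; the original code exited here unconditionally
        }
        if ($behind_own_edge && $name === 'HTTP_X_FORWARDED_FOR') {
            continue;   // header set by our own edge, not by the visitor
        }
        return $name;
    }
    return null;
}

// Constructed sample requests.
$direct         = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_USER_AGENT' => 'Mozilla/5.0'];
$via_open_proxy = $direct + ['HTTP_VIA' => '1.1 proxy.example.net'];
$via_own_edge   = ['REMOTE_ADDR'          => '192.0.2.10',   // our assumed CDN/edge address
                   'HTTP_USER_AGENT'      => 'Mozilla/5.0',
                   'HTTP_X_FORWARDED_FOR' => '203.0.113.5'];
$no_user_agent  = ['REMOTE_ADDR' => '203.0.113.7'];

$samples = ['direct' => $direct, 'open proxy' => $via_open_proxy,
            'own edge' => $via_own_edge, 'no UA' => $no_user_agent];
foreach ($samples as $label => $req) {
    $hit = proxy_indicator($req, ['192.0.2.10']);
    echo str_pad($label, 12), $hit === null ? 'allowed' : "refused ($hit)", PHP_EOL;
}
```

In index.php this becomes `if (proxy_indicator($_SERVER, $trusted) !== null) { http_response_code(403); exit('Proxy servers not allowed.'); }`. Keep in mind what the heuristic can and cannot do: it only catches proxies that announce themselves through these headers. Anonymous proxies and VPNs send none of them, so this check cannot replace per-address and per-IP claim limits; it just removes the obvious cases.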
full member
Activity: 266
Merit: 100
August 04, 2016, 04:19:36 AM
Check my faucet as well and let me know what you think about it. http://viral-alert.com/xapo
hero member
Activity: 504
Merit: 501
August 04, 2016, 04:18:28 AM
#99
I'm testing your scripts here, Gifted: http://www.bitcoinamerica.com.br/faucet
except the adblock one (got some bug here)
Thanks for all!
Says I'm on a proxy and I'm not.
legendary
Activity: 2688
Merit: 2297
August 04, 2016, 03:49:53 AM
#98
I'm testing your scripts here, Gifted: http://www.bitcoinamerica.com.br/faucet
except the adblock one (got some bug here)
Thanks for all!
member
Activity: 132
Merit: 10
August 04, 2016, 03:46:29 AM
#97
@Gifted
Thank you for your amazing script. I hear about security problems in your code; if you want, I can help fix the problems.
What can you do? @babo

Improve your script; for work I'm a real front-end/full-stack developer. I'm working with JavaScript but I also know PHP.
Sure, take a look: https://github.com/destinybogan/Faucet-Builder/archive/master.zip

I think it needs some kind of better admin for banning IPs and seeing who's been claiming, also better security against multi-claiming with proxies, VPNs, etc. Maybe a timer for the button to get a better bounce rate.

Feel free to give it a shot.


@Gifted,

I know I don't contribute much to this topic other than stirring things up.

I was looking at some backend apps that can actually steal the information and download it into CSV files, and they can program their bot to work. I am wondering if you have looked into iMacros for Chrome and Firefox, as I just got them to see if they can in any way affect your script. Not sure how to use them, but by adding them and the Free Proxy List for Chrome it may be possible for them to find backdoors.

Again, I am new to this and am trying to fully understand the script so I can use it.

iMacros for Chrome #1:


Free Proxy List for Chrome:


iMacros for Firefox #1:


iMacros for Firefox #2:

hero member
Activity: 504
Merit: 501
August 04, 2016, 02:44:44 AM
#96
@Gifted
Thank you for your amazing script. I hear about security problems in your code; if you want, I can help fix the problems.
What can you do? @babo

Improve your script; for work I'm a real front-end/full-stack developer. I'm working with JavaScript but I also know PHP.
Sure, take a look: https://github.com/destinybogan/Faucet-Builder/archive/master.zip

I think it needs some kind of better admin for banning IPs and seeing who's been claiming, also better security against multi-claiming with proxies, VPNs, etc. Maybe a timer for the button to get a better bounce rate.

Feel free to give it a shot.
legendary
Activity: 3696
Merit: 4343
The hacker spirit breaks any spell
August 04, 2016, 02:13:46 AM
#95
@Gifted
Thank you for your amazing script. I hear about security problems in your code; if you want, I can help fix the problems.
What can you do? @babo

Improve your script; for work I'm a real front-end/full-stack developer. I'm working with JavaScript but I also know PHP.
hero member
Activity: 504
Merit: 501
August 04, 2016, 02:01:36 AM
#94
LOL, so this extension in Chrome kills my code: https://chrome.google.com/webstore/detail/enable-right-click/hhojmcideegachlhfgfdhailpfhgknjm/related


So I need a different approach.
hero member
Activity: 504
Merit: 501
August 04, 2016, 01:22:34 AM
#93
Make sure you allow Ctrl+V so they can paste the address (I have modified it here below). List of commands to disable: http://anti-code.com/devtools-cheatsheet/

Here is the modified code:
Code:
/////////make sure java script is on//////




//////////F12 disable code////////////////////////



// -->




