EvilZone

: vulnerable or not?
: misiusiak August 02, 2012, 09:37:17 PM
Hey guys. I have a world of warcraft server and i just found a new programmer who is also good at security things. It's very important for me to make my site 100% safe from hacking. Actually i have some backups so it doesn't matter but i won't have it for all the time. So, I said to the developer (with security skills) to make the site, the server and especially database safe. He did some work and he said that it is very safe right now and there is no way to get passwords to db etc. Can you check if it really is?
I made some scripts which connect to realmd database which i am worried about most (of course i don't give you password or login yet :) )
I wonder what you can do:)
Please DO NOT destroy the site or the server completely.
Please let me know when you change something. Sometimes it's hard to guess it and my database can get messy.
Show your skills and give me some clues what can I do to make the site safer. (of course if it's not safe already)

If it's a wrong section, please move the topic.
Of course the site: www.tinkertown-gaming.net (http://www.tinkertown-gaming.net)
: Re: vulnerable or not?
: bubzuru August 02, 2012, 09:44:04 PM
SQLi ? http://www.tinkertown-gaming.net/?page=realm&id=%27HELLLLLLO
: Re: vulnerable or not?
: bubzuru August 02, 2012, 09:49:31 PM
yup http://www.tinkertown-gaming.net/?page=realm&id=%27OR%20%271%27=%271

will select all ids from the db , your passwords are not safe

tell the 'developer (with security skills)' you don't need the db password because the script he was supposed to secure lets users execute sql commands on the server (while it's connected to the db) silly billy

also remove the CORE footer, if someone really wanted to get in they could just look at the source (that's not very secure) and find an exploit
: Re: vulnerable or not?
: misiusiak August 02, 2012, 10:04:38 PM
well honestly i am not a hacker and i dont get it exactly.
what does the link u gave do?
: Re: vulnerable or not?
: bubzuru August 02, 2012, 10:10:37 PM
just imagine i have your database password

i can execute sql commands on your db. plus it's open source so i don't even need to figure out where the passwords are stored, i just look at the source

just tell the developer to check id and make sure its sql safe
: Re: vulnerable or not?
: misiusiak August 02, 2012, 10:27:31 PM
well i think you cant cuz there is an info Invalid Realm Id.
: Re: vulnerable or not?
: bubzuru August 02, 2012, 10:34:47 PM
what do you mean
http://www.tinkertown-gaming.net/?page=realm&id=%27%20OR%20bubzuru%20LIKE%20%27%What%20?%

i've not got the time to look at the source and make an injection but i'm sure someone will
: Re: vulnerable or not?
: Phage August 03, 2012, 12:24:18 AM
well i think you cant cuz there is an info Invalid Realm Id.

Well we can SQL inject your site if you don't believe us (Im not saying i would)? Otherwise just tell your "It security guy" that there is a SQLi vuln and he should know how to deal with it.

Though i must say, that it is kind of weird that i can't find the IP of the website.
: Re: vulnerable or not?
: bubzuru August 03, 2012, 12:39:58 AM
Well we can SQL inject your site if you don't believe us (Im not saying i would)? Otherwise just tell your "It security guy" that there is a SQLi vuln and he should know how to deal with it.

Though i must say, that it is kind of weird that i can't find the IP of the website.

that's because the website is on CloudFlare
: Re: vulnerable or not?
: misiusiak August 03, 2012, 09:01:10 AM
Thanks guys for the clues. I will definitely tell him :)
SQL injection is so easy on my website? jesus
: Re: vulnerable or not?
: Phage August 03, 2012, 10:33:17 AM
that's because the website is on CloudFlare

Yes, but shouldn't i just get another IP address instead? I'm not getting any IP address.
: Re: vulnerable or not?
: misiusiak August 03, 2012, 12:33:33 PM
hmm he said that he knows what sql injection is and that it is not possible to do that cuz you can't see online players list code because it's php. Also there is something like realm=1 and i sent him links you gave. He said that you can't get any information cuz you will be getting "invalid realm id" error all the time. Also you can't get database information cuz there is no information_schema (whatever it is)
: Re: vulnerable or not?
: bubzuru August 03, 2012, 02:08:25 PM
hmm he said that he knows what sql injection is and that it is not possible to do that cuz you can't see online players list code because it's php. Also there is something like realm=1 and i sent him links you gave. He said that you can't get any information cuz you will be getting "invalid realm id" error all the time. Also you can't get database information cuz there is no information_schema (whatever it is)

well your sql server is vuln to time based injection, so i'm sure we can.
do we really need to prove it to your it guy by taking over the server ?
if there is a vuln there someone will exploit it, sooner or later, security by obscurity is not a good idea
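
The fix asked for earlier in the thread ("check id and make sure its sql safe"), as an added example that is not code from the thread or from the site's script: the same lookup built by string concatenation and then with an allow-list check plus a bound parameter. The site runs PHP and MySQL; Python's sqlite3 stands in here, and the table, column and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE realmlist (id INTEGER, name TEXT);
        INSERT INTO realmlist VALUES (1, 'Realm One'), (2, 'Realm Two'), (3, 'Test Realm');
    """)
    return db

def respond(rows):
    # Both versions show the same page-level message when nothing matches.
    return ("ok", rows) if rows else ("Invalid Realm Id", [])

def lookup_vulnerable(db, raw_id):
    # Before: the request value is pasted into the SQL text, so a quote in
    # raw_id closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT id, name FROM realmlist WHERE id = '" + raw_id + "'"
    try:
        return respond(db.execute(sql).fetchall())
    except sqlite3.Error:
        # A syntax error is hidden behind the same message; the query text
        # was still controlled by the request.
        return respond([])

def parse_realm_id(raw_id):
    # Allow-list check: ASCII digits only, bounded length, else reject.
    if raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9:
        return int(raw_id)
    return None

def lookup_hardened(db, raw_id):
    # After: validate first, then bind the value as a parameter so it can
    # never change the structure of the statement.
    realm_id = parse_realm_id(raw_id)
    if realm_id is None:
        return respond([])
    sql = "SELECT id, name FROM realmlist WHERE id = ?"
    return respond(db.execute(sql, (realm_id,)).fetchall())

if __name__ == "__main__":
    db = make_db()
    # URL-decoded id values from the links posted in this thread, plus "1".
    for raw in ["1", "'HELLLLLLO", "'OR '1'='1"]:
        print(repr(raw), lookup_vulnerable(db, raw), lookup_hardened(db, raw))
```

The concatenated version answers "Invalid Realm Id" to the first probe and still returns every row for the second, so the error message says nothing about whether the parameter is safe.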
: Re: vulnerable or not?
: misiusiak August 03, 2012, 02:13:51 PM
if he won't do it cuz he is sure it is safe already, proof would be a good idea. Of course if it's not so time consuming for you. I will do site backup anyway.
: Re: vulnerable or not?
: bubzuru August 03, 2012, 02:49:53 PM
will someone please just download the source and prove to him that it's vuln
http://www.ac-web.org/forums/showthread.php?t=119288

i would do it if i had time and i suck at SQLi
: Re: vulnerable or not?
: Phage August 03, 2012, 06:11:55 PM
Does he really require us to hack his website just to prove to him that we are right?
: Re: vulnerable or not?
: misiusiak August 03, 2012, 06:25:51 PM
i don't know, i will talk to him later but he seems to be sure he is right. Or don't hack it and give some secret information from the site. I will give him the link to this forum and he will know then.
I don't know
: Re: vulnerable or not?
: misiusiak August 03, 2012, 08:12:31 PM
As i said :/ he doesn't want to do anything because he says that he has some filtering or something which prevents sql injection. Either he is right or it's time to find a new guy
: Re: vulnerable or not?
: p_2001 August 04, 2012, 04:46:11 AM
Filters would have stopped sqli in the first place, wouldn't they?
: Re: vulnerable or not?
: techb August 04, 2012, 05:05:20 AM
I'm not much of a web guy but it looks like we have already proved the guy wrong. He obviously has no idea what the fuck he's doing. I think you should get another, more qualified person IMHO.
: Re: vulnerable or not?
: bubzuru August 05, 2012, 12:30:34 AM
yes hire me  ;D
: Re: vulnerable or not?
: misiusiak August 05, 2012, 10:16:39 AM
what happened to the site? Is that you?
: Re: vulnerable or not?
: Zesh August 05, 2012, 10:19:35 AM
what happened to the site? Is that you?

Lol, you can expect that if you ask members of a hacking forum and then you don't listen to them when they tell you that the site is vulnerable :P It wasn't me by the way.
: Re: vulnerable or not?
: Bl4CK August 06, 2012, 05:53:40 AM
what happened to the site? Is that you?


Sad day
: Re: vulnerable or not?
: misiusiak August 06, 2012, 08:58:22 AM
yes it's strange but i thank you for the hack. I have backups so it's not a problem. The guy finally believed and he is trying to make some security changes ;) I will let you know ;)
: Re: vulnerable or not?
: Phage August 06, 2012, 11:34:58 AM
It's unbelievable that the site needed to be taken down, just to prove to him that we were right.
: Re: vulnerable or not?
: Stackprotector August 06, 2012, 01:32:45 PM
Guys, please next time wait for proof that the guy really is the owner of the site before helping him to hack it ;)
: Re: vulnerable or not?
: bubzuru August 13, 2012, 02:43:52 AM
so he was wrong, time to find a new guy. u wana hire me ? 4real
: Re: vulnerable or not?
: Lionofgod August 13, 2012, 07:34:18 AM
Guys, please next time wait for proof that the guy really is the owner of the site before helping him to hack it ;)
RoflOLOlol
That would be the best troll ever!!!
: Re: vulnerable or not?
: bubzuru August 13, 2012, 04:27:08 PM
i'm interested in the injection
will whoever made it inbox me ?
: Re: vulnerable or not?
: Mrgood August 18, 2012, 05:20:52 PM
i just joined the forum to learn some SQLi. I have read the tutorial made by ande but I still can't get any result. I have seen also this topic and when u said the site is vulnerable i tried to hack it too. No results at all. I tried to add many things to the link after =1 etc and nothing happened. My question is, how did u do that? Any clues that can help me with SQLi? I understand how SQL and queries work and that's not the problem. Maybe i am doing something wrong.

I didn't want to make another topic so i wrote here.
: Re: vulnerable or not?
: Phage August 19, 2012, 04:33:00 PM
i just joined the forum to learn some SQLi. I have read the tutorial made by ande but I still can't get any result. I have seen also this topic and when u said the site is vulnerable i tried to hack it too. No results at all. I tried to add many things to the link after =1 etc and nothing happened. My question is, how did u do that? Any clues that can help me with SQLi? I understand how SQL and queries work and that's not the problem. Maybe i am doing something wrong.

I didn't want to make another topic so i wrote here.


Simple answer learn SQL and then you will understand it.
: Re: vulnerable or not?
: Mrgood August 22, 2012, 11:28:24 AM
yes but what does time based sqli mean? Exactly, I know what it means but how to use it? have you got any tutorials or clues for it?
: Re: vulnerable or not?
: Daemon August 22, 2012, 03:04:31 PM
yes but what does time based sqli mean? Exactly, I know what it means but how to use it? have you got any tutorials or clues for it?

Let me introduce you to your new best friend:

GOOGLE (https://www.google.com/)


This friend is like god, it knows EVERYTHING!!!! Including what SQLi is  ;)
: Re: vulnerable or not?
: Mrgood August 22, 2012, 04:14:01 PM
that was the simplest answer ;) i have already been looking for it. I am just asking if u know any good tutorial about time based sqli
: Re: vulnerable or not?
: bubzuru August 23, 2012, 07:44:21 PM
that was the simplest answer ;) i have already been looking for it. I am just asking if u know any good tutorial about time based sqli

i agree google is your best friend but i like hacker con vids
there are a few nice SQLi defcon videos. use your best friend to find them.

DEFCON 16: Time-Based Blind SQL Injection using heavy queries http://www.youtube.com/watch?v=N8baNkyhRBM
: Re: vulnerable or not?
: Mrgood August 24, 2012, 02:08:39 PM
I've already got the whole database structure but i have used The Mole. I know almost everything but passwords are in sha1 and i can't crack them.
Can you please give me the clue how to add/delete a record? (i know google is my best friend) I asked him, i have read almost every link connected on several result pages.

It should take max 1 min to help me i guess:) (less than writing about 'google is the best')
what should i add to ...page=news&id=2 to add or delete the record.

I know that:
Code:
[+] Found separator: " ' "
[+] Found DBMS: Mysql
[+] Found comment delimiter: "#"
Also i know that "id" is in the "maindb2" database and "news_update" table. Lets say i would like to add or delete an user in "user" table in the same database.

The mole gave me many info but i cant change anything using this tool.
Is there any way to get database root password using sqli?
: Re: vulnerable or not?
: relax August 24, 2012, 03:28:05 PM
have you read this?
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
: Re: vulnerable or not?
: Mrgood August 24, 2012, 07:51:12 PM
...id=2; UPDATE news_update SET content = 'hacked' WHERE id='1'"#
why it doesnt work? i have mysql syntax error but everything should be ok with " ' " as separator and # as delimiter
: Re: vulnerable or not?
: Mrgood August 24, 2012, 10:49:56 PM
I have also tried to do the same without " ' " signs and page loaded with error but nothing happened at all
: Re: vulnerable or not?
: Mrgood August 25, 2012, 09:18:12 PM
i really don't like to write like this and i feel very embarrassed but i want to ask you again. Please help with that sqli insert command
: Re: vulnerable or not?
: bubzuru August 26, 2012, 01:52:01 PM
give more info then, the injection query can change a lot from script to script, even if they do basically the same thing, what script are you trying to inject ?? maybe make a new thread.
: Re: vulnerable or not?
: techb August 26, 2012, 02:03:46 PM
give more info then, the injection query can change a lot from script to script, even if they do basically the same thing, what script are you trying to inject ?? maybe make a new thread.

Yes, make a new thread, this is getting really off topic.