Messages - ande

1
C - C++ / Re: Help for making c program invisble
« on: January 18, 2016, 12:10:31 pm »
You need to change it from a console application to a windows (win32?) application. This also changes a lot of things: there is no int main(), but an int WINAPI WinMain(), and variable types and a lot of other stuff are no longer as they used to be.

A few links to get you started:
http://stackoverflow.com/questions/6342935/start-a-program-without-a-console-window-in-background
http://winprog.org/tutorial/start.html

2
News and Announcements / Re: Merry christmas 2015!
« on: December 22, 2015, 10:30:52 pm »
Uhm, hello not everyone celebrates Christmas you cissy......

In Norway, where I am from, at least for me, Christmas has nothing to do with religion anymore. It's become a cozy and happy celebration once a year, a good and healthy tradition. You can celebrate it regardless. And also:


3
News and Announcements / Merry christmas 2015!
« on: December 22, 2015, 09:36:44 pm »
On behalf of the Evilzone staff I want to wish you all a merry Christmas!


4
News and Announcements / Re: Official EvilZone Gitlab
« on: December 01, 2015, 09:56:58 am »
A little side note: The alpha source is on there. Any VIP member or higher has already heard this (if they have read the post in VIP): If you want access to the Alpha source, contact me directly. You won't get access unless I know who you are, but you don't need to be VIP to get access.

6
General discussion / Re: Penis bird.
« on: November 25, 2015, 09:22:06 pm »
That necro lol :P

Penis bird is no longer operational afaik. Hasn't been for a while. We should implement it again tho.

7
High Quality Tutorials / Re: Local File Inclusion (LFI)
« on: October 12, 2015, 03:56:33 am »
Is local file inclusion similar to local attack

'local attack' is an ambiguous buzzword with no meaning.

8
High Quality Tutorials / Re: SQL Injection
« on: October 05, 2015, 04:37:46 pm »
First, thanks for the detailed tutorial. I have a question about
http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,3
You mean the query union select and the sql server return all 3 columns. May I ask why it outputs "2", "3" on the webpage rather than anything else, for example column names. In some other tut, this query is said to find vulnerable column, and u make difference. Sorry for my bad english

There is no such thing as a 'vulnerable' column.

It outputs 1, 2 and/or 3 because those are the values you selected (SELECT 1,2,3). When you select a number instead of the column name, it takes the values as is, and prints them directly. You could also do SELECT 'a', 'b', 'c' and it would print 'a', 'b' and/or 'c'. You do this to see the changes in output, so that you know where to look and what is being printed in the next step: Actually retrieving data.
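
What this reply describes, as an added example that is not part of the original post: literal values in a UNION come back in the same column positions as the real row, and binding the parameter stops the input from being parsed as SQL at all. It assumes PHP with the pdo_sqlite extension; the news table, its row, the request value and both function names are constructed for illustration.

```php
<?php
// Added example: the table, row and function names are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)");
$pdo->exec("INSERT INTO news VALUES (17, 'Release notes', 'Version 2 is out')");

// Constructed request value shaped like the URL quoted in the post
// (each '+' in the URL decodes to a space).
$id = '17 UNION ALL SELECT 1,2,3';

// Vulnerable form: the parameter is concatenated into the SQL text, so the
// database parses the UNION as part of the statement and returns an extra
// row whose columns hold the selected literals.
function lookupConcatenated(PDO $pdo, string $id): array {
    $sql = "SELECT id, title, body FROM news WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened form: the value is validated as an integer and bound as data,
// so it is compared against the id column and never parsed as SQL.
function lookupBound(PDO $pdo, string $id): array {
    if (!ctype_digit($id)) {
        return [];               // not a plain non-negative integer
    }
    $stmt = $pdo->prepare("SELECT id, title, body FROM news WHERE id = ?");
    $stmt->execute([(int)$id]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Each printed row is "column1 | column2 | column3"; a page template that
// echoes only columns 2 and 3 would show only those positions.
echo "concatenated:\n";
foreach (lookupConcatenated($pdo, $id) as $row) {
    echo '  ', implode(' | ', $row), "\n";
}
echo "bound: ", count(lookupBound($pdo, $id)), " row(s) for the same input, ",
     count(lookupBound($pdo, '17')), " row(s) for '17'\n";
```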

9
Hacking and Security / Re: Human Exploitation: the morals
« on: September 16, 2015, 08:10:05 pm »
Fix this shit thread or it goes in trash

10
General discussion / Re: insecure connection?
« on: June 23, 2015, 09:50:26 pm »
As far as I know it's a bug in the forum system we are using. We are currently working on a new forum software which will fix this problem.

11
Is that code supposed to work? $_POST[username_or_email] and $_POST[password] are not valid syntax. I think you will have to do $_POST['username_or_email'] and $_POST['password'] in this case.

PS: I think you should post a bit more information about the environment you are working on. Twitter source page? session? What does your POST form look like? Where does it come from and how is it sent? And so on.

12
General discussion / Re: New alpha dev release
« on: April 27, 2015, 10:34:48 pm »
Okay okay okay okay. Calm down ladies.

@HTTP, why do you like this one better? Security concerns or design/features?

@DeepCopy, I appreciate the trust you have in me, but even I can make mistakes. And there are some valid points here. Closed source and security has rarely ended well. But 'alpha' is not closed source, there have been many eyes on it and there will continue to be. We might even make it open source ish at some point. But I don't think it is a good idea to make it public open source just yet. It is still very much unfinished and unpolished.

PDO does take care of most database related vulnerabilities, but not all. There are queries that need to be done in a different way than PDO wants, but the thing is I am very much aware of these, and they are few.

As far as XSS goes I am fairly sure we are up to date.

DDoS has nothing to do with software. Unless you are speaking of a software DoS flaw, which there have been a few of in alpha but most of them have been corrected, and future ones will be fixed swiftly if discovered.

You are all more than welcome to go bug hunting as long as you report what you find :) I would very much appreciate it in fact.

There has been some time since the alpha GIT was updated because of lack of interest, from me and others. Do tell if you are interested and we'll see what we can do about that.


EDIT: Ps: I just realized this reply might be slightly offensive. That was not my intention. <3

13
General discussion / New alpha dev release
« on: April 27, 2015, 07:34:39 pm »
Hello!

Just wanted to let people know I just released a new dev version of alpha at http://alpha.evilzone.org

Been a long time since last time I updated it, so I can't remember all the new changes. Here is what I remember:

- Minimized to complete asap (Removed a bunch of unnecessary and features)
- Profile should work now (Data, PM, some account settings)
- New logo idea (If anyone is up for making something better, please do! We have tried a lot of logo variations, but I haven't found one that I am satisfied with)
- DB cleaned, so you will need to reregister

14
Web Oriented Coding / Re: $_POST trouble
« on: April 27, 2015, 07:12:25 pm »
Yes, htmlspecialchars, my bad.

15
Web Oriented Coding / Re: $_POST trouble
« on: April 27, 2015, 06:56:21 pm »
There are so many vulnerabilities here it's not even funny.

1. You should use PDO.
2. You need to sanitize and check your inputs much better. Look into is_int, htmlspecialchars with ENT_QUOTES set,
3. String != Number
4. Setting something to null does not mean it's not set
5. Your HTML is all messed up
6. Use sessions instead of cookies
6. I ran out of patience and fixed it for you:

(Haven't actually tested it, but I am fairly sure it will work.)


Code: (php)
<?php

// Includes
require_once('mysqlLogin.php');

// MySQL connection
$connection = new mysqli($db_hostname, $db_username, $db_password, $db_database);
if ($connection->connect_error)
    die($connection->connect_error);

// Get account data
// The escaped value is only safe inside quotes, so every query below quotes it
$accountNum = mysqli_real_escape_string($connection, $_COOKIE['cookie_account']); // sanitizeNumber?
$query = "SELECT * FROM bank WHERE accountNum='$accountNum'";
$result = $connection->query($query);
if (!$result)
    die($connection->error);
$display = $result->fetch_array(MYSQLI_ASSOC);

// Deposit
if (isset($_POST['deposit'])) {

    $deposit = sanitizeNumber($_POST['deposit']);
    if ($deposit === NULL || $deposit <= 0) {
        die("Invalid deposit value. Must be a number and bigger than zero.");
    }

    $newMoney = $display['money'] + $deposit;
    $query = "BEGIN";
    $connection->query($query);
    $query = "UPDATE bank SET money=$newMoney WHERE accountNum='$accountNum'";
    $connection->query($query);
    $query = "COMMIT";
    $connection->query($query);

}

// Withdraw
if (isset($_POST['withdraw'])) {

    $withdraw = sanitizeNumber($_POST['withdraw']);
    if ($withdraw === NULL || $withdraw <= 0) {
        die("Invalid withdraw value. Must be a number and bigger than zero.");
    }

    $newMoney = $display['money'] - $withdraw;
    $query = "BEGIN";
    $connection->query($query);
    $query = "UPDATE bank SET money=$newMoney WHERE accountNum='$accountNum'";
    $connection->query($query);
    $query = "COMMIT";
    $connection->query($query);

}


// Refresh data in case of actions above
$query = "SELECT * FROM bank WHERE accountNum='$accountNum'";
$result = $connection->query($query);
if (!$result)
    die($connection->error);

$display = $result->fetch_array(MYSQLI_ASSOC);
// Display the name and everything
echo "Account Number: " . htmlspecialchars($display['accountNum'], ENT_QUOTES) . "<br>";
echo "Name: " . htmlspecialchars($display['firstName'], ENT_QUOTES) . "<br>";
echo "LastName: " . htmlspecialchars($display['lastName'], ENT_QUOTES) . "<br>";
echo "Money: " . htmlspecialchars($display['money'], ENT_QUOTES) . "<br>";

$result->close();
$connection->close();

// Function to make sure an input is a number (int).
// Returns the value as an int, or NULL if it is not a whole number,
// so callers can use the result directly in arithmetic.
function sanitizeNumber($i) {
    if (is_numeric($i) && (int)$i == $i)
        return (int)$i;
    return NULL;
}

?>
<!DOCTYPE html>
<html lang="en">
<body>
<form method="post" action="accountManagment.php">
<p>Deposit: <input type="number" name="deposit" /></p>
<p><input type="submit" name="submit" value="submit" /></p>
</form>

<br><br>

<form method="post" action="accountManagment.php">
<p>Withdraw: <input type="number" name="withdraw" /></p>
<p><input type="submit" name="submit" value="submit" /></p>
</form>
</body>
</html>

https://gist.github.com/anonymous/222a342f3df49b0b2bf5
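
An added example, not part of the original post or the linked gist: points 1 and 2 of the list above applied to the same deposit/withdraw logic, using PDO prepared statements, strict integer validation, and a single UPDATE so the new balance is not computed from an earlier SELECT. It assumes PHP with the pdo_sqlite extension; the in-memory database, the account row, the sample inputs and the names parseAmount and adjustBalance are constructed for illustration, while the bank column names follow the post.

```php
<?php
// Added example: constructed in-memory data, column names follow the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE bank (accountNum INTEGER PRIMARY KEY, firstName TEXT,
            lastName TEXT, money INTEGER NOT NULL)");
$pdo->exec("INSERT INTO bank VALUES (1001, 'Test', 'User', 50)");

// Returns a positive int, or null for anything else ("12abc", "-5", "1.5").
function parseAmount($raw): ?int {
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Applies a deposit (positive $delta) or a withdrawal (negative $delta) in
// one statement. Returns false if the account does not exist or the balance
// would drop below zero; in both cases no row is changed.
function adjustBalance(PDO $pdo, int $accountNum, int $delta): bool {
    $stmt = $pdo->prepare(
        "UPDATE bank SET money = money + :delta
         WHERE accountNum = :acct AND money + :check >= 0");
    $stmt->execute([':delta' => $delta, ':acct' => $accountNum, ':check' => $delta]);
    return $stmt->rowCount() === 1;
}

// Assumption: in a real page this comes from $_SESSION after login (point 6
// of the list), not from a cookie the client controls.
$accountNum = 1001;

// Constructed form inputs, as they would arrive in $_POST['deposit'].
foreach (['25', '-5', '12abc', '1.5'] as $raw) {
    $amount = parseAmount($raw);
    $ok = $amount !== null && adjustBalance($pdo, $accountNum, $amount);
    echo "deposit ", var_export($raw, true), ': ', $ok ? 'applied' : 'rejected', "\n";
}

// A withdrawal larger than the balance matches no row and changes nothing.
$ok = adjustBalance($pdo, $accountNum, -parseAmount('500'));
echo "withdraw '500': ", $ok ? 'applied' : 'rejected', "\n";

$stmt = $pdo->prepare("SELECT firstName, money FROM bank WHERE accountNum = ?");
$stmt->execute([$accountNum]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo htmlspecialchars($row['firstName'], ENT_QUOTES), ': ', (int)$row['money'], "\n";
```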
