HomepageVulnerable Codelost-chall| Author | Post | |||
| unknown user |
a new site at that wechall.net thingie xss at http://www.lost-chall.org/activation.php?user=x<script>alert(5);</script>' (sql injetion too) if you don't want to create an account you can login using username: Inferno' or '1'='1 password: anything full path disclosure /home/www/web453/html/index.php sql injection in the register.php enter username: x' and '1'='1 x' and '2'='1 thank you for registering: Inferno, Kender, ... The website uses unsalted md5hashes of your passwords. Which i'm confident you don't use anywhere else in the world. Not that i would admit it if i knew otherwise. one final vulnerability is that this website is open to a lot of flac from anybody who owns Lost Intellectual property. just some minor vulnerabilities... |
|||
| 15.04.2008 04:31:28 |
|
|||
| unknown user |
heh solving a challenge, after logging in as Inferno' or '1'='1 reset every bodies challenge count. I guess that's going to upset thehivemind |
|||
| 15.04.2008 04:41:08 |
|
|||
Kender         |
Gee, thanks Rhican, for "helping" another community member. But why tell us? We can't fix it. Tell the admin of the site in stead, so he can fix it. Perhaps you might even go so far as to suggest some resources about preventing this kind of issues to him. |
|||
 15.04.2008 06:15:21 |
|
|||
quangntenemy           |
Hmm I alerted Varg a few days ago, but he only managed to fix the ones I found... Btw rhican u should try this site:  http://www.darkmindz.comRomeo would be excited to hear from u. |
|||
Edited by quangntenemy on 15.04.2008 07:45:25 | ||||
 15.04.2008 07:38:06 |
|
|||
| unknown user |
kender I don't report vulns anymore, partly because of your conduct in the past. That ship has sailed. It is not my responsibility to keep the internet safe. I am not mister protect-it, I have no cape. I just have my lulz. quang I don't do requests, requests cost money, i'll be glad to get you my paypall details, though my going rates might surprise you. quang how could you have missed these vulns when reporting? logging in with x' or '1'='1 ... if it were any more cliché. we were in a a 1980's movie. so in short, pay me or shut up. |
|||
| 15.04.2008 12:55:31 |
|
|||
|
quangntenemy |
 It was because I was logged in and too lazy to log out to try that Btw Romeo said u only pwned noobs site and can't touch his site. Maybe u can find the original text in a blog somewhere. |
|||
|
16.04.2008 00:32:27 |
|
|||
| unknown user |
 Quote from quangntenemy: It was because I was logged in and too lazy to log out to try that Btw Romeo said u only pwned noobs site and can't touch his site. Maybe u can find the original text in a blog somewhere. what am I twelve? |
|||
| 16.04.2008 00:33:49 |
|
|||
pvcuong      |
That series is boring as hell. |
|||
|
04.05.2008 02:37:54 |
|
|||
EMail
private message
Website