Topic: "slyfx.com sql injection." (page 1 of 2)

unknown user
yeah it's pretty hard to come up with targets that are noteworthy, but the first real link from
http://bright-shadows.net/link.php

first is meta, second is down, 3rd is hackquest ... been there, 4th slyfx ..

so here we go.

How does the site work? With some CGI scripts that take GET parameters. Presumably they run them through something like
| tr -d -c '0123456789'
so those GET parameters are rock solid.

Luckily for us, there are also POST variables :D

the message board (for level 1)
http://www.slyfx.com/cgi-bin/wb.cgi?board=1
the configurations for the forum
http://www.slyfx.com/cgi-bin/wb.cgi?action=options&board=1

wiii post values.

we mess around a bit, and we notice:
these are the post values
radiobutton=0&radiobutton2=0&select=1&action=options&board=1&Submit=Apply


and what do you know, if you enter some garbage as "select":
Database Error
There has been an error in executing a database command. This error has been logged.

[ EXECUTE :: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '6666'' at line 1 ]


It's quite easy to guess that this is the SQL that is throwing the error:

UPDATE some_table set something=$_POST[radiobutton], somethingelse=$_POST[radiobutton2], numberofthreads= $_POST[select] where uid=6666


so it's trivial to send this as $_POST[select]

4' where uid = '6666' and 1 = 1/*
4' where uid = '6666' and 1 = 2/*

(make sure to URL-encode the = signs when you use Live HTTP Headers)

Depending on whether or not the change occurs (you can check that by looking at the settings page again), you have a blind SQL injection.

Tada ...

Note: you have to change the digit at the start in order to do multiple queries, because you can only see whether a change occurs if that number is actually different from the current setting ...

there is a users table, don't have too much fun ...
Quote:

Lost or forgotten your password? Use this form to get it emailed back to you.
I wonder if they store it plain text ... do let me know.
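As an added illustration that is not code from the thread or from slyfx: a reconstruction of the inferred UPDATE, first built by string interpolation as the post infers the script did, then with the digits-only check (the same idea as the tr filter above) plus a bound parameter. The table, column names and uid are constructed guesses; SQLite stands in for MySQL and likewise treats an unterminated /* as a comment running to the end of the statement.

```python
# Hypothetical reconstruction of the wb.cgi options update described in the post.
# Table, column and uid values are constructed guesses, not the slyfx code.
import sqlite3

PAYLOAD_TRUE = "4' where uid = '6666' and 1 = 1/*"   # payload quoted in the post
PAYLOAD_FALSE = "4' where uid = '6666' and 1 = 2/*"  # payload quoted in the post


def fresh_db():
    """In-memory stand-in for the forum settings table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (uid TEXT PRIMARY KEY, numberofthreads TEXT)")
    conn.execute("INSERT INTO settings VALUES ('6666', '1')")
    return conn


def current_threads(conn, uid="6666"):
    """Read the stored setting back, the way the poster re-checks the settings page."""
    row = conn.execute("SELECT numberofthreads FROM settings WHERE uid=?", (uid,)).fetchone()
    return row[0]


def vulnerable_update(conn, uid, select):
    """Interpolates the POST value into the statement, as the thread infers the script did.
    The payload closes the quoted value, supplies its own WHERE clause and comments out
    the rest, so whether the row changes depends only on the injected condition: that is
    the boolean oracle the post calls a blind SQL injection."""
    sql = f"UPDATE settings SET numberofthreads='{select}' WHERE uid='{uid}'"
    conn.execute(sql)
    return current_threads(conn, uid)


def safe_update(conn, uid, select):
    """Same operation with two independent fixes: an allow-list (the setting is a count,
    so only digits are acceptable, mirroring tr -d -c '0123456789') and a bound
    parameter, so a quote in the value can never become part of the SQL."""
    if not select.isdigit():
        raise ValueError("numberofthreads must be a non-negative integer")
    conn.execute("UPDATE settings SET numberofthreads=? WHERE uid=?", (select, uid))
    return current_threads(conn, uid)
```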
unknown user
hmz, they store it as plain text, that's pretty weak.
unknown user
Heh, I can log in as Erik over there :D

I changed his password, just so you can't get it anymore.. but I'm sure it's worthless if he doesn't reuse it.
If you can't use the pw reset functionality, Erik, feel free to pm me, or extract your own new pw through the security hole.

PS: Erik's password (although a bit short) was pretty strong, would have taken a while to brute force...
Too bad it wasn't encrypted.
unknown user
Oh rats, even Caesum's password doesn't work on electrica :)

pretty weak password though

by now you guys do listen when I say "don't reuse passwords" :) I'm touched :P

PS: Caesum is level 10 over at slyfx though .. wii I have access to all slyfx levels...
unknown user
Quote:

A) There are four main ways, from getting a rank of 3 or higher in the old site, submitting challenge ideas that are likely to be used, finding bugs or security flaws in the site and informing me about them and last of all sponsoring the site (or paying for some hosting in some form).


Not that I really want tokens, .. but it doesn't state informing *only* me :D

hah, 't was fun.
quangntenemy
OMG it's rhican again!
He pwnzored another password of mine.
Gotta finish my code for finger-print authentication soon.
unknown user
as a minor update, they have pulled the vulnerable script offline. Didn't get any tokens though.. :P
Erik
Hi,
Quote from rhican:
Heh, I can log in as Erik over there :D

I changed his password, just so you can't get it anymore.. but I'm sure it's worthless if he doesn't reuse it.
If you can't use the pw reset functionality, Erik, feel free to pm me, or extract your own new pw through the security hole.

PS: Erik's password (although a bit short) was pretty strong, would have taken a while to brute force...
Too bad it wasn't encrypted.
Congrats, well done! :thumbsup:
It must have been long ago I used to visit this site. I didn't take care of the account.
So now it at least had some use at all ^^

Cu, Erik :)
unknown user
Haha good work rhican!

You can see the vuln script @ http://slyfx.com/bad_wb.txt
You'll have to excuse the messy code, I was learning perl at the time.

Considering it was my first ever website (written back in 2001), and has had no updates since then, I think it lasted pretty well! Let me know if you find any other flaws in the above code - always interested. I've disabled all the scripts now, the sign up hasn't worked for years so not much point in keeping them live. In fact the last time I logged into the site was 2005...

I can't be bothered to make a slyfx version2, so if anyone has any suggestions on what I could use the domain for, let me know.

slyfx.
theAnswer
Ugh, slyfx was one of my first challenge sites, even before TheBlackSheep.
I was stuck around level 6/3 or something like that, if I remember correctly :D

... bye bye :(