You can change the: eCcgVU5JT04gU0VMRUNUIDEvKjox when exploiting?
(User-level authentication bypass exploit),
That pesky private message exploit and forum too was still getting into my site and sending me private messages with MY account, and also the power to change my profile and make and/or delete posts etc.
In modules.php
before:
Code:
global $nukeuser, $db, $prefix;
Add:
Code:
// Quote the module name and stop the script once the redirect header is sent.
if (stristr($_SERVER["QUERY_STRING"], '&user=') AND $name == 'Private_Messages') { header("Location: hackattempt.php"); exit; }
Thanks to chatserv for that.
However, with that addition to modules.php, they were blocked from exploiting it via private messages but they could still get in via the forum module. So I changed to this:
Code:
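// Same check for both modules; module names quoted, script stopped after the redirect.
if (stristr($_SERVER["QUERY_STRING"], '&user=') AND $name == 'Private_Messages') { header("Location: hackattempt.php"); exit; }
if (stristr($_SERVER["QUERY_STRING"], '&user=') AND $name == 'Forums') { header("Location: hackattempt.php"); exit; }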
Now they can kiss the hack alert script instead.
Last edited by GanjaUK on Wed May 12, 2004 2:41 am; edited 1 time in total
Ah, but the eCcgVU5JT04gU0VMRUNUIDEvKjox is the Base64 encoding of the Union statement, so if they change the value, it will no longer do what it's meant to. This is used as a way to get past checking just for the %20UNION%20.
So far, I'm fine on the Forums exploit, as I'm not using the forums module, but thanks for the private message, I'll drop that into my sites right now.
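One way to close the gap described in this thread, where a filter that only scans the raw query string never sees the encoded UNION: decode the `user` value first, then inspect it. This is an added example, not code from the original posts or from any hack alert release; the function name `check_user_param` and the field layout (Base64 of colon-separated fields with a numeric id first) are assumptions.

```php
<?php
// Added example, not part of the original thread.
// Assumption: `user` carries Base64 of colon-separated fields, numeric id first.

/** Returns null if the value is acceptable, otherwise the reason to reject it. */
function check_user_param(string $raw): ?string
{
    // Strict mode fails on characters outside the Base64 alphabet.
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return 'not valid Base64';
    }

    // Allow-list first: the leading field must consist of digits only.
    $fields = explode(':', $decoded);
    if (!ctype_digit($fields[0])) {
        return 'first field is not a numeric id';
    }

    // Deny-list second, applied to the DECODED text: the UNION keyword and
    // the /* comment opener that the thread mentions.
    if (preg_match('~\bunion\b|/\*~i', $decoded)) {
        return 'UNION or /* in decoded value';
    }
    return null;
}

$samples = [
    'string from thread' => 'eCcgVU5JT04gU0VMRUNUIDEvKjox',
    // Constructed sample: id, name, and a placeholder 32-hex-digit hash.
    'constructed benign' => base64_encode('2:alice:0123456789abcdef0123456789abcdef'),
];

foreach ($samples as $label => $value) {
    // What a filter that only looks at the raw query string can see.
    $raw = stripos($value, 'union') !== false ? 'flagged' : 'not flagged';
    $verdict = check_user_param($value) ?? 'accepted';
    printf("%-20s raw check: %-12s decoded check: %s\n", $label, $raw, $verdict);
}
```

A check like this is a second layer only; the query that consumes the decoded value still has to escape or parameterise it.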
Joined: Aug 27, 2002 Posts: 16987 Location: Kansas
Posted: Sat May 15, 2004 11:23 am
My latest release traps the /*. I cannot and never have been able to get the base64 exploit to work on my site. So, just for clarification, the base64 exploit still gets past my latest release of hack alert? If so, please try it on my site. Be sure to tell me your IP elsewise you will be banned from the Land of Oz and I contact every ISP, regardless. PM me your IP if you try the exploit. Thanks.
Raven,
If you want ... I get a variety of new attempts every day .. I can post you the ones that the hackalert doesn't catch. Usually hackalert catches them before the Protector does ... but there's been a couple that weren't caught. I pm'd the most recent one to Six a little while ago.
I can try the private message and forum exploit if you like, Raven. This exploit got through on my site multiple times, until I added the lines to modules.php I mentioned above.
Posted: Sat May 15, 2004 8:40 pm
Just to be clear, the only hacks that my script is aimed at are the UNION types. I have posted another script for the admin.php hack. If you have a union attack that gets through, please PM me the exploit. Thanks!