Please Try To Break My Website!

[darth_bubbles]

Already broken it, for example, if you upload a file with %20 in the filename it will parse it, it shouldn't do that

Newb here. What does that mean and why does it happen?

[SSL]

Newb here. What does that mean and why does it happen?

 

It's a URL-escaped string, meaning that special characters are encoded appropriately to appear in a URL. The escape sequence is being parsed when the file is uploaded.

[JeffreyEagan]

It's a URL-escaped string, meaning that special characters are encoded appropriately to appear in a URL. The escape sequence is being parsed when the file is uploaded.

%20 is 'spacebar', isn't it?

[SSL]

%20 is 'spacebar', isn't it?

 

Something like that.

[ekv]

userid	username	password	voornaam	achternaam	datum3	sandervdoorn	gef5jne7/Xgrk	Sander	van Doorn	2014-12-16 12:57:021	alterlai	geUlEgVXsTYIs	Jeroen	van der Laan	2014-12-15 23:03:012	alterlai22	gerM3WvMLwDXc	jeroen	jeroen	2014-12-16 09:59:334	test	gehDQcFQQf48o	test	test	2014-12-18 13:30:488	Kiwi1	gex.wN0hUtkmQ	Kiwi	Kiwi	2015-01-03 13:07:557	Kiwi	gejZjDhkSbYuw			2015-01-03 13:06:209	wesley	ge5hTfyZUCHb.	wesley	wesley	2015-01-06 14:05:2112	linus	geLjPlfKMNfGk	Linus	Tech Tips	2015-01-27 17:51:0311	krimik	ge4CD3ujv2RhE	fdsgd	fdtgd f	2015-01-15 21:37:2114	efaefafaewefa	gebSkT/3U.3R2	ffafafawf	awfawfawfwafwa	2015-01-27 18:02:1715	somethingelse	gef5aBJffUFtY	something	else	2015-01-27 18:28:5117	');	gejPCW90MdzZg			2015-01-28 19:22:3816	asd	ge3MtKR4lXSpw	asd	asd	2015-01-27 19:47:1018	ekv'	gerLoHNyCGCEs	stefan	stefan	2015-01-29 05:36:3721	Penis	gewX71L8b7nG2	PENIS	Vagina	2015-01-30 07:47:0719	ekv	gec0h7MRomSm2	ekv	ekv	2015-01-29 05:37:2420	ekv1	gepMAKyBPbwMA	ekv1	ekv1	2015-01-29 05:37:58

This is "users" table.

[Alterlai]

I see you've made progress

I'm learning a bit of PHP now myself and have my first site up with a login and stuff made for my dad's business.

You remember that post i made a while back?

[mightytech]

You remember that post i made a while back?

Yep

[TheRealNox]

userid	username	password	voornaam	achternaam	datum3	sandervdoorn	gef5jne7/Xgrk	Sander	van Doorn	2014-12-16 12:57:021	alterlai	geUlEgVXsTYIs	Jeroen	van der Laan	2014-12-15 23:03:012	alterlai22	gerM3WvMLwDXc	jeroen	jeroen	2014-12-16 09:59:334	test	gehDQcFQQf48o	test	test	2014-12-18 13:30:488	Kiwi1	gex.wN0hUtkmQ	Kiwi	Kiwi	2015-01-03 13:07:557	Kiwi	gejZjDhkSbYuw			2015-01-03 13:06:209	wesley	ge5hTfyZUCHb.	wesley	wesley	2015-01-06 14:05:2112	linus	geLjPlfKMNfGk	Linus	Tech Tips	2015-01-27 17:51:0311	krimik	ge4CD3ujv2RhE	fdsgd	fdtgd f	2015-01-15 21:37:2114	efaefafaewefa	gebSkT/3U.3R2	ffafafawf	awfawfawfwafwa	2015-01-27 18:02:1715	somethingelse	gef5aBJffUFtY	something	else	2015-01-27 18:28:5117	');	gejPCW90MdzZg			2015-01-28 19:22:3816	asd	ge3MtKR4lXSpw	asd	asd	2015-01-27 19:47:1018	ekv'	gerLoHNyCGCEs	stefan	stefan	2015-01-29 05:36:3721	Penis	gewX71L8b7nG2	PENIS	Vagina	2015-01-30 07:47:0719	ekv	gec0h7MRomSm2	ekv	ekv	2015-01-29 05:37:2420	ekv1	gepMAKyBPbwMA	ekv1	ekv1	2015-01-29 05:37:58

This is "users" table.

 

And no one heard from him again. 

[SSL]

Too bad he couldn't be bothered to share the hack.

[ekv]

Too bad he couldn't be bothered to share the hack.

 

As you see I shared hack before I did it. I was too lazy before, but when I seen that owner of website didn't get this seriously I made a hack.

 

Quote of the post:

 

Site is mess, sry bro, but u have low security on register/login.

Same as on delete, or other functions.

Work on design too.

This is SQLi i made on chaning value par. on button.

 

 

It's just sample MySQL injection on post form of delete (somthing) injection on dbid but as he made dbid & sessionid isset you must use random sessionid in injection, simple as that. :'D

At the end i told owner everything about this i think he fixed that.

[SSL]

As you see I shared hack before I did it. I was too lazy before, but when I seen that owner of website didn't get this seriously I made a hack.

 

Quote of the post:

 

 

 

It's just sample MySQL injection on post form of delete (somthing) injection on dbid but as he made dbid & sessionid isset you must use random sessionid in injection, simple as that. :'D

At the end i told owner everything about this i think he fixed that.

 

Gotcha, I just didn't read the thread closely enough.