hax0r

Audigy

hey

this is kind of for a pet personal project of mine, but basically I'd like to prove to someone that allowing characters like < and > in their search strings is a bad idea.

the site runs some unknown version of IIS and the pages are coded mostly in vb 7.0/.net something.

after submitting a search string, it's returned and displayed... and I've gotten html and vbscript to parse.

Are there any fun things I could submit in the search string to affect the remote server? :) it's running IIS with no custom error pages yet, so yay, server info:

Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET Version:1.1.4322.2032

thanks for any help :)


-- http://www.oddigy.com beadsprites and PSFs, oh my!
 
You could have some javascript spit out the cookies or post them to another url to steal them. I'm not versed in the shitty lingo they call vbscript.
 
nevermind... I got in. ;)

I'll send the guy a list of all of his users along with their passwords, and then maybe he'll contemplate changing the way the site is coded.

passing userids in the URL... that are not encrypted at all is stupid stupid stupid.
 
> passing userids in the URL... that are not encrypted at all
> is stupid stupid stupid.
>

Lol, on one forum I know of, during a day of server problems a MySQL error thrown by the server caused an error report to show up instead of the page I requested, with helpful diagnostic information like the administrator's own password.

Hmm, that reminds me, I meant to tell him about that problem, but forgot to. I should do that now, in case it happens again and someone less friendly gets some nasty ideas. =P

 
yeah... this experience has opened my eyes to other sloppy coding. Maybe I'll be able to find something interesting ;)
 
> > nevermind... I got in. ;)
>
> Do you think you could post the code you used?
>

*laughs*

the userid of the user was being passed visibly in the URL. All I had to do was simply change the userid, resubmit the URL, and poof, another user's data would appear, complete with password in plaintext.

It is not an exploit. It is EXTREMELY sloppy code. I didn't have to code anything to get around it. :p

bloody thing doesn't even set session variables for logins
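The two problems the thread describes, the echoed search string rendered as markup and a userid in the URL that the site trusts as identity, shown next to the defensive handling a server should apply. This is an added example in Python, not code from the thread or from the site being discussed; the user table, ids and passwords are constructed.

```python
import hashlib
import hmac
import html
import os

# Constructed sample user table (not the site's data). Passwords are kept
# only as salted SHA-256 digests, so a leaked record cannot expose them.
# A real deployment would use a slow KDF such as PBKDF2 or bcrypt instead.
_SALT = os.urandom(16)

def _hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

USERS = {
    101: {"name": "alice", "pw_hash": _hash_password("alice-secret", _SALT)},
    102: {"name": "bob", "pw_hash": _hash_password("bob-secret", _SALT)},
}

def render_search_echo(query: str) -> str:
    """Build the 'Results for ...' fragment with the query HTML-encoded.

    Encoding on output, rather than banning < and >, keeps legitimate
    searches working while the browser treats the text as data, not markup.
    """
    return "<p>Results for: <b>%s</b></p>" % html.escape(query, quote=True)

def verify_login(user_id: int, password: str) -> bool:
    """Check a password against the stored digest in constant time."""
    user = USERS.get(user_id)
    if user is None:
        return False
    candidate = _hash_password(password, _SALT)
    return hmac.compare_digest(user["pw_hash"], candidate)

def get_profile(session_user_id, requested_user_id: int) -> dict:
    """Return a profile only to the logged-in owner of that record.

    The id in the URL is a request, not proof of identity: the server-side
    session decides who the caller is, and the password digest is never
    included in the response.
    """
    if session_user_id is None:
        raise PermissionError("login required")
    if session_user_id != requested_user_id:
        raise PermissionError("not your record")
    user = USERS.get(requested_user_id)
    if user is None:
        raise KeyError("no such user")
    return {"id": requested_user_id, "name": user["name"]}
```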
 
> the userid of the user was being passed visibly in the URL.
> All I had to do was simply change the userid, resubmit the
> URL, and poof, another user's data would appear, completely
> with password in plaintext.

Wow, what's the URL of this site?

I guess I probably won't ever find another site like this to try this out on.
 
hell if I'm gonna tell you.

it's not public.

edit: yay, 400 posts.
Anyway, it's a site he's in the process of working on, and I'm trying to convince him to learn from someone who knows what they're doing before he makes it public, because all kinds of bad things will happen. He's consulting with someone next week. :p

Edited by Audigy on 08/09/05 01:27 AM.
 