Full Disclosure mailing list archives
Re: Selling Exploit on Deep Web
From: Benji <me () b3nji com>
Date: Fri, 21 Dec 2012 10:26:02 +0000
Also genius, I know you're quick to kick things down because you are inept. However, I'd say after my whole 10 minute review of that code and a simple check with PHP that, that site is vulnerable to SQLi and by the look of it.

If we take a look at latest WeBid code, specifically selleremails.php, we see them doing an array_merge from $_POST to $user->user_data (user_data being a trusted array it would appear).

include 'includes/common.inc.php';

if (!$user->is_logged_in())
{
    $_SESSION['REDIRECT_AFTER_LOGIN'] = 'selleremails.php';
    header('location: user_login.php');
    exit;
}

// Create new list
if (isset($_POST['action']) && $_POST['action'] == 'update')
{
    $query = "UPDATE " . $DBPrefix . "users SET endemailmode = '" . $system->cleanvars($_POST['endemailmod']) . "',
              startemailmode = '" . $system->cleanvars($_POST['startemailmod']) . "',
              emailtype = '" . $system->cleanvars($_POST['emailtype']) . "' WHERE id = " . $user->user_data['id'];
    $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
    $ERR = $MSG['25_0192'];
    $user->user_data = array_merge($user->user_data, $_POST); //update the array
}

After staying up all night and working through this code, I came up with this test case:

<?php
$array1 = array("color" => "red");
$array2 = array("color" => "test");
$result = array_merge($array1, $array2);
print_r($result);
?>

Array
(
    [color] => test
)

So as we can overwrite any array value, we have SQLi across the application. Maybe a first 0day for hacktalk.net?

I will take your 'hella l33t', print it out, and then shit on it. Suck my dick.

On Fri, Dec 21, 2012 at 10:12 AM, Benji <me () b3nji com> wrote:
You say "n00bz" welcome, where is my assistance and the warm atmosphere to embrace me into the world of script kiddy-ism? Oh, and the obvious literary genius.

On Fri, Dec 21, 2012 at 8:25 AM, Luis Santana <hacktalk () hacktalk net> wrote:

Hella l33t bro, you can read an email address. Much propz

On Dec 21, 2012, at 3:22 AM, Benji <me () b3nji com> wrote:

in other news, have you heard of the super cool site hacktalk.net where they almost have 1000 members?

On Thu, Dec 20, 2012 at 3:13 PM, Luis Santana <hacktalk () hacktalk net> wrote:

Not a single fucking exploit on the entire site. gg sir, gg

On Dec 10, 2012, at 2:17 PM, tig3rhack () tormail org wrote:

In Deep Web has created a new online site a few days ago that allows you to sell even exploits, malware, etc. etc.. The site works like Ebay so everything is auctioned.

you can get from tor: http://qatuopo4wmzkirlo.onion
Or by proxy (tor2web): https://qatuopo4wmzkirlo.tor2web.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
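Added example (not part of the original message and not WeBid code): the merge pattern quoted in the message beside an allowlisted merge and a parameterised lookup. The function names, the `users` table, the field allowlist and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Added example, not WeBid code. Names and sample values are hypothetical.
const EDITABLE_FIELDS = ['endemailmode', 'startemailmode', 'emailtype'];

// Pattern from the message: request data merged over the trusted array.
function mergeUnsafe(array $userData, array $post): array
{
    return array_merge($userData, $post); // every key in $post wins, 'id' included
}

// Hardened merge: copy only allowlisted keys, and only scalar values.
function mergeAllowlisted(array $userData, array $post): array
{
    $allowed = array_intersect_key($post, array_flip(EDITABLE_FIELDS));
    $allowed = array_map('strval', array_filter($allowed, 'is_scalar'));
    return array_merge($userData, $allowed);
}

// Later query built the way the excerpt builds its WHERE clause: id concatenated unquoted.
function whereConcatenated(array $userData): string
{
    return 'SELECT * FROM users WHERE id = ' . $userData['id'];
}

// Hardened: validate the id as an integer and hand it to a placeholder.
function whereParameterised(array $userData): array
{
    $id = filter_var($userData['id'], FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('user id is not an integer');
    }
    return ['SELECT * FROM users WHERE id = ?', [$id]];
}

// Constructed sample data: a session row and a form post carrying an extra 'id' key.
$trusted = ['id' => 17, 'nick' => 'alice', 'emailtype' => 'html'];
$post    = ['action' => 'update', 'emailtype' => 'text', 'id' => '17 /* request-supplied */'];

$unsafe = mergeUnsafe($trusted, $post);
echo whereConcatenated($unsafe), PHP_EOL;         // the id in the SQL now comes from the request
$safe = mergeAllowlisted($trusted, $post);
var_dump($safe['id'] === 17, $safe['emailtype']); // id kept from the session, emailtype updated
[$sql, $params] = whereParameterised($safe);
echo $sql, ' ', json_encode($params), PHP_EOL;
try {
    whereParameterised($unsafe);                  // second layer: a non-integer id is refused
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```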