Full Disclosure mailing list archives

Re: Selling Exploit on Deep Web


From: Benji <me () b3nji com>
Date: Fri, 21 Dec 2012 14:46:24 +0000

Not your website. The website you were somehow accusing of being shit based
on its lack of interesting information when obviously hacktalk is a
plethora of information, expertise and semen samples.


On Fri, Dec 21, 2012 at 2:44 PM, Luis Santana <hacktalk () hacktalk net> wrote:

Lulz? Sorry bro but uh, the main page runs SMF not WeBid so I'm not really
too sure where you pulled that from. Good job though, maybe santa will give
you some of his cookies for your effort.


On Dec 21, 2012, at 5:26 AM, Benji <me () b3nji com> wrote:

Also genius, I know you're quick to kick things down because you are
inept. However, I'd say after my whole 10 minute review of that code and a
simple check with PHP that, that site is vulnerable to SQLi and by the look
of it.

If we take a look at latest WeBid code, specifically selleremails.php, we
see them doing an array_merge from $_POST to $user->user_data (user_data
being a trusted array it would appear).

include 'includes/common.inc.php';

if (!$user->is_logged_in())
{
    $_SESSION['REDIRECT_AFTER_LOGIN'] = 'selleremails.php';
    header('location: user_login.php');
    exit;
}

// Create new list
if (isset($_POST['action']) && $_POST['action'] == 'update')
{
    $query = "UPDATE " . $DBPrefix . "users SET endemailmode = '" . $system->cleanvars($_POST['endemailmod']) . "',
        startemailmode = '" . $system->cleanvars($_POST['startemailmod']) . "',
        emailtype = '" . $system->cleanvars($_POST['emailtype']) . "'  WHERE id = " . $user->user_data['id'];
    $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
    $ERR = $MSG['25_0192'];
    $user->user_data = array_merge($user->user_data, $_POST); //update the array
}

After staying up all night and working through this code, I came up with
this test case:
<?php
$array1 = array("color" => "red");
$array2 = array("color" => "test");
$result = array_merge($array1, $array2);
print_r($result);
?>
Array
(
    [color] => test
)

So as we can overwrite any array value, we have SQLi across the
application. Maybe a first 0day for hacktalk.net?

I will take your 'hella l33t', print it out, and then shit on it.

Suck my dick.


On Fri, Dec 21, 2012 at 10:12 AM, Benji <me () b3nji com> wrote:

You say "n00bz" welcome, where is my assistance and the warm atmosphere
to embrace me into the world of script kiddy-ism? Oh, and the obvious
literary genius.


On Fri, Dec 21, 2012 at 8:25 AM, Luis Santana <hacktalk () hacktalk net> wrote:

Hella l33t bro, you can read an email address. Much propz


On Dec 21, 2012, at 3:22 AM, Benji <me () b3nji com> wrote:

In other news, have you heard of the super cool site hacktalk.net where
they almost have 1000 members?


On Thu, Dec 20, 2012 at 3:13 PM, Luis Santana <hacktalk () hacktalk net> wrote:

Not a single fucking exploit on the entire site. gg sir, gg


On Dec 10, 2012, at 2:17 PM, tig3rhack () tormail org wrote:

In the Deep Web, a new online site was created a few days ago that allows
you to sell even exploits, malware, etc.
The site works like Ebay, so everything is auctioned.

You can get to it from Tor: http://qatuopo4wmzkirlo.onion

Or by proxy (tor2web): https://qatuopo4wmzkirlo.tor2web.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
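
The array_merge pattern quoted in the thread, set beside an allowlisted merge, as an added example that is not part of the original posts and is not WeBid code. The helper merge_allowed_fields, the constant EDITABLE_FIELDS and the sample arrays are constructed for illustration; the form field names are taken from the quoted UPDATE statement.

```php
<?php
// Added example, not WeBid code. Helper name and sample data are constructed.

// Keys this form is allowed to change. Any other key in the request body
// is ignored, so 'id' and other trusted entries cannot be replaced.
const EDITABLE_FIELDS = ['endemailmod', 'startemailmod', 'emailtype'];

function merge_allowed_fields(array $trusted, array $request, array $allowed): array
{
    // Keep only allowlisted keys whose values are plain strings
    // (this also rejects nested arrays such as emailtype[]=x).
    $filtered = array_filter(
        array_intersect_key($request, array_flip($allowed)),
        'is_string'
    );
    return array_merge($trusted, $filtered);
}

// Constructed stand-ins for $user->user_data and $_POST.
$user_data = ['id' => '42', 'nick' => 'alice', 'emailtype' => 'html'];
$post = [
    'action'    => 'update',
    'emailtype' => 'text',
    'id'        => 'not-a-number', // a key the form itself never offers
];

$unsafe = array_merge($user_data, $post); // pattern from the thread
$safe   = merge_allowed_fields($user_data, $post, EDITABLE_FIELDS);

// Compare what each merge did to the trusted 'id' and to the form field.
echo 'plain merge kept trusted id:     ', var_export($unsafe['id'] === $user_data['id'], true), "\n";
echo 'allowlist merge kept trusted id: ', var_export($safe['id'] === $user_data['id'], true), "\n";
echo 'allowlist merge updated field:   ', var_export($safe['emailtype'] === $post['emailtype'], true), "\n";
echo 'allowlist merge kept stray key:  ', var_export(array_key_exists('action', $safe), true), "\n";

// Second layer: the quoted query concatenates the id without quotes, so
// require an integer before it goes anywhere near SQL.
$id = filter_var($safe['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    throw new RuntimeException('user id is not an integer');
}
```

The allowlist addresses the merge itself; binding the id as a parameter in a prepared statement (PDO or mysqli) removes the dependence on the array staying trusted.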
