I am no one, but I have not started it I post what I post on my blog! Il 22.12.2012 16:07 Julius Kivimäki ha scritto: > Aren't you a true master hacker trying (and failing) to DDoS sites > and posting XSS vulnerabilities on random sites to FD. > > 2012/12/22 tig3rhack <[email protected]> > >> Onion Bazaar is an online auction site, exploits are filled in by >> those >> who want to sell them, for hacktalk exploiting my dick. >> >> Ooops your site is down ho ho ho >> >> stupid idiot >> >> Il 21.12.2012 14:49 Luis Santana ha scritto: >> >>> Semen samples are just how we pay the bills, don't hold that >>> against >> > us. Do you know how much you can get for over 9000 gallons of >> semen? >> > You can get a lot, a _whole_ lot. >> > >> > Anyway, I wasn't saying that the "Onion Bazaar" site was shit, >> simply >> > that the OP said it was a place to buy/sell exploits and yet not a >> > single exploit was available for sale; was a bit of the bait & >> > switch. >> > >> > <3 Benji, stop being so upset; you just survived the end of the >> world >> > man! >> > >> > On Dec 21, 2012, at 9:46 AM, Benji <[email protected]> wrote: >> > >> >> Not your website. The website you were somehow accusing of being >> >> shit based on it's lack of interesting information when obviously >> >> hacktalk is a plethora of information, expertise and semen >> samples. >> >> >> >> On Fri, Dec 21, 2012 at 2:44 PM, Luis Santana >> >> <[email protected]> wrote: >> >> >> >>> Lulz? Sorry bro but uh, the main page runs SMF not WeBid so I'm >> not >> >>> really too sure where you pulled that from. Good job though, >> maybe >> >>> santa will give you some of his cookies for your effort. >> >>> >> >>> On Dec 21, 2012, at 5:26 AM, Benji <[email protected]> wrote: >> >>> >> >>>> Also genius, I know you're quick to kick things down because >> you >> >>>> are inept. However, I'd say after my whole 10 minute review of >> that >> >>>> code and a simple check with PHP that, that site is vulnerable >> to >> >>>> SQLi and by the look of it. >> >>>> >> >>>> If we take a look at latest WeBid code, specifically >> >>>> selleremails.php, we see them doing an array_merge from $_POST >> to >> >>>> $user>user_data (user_data being a trusted array it would >> appear). >> >>>> >> >>>> include 'includes/common.inc.php'; >> >>>> >> >>>> if (!$user->is_logged_in()) >> >>>> { >> >>>> $_SESSION['REDIRECT_AFTER_LOGIN'] = 'selleremails.php'; >> >>>> header('location: user_login.php'); >> >>>> exit; >> >>>> } >> >>>> >> >>>> // Create new list >> >>>> if (isset($_POST['action']) && $_POST['action'] == 'update') >> >>>> { >> >>>> $query = "UPDATE " . $DBPrefix . "users SET endemailmode = '" . >> >>>> $system->cleanvars($_POST['endemailmod']) . "', >> >>>> startemailmode = '" . >> $system->cleanvars($_POST['startemailmod']) >> >>>> . "', >> >>>> emailtype = '" . $system->cleanvars($_POST['emailtype']) . "' >> >>>> WHERE id = " . $user->user_data['id']; >> >>>> $system->check_mysql(mysql_query($query), $query, __LINE__, >> >>>> __FILE__); >> >>>> $ERR = $MSG['25_0192']; >> >>>> $user->user_data = array_merge($user->user_data, $_POST); >> //update >> >>>> the array >> >>>> } >> >>>> >> >>>> After staying up all night and working through this code, I >> came >> >>>> up with this test case: >> >>>> >> >>>> <?php >> >>>> $array1 = array("color" => "red"); >> >>>> $array2 = array("color" => "test"); >> >>>> $result = array_merge($array1, $array2); >> >>>> print_r($result); >> >>>> ?> >> >>>> Array >> >>>> ( >> >>>> [color] => test >> >>>> ) >> >>>> >> >>>> So as we can overwrite any array value, we have SQLi across the >> >>>> application. Maybe a first 0day for hacktalk.net [1] [5]? >> >>>>>> >> >>>> I will take your 'hella l33t', print it out, and then shit on >> it. >> >>>> >> >>>> Suck my dick. >> >>>> >> >>>> On Fri, Dec 21, 2012 at 10:12 AM, Benji <[email protected]> wrote: >> >>>> >> >>>>> You say "n00bz" welcome, where is my assistance and the warm >> >>>>> atmosphere to embrace me into the world of script kiddy-ism? >> Oh, >> >>>>> and the obvious literary genius. >> >>>>> >> >>>>> On Fri, Dec 21, 2012 at 8:25 AM, Luis Santana >> >>>>> <[email protected]> wrote: >> >>>>> >> >>>>>> Hella l33t bro, you can read an email address. Much propz >> >>>>>> >> >>>>>> On Dec 21, 2012, at 3:22 AM, Benji <[email protected]> wrote: >> >>>>>> >> >>>>>>> in other news, have you heard of the super cool site >> >>>>>>> hacktalk.net [1] [5] where they almost have 1000 members? >> >>>>>>>>> >> >>>>>>> On Thu, Dec 20, 2012 at 3:13 PM, Luis Santana >> >>>>>>> <[email protected]> wrote: >> >>>>>>> >> >>>>>>>> Not a single fucking exploit on the entire site. gg sir, gg >> >>>>>>>> >> >>>>>>>> On Dec 10, 2012, at 2:17 PM, [email protected] wrote: >> >>>>>>>> >> >>>>>>>> > In Deep Web has created a new online site a few days ago >> >>>>>>>> that allows you >> >>>>>>>> > to sell even exploits, malware, etc. etc.. >> >>>>>>>> > The site works like Ebay so everything is auctioned. >> >>>>>>>> > >> >>>>>>>> > you can get from tor: http://qatuopo4wmzkirlo.onion [2] >> [1] >> >>>>>>>>>> > >> >>>>>>>> > Or by proxy (tor2web): >> https://qatuopo4wmzkirlo.tor2web.org [3] >> >>>>>>>> [2] >> >>>>>>>>>> > >> >>>>>>>> > _______________________________________________ >> >>>>>>>> > Full-Disclosure - We believe in it. >> >>>>>>>> > Charter: >> >>>>>>>> http://lists.grok.org.uk/full-disclosure-charter.html [4] >> [3] >> >>>>>>>> > Hosted and sponsored by Secunia - http://secunia.com/ [5] >> [4] >> >>>>>>>>>> >> >>>>>>>> _______________________________________________ >> >>>>>>>> Full-Disclosure - We believe in it. >> >>>>>>>> Charter: >> http://lists.grok.org.uk/full-disclosure-charter.html [4] >> >>>>>>>> [3] >> >>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/ [5] >> [4] >> > >> > >> > >> > Links: >> > ------ >> > [1] http://qatuopo4wmzkirlo.onion/ [6] >> > [2] https://qatuopo4wmzkirlo.tor2web.org/ [7] >> > [3] http://lists.grok.org.uk/full-disclosure-charter.html [4] >> > [4] http://secunia.com/ [5] >> > [5] http://hacktalk.net/ [8] >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html [4] >> Hosted and sponsored by Secunia - http://secunia.com/ [5] > > > > Links: > ------ > [1] http://hacktalk.net > [2] http://qatuopo4wmzkirlo.onion > [3] https://qatuopo4wmzkirlo.tor2web.org > [4] http://lists.grok.org.uk/full-disclosure-charter.html > [5] http://secunia.com/ > [6] http://qatuopo4wmzkirlo.onion/ > [7] https://qatuopo4wmzkirlo.tor2web.org/ > [8] http://hacktalk.net/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
