Hacking Session Id

Collapse
X
Collapse
 
  • Page of 3
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 3 template Next
    #1

    Hacking Session Id

    sum day ago i saw topic with the same title, but the next day it was deleted....

    in tht topic sum1 says it needs only ur nickname nd ur lastact 2 still ur session id...

    i dnt need 2 knw how it cn b done, all i want 2 knw is how 2 prevent it!!!!!!!!!!

    how 2 protect users id's from stilling their session id's???

    also i'd like 2 knw why the previous topic was deleted???

    We dont have rights 2 knw how we cn protect our site or what?

    its very lame nd all i cn think of is tht previous topic was deleted bcuz sum1 dnt want us 2 knw how 2 prevent it....

    we all knw WHO and WHY, right? lol

    anyway i belive this topic is not harmfull 2 any1 and most probably it will b deleted, but i'll write it again nd again nd

    again, at least untill i'll get banned!!!

    Thanks...
    sigpiceeeeerrr....
    Tags: None
    #2
    actualy tht topic is visible (look belove this topic) but it cannot be accessed lol


    Topic Replies Topic Starter Views Last Action
    Hacking Session Id 0 mcKeny 9 Yesterday, 01:25 AM
    Last post by: mcKeny
    sigpiceeeeerrr....

    Comment

      #3
      he was boasting about doing it had no action on how to stop it so id eleted it got a probem with that?

      Comment

        #4
        he was boasting about doing it had no action on how to stop it so id eleted it got a probem with that?[/b]
        got no problem with tht....

        i dnt need 2 knw how it cn still session,i just wanna knw how 2 prevent it on my site, if its easy as he said...

        nothng else......

        i guess u already fixed tht on ur site... would u mind share it?

        i'd just like an idea how it cn b fixed....

        and i dnt think on tht avatar ****......cuz in tht topic he said he only needs ur nickname and ur lastact....

        is tht true?
        sigpiceeeeerrr....

        Comment

          #5
          got no problem with tht....

          i dnt need 2 knw how it cn still session,i just wanna knw how 2 prevent it on my site, if its easy as he said...

          nothng else......

          i guess u already fixed tht on ur site... would u mind share it?

          i'd just like an idea how it cn b fixed....

          and i dnt think on tht avatar ****......cuz in tht topic he said he only needs ur nickname and ur lastact....

          is tht true?[/b]
          dont hotlink images is the best way to stop it and sometimes break the refereal link by visiting google or something then visiting the site

          Comment

            #6
            was i? are was i explaining how to prevent someone from using someone else sid?
            in your new script you got the function that send the user an auto pm if someone else is using someone else sid @amy .... in mine it log both of them out and user will have to re login....and if they get user sid
            by the way i know its done...you could do this to prevent it $did =$uid.$tm.$tm;

            R.M.C
            ----------
            PHP Adovocate B)

            Comment

              #7
              dont hotlink images is the best way to stop it and sometimes break the refereal link by visiting google or something then visiting the site [/b]
              u mean at my cpanel i should forbid others 2 linking my images or what?

              btw 2nd part of ur post i dnt understand "sometimes break the refereal link by visiting google or something then visiting the site"????

              ******************************************

              what should i get with $did =$uid.$tm.$tm; mckeny??
              it doesnt make sence 2 me....
              sigpiceeeeerrr....

              Comment

                #8
                U cemu je problem drug?
                Ako je ono sto ja mislim moras zabraniti sve slike odredjene extenzije... Ako nisi sredio detalji na pp

                Comment

                  #9
                  shouldn't this script of been using urlencode () for the sessions from the start anyway?? lol

                  Comment

                    #10
                    u mean at my cpanel i should forbid others 2 linking my images or what?

                    btw 2nd part of ur post i dnt understand "sometimes break the refereal link by visiting google or something then visiting the site"????[/b]
                    No, i mean you shouldnt hotlink any images from other sites... and my second part...

                    refereal links are found in the cpanel... just say i was on your site as owner but then didn't logout and then visited lavalair on the lavalair cpanel they would see a link in logs...

                    with that link they would see the entire link including the sid id... hard to understand if your not 100% sure with the cpanel and refereal parts lol

                    Comment

                      #11
                      No, i mean you shouldnt hotlink any images from other sites... and my second part...

                      refereal links are found in the cpanel... just say i was on your site as owner but then didn't logout and then visited lavalair on the lavalair cpanel they would see a link in logs...

                      with that link they would see the entire link including the sid id... hard to understand if your not 100% sure with the cpanel and refereal parts lol[/b]
                      oh yeah i understand now.....

                      no i dnt use images from other sites lol

                      and 4 the 2nd part aaahhhhhhhhaaaaa!!!! lol didnt knew tht lol thanx
                      sigpiceeeeerrr....

                      Comment

                        #12
                        shouldn't this script of been using urlencode () for the sessions from the start anyway?? lol[/b]
                        nah cuz the script doesnt use phpsessions, its just passing a normal variable in the url and check it for validation.

                        change how u create the session, for me i did this
                        Code:
                                            $var1 = $uid;
                    $var2 = $pwd;
                    $var3 = $func->GetIP();
                    $var4 = $func->GetBrowser();
                    $var5 = rand(1,1000); 
                    $var6 = time();
                    $var = $var1.$var2.$var3.$var4.$var5.$var6;
                    $SID = md5($var);
                    $SID = substr($SID,0,-22);
                    $SID = base64_encode($SID);
                    $SID = substr($SID,0,-6);
                        i could post my whole login page
                        Code:
                        <?php

if(!defined(&#39;LIVE&#39;))
{
    exit();
}

class Login
{
    public function doLogin()
    {
        global $tpl, $func, $db, $prefix;

        $tpl->assign(&#39;PAGENAME&#39;,&#39;Login&#39;);

        $logged = FALSE;

        $uid = $func->cleanstring($_REQUEST[&#39;UID&#39;]);
        $pwd = $func->cleanstring($_REQUEST[&#39;PWD&#39;]);
        if(!isset($_POST[&#39;submit&#39;]))
        {
            $log_error = &#39;&#39;;
        }else if($uid==&#39;&#39;||$func->$pwd==&#39;&#39;)
        {
            $log_error = &#39;Enter username and password to login!&#39;;
        }else{
            $uid = strtolower($uid);
            $pwd = md5($pwd);
            $chkUser = $db->fetchAssoc("
                SELECT COUNT(*) 
                FROM {$prefix}Members 
                WHERE Username=&#39;".$uid."&#39;
            ");
    
            if($chkUser[0]>0)
            {
                $chkPass = $db->fetchAssoc("
                    SELECT COUNT(*) 
                    FROM {$prefix}Members 
                    WHERE Username=&#39;".$uid."&#39; AND Password=&#39;".$pwd."&#39;
                ");
    
                if($chkPass[0]>0)
                {
    
                    $var1 = $uid;
                    $var2 = $pwd;
                    $var3 = $func->GetIP();
                    $var4 = $func->GetBrowser();
                    $var5 = rand(1,1000); 
                    $var6 = time();
                    $var = $var1.$var2.$var3.$var4.$var5.$var6;
                    $SID = md5($var);
                    $SID = substr($SID,0,-22);
                    $SID = base64_encode($SID);
                    $SID = substr($SID,0,-6);
                    $userid = $func->getuid_name($uid);
                    $xptime = time()+(60*$func->getseslength_uid($userid));
                    $chkSes = $db->fetchAssoc("
                        SELECT COUNT(*) 
                        FROM {$prefix}Sessions 
                        WHERE UID=&#39;".$userid."&#39;
                    ");
                    $visits = $func->getVisits_uid($userid);
    
                    if($chkSes[0]>0)
                    {
                        $UpSes = $db->Query("
                            UPDATE {$prefix}Sessions 
                            SET ID=&#39;".$SID."&#39;, XPtime=&#39;".$xptime."&#39; 
                            WHERE UID=&#39;".$userid."&#39;
                        ");
                        if($UpSes)
                        {
                                $logged = TRUE;
                                $log_success = &#39;Login was successful&#39;;
                        }else{
                                $log_error = &#39;Error updating session, please contact the admin!&#39;;
                        }
                    }else{
                        $AddSes = $db->Query("
                            INSERT INTO {$prefix}Sessions 
                            SET ID=&#39;".$SID."&#39;, UID=&#39;".$userid."&#39;, XPtime=&#39;".$xptime."&#39;
                        ");
                        if($AddSes)
                        {
                            $logged = TRUE;
                            $log_success[] = &#39;Login was successful!&#39;;
                        }else{
                                $log_error = &#39;Error adding session, please contact admin!&#39;;
                        }
                    }

                    if($visits>0)
                    {
                        $login_msg = &#39;Welcome back&#39;;
                    }else{
                        $login_msg = &#39;Welcome&#39;;
                    }
                    $visits += 1;
                    $UpVisits = $db->Query("
                        UPDATE {$prefix}Members 
                        SET Visits=&#39;".$visits."&#39; 
                        WHERE ID=&#39;".$userid."&#39;
                    ");
    
                }else{
                    $log_error = &#39;The password you have entered is incorrect!&#39;;
                }
            }else{
                $log_error = &#39;The username you have entered is not registered!&#39;;
            }
        }
        $tpl->assign(&#39;UID_INPUT_VALUE&#39;,$_REQUEST[&#39;UID&#39;]);
        $tpl->assign(&#39;PWD_INPUT_VALUE&#39;,$_REQUEST[&#39;PWD&#39;]);
        $tpl->assign(&#39;AUTOLOG_INPUT_VALUE&#39;,$_REQUEST[&#39;autoLogin&#39;]);
        $tpl->assign(&#39;log_error&#39;,$log_error);
        $tpl->assign(&#39;log_success&#39;,$log_success);
        $tpl->assign(&#39;login_msg&#39;,$login_msg);
        $tpl->assign(&#39;user&#39;,$uid);
        $tpl->assign(&#39;SID&#39;,$SID);
        $tpl->assign(&#39;logged&#39;,$logged);
        $tpl->display(&#39;Login.tpl&#39;);
    }
}

?>

                        Comment

                          #13
                          ppl use a tool is in the forum !

                          yes its a image tool that can code in php

                          in lavalair i see this error place images in AVATARS !!

                          any one way to delete this is edit file names when place in AVATARS self AVATARS dont let php code to be entered at all !
                          Visit: Chat4u.mobi - The New Lay Of being a site of your dreams!
                          Visit: WapMasterz Coming Back Soon!
                          _______
                          SCRIPTS FOR SALE BY SUBZERO
                          Chat4u Script : coding-talk.com/f28/chat4u-mobi-script-only-150-a-17677/ - > Best Script for your site no other can be hacked by sql or uploaders.
                          FileShare Script : coding-talk.com/f28/file-wap-share-6596/ -> Uploader you will never regret buying yeah it mite be old now but it still seems to own others...
                          _______
                          Info & Tips
                          php.net
                          w3schools.com

                          Comment

                            #14
                            itz so easy :P but i dnt wanna share

                            Comment

                              #15
                              <div class='quotetop'>QUOTE (jehan18 @ Feb 4 2009, 11:40 PM) <{POST_SNAPBACK}></div>
                              itz so easy :P but i dnt wanna share[/b]
                              we will remember that when you gonna ask for anything
                              It's better to keep your mouth shut and give the impression that you're stupid, than to open it and remove all doubt.
                              ⓣⓗⓔ ⓠⓤⓘⓔⓣⓔⓡ ⓨⓞⓤ ⓑⓔ©ⓞⓜⓔ, ⓣⓗⓔ ⓜⓞⓡⓔ ⓨⓞⓤ ⓐⓡⓔ ⓐⓑⓛⓔ ⓣⓞ ⓗⓔⓐⓡ !
                              ιη тнєσяу, тнє ρяα¢тι¢є ιѕ α яєѕυℓт σƒ тнє тнєσяу, вυт ιη ρяα¢тι¢є ιѕ тнє σρρσѕιтє.
                              キノgんイノ刀g 4 ア乇ムc乇 ノ丂 レノズ乇 キucズノ刀g 4 √ノ尺gノ刀ノイリ!

                              Comment

                              Previous 1 2 3 template Next
                              Working...
                              X