Lavalair Exploit


    #16
    Originally posted by mobileGIGS View Post
    f.uck u, u, and oh you too. ;-)

    I help when its necessary, nt like nw. And kev u shudnt be even talkn considerin u got a team who cant even spot a crevice in ur script even if it hit them in the face.
    This topic is like most of the topics in coding-talk which is helping others with coding. In this topic it is about helping others with security problems which you make out to be the expert on.
    So if it is not necessary to help others in a topic that you know so much about then its pointless you being here, Other than to do your normal routine and put other people down.

    Just a quick question does it make you feel like a big man when you put people down? .... you know what they say about cyber bullies.

    Maybe one day you will get off your high horse and decide to thank someone for their coding instead of putting people down.

    Sorry for going off topic opticalpigeon.

    Back to on topic:

    BorN2pwn, I think the hacker from the shout box was injecting SQL into the script; why else would they bother updating plusses? I'm guessing they were using it as a multi-part SQL injection,
    eg: ', perm='4', plusses='9999999

    Comment


      #17
      As Requested:
      Here is a quick bit of code that checks the IP and browser against the ones in the database to see if the user has the same details, to help secure sessions (as thanatos and I were talking about earlier in the topic):

      Change the line:
      PHP Code:
      if((islogged($sid)==false)||($uid==0)) {
      To
      PHP Code:
      // Fetch the IP and browser string stored for this user
      $check = mysql_fetch_array(mysql_query("SELECT ipadd, browserm FROM ibwf_users WHERE id='".$uid."'"));

      // Reject the request if the session is invalid or the IP/browser differ from the stored values
      if((islogged($sid)==false)||($uid==0)||($ip!=$check[0])||($ubr!=$check[1])){
      You will also need to update the IP and browser info on the login page,

      e.g.:
      PHP Code:
      // Store the current browser string and IP for the logged-in user
      $res = mysql_query("UPDATE ibwf_users SET browserm='".$ubr."', ipadd='".$uip."' WHERE id='".getuid_sid($sid)."'");
      This isn't the perfect solution, but it helps.

      Comment


        #18
        Filter the value where HTTP UserAgent and other HTTPs will affect the field.

        Comment


          #19
          Other things you can do to help are things like checking the referer, e.g.:
          PHP Code:
          // Block the request when a Referer is present but does not contain this site's host
          if(substr_count($_SERVER['HTTP_REFERER'],$_SERVER['HTTP_HOST'])<1&&$_SERVER['HTTP_REFERER']!=""){
              echo "your not logged in!";
              exit();
          }

          Comment
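
A stricter form of the referer check in post #19, added here as an example and not code from the thread or from Lavalair: it compares the parsed host of the Referer exactly instead of counting substring matches. The function name and the `site.example` / `other.example` hosts are assumptions made up for the illustration.

```php
<?php
// Added example, not from the thread. Function name and hosts are constructed.
function referer_is_same_host(string $referer, string $hostHeader): bool {
    if ($referer === '') {
        return true;   // the thread's check also lets an empty Referer through
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost)) {
        return false;  // relative or unparseable value: no host to compare
    }
    // HTTP_HOST may carry a port ("site.example:8080"); compare host names only.
    $ownHost = preg_replace('/:\d+$/', '', $hostHeader);
    return strcasecmp($refHost, $ownHost) === 0;
}

// Constructed sample values; $host stands in for $_SERVER['HTTP_HOST'].
$host = 'site.example:8080';
$samples = [
    'http://site.example:8080/index.php',      // same host
    'http://SITE.example/chat.php',             // same host, different case
    'http://other.example/?ref=site.example',   // site name only appears in the query string
    'index.php',                                // no host component
    '',                                         // header absent
];
foreach ($samples as $ref) {
    printf("%-45s %s\n", var_export($ref, true),
           referer_is_same_host($ref, $host) ? 'accept' : 'reject');
}
```

The Referer header is supplied by the client, so this only supplements the session check; it does not replace it.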


            #20
            lmao @ does it make u feel big.

            Well if u must knw the site needs a rebel. Too fu.ckin boring. All u all say is lava dis lava dat, session dis, session dat, hack dis, hack dat (and 1/2 dnt knw d first). If yal wud rather talk archaic **** ova n ova again then pls dnt mind my intrusion, im just avin fun. And oh if yal take me or wot i say personally then u nid to get a life. . .No Really. :-/

            Comment


              #21
              @the wuss dat tinks im a nerd. . .well i may be a nerd bt im waay cooler like pharrell williams lol skateboard geek.

              Comment


                #22
                Nice topic thankz for idea.up :d

                Comment


                  #23
                  meh.. i would share my knowledge i have of my scripts, but I did the professional and wise thing and used 3rd party's and hundreds of hours and dollars finding nearly every hole/exploit/weakness/unoptimized shizzle in the script

                  only way people will get this info is if i respect them or i release the script with my own encryption, none of the ioncube/zend rubbish
                  most of the people here are retards who probably can only just code a phpinfo script let alone a multi-functional community script, those people i do not like

                  /end offtopicness

                  Comment


                    #24
                    lol hundreds of hours and dollars?... for my scripts i just tell every hacker.. hack it if they can, and then i log every move they make and then i patch it...
                    but thats risky if you don't have a backup of your site
                    Mobile chat, iphone chat, android chat, chat, rooms http://www.aiochat.com

                    Comment


                      #25
                      @amylee, ok tnx 4 dat info. we wont look any further share from you with regards to lava scripts hole. :D

                      Comment


                        #26
                        @mobilegigs, well if u dnt mind. Dz topic is not 4 u 2 have fun to insult pipol hir or act lyk a gangsta hir. If u may, if u got nothng gud to share, jst dnt go over dz topic. Ur presence is not needed here wid dat kind of attitude u have.

                        Comment


                          #27
                          Originally posted by thanatos View Post
                          @amylee, ok tnx 4 dat info. we wont look any further share from you with regards to lava scripts hole. :D
                          your welcome...

                          Comment


                            #28
                            :P dz d frst time i see amylee says "your welcome" :P

                            Comment


                              #29
                              Act Gangster? WTf! I rest ma case.
                              Last edited by CreativityKills; 30.05.10, 05:21.

                              Comment


                                #30
                                Originally posted by thanatos View Post
                                Since hacking lavalair is scattered like a disease. Im going to reveal some hakworx to alert some newbies and not be played by sum outpatient psychotic hackers. SQLi is nt only in registration bt also cn b done in HTTP headers like UA, http_x_forward etc etc. Take a look at this query: update table_users set browserm='sqli here' and ip='function getip'; and look at the function getip and analyze how sqli workx wid http header using curl manipulation. One must fix that query since it is nt covered wid magic quotes.
                                Going back to the original exploit, you will need to cover your IP and browser details with mysql_real_escape_string and htmlspecialchars to stop people like mobileGIGs from injecting SQL or malicious HTML into your site,
                                e.g.:
                                PHP Code:
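                                ////////////////////////////get ip
                                function getip(){
                                    // Use a proxy-supplied header when present, otherwise the socket address
                                    if(!empty($_SERVER['HTTP_CLIENT_IP'])){
                                        $ip = $_SERVER['HTTP_CLIENT_IP'];
                                    }else if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){
                                        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
                                    }else{
                                        $ip = $_SERVER['REMOTE_ADDR'];
                                    }
                                    $ip = strtolower($ip);
                                    // Fall back to the socket address when the header says "unknown"
                                    if(substr_count($ip,"unknown")>0){
                                        $ip = $_SERVER['REMOTE_ADDR'];
                                    }
                                    // Encode HTML metacharacters, then escape for a MySQL string literal
                                    $ip = htmlspecialchars($ip);
                                    $ip = mysql_real_escape_string($ip);
                                    return $ip;
                                }

                                ////////////////////////////////get browser
                                function getbrowser(){
                                    $brws = $_SERVER['HTTP_USER_AGENT'];
                                    $ope = $_SERVER['HTTP_X_OPERAMINI_PHONE_UA'];
                                    // Prepend the Opera Mini phone UA when that header is present
                                    if ($ope==""){
                                        $br = $brws;
                                    }else{
                                        $br = "$ope $brws";
                                    }
                                    // Encode HTML metacharacters, then escape for a MySQL string literal
                                    $br = htmlspecialchars($br);
                                    $br = mysql_real_escape_string($br);
                                    return $br;
                                }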

                                Comment
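
The login-page UPDATE from post #17, run once as string concatenation and once with bound parameters, using the multi-part value quoted in post #16 as the browser header. This is an added example, not code from the thread or from Lavalair; the table is a constructed subset of `ibwf_users`, and PDO with in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not Lavalair's code. Schema and row values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE ibwf_users (id INTEGER PRIMARY KEY, perm TEXT,
            plusses TEXT, browserm TEXT, ipadd TEXT)");

// Constructed header values: the string quoted in post #16 and a
// documentation-range IP address.
$ubr = "', perm='4', plusses='9999999";
$uip = '203.0.113.7';

function reset_user(PDO $pdo): void {
    $pdo->exec("DELETE FROM ibwf_users");
    $pdo->exec("INSERT INTO ibwf_users VALUES (1, '0', '10', '', '')");
}

function show_user(PDO $pdo, string $label): array {
    $row = $pdo->query("SELECT perm, plusses, browserm FROM ibwf_users WHERE id = 1")
               ->fetch(PDO::FETCH_ASSOC);
    echo $label, ': ', json_encode($row), "\n";
    return $row;
}

// 1) UPDATE built by concatenation, as in the thread: the header text
//    becomes part of the SET list and rewrites perm and plusses.
reset_user($pdo);
$pdo->exec("UPDATE ibwf_users SET browserm='" . $ubr . "', ipadd='" . $uip
         . "' WHERE id='1'");
show_user($pdo, 'concatenated');

// 2) Same UPDATE with bound parameters: the header is stored as data in
//    browserm and the other columns keep their values.
reset_user($pdo);
$stmt = $pdo->prepare("UPDATE ibwf_users SET browserm = ?, ipadd = ? WHERE id = ?");
$stmt->execute([substr($ubr, 0, 255), $uip, 1]);
show_user($pdo, 'prepared');
```

The `mysql_*` functions used in the thread were removed in PHP 7.0; bound parameters through PDO or mysqli cover the same queries without per-value escaping, and `htmlspecialchars` then belongs at the point where the stored value is printed.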
