Lavalair Exploit


    #31
    Changing field names and table names will also help, so it will be hard for noobs like me to keep guessing them.


      #32
      Originally posted by thanatos View Post
      Changing field names and table names will also help, so it will be hard for noobs like me to keep guessing them.
      Changing field names is good as long as you keep PHP error messages off and don't show MySQL errors, as otherwise people can crash your SQL to get the field names.
      Last edited by something else; 30.05.10, 15:27.
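      The leak described in #32, as an added example written for this page (not code from the thread or from the Lavalair script): the old `mysql_query(...) or die(mysql_error())` idiom prints the engine's error text to the visitor, and that text quotes the failing SQL, so a deliberately broken input reveals table and column names no matter how they were renamed. The hardened version keeps error detail in the server log and sends the browser a fixed message. The `$pdo` connection, the `users` table and its `id`/`nick` columns are hypothetical names; PHP 7.1+ with PDO is assumed.

```php
<?php
// Added example (not from the thread or from the Lavalair script) showing the
// leak the post above warns about, and the pattern that avoids it.
// Assumes a PDO connection $pdo and a table "users" with columns id and nick;
// the names are hypothetical.

// --- What leaks ---
// The old mysql_* idiom many Lavalair mods use. A request with ?id=1' makes
// the query fail and mysql_error() prints the engine's message, which quotes
// the broken SQL and so hands the table and column names to the attacker:
//
//   $r = mysql_query("SELECT nick FROM users WHERE id='" . $_GET['id'] . "'")
//        or die(mysql_error());

// --- Hardened ---
// Also set display_errors = Off in php.ini: ini_set() runs too late to hide
// errors raised while the script is still being compiled.
ini_set('display_errors', '0');   // nothing PHP-generated reaches the browser
ini_set('log_errors', '1');       // detail goes to the server log instead
error_reporting(E_ALL);

function lookupNick(PDO $pdo, string $id): ?string
{
    // Make PDO throw instead of returning false silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        $stmt = $pdo->prepare('SELECT nick FROM users WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $nick = $stmt->fetchColumn();
        return $nick === false ? null : (string) $nick;
    } catch (PDOException $e) {
        // Schema detail stays server-side; the visitor sees a fixed message
        // that carries nothing about the query or the database.
        error_log('lookupNick failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Something went wrong, please try again later.');
    }
}
```

      The prepared statement also means the `'` in `?id=1'` no longer breaks the query at all; the error handling is there for the failures that still happen (database down, schema changed), so that those do not become an information leak either.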


        #33
        Originally posted by something else View Post
        Going back to the original exploit, you will need to cover your IP and browser details with mysql_real_escape_string and htmlspecialchars to stop people like mobileGIGs from injecting SQL or malicious HTML into your site.
        eg:
        PHP Code:
        ////////////////////////////get ip
        function getip(){
            if(!empty($_SERVER['HTTP_CLIENT_IP'])){
                $ip=$_SERVER['HTTP_CLIENT_IP'];
            }else if(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){
                $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
            }else{
                $ip=$_SERVER['REMOTE_ADDR'];
            }
            $ip=strtolower($ip);
            // some proxies send the literal word "unknown"; fall back to the socket address
            if(substr_count($ip,"unknown")>0){
                $ip=$_SERVER['REMOTE_ADDR'];
            }
            $ip=htmlspecialchars($ip);
            $ip=mysql_real_escape_string($ip); // needs an open mysql_connect() link
            return $ip;
        }

        ////////////////////////////////get browser
        function getbrowser(){
            $brws=$_SERVER['HTTP_USER_AGENT'];
            // Opera Mini sends the real phone UA in a separate header; it is not always present
            $ope=isset($_SERVER['HTTP_X_OPERAMINI_PHONE_UA']) ? $_SERVER['HTTP_X_OPERAMINI_PHONE_UA'] : "";
            if($ope==""){
                $br=$brws;
            }else{
                $br="$ope $brws";
            }
            $br=htmlspecialchars($br);
            $br=mysql_real_escape_string($br);
            return $br;
        }

        huh?..... They can even hack your site using an IP?
        Mobile chat, iphone chat, android chat, chat, rooms http://www.aiochat.com


          #34
          Originally posted by kevk3v View Post
          huh?..... They can even hack your site using an IP?
          Yes, many people on here know how to change their IP into words or even SQL injection. That's why you must cover every single input a user can make on your site, as anything can be spoofed.
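          The point of #34, that `X-Forwarded-For`, `Client-IP` and `User-Agent` are just request headers the client fills in, is shown in the added example below. This is code written for this page, not from the thread or from Lavalair, and it takes a different approach from the escape-at-input `getip()`/`getbrowser()` quoted above: the header values are validated where a format exists (an IP address), bounded where none does (the User-Agent), handed to the database through prepared statements, and HTML-escaped only at output. The `visits` table and its columns, the `$trustProxy` flag and the request array at the end are constructed for the example; PHP 7.1+ with PDO and mbstring is assumed.

```php
<?php
// Added example, not code from the thread or from Lavalair. The table
// "visits" (columns ip, ua, seen) and the $trustProxy flag are hypothetical.

// Pick the client IP. X-Forwarded-For and Client-IP are ordinary request
// headers, so any client can send e.g.
//   X-Forwarded-For: 1.2.3.4' OR '1'='1
// Only consult them when PHP sits behind a proxy you control ($trustProxy);
// otherwise REMOTE_ADDR, which comes from the TCP socket, is the only value
// the client cannot simply type in.
function clientIp(array $server, bool $trustProxy = false): string
{
    $candidates = [];
    if ($trustProxy) {
        // XFF is a comma-separated list, original client first.
        if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
            $candidates[] = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        }
        if (!empty($server['HTTP_CLIENT_IP'])) {
            $candidates[] = trim($server['HTTP_CLIENT_IP']);
        }
    }
    $candidates[] = $server['REMOTE_ADDR'] ?? '';

    foreach ($candidates as $ip) {
        // FILTER_VALIDATE_IP accepts only a well-formed IPv4/IPv6 address, so
        // "unknown", SQL fragments and HTML all fall through to the next candidate.
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return '0.0.0.0';
}

// The User-Agent has no fixed grammar, so it cannot be validated, only bounded.
// It is stored raw; escaping is a property of where it is written, not of the value.
function clientUserAgent(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    if (!empty($server['HTTP_X_OPERAMINI_PHONE_UA'])) {
        $ua = $server['HTTP_X_OPERAMINI_PHONE_UA'] . ' ' . $ua;
    }
    return mb_substr($ua, 0, 255);   // assumes mbstring; keeps the column bounded
}

function recordVisit(PDO $pdo, array $server, bool $trustProxy = false): void
{
    // Placeholders send the values to the server separately from the SQL text,
    // so a quote inside a header can never terminate the string literal.
    $stmt = $pdo->prepare('INSERT INTO visits (ip, ua, seen) VALUES (:ip, :ua, NOW())');
    $stmt->execute([
        ':ip' => clientIp($server, $trustProxy),
        ':ua' => clientUserAgent($server),
    ]);
}

// Output side: escape for the context being written into, here HTML.
function showVisit(array $row): string
{
    return '<li>' . htmlspecialchars($row['ip'], ENT_QUOTES, 'UTF-8')
         . ' / ' . htmlspecialchars($row['ua'], ENT_QUOTES, 'UTF-8') . '</li>';
}

// Constructed request: spoofed XFF carrying an injection attempt and a
// script tag in the User-Agent. clientIp() rejects the XFF value and
// falls back to REMOTE_ADDR; showVisit() renders the UA harmlessly.
$fake = [
    'HTTP_X_FORWARDED_FOR' => "1.2.3.4' OR '1'='1",
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_USER_AGENT'      => '<script>alert(1)</script>',
];
echo clientIp($fake, true), "\n";
echo showVisit(['ip' => clientIp($fake, true), 'ua' => clientUserAgent($fake)]), "\n";
```

          Storing the raw value and escaping at output is what lets the same stored User-Agent be shown safely in HTML, in a JSON API or in a log without being mangled by an escape chosen for one of those contexts. The `mysql_real_escape_string()` path in the quoted code also depends on an open `mysql_*` link and on the connection's character set matching the one the escape assumes; prepared statements remove both dependencies.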


            #35
            lol I'm lucky because I always used <?php echo $_SERVER["REMOTE_ADDR"]; ?> to display the IP =/


              #36
              Originally posted by thanatos
              May I remind you again, people, this discussion is for the security protection of the Lavalair script. If you're damn GOOD at all, you might want to show it, not just posting words that tell us that you know greater things; stop boasting around. Again and again, f.uck off a.ssholes if you've got nothing good to share.
              I think what you meant to say was (may I remind you people that this is yet another discussion for someone to do all the research and show me how to secure my Lavalair script).

              My answer is: look, Look here, I searched for you.

              But I'm going to add: if you need to make a topic about this, you're not going to understand what you read, in which case delete the file called config.php and drop the database (most probably called "database") and you're done; nobody will be able to hack your site and you won't waste a lot of people's time.

              If you do understand coding, there are about 915 matches on Google; surely if you read through some of them you will see and understand what you need to do.

              My best advice is to STOP USING LAVALAIR ALTOGETHER and code your own script.
              Creator of
              Epix.Mobi

              Keep an Eye on us Big things coming soon!!!!
              Need something for your site hit me up here

              http://coding-talk.com/forum/main-fo...r-your-wapsite


                #37
                Originally posted by kevk3v View Post
                lol I'm lucky because I always used <?php echo $_SERVER["REMOTE_ADDR"]; ?> to display the IP =/
                You know this doesn't help you at all.
                There are programs to change your IP output, and anyone who knows what they're doing can always change their local IP address as well.


                  #38
                  lol @ something else . . . You said I will inject what? Ha ha. I'm a security auditor now and I audit sites for firms part-time, paying my tuition with the cash gained, so unless ANY OF THE SITES you own has a hole that can fetch me about 500+ bucks when I find it, then *read my lips* I'm not FU.CKING interested!!!

                  There's a bigger world outside your miniature brain box. You think session jacking is the sh!t? Or maybe it's SQL injection? Well, newsflash, the only reason you know just those is because you've got a 2-bit, 50-online-max wapsite.

                  In case you were wondering, what amy said was true: the lava script and all its mods are like cheese, MANY HOLES.


                    #39
                    gigs' favorite insult: "2 bit site" lol
                    If you're such a big-time auditor, what the hell are you doing on a site that is full of "2 bit sites"? (as you call them)
                    As I said before, you just come here to make yourself feel like the big man. But if you read your posts you just make yourself look like a right...... well, I don't need to say any more, as your next post will do it for me lol


                      #40
                      @loony, sorry, I don't have a site anymore so I don't have anything to worry about. And my intention is to share the vulnerabilities of the lava script. It's not your problem if people want to use the lava script. That's why I created this topic, so people can discuss here the holes of the lava script and how to cover them up, at least to prevent someone from jacking it off. And btw not all people can code their site in an instant, especially the newbies, and I believe newbies can make the lava script their basic foundation to learn a lot.


                        #41
                        load of ****

                        Originally posted by thanatos
                        And oh, btw, I'd like to add this. If people should not use the lava script anymore, it's like you're saying, hey, don't come to codingtalk anymore, where the lava script is discussed every time? If the lava script should not be used at all, then why have most of the members here used it and done modifications? codingtalk is much more known for lava script discussion. If people are not going to use it, then what are people supposed to be discussing here? It's not a failure if you get hacked a million times. But failure comes when you give up.
                        This is just STUPID. This site is called coding-talk, not lava-talk. I wouldn't say anything bad about the lava creators (amylee and irisblaze); they are awesome and everyone owes them a lot, but I'm seriously over all the **** about that script. The mods are all coded with major holes, and most of the so-called fixes have major holes; saying that, a lot of them actually do work if you know how to adjust the code to add the fixes. Why keep opening up new posts asking the same question everyone on this site sees every day? Use the search bar; then you don't have to put up with people trolling your posts and wasting your time.


                          #42
                          I didn't say this is lava-talk LoLz.. But look at what is most discussed here: it's lavalair. That's why I opened this topic, to discuss the holes and learn something from it. This issue doesn't only cover lava holes but also other codings that may be subject to this kind of attack. You get my point?


                            #43
                            My intention is clear. I'm just trying to help and maybe, just maybe, someone will get something out of this. Well, if you people think this is useless, why do you people keep on opposing it? Perhaps you should create your own topic and discuss "People must not use lavalair".


                              #44
                              And btw, just for example, this site has vulnerabilities too: http://www.bulacan.gov.ph/tesda/news....asp?newsid=-2 We see that even professionals have weaknesses. Everybody makes mistakes. So if a lot of you will contradict this discussion, what must be done then if we're not going to take action about lava holes? We'll just say don't use the lava script so you will not be hacked. You think by coding your own script you will not encounter any attacks at all? This is a topic where I hope someone will learn something out of it. Not to contradict their beliefs, skills, ideas etc etc.


                                #45
                                lmao. What am I doing here? It's called 'keeping your ears in the streets'; in my line of business it's essential to know what's new, what's what, and where it is. I go round here, stackoverflow, php.net, secunia etc. Trust me, I'm not peculiar to just here. Maybe you should try it; it helps broaden your views.

                                And kev, you know OOP? And you were trying to instantiate a method like this
                                PHP Code:
                                $test = new function();
                                $test->test(); 
                                in one of your threads? You just know basic classes; go deeper. Advice, not insult.

                                Next stop stackoverflow, adios till later :-( miss y'all.
