Hacking (Lavalair Script)

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #16
    by reading this you agree not to use this harm any one site..........but to put u on gaurd ..............i only use it when some one bet me
    Code:
    uid='".admin."' AND pass='".wrongpass."OR%0a"."id=1."'

    R.M.C
    ----------
    PHP Adovocate B)

    Comment


      #17
      lol

      Originally posted by Anshul View Post
      You should always filter user input that is stored or processed on a server because URLs and GET/POST requests can be created manually.

      PHP Code:
      function anti_hacker($txt){
      $txt=htmlspecialchars($txt);                       
      $txt=stripslashes(trim($txt));
      return 
      $txt;}

      if(isset(
      $_GET)){foreach($_GET as $key=>$value){$_GET[$key]=anti_hacker($value);}}
      if(isset(
      $_POST)){foreach($_POST as $key=>$value){$_POST[$key]=anti_hacker($value);}}
      if(isset(
      $_SESSION)){foreach($_SESSION as $key=>$value){$_SESSION[$key]=anti_hacker($value);}}
      if(isset(
      $_COOKIE)){foreach($_COOKIE as $key=>$value){$_COOKIE[$key]=anti_hacker($value);}} 
      this code can help in filtering data submitted by user.
      where can i use this lol

      Comment


        #18
        Top of core.php or sumthing!

        Comment


          #19
          everyone should know that if you going to use lavalair or base on it, you should rename all files and table structur in the database. then is harder to break in.
          mysterio.al - programming is a functional art

          Comment


            #20
            Originally posted by Mysterio3 View Post
            everyone should know that if you going to use lavalair or base on it, you should rename all files and table structur in the database. then is harder to break in.
            rename table structure means renaming table name?? or table field?? which??
            Wait...
            sigpic

            Comment


              #21
              Rename table names so that hackers will get crazy of guessing the name of the table they want to crack..'coz lava is commonly used by many wapmasters, they know it's ibwf_users..Then they might query like
              PHP Code:
              '); mysql_query("DROP TABLE ibwf_users"); 
              that was just an example!
              Last edited by kiLLeR-eyEd_14; 01.11.09, 08:49.
              My Blog: http://jhommark.blogspot.com
              My Facebook: http://www.facebook.com/jhommark
              My Official Site: http://www.undergroundweb.tk
              My Community Site: http://undergroundwap.xtreemhost.com

              Comment


                #22
                Yes. Look at this example: if your table ibwf_users has a field called perm and the value 2 means you are administrator, by using the method of killer-eyed_14 will be very easy to register yourself as and admin. but if the table is userbase and the field is userpermesion and the value of being administrator is 7325, then the method of him will not work. do you know how to do this?
                mysterio.al - programming is a functional art

                Comment


                  #23
                  Originally posted by Mysterio3 View Post
                  Yes. Look at this example: if your table ibwf_users has a field called perm and the value 2 means you are administrator, by using the method of killer-eyed_14 will be very easy to register yourself as and admin. but if the table is userbase and the field is userpermesion and the value of being administrator is 7325, then the method of him will not work. do you know how to do this?
                  but he said to me that his site is sql injection protected..so, my example would not work..but also it's good you change perm to something 5chars..or like what i've told you, you may edit function isadmin..Let's say adminperm is 75675..Instead of if perm > 0, make it if perm!=75675 then return false, else return true..Or if perm==75675 return true, else return false..That way, only user who has a perm 75675 which should be you is the only one to access admin..He'll get crazy guessing the exact perm as you set it to a very hard and 5 jumbled numbers..Unlike in lava that if perm is above 0 or anything, you are an admin/mod..If he set himself to 10 for example, then he is also an admin..
                  My Blog: http://jhommark.blogspot.com
                  My Facebook: http://www.facebook.com/jhommark
                  My Official Site: http://www.undergroundweb.tk
                  My Community Site: http://undergroundwap.xtreemhost.com

                  Comment


                    #24
                    Originally posted by coder4u View Post
                    where can i use this lol
                    include it at top of every page....

                    Comment


                      #25
                      You guys ever thought of loosing the whole session=$session BS and rather use client side sessions?

                      To explain. Rather set your session on the clients browser than using the URL to carry it. That way there will be no session to hack or whatever because the session code is not in the URL but stored in $_SESSION["whatever"]; and that is stored in the browser.

                      Your members URL will change from http://yoursite.com/index.php?PHPSES...df7sdfweorjwr3 to http://yoursite.com/index.php?

                      Comment


                        #26
                        Originally posted by boondocksaint View Post
                        You guys ever thought of loosing the whole session=$session BS and rather use client side sessions?

                        To explain. Rather set your session on the clients browser than using the URL to carry it. That way there will be no session to hack or whatever because the session code is not in the URL but stored in $_SESSION["whatever"]; and that is stored in the browser.

                        Your members URL will change from Turn-Key eCommerce Hosting from YourSite.Com to Turn-Key eCommerce Hosting from YourSite.Com
                        Whats the difference between them being in urls and in sessions?
                        No difference what so ever! both can be stole in same way and used in exactly same way.
                        only diffecence is not so many people know how to edit sessions.

                        Comment


                          #27
                          There is the main hole in lavalair.

                          it's that
                          Code:
                          $brws = explode(" ",$_SERVER['HTTP_USER_AGENT']);
                          $ubr = $brws[0];
                          mysql_query("UPDATE hx_users SET ua='".$ubr."' WHERE id='$uid'");
                          so u can prevent from it by adding below to top of config.php
                          Code:
                          $_SERVER['HTTP_USER_AGENT']=addslashes($_SERVER['HTTP_USER_AGENT']);
                          i thing most ppl know this & they don't tell it to begginers.

                          thankz.
                          Last edited by Rksk; 16.12.11, 21:06.

                          Comment


                            #28
                            PHP Code:
                            $brws htmlspecialchars(stripslashes(getenv('HTTP_USER_AGENT'))); 
                            <!DOCTYPE html PUBLIC "-//WAPFORUM.RS

                            Comment


                              #29
                              i can get any session on any lava edit via a http request not only that yr browser info and real ip change my ip and browser to yours using a firefox addon copy nd paste your session and hey dude i am who ever clicks the link or views the image.i know how to prevent it its very simple but noobs won learn if u give them the answers









                              Dont Ask Me Dumb Questions.Or you'l get a Dumb Answer..
                              Want A Profesional Logo or Theme For Your wap site Pm Me.If I Have The Time Ill Make It For Free

                              Comment


                                #30
                                Show that question even exists, and let them to find an answer, right? :D

                                I have noticed that people echo addslashes, the case when user writes a " or ' simbol. I think that no influence on "bad input", because the input is allredy in and its no matter whats outputs (some experienced coder will correct me if im vrong).
                                Why not just use:
                                PHP Code:
                                $text htmlentities($textENT_QUOTES); 
                                htmlentities() will convert html simbols at there entities and ENT_QUOTES will convert ' symbol into its entity. ENT_NOQUOTES will clear it.
                                The point, back slash \' is ugly in forum texts.
                                <!DOCTYPE html PUBLIC "-//WAPFORUM.RS

                                Comment

                                Working...
                                X