
Pathetic Websites

Posted: 27 Apr 2006, 16:39
by Gogeta70
Hey, this thread shall be dedicated to websites with poor coding and a lot of exploits, or even just one pathetic one. Tell us about the exploit you found, so we can laugh at the maker of the pathetic website.

Here's mine:

A friend of mine said he found a website he was SURE was exploitable, but couldn't put his finger on it. So, I signed up for the website. The website allows you one page on their site which you can fully customize (kind of like Xanga or MySpace). Now, in their edit area the form reads something like this:

Code:

<form action="edityea.php" method="post">
Title<br>
<input type="text" name="title" size="40"><br><br>
Body<br>
<textarea cols="x" rows="x" name="body">
</textarea><br>
<input type="submit" value="Submit Changes">
<!-- hidden field: the server uses this value to decide WHOSE page gets edited -->
<input type="hidden" name="user" value="[username in use by user editing their page]">
</form>
Now for any web designers out there, you'd guess that the hidden input field is the most important part of the form, telling the site WHICH page to edit. Well, I made another user and did this:

javascript:void(document.forms[1].user.value="spareacct");alert(document.forms[1].user.value)

And thus changed the value of the hidden field. Then I submitted the data and checked MY yea page (the yea page is your own customizable page).
Then I logged into the spare account and its page had been edited... That's one helluva stupid web designer, agree?

By the way people, don't give the website's URL, I don't want anyone to break the rules.
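The trust problem in that form, as an added example that is not part of the original post: a handler that takes the target page from the hidden user field beside one that takes it from the server-side session, with the tampered submission run through both. The handler names, the session object and the in-memory page store are assumptions made for illustration, not the site's real code.

```javascript
// Added example, not code from the original post. editPageVulnerable,
// editPageFixed, the session object and the page store are illustrative
// assumptions standing in for edityea.php and the site's database.

// Constructed sample data: two accounts, each owning one "yea page".
function makePageStore() {
  return {
    gogeta: { title: "Gogeta's page", body: "hello" },
    spareacct: { title: "Spare page", body: "untouched" },
  };
}

// Vulnerable handler: the page to edit is chosen by the hidden "user" field.
// The browser, and therefore whoever sits at it, fully controls that field.
function editPageVulnerable(store, session, form) {
  const target = form.user; // attacker-controlled
  if (!(target in store)) return { status: 404 };
  store[target] = { title: form.title, body: form.body };
  return { status: 200, edited: target };
}

// Hardened handler: the owner comes from the server-side session. The hidden
// field is not needed at all; if it is still sent, a mismatch is rejected
// rather than honoured.
function editPageFixed(store, session, form) {
  if (!session || !session.user) return { status: 401 };
  const target = session.user; // server-side identity
  if (form.user !== undefined && form.user !== target) {
    return { status: 403, reason: "form user does not match session" };
  }
  if (!(target in store)) return { status: 404 };
  store[target] = { title: form.title, body: form.body };
  return { status: 200, edited: target };
}

// What the javascript: URL in the post does: rewrite the hidden field
// before the form is submitted.
function tamperHiddenField(form, newUser) {
  return { ...form, user: newUser };
}

// Run the same tampered submission, from a session logged in as "gogeta",
// through both handlers and report what happened to the other account's page.
function demo() {
  const session = { user: "gogeta" };
  const original = { title: "pwned", body: "edited by gogeta", user: "gogeta" };
  const tampered = tamperHiddenField(original, "spareacct");

  const vulnStore = makePageStore();
  const vulnResult = editPageVulnerable(vulnStore, session, tampered);

  const fixedStore = makePageStore();
  const fixedResult = editPageFixed(fixedStore, session, tampered);

  return {
    vulnResult,
    vulnSpareBody: vulnStore.spareacct.body,
    fixedResult,
    fixedSpareBody: fixedStore.spareacct.body,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The fix is not "validate the hidden field better": identity that the server already knows (who is logged in) should never be round-tripped through the client. The same applies to hidden ids, prices and role flags in any form.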

Posted: 27 Apr 2006, 18:04
by Nerdz
Well, I don't have an example in mind but... how many times have I seen websites which give you some nice juicy error messages... :( To all webadmins in here: PLZ DON'T GIVE SO MUCH STEAK AROUND THE BONES!
Here I have put a ' into a search field...

Code:

Message: DB Error: syntax error
Detailed error: SELECT distinct s.id_data, s.fichier, s.titre, s.date_unix FROM stack s, keyword k, article_data a WHERE s.id_data = k.id_data AND s.id_data = a.id AND a.quotidien_id = 81 AND s.approved='1' AND k.keyword like '%'%' AND s.date_unix >= 1143522000 AND s.date_unix <= 1146196799 order by s.date_unix desc LIMIT 0, 20 [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND s.date_unix >= 1143522000 AND s.date_unix <= 1146196799 o]

Not sure if this counts but:
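How that error comes about, and what the handler should have done with it, as an added example that is not part of the original post. The query shown above is trimmed to the keyword clause that matters; the function names, the fake database driver and the log array are assumptions made for illustration.

```javascript
// Added example, not code from the original post. naiveSearchSql, safeSearch,
// runSearch, the fakeDb driver and the log array are illustrative assumptions.

// Naive construction: the keyword is spliced straight into the SQL string.
// A keyword of a single quote yields the unbalanced  like '%'%'  from the post.
function naiveSearchSql(keyword) {
  return (
    "SELECT s.id_data FROM stack s, keyword k WHERE s.id_data = k.id_data " +
    "AND k.keyword like '%" + keyword + "%' ORDER BY s.date_unix DESC LIMIT 0, 20"
  );
}

// Escape LIKE metacharacters so a user typing 50% searches for a literal
// percent sign instead of a wildcard. "!" is used as the ESCAPE character.
function escapeLike(s) {
  return s.replace(/[!%_]/g, (ch) => "!" + ch);
}

// Parameterised construction: the SQL text never changes shape; the keyword
// travels as a bound parameter, so a quote in it cannot end the string literal.
function safeSearch(keyword) {
  return {
    sql:
      "SELECT s.id_data FROM stack s, keyword k WHERE s.id_data = k.id_data " +
      "AND k.keyword LIKE ? ESCAPE '!' ORDER BY s.date_unix DESC LIMIT 0, 20",
    params: ["%" + escapeLike(keyword) + "%"],
  };
}

// Constructed fake driver: rejects SQL whose single quotes are unbalanced,
// imitating MySQL error 1064. It returns no rows, which is enough here.
const fakeDb = {
  query(sql, params) {
    const quotes = (sql.match(/'/g) || []).length;
    if (quotes % 2 !== 0) {
      throw new Error("1064: You have an error in your SQL syntax near " + sql.slice(-40));
    }
    return [];
  },
};

// The handler the post complains about: the driver's message, query included,
// goes straight back to the visitor.
function runNaiveSearch(db, keyword) {
  try {
    return { status: 200, rows: db.query(naiveSearchSql(keyword), []) };
  } catch (err) {
    return { status: 500, body: "DB Error: " + err.message };
  }
}

// Corrected handler: bound parameter, full error kept in the server log,
// generic message to the client.
function runSearch(db, keyword, log) {
  const { sql, params } = safeSearch(keyword);
  try {
    return { status: 200, rows: db.query(sql, params) };
  } catch (err) {
    log.push("search failed: " + err.message + " sql=" + sql);
    return { status: 500, body: "Search is temporarily unavailable." };
  }
}

const serverLog = [];
console.log(runNaiveSearch(fakeDb, "'"));
console.log(runSearch(fakeDb, "'", serverLog), serverLog);
```

The error text itself is the "steak around the bones": it hands over the table and column names, the query shape, and the exact spot where injected text lands. Parameterising removes the injection; routing driver errors to the log rather than the response removes the disclosure even when some other query is still broken.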

Posted: 29 Apr 2006, 11:55
by LaBlueGirl