The Sanctuary
Technology => Network (in)Security => Topic started by: Herr Ruin on October 09, 2014, 12:32:21 am
-
Remember how these faggots talked about how 1337 they are and shit? Well, big surprise, turns out they are not. In fact they don't know shit about security. I managed to get into their site; sadly I didn't get their whole DB due to me being a lazy drunk fuck, but I managed to get the important parts. I won't go into details about how I managed to get in so they don't fix this when/if they are back, but let me tell you this: I found at least 4 exploitable SQL injections, and the database dump contains username/password MD5s as well as logged user IPs.
If I see one more fucking DDOS or CP spam, I will release every cracked password, every logged IP and whatever else I see fit, and trust me, there are real IPs of mods and users in the dump, maybe due to being too lazy to use a VPN properly or just simple incompetence.
Proof with redacted SQLi:
(http://abload.de/thumb/tmp_13946-94370932037jpo.jpeg) (http://abload.de/image.php?img=tmp_13946-94370932037jpo.jpeg)
BTW, most of this was done via smartphone; I didn't even need to boot up my workstation to own your shitty little forum.
-
lol, sqli
-
Do it anyway.
-
hahaha win.
-
Remember how these faggots talked about how 1337 they are and shit? Well, big surprise, turns out they are not. In fact they don't know shit about security. I managed to get into their site; sadly I didn't get their whole DB due to me being a lazy drunk fuck, but I managed to get the important parts. I won't go into details about how I managed to get in so they don't fix this when/if they are back, but let me tell you this: I found at least 4 exploitable SQL injections, and the database dump contains username/password MD5s as well as logged user IPs.
If I see one more fucking DDOS or CP spam, I will release every cracked password, every logged IP and whatever else I see fit, and trust me, there are real IPs of mods and users in the dump, maybe due to being too lazy to use a VPN properly or just simple incompetence.
Proof with redacted SQLi:
(http://abload.de/thumb/tmp_13946-94370932037jpo.jpeg) (http://abload.de/image.php?img=tmp_13946-94370932037jpo.jpeg)
BTW, most of this was done via smartphone; I didn't even need to boot up my workstation to own your shitty little forum.
you kick ass :tup:
-
Great work. Can you probe IntoSanctuary for security flaws and assist in strengthening the defense?
Do it anyway.
Why throw it away?
Make an example of individual offenders as needed and leave the full leak and handover to relevant authorities. Work with Arnox for confirmation of matching IPs for active Avoyel participants and flag them here for M&A to see. Naming and shaming could be counterproductive and a breach of PI rules.
If it's not working, then unleash hell.
-
Do it anyway.
I might :D but let me finish cracking all the MD5s first; I bet some users were stupid enough to recycle their passwords. Motherfuckers dumb enough to go around claiming they are 1337 haXx0rs just because their lunch money was enough to rent a DDoS service tend to be this stupid...
Shit was too easy; this was done weeks ago, and some users can verify my claims as they've gotten screenshots in advance.
-
Great work. Can you probe IntoSanctuary for security flaws and assist in strengthening the defense?
Do it anyway.
Why throw it away?
Make an example of individual offenders as needed and leave the full leak and handover to relevant authorities. Work with Arnox for confirmation of matching IPs for active Avoyel participants and flag them here for M&A to see. Naming and shaming could be counterproductive and a breach of PI rules.
If it's not working, then unleash hell.
Of course I can, but generally not without Arnox consenting.
I won't send shit to authorities, but if I decide to publish the dump, do as you please.
Matching IPs won't work in every case, as there are multiple users using the same VPN provider/IP at the same time. However, it is entirely possible to identify users if you combine IP address and browser fingerprints, for example, but that's none of my business as far as this forum goes.
-
win win :whee:
-
Doesn't really matter for either their security flaws or mine.
Kind of doesn't matter for them because they've long abandoned that site, I'm sure.
Doesn't matter for me because I fully admit I don't know very much at all about networking and can do very little programming. I'm pretty sure I couldn't fix the holes with my knowledge.
HOWEVER, I constantly make backups of the site's forum files and database. So I can restore everything at the click of a button, no matter how bad things get.
-
Herr Ruin, why does it say "Deutsch" at the bottom of your screenshot?
Are you a fellow Kraut?
-
Yup, I'm from Germany, not that my username gives it away or anything :D
-
I'm guessing you're quite fond of a certain opiate. Pure speculation on my part, though. :P
In any case, glad I'm not the only German here. Let it rip. :tup:
-
Oh my god, you're almost as 1337 haxxor as -Spectral.
Anyway, great job, dude. Kudos.
-
Nope, no heroin for me :D I think I've mentioned it here at some point: basically I'm not averse to opiates/opioids, but after years of constant Tilidin use I fell flat on my face, as was to be expected, went cold turkey, and nowadays only indulge 2-3 times a year. Funny to meet someone from .de here of all places. Were you also active on zoklet/totse?
Also, to live up to the clichés:
Sauerkraut potatoes Fräulein goose step!
-
We must EXTERMINATE the Jews!
Tilidin, is that something like Valtran? That's one of my few experiences with 'opioids'. And yes, I know my German is shit.
-
Schnitzel.
Nah, I was on neither &T nor &Z. I'm brand new here, but nobody believes me, so I just act as if I belonged, and it's worked pretty well so far.
-
Pfff... Nazi crap.
Tilidin is exactly the same as Valtran; funny at first, but once you're at 20ml a day the fun stops.
Your German is good, I don't know what you're on about.
-
We must EXTERMINATE the Jews!
Tilidin, is that something like Valtran? That's one of my few experiences with 'opioids'. And yes, I know my German is shit.
It's fine.
Yep, Tilidin is Valtran; they call it Valoron here. Are you from Belgium?
-
Good guess! Yes, I am, actually. I took Valtran when I had a really, reaaalllly bad toothache once. I felt shitty for days until I got that stuff. Maybe being relieved of the pain had something to do with it, but I was overwhelmed with joy.
German is certainly not my first language. Grammar and such, I can't do that. Only words.
-
Grammar and such, I can't do that. Only words.
Haha, sig'd. :tup:
-
LOL
-
Good guess! Yes, I am, actually. I took Valtran when I had a really, reaaalllly bad toothache once. I felt shitty for days until I got that stuff. Maybe being relieved of the pain had something to do with it, but I was overwhelmed with joy.
German is certainly not my first language. Grammar and such, I can't do that. Only words.
...and you've experienced what got me hooked on tilidin/valoron/valtran initially. Even in therapeutic doses this stuff induces euphoria.
But I gotta admit, nothing else taught me the benefits of self-discipline like quitting this shit cold turkey.
Back to topic: I'm willing to bet that this hack played a major part in the decision to shut down Avoyel, if the site admin knows his shit even remotely. Not even one of these loudmouthed faggots is stepping up to take the blame for running a website that is open to exploitation like a fucking barn door.
-
Grammar and such, I can't do that. Only words.
Haha, sig'd. :tup:
Like I said, my German is shit.
But anyway, yeah, lol. Avoyel.