Author Topic: And the winner is.......  (Read 8585 times)


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
And the winner is.......
« on: December 04, 2005, 07:46:23 pm »
....... Furious. 

Second place is Xex. 

I am, of course, referring to the first people to go to the forum after I un-hacked it.  I was refreshing and watching the Member List :)

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • sidoh
Re: And the winner is.......
« Reply #1 on: December 04, 2005, 08:18:10 pm »
Does it count if we were using the forums before you unhacked it? :(

http://www.x86labs.org/forum/index.php.bak worked, oddly enough. :P

I don't know why Apache would treat it as PHP; I suppose it's because it realizes .bak is a backup extension and it should treat it as the extension before .bak.  Ha.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
Re: And the winner is.......
« Reply #2 on: December 04, 2005, 08:21:22 pm »
Does it count if we were using the forums before you unhacked it? :(

No. =P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

trust

  • Guest
Re: And the winner is.......
« Reply #3 on: December 04, 2005, 08:24:24 pm »
nerd.



Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: And the winner is.......
« Reply #4 on: December 04, 2005, 08:26:45 pm »
Does it count if we were using the forums before you unhacked it? :(

http://www.x86labs.org/forum/index.php.bak worked, oddly enough. :P

I don't know why Apache would treat it as PHP; I suppose it's because it realizes .bak is a backup extension and it should treat it as the extension before .bak.  Ha.

Totally doesn't count :P

And file.php.anything works.  That's dangerous++ if you let people upload their own files :-o

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
Re: And the winner is.......
« Reply #5 on: December 04, 2005, 09:22:34 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
Re: And the winner is.......
« Reply #6 on: December 04, 2005, 09:49:12 pm »
I visited php.bak when you told me it worked, I was at the mall when you put it back up.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: And the winner is.......
« Reply #7 on: December 04, 2005, 09:51:05 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)

I replaced the forum with a textfile saying, "pwned fags"

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • sidoh
Re: And the winner is.......
« Reply #8 on: December 04, 2005, 09:54:18 pm »
Totally doesn't count :P

And file.php.anything works.  That's dangerous++ if you let people upload their own files :-o

T_T

Nuh uh!  http://sidoh.org/test.php.jpg

Code:
<?php

echo "WTF?";

?>

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: And the winner is.......
« Reply #9 on: December 04, 2005, 10:23:04 pm »
Totally doesn't count :P

And file.php.anything works.  That's dangerous++ if you let people upload their own files :-o

T_T

Nuh uh!  http://sidoh.org/test.php.jpg

Code:
<?php

echo "WTF?";

?>

Nono, you misunderstand. 

www.javaop.com/~iago/test.php.anything

Nevermind the warning, I used my Rabbit-friendly program to test :)

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: And the winner is.......
« Reply #10 on: December 04, 2005, 10:25:25 pm »
Nono, you misunderstand. 

www.javaop.com/~iago/test.php.anything

Nevermind the warning, I used my Rabbit-friendly program to test :)

Oh, hahaha.

That's actually pretty nice to know.  Upload scripts should always have a list of allowed extensions, not a list of banned ones.

http://sidoh.org/test.php.iz3nything

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
Re: And the winner is.......
« Reply #11 on: December 04, 2005, 10:28:28 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)

I replaced the forum with a textfile saying, "pwned fags"
CRUEL ~
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
Re: And the winner is.......
« Reply #12 on: December 04, 2005, 10:36:47 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)

I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
Re: And the winner is.......
« Reply #13 on: December 04, 2005, 10:42:55 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)

I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.

Sounds like you missed it, so here it is again: Hitmen cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
Re: And the winner is.......
« Reply #14 on: December 04, 2005, 10:46:43 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)

I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.

Sounds like you missed it, so here it is again: Hitmen cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Ok, so technically by what you're saying, he took part in it, however, didn't actually hack the forum. (?)

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: And the winner is.......
« Reply #15 on: December 04, 2005, 11:02:36 pm »
Nono, you misunderstand. 

www.javaop.com/~iago/test.php.anything

Nevermind the warning, I used my Rabbit-friendly program to test :)

Oh, hahaha.

That's actually pretty nice to know.  Upload scripts should always have a list of allowed extensions, not a list of banned ones.

http://sidoh.org/test.php.iz3nything

A list of allowed extensions can be circumvented in this case.  For example, if programming languages were allowed, they could have uploaded:
http://www.javaop.com/~iago/test.php.c
http://www.javaop.com/~iago/test.php.java
http://www.javaop.com/~iago/test.php.cpp

That would not have been cool.  You have to either:
a) rename the file completely
b) remove php from the inside, which leaves me wondering what else can be run like that..

I wonder if this is widely known, or if I should bring this up on a mailing list...

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • sidoh
Re: And the winner is.......
« Reply #16 on: December 04, 2005, 11:09:03 pm »
A list of allowed extensions can be circumvented in this case.  For example, if programming languages were allowed, they could have uploaded:
http://www.javaop.com/~iago/test.php.c
http://www.javaop.com/~iago/test.php.java
http://www.javaop.com/~iago/test.php.cpp

That would not have been cool.  You have to either:
a) rename the file completely
b) remove php from the inside, which leaves me wondering what else can be run like that..

I wonder if this is widely known, or if I should bring this up on a mailing list...

I don't know, but that should not be the default setting of Apache by any means.

I found another one:

.sql

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: And the winner is.......
« Reply #17 on: December 04, 2005, 11:18:38 pm »
A list of allowed extensions can be circumvented in this case.  For example, if programming languages were allowed, they could have uploaded:
http://www.javaop.com/~iago/test.php.c
http://www.javaop.com/~iago/test.php.java
http://www.javaop.com/~iago/test.php.cpp

That would not have been cool.  You have to either:
a) rename the file completely
b) remove php from the inside, which leaves me wondering what else can be run like that..

I wonder if this is widely known, or if I should bring this up on a mailing list...

I don't know, but that should not be the default setting of Apache by any means.

I found another one:

.sql

.rar, too.  There's a lot of them...

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • sidoh
Re: And the winner is.......
« Reply #18 on: December 04, 2005, 11:25:59 pm »
.rar, too.  There's a lot of them...

I guess the safest thing to do is to determine the real extension of the file, then rename it accordingly.  That's what my upload script does.  I bypassed an exploit without even knowing it!
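
Added example, not code from any poster in this thread: a Python sketch of the two points made in Reply #15 and Reply #18, that an allow list checked against the last extension still accepts `test.php.c`, and that renaming the upload completely removes the inner `.php`. `HANDLER_EXTS`, `ALLOWED_EXTS` and the function names are assumptions for illustration; the handler list has to match the real server configuration.

```python
import os
import secrets

# Assumption: extensions the web server maps to a script handler.
# Adjust this set to the actual server configuration.
HANDLER_EXTS = {"php", "phtml", "cgi", "pl"}
# Constructed allow list for an upload form that accepts source code and images.
ALLOWED_EXTS = {"c", "java", "cpp", "jpg", "png", "txt"}


def naive_allowed(filename):
    """Allow-list check that inspects only the last extension."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTS


def handler_extensions(filename):
    """Return every extension segment that maps to a script handler.

    Apache's mod_mime looks at all extensions after the base name, not
    only the last one, so test.php.c can still be handled as PHP.
    """
    segments = os.path.basename(filename).lower().split(".")[1:]
    return [s for s in segments if s in HANDLER_EXTS]


def safe_stored_name(filename):
    """Rename the upload completely (option a in Reply #15).

    The stored name is server-generated and keeps only the final
    extension, and only when that extension is allow-listed.
    Raises ValueError for anything else.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base.strip("."):
        raise ValueError("no usable extension")
    ext = base.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTS:
        raise ValueError("extension not allowed: %r" % ext)
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in ("photo.jpg", "test.php.c", "test.php.iz3nything"):
        print(name, naive_allowed(name), handler_extensions(name))
    print(safe_stored_name("test.php.c"))
```
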

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
Re: And the winner is.......
« Reply #19 on: December 04, 2005, 11:29:08 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)

I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.

Sounds like you missed it, so here it is again: Hitmen cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Ok, so technically by what you're saying, he took part in it, however, didn't actually hack the forum. (?)

There was no hacking of the forum, and Hitmen didn't take part in it. It was a joke (see the current news) and Hitmen was just informed, he didn't do anything except watch.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Hitmen

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 1913
Re: And the winner is.......
« Reply #20 on: December 04, 2005, 11:41:06 pm »
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)

I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.

Sounds like you missed it, so here it is again: Hitmen cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Ok, so technically by what you're saying, he took part in it, however, didn't actually hack the forum. (?)

There was no hacking of the forum, and Hitmen didn't take part in it. It was a joke (see the current news) and Hitmen was just informed, he didn't do anything except watch.
I wasn't 'informed', I just happened to figure it out and people didn't want me ruining it.  I'm rather good at analyzing people's writing and can usually tell when someone who I've talked to a lot online isn't telling the truth, because the writing just doesn't look like how the person normally writes. iago in particular I picked up on easy and he could tell I did and made me shut up so I didn't ruin it. Newby's was also easy to tell, but I don't really know myndfyre so couldn't tell there or not. And lies!!!! I did take part. Blaming it on me was my idea, since I knew I was the only one who knew, other than the leader people.
Quote
(22:15:39) Newby: it hurts to swallow

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: And the winner is.......
« Reply #21 on: December 05, 2005, 12:02:33 am »
I wasn't 'informed', I just happened to figure it out and people didn't want me ruining it.  I'm rather good at analyzing people's writing and can usually tell when someone who I've talked to a lot online isn't telling the truth, because the writing just doesn't look like how the person normally writes. iago in particular I picked up on easy and he could tell I did and made me shut up so I didn't ruin it. Newby's was also easy to tell, but I don't really know myndfyre so couldn't tell there or not. And lies!!!! I did take part. Blaming it on me was my idea, since I knew I was the only one who knew, other than the leader people.

Hitmen has no problem seeing through any of my lies, me and him BS together too much :)

Offline Furious

  • Hero Member
  • *****
  • Posts: 1833
  • I hate rabbits
Re: And the winner is.......
« Reply #22 on: December 05, 2005, 12:26:12 pm »
What do I win? Yeah, I was the first one, shows how much of a life I LACK.
Quote
[23:04:34] <deadly7[x86]> Newby[x86]
[23:04:35] <deadly7[x86]> YOU ARE AN EMO
[23:04:39] <Newby[x86]> shush it woman

Quote
[17:53:31] InsaneJoey[e2] was banned by x86 (GO EAT A BAG OF FUCK ASSHOLE (randomban)).

Quote from: Ergot
Put it this way Joe... you're on my Buddy List... if there's no one else on and you're the only one, I'd rather talk to myself.

Offline rabbit

  • x86
  • Hero Member
  • *****
  • Posts: 8092
  • I speak for the entire clan (except Joe)
Re: And the winner is.......
« Reply #23 on: December 05, 2005, 05:00:43 pm »
Notice: Use of undefined constant friendly - assumed 'friendly' in /www/hosts/iago.no-ip.com/web/test.php.anything on line 2

I told you, iago.  It had to assume that the friendly constant had a value of "friendly".

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • sidoh
Re: And the winner is.......
« Reply #24 on: December 05, 2005, 05:43:37 pm »
Notice: Use of undefined constant friendly - assumed 'friendly' in /www/hosts/iago.no-ip.com/web/test.php.anything on line 2

I told you, iago.  It had to assume that the friendly constant had a value of "friendly".

No, it assumed that it was a string instead. :]

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • SkullSecurity
Re: And the winner is.......
« Reply #25 on: December 05, 2005, 05:44:01 pm »
Notice: Use of undefined constant friendly - assumed 'friendly' in /www/hosts/iago.no-ip.com/web/test.php.anything on line 2

I told you, iago.  It had to assume that the friendly constant had a value of "friendly".

Notice the next line, the one about iago being right?