....... Furious.
Second place is Xex.
I am, of course, referring to the first people to go to the forum after I un-hacked it. I was refreshing and watching the Member List :)
Does it count if we were using the forums before you unhacked it? :(
http://www.x86labs.org/forum/index.php.bak worked, oddly enough. :P
I don't know why Apache would treat it as PHP; I suppose it's because it realizes .bak is a backup extension and it should treat it as the extension before .bak. Ha.
Quote from: Sidoh on December 04, 2005, 08:18:10 PM
Does it count if we were using the forums before you unhacked it? :(
No. =P
nerd.
Quote from: Sidoh on December 04, 2005, 08:18:10 PM
Does it count if we were using the forums before you unhacked it? :(
http://www.x86labs.org/forum/index.php.bak worked, oddly enough. :P
I don't know why Apache would treat it as PHP; I suppose it's because it realizes .bak is a backup extension and it should treat it as the extension before .bak. Ha.
Totally doesn't count :P
And file.php.anything works. That's dangerous++ if you let people upload their own files :-o
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)
I visited php.bak when you told me it worked, I was at the mall when you put it back up.
Quote from: Ergot on December 04, 2005, 09:22:34 PM
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)
I replaced the forum with a textfile saying, "pwned fags"
Quote from: iago on December 04, 2005, 08:26:45 PM
Totally doesn't count :P
And file.php.anything works. That's dangerous++ if you let people upload their own files :-o
T_T
Nuh uh! http://sidoh.org/test.php.jpg
<?php echo "WTF?"; ?>
Quote from: Sidoh on December 04, 2005, 09:54:18 PM
Quote from: iago on December 04, 2005, 08:26:45 PM
Totally doesn't count :P
And file.php.anything works. That's dangerous++ if you let people upload their own files :-o
T_T
Nuh uh! http://sidoh.org/test.php.jpg
<?php echo "WTF?"; ?>
Nono, you misunderstand.
www.javaop.com/~iago/test.php.anything
Nevermind the warning, I used my Rabbit-friendly program to test :)
Quote from: iago on December 04, 2005, 10:23:04 PM
Nono, you misunderstand.
www.javaop.com/~iago/test.php.anything
Nevermind the warning, I used my Rabbit-friendly program to test :)
Oh, hahaha.
That's actually pretty nice to know. Upload scripts should always have a list of allowed extensions, not a list of banned ones.
http://sidoh.org/test.php.iz3nything
Quote from: iago on December 04, 2005, 09:51:05 PM
Quote from: Ergot on December 04, 2005, 09:22:34 PM
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)
I replaced the forum with a textfile saying, "pwned fags"
CRUEL ~
Quote from: iago on December 04, 2005, 09:51:05 PM
Quote from: Ergot on December 04, 2005, 09:22:34 PM
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)
I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.
Quote from: Scr33n0r on December 04, 2005, 10:36:47 PM
Quote from: iago on December 04, 2005, 09:51:05 PM
Quote from: Ergot on December 04, 2005, 09:22:34 PM
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)
I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.
Sounds like you missed it, so here it is again: Hitman cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Quote from: Quik on December 04, 2005, 10:42:55 PM
Quote from: Scr33n0r on December 04, 2005, 10:36:47 PM
Quote from: iago on December 04, 2005, 09:51:05 PM
Quote from: Ergot on December 04, 2005, 09:22:34 PM
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)
I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.
Sounds like you missed it, so here it is again: Hitman cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Ok, so technically by what you're saying, he took part in it, however, didn't actually hack the forum. (?)
Quote from: Sidoh on December 04, 2005, 10:25:25 PM
Quote from: iago on December 04, 2005, 10:23:04 PM
Nono, you misunderstand.
www.javaop.com/~iago/test.php.anything
Nevermind the warning, I used my Rabbit-friendly program to test :)
Oh, hahaha.
That's actually pretty nice to know. Upload scripts should always have a list of allowed extensions, not a list of banned ones.
http://sidoh.org/test.php.iz3nything
A list of allowed extensions can be circumvented in this case. For example, if programming languages were allowed, they could have uploaded:
http://www.javaop.com/~iago/test.php.c
http://www.javaop.com/~iago/test.php.java
http://www.javaop.com/~iago/test.php.cpp
That would not have been cool. You have to either:
a) rename the file completely
b) remove php from the inside, which leaves me wondering what else can be run like that..
I wonder if this is widely known, or if I should bring this up on a mailing list...
Quote from: iago on December 04, 2005, 11:02:36 PM
A list of allowed extensions can be circumvented in this case. For example, if programming languages were allowed, they could have uploaded:
http://www.javaop.com/~iago/test.php.c
http://www.javaop.com/~iago/test.php.java
http://www.javaop.com/~iago/test.php.cpp
That would not have been cool. You have to either:
a) rename the file completely
b) remove php from the inside, which leaves me wondering what else can be run like that..
I wonder if this is widely known, or if I should bring this up on a mailing list...
I don't know, but that should not be the default setting of Apache by any means.
I found another one:
.sql
Quote from: Sidoh on December 04, 2005, 11:09:03 PM
Quote from: iago on December 04, 2005, 11:02:36 PM
A list of allowed extensions can be circumvented in this case. For example, if programming languages were allowed, they could have uploaded:
http://www.javaop.com/~iago/test.php.c
http://www.javaop.com/~iago/test.php.java
http://www.javaop.com/~iago/test.php.cpp
That would not have been cool. You have to either:
a) rename the file completely
b) remove php from the inside, which leaves me wondering what else can be run like that..
I wonder if this is widely known, or if I should bring this up on a mailing list...
I don't know, but that should not be the default setting of Apache by any means.
I found another one:
.sql
.rar, too. There's a lot of them...
Quote from: iago on December 04, 2005, 11:18:38 PM
.rar, too. There's a lot of them...
I guess the safest thing to do is to determine the real extension of the file, then rename it accordingly. That's what my upload script does. I bypassed an exploit without even knowing it!
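Added example (editor's illustration, not part of any post in this thread and not any poster's upload script): a check for upload names that pass a last-extension allowlist but still contain a handler-mapped component such as .php, plus the "rename the file completely" fix. It assumes the server behaviour observed in the thread (a mapped extension is honoured in any position); HANDLER_EXTS, ALLOWED and the sample names are constructed for the example.

```python
import secrets

# Assumption: extensions this server maps to a script handler (site-specific).
HANDLER_EXTS = {"php", "phtml", "cgi", "pl"}

def handler_components(filename, handler_exts=HANDLER_EXTS):
    """Every dot-separated component after the base name that is mapped to a
    handler, in any position (the behaviour observed in the thread)."""
    parts = filename.lower().split(".")[1:]
    return [p for p in parts if p in handler_exts]

def last_extension_allowed(filename, allowed):
    """The naive upload check: look only at the final extension."""
    return "." in filename and filename.rsplit(".", 1)[1].lower() in allowed

def safe_stored_name(filename, allowed):
    """Rename the file completely: random base name plus one allowlisted
    extension, so no client-supplied name component reaches the web root."""
    if not last_extension_allowed(filename, allowed):
        raise ValueError("extension not allowed: %r" % filename)
    ext = filename.rsplit(".", 1)[1].lower()
    if ext in HANDLER_EXTS:
        raise ValueError("allowlist contains a handler extension: %r" % ext)
    return "%s.%s" % (secrets.token_hex(16), ext)

def audit(filenames, allowed):
    """Names that pass the naive check but still carry a handler component."""
    return [f for f in filenames
            if last_extension_allowed(f, allowed) and handler_components(f)]

# Constructed sample upload names, modelled on the ones tested in the thread.
SAMPLE = ["report.c", "test.php.c", "test.php.java", "photo.jpg",
          "test.php.jpg", "notes.PHP.rar", "shell.php"]
ALLOWED = {"c", "java", "cpp", "jpg", "rar", "sql"}

if __name__ == "__main__":
    for name in audit(SAMPLE, ALLOWED):
        print("passes allowlist, still handler-mapped:", name,
              "-> store as", safe_stored_name(name, ALLOWED))
```

The same audit() can be run over the names already sitting in an upload directory to find files stored before the rename was in place.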
Quote from: Scr33n0r on December 04, 2005, 10:46:43 PM
Quote from: Quik on December 04, 2005, 10:42:55 PM
Quote from: Scr33n0r on December 04, 2005, 10:36:47 PM
Quote from: iago on December 04, 2005, 09:51:05 PM
Quote from: Ergot on December 04, 2005, 09:22:34 PM
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)
I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.
Sounds like you missed it, so here it is again: Hitman cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Ok, so technically by what you're saying, he took part in it, however, didn't actually hack the forum. (?)
There was no hacking of the forum, and Hitmen didn't take part in it. It was a joke (see the current news) and Hitmen was just informed, he didn't do anything except watch.
Quote from: Quik on December 04, 2005, 11:29:08 PM
Quote from: Scr33n0r on December 04, 2005, 10:46:43 PM
Quote from: Quik on December 04, 2005, 10:42:55 PM
Quote from: Scr33n0r on December 04, 2005, 10:36:47 PM
Quote from: iago on December 04, 2005, 09:51:05 PM
Quote from: Ergot on December 04, 2005, 09:22:34 PM
What was "hacked"? I was cleaning gutters :/ ? I never noticed a change before 1:15 (when I started)
I replaced the forum with a textfile saying, "pwned fags"
Oh that was you? Here I was thinking Hitmen came back and did it again.
Sounds like you missed it, so here it is again: Hitman cannot gain unauthorized access to any remote computers. He never had a part in this except being used as a scapegoat and playing along.
Ok, so technically by what you're saying, he took part in it, however, didn't actually hack the forum. (?)
There was no hacking of the forum, and Hitmen didn't take part in it. It was a joke (see the current news) and Hitmen was just informed, he didn't do anything except watch.
I wasn't 'informed', I just happened to figure it out and people didn't want me ruining it. I'm rather good at analyzing people's writing and can usually tell when someone who I've talked to a lot online isn't telling the truth, because the writing just doesn't look like how the person normally writes. iago in particular I picked up on easy and he could tell I did and made me shut up so I didn't ruin it. Newby's was also easy to tell, but I don't really know myndfyre so couldn't tell there or not. And lies!!!! I did take part. Blaming it on me was my idea, since I knew I was the only one who knew, other than the leader people.
Quote from: Hitmen on December 04, 2005, 11:41:06 PM
I wasn't 'informed', I just happened to figure it out and people didn't want me ruining it. I'm rather good at analyzing people's writing and can usually tell when someone who I've talked to a lot online isn't telling the truth, because the writing just doesn't look like how the person normally writes. iago in particular I picked up on easy and he could tell I did and made me shut up so I didn't ruin it. Newby's was also easy to tell, but I don't really know myndfyre so couldn't tell there or not. And lies!!!! I did take part. Blaming it on me was my idea, since I knew I was the only one who knew, other than the leader people.
Hitmen has no problem seeing through any of my lies, me and him BS together too much :)
What do I win? Yeah, I was the first one, shows how much of a life I LACK.
Notice: Use of undefined constant friendly - assumed 'friendly' in /www/hosts/iago.no-ip.com/web/test.php.anything on line 2
I told you, iago. It had to assume that the friendly constant had a value of "friendly".
Quote from: rabbit on December 05, 2005, 05:00:43 PM
Notice: Use of undefined constant friendly - assumed 'friendly' in /www/hosts/iago.no-ip.com/web/test.php.anything on line 2
I told you, iago. It had to assume that the friendly constant had a value of "friendly".
No, it assumed that it was a string instead. :]
Quote from: rabbit on December 05, 2005, 05:00:43 PM
Notice: Use of undefined constant friendly - assumed 'friendly' in /www/hosts/iago.no-ip.com/web/test.php.anything on line 2
I told you, iago. It had to assume that the friendly constant had a value of "friendly".
Notice the next line, the one about iago being right?