About the php.net.my website
12 replies

Original poster (joined 08/16/2009, 0 points)

Assalamualaikum and greetings.

I'm an old member of this website; back when I joined, I was still a newbie in PHP. Now I've come back to repay the favour. LOL

Here I want to tell you about the php.net.my website itself, namely its vulnerabilities/bugs.

XSS vuln/bug:

http://www.php.net.my/search/index.php?q="><script>alert(123);</script>

SQL injection:

http://www.php.net.my/forum/attachment.php?attach_id=-356%27

With XSS (cross-site scripting), an attacker can steal a user's cookies/login session/etc. and log in with the cookies obtained. (XSS has many more uses.)

SQL injection:

It can be used to obtain data from the database, and also to obtain someone's password/username.
And if the database user has the privilege to use LOAD_FILE, it can be used to open files on the website/webserver.
(SQL injection has many more uses.)

Example:

load_file('/etc/passwd');

Hope this helps :)
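As an added example (not code from php.net.my), here is how the two URLs in the post typically arise and how each is fixed: a search box that echoes `q` unencoded beside an output-encoded version, and an attachment lookup built by string concatenation beside a prepared statement with type validation. The function and table names are assumptions; the demo uses an in-memory SQLite table with constructed sample data.

```php
<?php
// Added example (not php.net.my code). Table/function names are assumptions.

// --- Reflected XSS in a search form ---

// Vulnerable: the raw query string is written into an HTML attribute, so
// ?q="><script>alert(123);</script> closes the attribute and runs the script.
function render_search_vulnerable(string $q): string {
    return '<input type="text" name="q" value="' . $q . '">';
}

// Hardened: encode for the attribute context. ENT_QUOTES encodes both quote
// characters, so the attribute can no longer be closed early.
function render_search_safe(string $q): string {
    $enc = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="q" value="' . $enc . '">';
}

// --- SQL injection in an attachment lookup ---

// Vulnerable: attach_id=-356' lands inside the SQL text unchanged, which is
// why a stray quote in the URL produces a database error.
function attachment_query_vulnerable(string $attachId): string {
    return "SELECT filename FROM attachments WHERE attach_id = '" . $attachId . "'";
}

// Hardened: validate the type first, then bind the value with a prepared
// statement so the id is only ever treated as data, never as SQL.
function fetch_attachment_safe(PDO $pdo, string $attachId): ?string {
    if (filter_var($attachId, FILTER_VALIDATE_INT) === false) {
        return null; // anything that is not an integer is rejected before SQL
    }
    $stmt = $pdo->prepare('SELECT filename FROM attachments WHERE attach_id = :id');
    $stmt->bindValue(':id', (int) $attachId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['filename'] : null;
}

// Constructed sample data in an in-memory SQLite database for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE attachments (attach_id INTEGER PRIMARY KEY, filename TEXT)');
$pdo->exec("INSERT INTO attachments VALUES (356, 'report.pdf')");

$payload = '"><script>alert(123);</script>';
echo render_search_vulnerable($payload), "\n"; // attribute closed, script tag live
echo render_search_safe($payload), "\n";       // &quot;&gt;&lt;script&gt;... inert text
echo attachment_query_vulnerable("-356'"), "\n";  // unbalanced quote in the SQL
var_dump(fetch_attachment_safe($pdo, "-356'"));   // NULL: rejected by validation
var_dump(fetch_attachment_safe($pdo, '356'));     // string(10) "report.pdf"
```

The LOAD_FILE point in the post is a privilege issue rather than a code issue: the account the web application connects with should hold only the table privileges it needs (in MySQL, a GRANT of SELECT/INSERT/UPDATE/DELETE on the forum schema) and never the global FILE privilege, so that even a successful injection cannot read server files.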

weldan (Pro, joined 08/16/2009, 297 points)
mweldan.com

Wow!

weldan (Pro, joined 08/16/2009, 297 points)
mweldan.com

Can you explain this XSS thing here.. it seems pretty dangerous. >:)

weldan (Pro, joined 08/16/2009, 297 points)
mweldan.com

[url=http://www.php.net.my/search/index.php ?q=">">test]what can be done with this cookie?[/url]

weldan (Pro, joined 08/16/2009, 297 points)
mweldan.com

Can't edit.

http://www.php.net.my/search/index.php
?q=">"><a href=javascript:alert(document.cookie)>test</a>
weldan (Pro, joined 08/16/2009, 297 points)
mweldan.com

Looks like I'm an insomniac tonight. Never mind. I'll ask uncle Google. LOL

weldan (Pro, joined 08/16/2009, 297 points)
mweldan.com

What's so great about getting that cookie? I looked and there's nothing interesting in it. Typing it into the URL box above also makes it appear. Hehe

(This is out of boredom. Better go to sleep.)

zam3858 (Moderator, joined 04/26/2003, 383 points)
work :)

The cookie stores the session id.

Basically, if you know the session id, it's like you can log in as that user.
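To show what limits the value of a session id read from `document.cookie`, here is an added example (not php.net.my's code) of the session settings a PHP application can apply before `session_start()`, plus the id regeneration that should happen at login. The user-agent check is a cheap heuristic, assumed here only as a logging signal, not as proof of hijacking.

```php
<?php
// Added example, not php.net.my code. Must run before session_start().

function configure_session(): void {
    // HttpOnly: page scripts cannot read the cookie, so an injected
    // alert(document.cookie) shows nothing useful.
    ini_set('session.cookie_httponly', '1');
    // Only send the cookie over HTTPS, so it cannot be sniffed in transit.
    ini_set('session.cookie_secure', '1');
    // Refuse ids the server did not generate itself (blocks session fixation
    // via a crafted link carrying a chosen id).
    ini_set('session.use_strict_mode', '1');
    // Accept the id from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // Do not attach the cookie to cross-site requests (PHP >= 7.3).
    ini_set('session.cookie_samesite', 'Lax');
}

// Call after credentials are verified: a fresh id means any id captured
// before login is no longer bound to the authenticated session.
function on_login(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Per-request check: a user-agent change mid-session is worth logging and
// forcing re-authentication, although on its own it proves nothing.
function session_looks_suspicious(): bool {
    $expected = $_SESSION['ua_hash'] ?? null;
    $actual   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return $expected !== null && !hash_equals($expected, $actual);
}

// Idle timeout: an old stolen id stops working without the user noticing.
function session_expired(int $maxIdleSeconds = 1800): bool {
    $last = $_SESSION['last_seen'] ?? time();
    $_SESSION['last_seen'] = time();
    return (time() - $last) > $maxIdleSeconds;
}

configure_session();
session_start();

if (session_looks_suspicious() || session_expired()) {
    // Log the event with the session's user_id and source IP before dropping it.
    session_unset();
    session_destroy();
    http_response_code(401);
    exit('session invalidated, please log in again');
}
```

None of this removes the need to encode output: the flags only shrink what a stolen id is worth (no script access, no plaintext transit, limited lifetime); the XSS itself is fixed at the point where user input is written into the page.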

amin007 (Pro, joined 08/16/2009, 2050 points)
I'm disappointed I can't post anything anymore ...

There's even a picture of a girl, weldan? Who is she???? LOL

weldan (Pro, joined 08/16/2009, 297 points)
mweldan.com

Oh, so if I get the session id of a user who has system access, I replace mine with it and then I can access the system.. okay.

That's a picture of Liyana Jasmay, min. Heh heh

zam3858 (Moderator, joined 04/26/2003, 383 points)
work :)

Hmm.. I feel like my statement wasn't quite right.

XShimeX and weldan demonstrated that they can create a link or run a JavaScript command as if it came from the php.net.my website.

Say that script didn't echo the cookie, but instead submitted a cancel-account request (through AJAX or a tricked click) to php.net.my; php.net.my would accept that request because I'm already logged in to php.net.my and it thinks I really made it.

If I did that on maybank2u.com.my, I could insert into the URL (maybank2u.com.my probably has some controls there) a JavaScript script that captures username/password/TAC so that other people transfer their money to my charity, AKA his grandma's account, the grandma who can't breathe (because she's dead).

Er... that's probably XSS. LOL
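The "cancel account" scenario is what a synchronizer token is for. The added example below (not php.net.my's code; the form action and field names are assumptions) issues one random token per session and refuses state-changing POSTs that do not carry it. A forged request from another site cannot know the token; note, though, that a script injected by XSS on the same origin can read the form and copy it, so the token defends against cross-site forgery only, and the XSS itself still has to be fixed by output encoding.

```php
<?php
// Added example, not php.net.my code. Action and field names are assumptions.
session_start();

// One unpredictable token per session, created on first use.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that changes state.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token with the session's token.
// A request built from another origin (an AJAX call or a tricked click on a
// third-party page) has no way to read the token, so it fails here.
function csrf_check(array $post): bool {
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Origin check as a second layer: browsers set Origin/Referer on cross-site
// form posts and scripts cannot forge them. Host name is an assumption.
function same_origin(string $expectedHost): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host   = parse_url($origin, PHP_URL_HOST);
    return $host !== null && strcasecmp((string) $host, $expectedHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST) || !same_origin('www.php.net.my')) {
        http_response_code(403);
        exit('request rejected: missing or invalid CSRF token');
    }
    // The real handler would cancel $_SESSION['user_id'] here.
    exit('account cancellation accepted');
}
?>
<form method="post" action="cancel_account.php">
  <?= csrf_field() ?>
  <button type="submit">Cancel my account</button>
</form>
```

Keeping destructive actions on POST matters as much as the token: an action that fires on a plain GET can be triggered by nothing more than an image tag pointing at the URL.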

Original poster (joined 08/16/2009, 0 points)

This is an example of how an XSS (cross-site scripting) attack works:

http://www.xssed.com/article/6/Paper_Kr3ws_Cross-Site_Scripting_Tutorial/

There are many more ways to "hack", for example cross-site request forgery.