Messages

[sud0nick]

It looks like I've been getting some messages from you guys on my Arduino messenger. I figured I would post some pictures of it here so whoever sent them knows it actually works.

This one says it's by Pup

This is claimed by molotof

And this exceptionally true statement is brought to you by WM (It says "Pineapple rules")

[Oli]

Looks pretty good. Although not too wise as we could probably mess it up and/or bring your site down :)

[WPA3]

Nice, looks a sweet setup.

I sent you a message.

[sud0nick]

All of the data passed to the database is sanitized and inserted with prepared statements using PHP Data Objects (PDO). This is by far the safest method I've come across in adding user defined data to a database.

[TGYK]

All of the data passed to the database is sanitized and inserted with prepared statements using PHP Data Objects (PDO). This is by far the safest method I've come across in adding user defined data to a database.

Assuming you are protecting against sql injection attacks? I looked around on the page, and debated trying some stuff, but then remembered it's illegal without owner's consent. lol That and I don't remember enough of it to try in a time-efficient manner.

[sud0nick]

That's what prepared statements do. I create a statement with the column names, send that to the server for it to prepare the resources, then anything that gets added to the query is read strictly as a string. It can't overlap into the SQL query as it is only read as a value for a parameter. That means this:

Name: ; OR 1=1 --

gets entered into the database as a value in the column 'Name'. The ; OR 1=1 -- will never be read as part of the query.

Here is more info on PDO and prepared statements

http://php.net/manual/en/pdo.prepared-statements.php

Edited January 31, 2015 by sud0nick

[cooper]

Nice one!

This would be a fun project Shannon could possibly reference/demo in some future segment.

[Sebkinne]

That's pretty cool! :)

Keep up the good work!

-Seb

[sud0nick]

It looks like foxtrot got a little crazy with it and tried to draw penises in hex. The message turned out like this

383d3d3d44

and he did it about 40 times under the name Juan. I know it was him because the first time he did it he used the name foxtrot, lol.

[Sebkinne]

It looks like foxtrot got a little crazy with it and tried to draw penises in hex. The message turned out like this

383d3d3d44

and he did it about 40 times under the name Juan. I know it was him because the first time he did it he used the name foxtrot, lol.

Figures he'd do that.. Good guy this Juan.

[Foxtrot]

Listen, It isn't me.

[Sebkinne]

Listen, It isn't me.

This reply <3

[Foxtrot]

No.

[newbi3]

Rofl yeah don't let foxtrot know about your internet of things projects

[sud0nick]

Listen, It isn't me.

Oh? You mean <IP> isn't you? Granted it's actually your VPN because you keep posting under different IPs.

[Sebkinne]

Oh? You mean <IP> isn't you? Granted it's actually your VPN because you keep posting under different IPs.

Nah, we were just having a bit of fun - let's not post IPs though, please :)

It's pretty cool, I kind of want to try replicating it with a tinyduino..

[Foxtrot]

Do it

[Sebkinne]

Do it

<3

[sud0nick]

Nah, we were just having a bit of fun - let's not post IPs though, please :)

It's pretty cool, I kind of want to try replicating it with a tinyduino..

Sorry, won't happen again.

Would you even be able to get the LCD screen to work with a tinyduino?

[Sebkinne]

Sorry, won't happen again.

Would you even be able to get the LCD screen to work with a tinyduino?

I have seen a video of it working, but I have an LED matrix which in a ghetto way could make this work..

[sud0nick]

I have seen a video of it working, but I have an LED matrix which in a ghetto way could make this work..

lol. That would be cool. The only problem I've run into is the CC3000 not connecting 100% of the time. It drops the connection with my router sporadically. Some days it works the whole day others it drops within 5 minutes.

Edited February 1, 2015 by sud0nick

[digip]

Guess you only have 25 entries so far?

http://www.attackscanner.com/dump/puffy.php

And no SQLi needed nor an attack to pull records since its simply http getting every entry sequentially

[sud0nick]

yep

But you could have found that out with only one message since it tells you the index and total number of messages. All you did was the same thing the Arduino does to pull the messages.

Edited February 1, 2015 by sud0nick

[digip]

I didn't send any messages since I didn't actually try the code. in fact, I can't see your site in my browser, since I have JS disabled, it wouldn't load, so I had to view the source of the page. In reading through everything though I came across where you described the source code and read the

sprintf(temp, "%s?index=%d"[/code] section and just tried pulling them with a loop starting at 1 and incrementing them.

[sud0nick]

Yeah, I've actually got all of the source code posted on the site without usernames, passwords, and SSIDs of course. I also have the PHP code for the script that you (or your scanner) accessed showing how the messages are retrieved and posted on the webpage for the Arduino to pull.