sud0nick

All of the data passed to the database is sanitized and inserted with prepared statements using PHP Data Objects (PDO). This is by far the safest method I've come across in adding user defined data to a database.

Assuming you are protecting against SQL injection attacks? I looked around on the page, and debated trying some stuff, but then remembered it's illegal without the owner's consent, lol. That and I don't remember enough of it to try in a time-efficient manner.


That's what prepared statements do. I create a statement with the column names, send that to the server for it to prepare the resources, then anything that gets added to the query is read strictly as a string. It can't overlap into the SQL query as it is only read as a value for a parameter. That means this:

Name: ; OR 1=1 --

gets entered into the database as a value in the column 'Name'. The ; OR 1=1 -- will never be read as part of the query.

Here is more info on PDO and prepared statements

http://php.net/manual/en/pdo.prepared-statements.php

Edited by sud0nick

It looks like foxtrot got a little crazy with it and tried to draw penises in hex. The message turned out like this

383d3d3d44

and he did it about 40 times under the name Juan. I know it was him because the first time he did it he used the name foxtrot, lol.



Figures he'd do that.. Good guy this Juan.


Oh? You mean <IP> isn't you? Granted it's actually your VPN because you keep posting under different IPs.

Nah, we were just having a bit of fun - let's not post IPs though, please :)

It's pretty cool, I kind of want to try replicating it with a tinyduino..



Sorry, won't happen again.

Would you even be able to get the LCD screen to work with a tinyduino?


I have seen a video of it working, but I have an LED matrix which in a ghetto way could make this work..

lol. That would be cool. The only problem I've run into is the CC3000 not connecting 100% of the time. It drops the connection with my router sporadically. Some days it works the whole day, others it drops within 5 minutes.

Edited by sud0nick

Guess you only have 25 entries so far?

http://www.attackscanner.com/dump/puffy.php

And no SQLi needed nor an attack to pull records, since it's simply HTTP GETting every entry sequentially.


I didn't send any messages since I didn't actually try the code. In fact, I can't see your site in my browser: since I have JS disabled, it wouldn't load, so I had to view the source of the page. In reading through everything, though, I came across where you described the source code, read the

sprintf(temp, "%s?index=%d"

section, and just tried pulling them with a loop starting at 1 and incrementing.

Yeah, I've actually got all of the source code posted on the site without usernames, passwords, and SSIDs of course. I also have the PHP code for the script that you (or your scanner) accessed showing how the messages are retrieved and posted on the webpage for the Arduino to pull.

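The two behaviours discussed in this thread, values bound through PDO prepared statements staying plain data, and messages being served by sequential ?index=N requests, as an added example that is not the site's own PHP. It runs against an in-memory SQLite database so it works stand-alone; the table and column names (messages, name, message) are assumed.

```php
<?php
// Added example, not the project's code. In-memory SQLite via PDO so the script
// runs stand-alone; the table/column names (messages, name, message) are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY AUTOINCREMENT, '
        . 'name TEXT NOT NULL, message TEXT NOT NULL)');

// Insert: the query text is prepared first and the values travel separately as
// bound parameters, so whatever the user typed can only ever be data, never SQL.
function store_message(PDO $db, string $name, string $message): int
{
    $stmt = $db->prepare('INSERT INTO messages (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
    return (int) $db->lastInsertId();
}

// Count rows whose name equals the given string. A bound value is compared as a
// literal, so a name like "; OR 1=1 --" matches only a row literally named that.
function count_by_name(PDO $db, string $name): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM messages WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn();
}

// Retrieval by sequential index, the way the Arduino's ?index=N request is served.
// The int type hint plus PDO::PARAM_INT keeps non-numeric input out of the query;
// returns null when no row has that id.
function fetch_message(PDO $db, int $index): ?array
{
    $stmt = $db->prepare('SELECT id, name, message FROM messages WHERE id = :id');
    $stmt->bindValue(':id', $index, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

store_message($db, 'Juan', '383d3d3d44');
$id = store_message($db, '; OR 1=1 --', 'stored as plain text');

// Only the one row literally named "; OR 1=1 --" is counted; the clause is never
// interpreted as part of the WHERE condition.
printf("rows named '; OR 1=1 --': %d\n", count_by_name($db, '; OR 1=1 --'));
print_r(fetch_message($db, $id));   // the name comes back exactly as entered
var_dump(fetch_message($db, 9999)); // no such index
```

Because ids are sequential and the endpoint is public, a client can still walk every message by incrementing the index, which is exactly what the attackscanner post above did; the prepared statement protects the query, not the access to the records.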
