sud0nick Posted January 31, 2015
It looks like I've been getting some messages from you guys on my Arduino messenger. I figured I would post some pictures of it here so whoever sent them knows it actually works.
(photo) This one says it's by Pup
(photo) This is claimed by molotof
(photo) And this exceptionally true statement is brought to you by WM (It says "Pineapple rules")
Oli Posted January 31, 2015
Looks pretty good. Although not too wise as we could probably mess it up and/or bring your site down :)
WPA3 Posted January 31, 2015
Nice, looks a sweet setup. I sent you a message.
sud0nick Posted January 31, 2015 (Author)
All of the data passed to the database is sanitized and inserted with prepared statements using PHP Data Objects (PDO). This is by far the safest method I've come across in adding user defined data to a database.
TGYK Posted January 31, 2015
Quoting sud0nick: "All of the data passed to the database is sanitized and inserted with prepared statements using PHP Data Objects (PDO). This is by far the safest method I've come across in adding user defined data to a database."
Assuming you are protecting against SQL injection attacks? I looked around on the page, and debated trying some stuff, but then remembered it's illegal without the owner's consent, lol. That and I don't remember enough of it to try in a time-efficient manner.
sud0nick Posted January 31, 2015 (Author)
That's what prepared statements do. I create a statement with the column names, send that to the server for it to prepare the resources, then anything that gets added to the query is read strictly as a string. It can't overlap into the SQL query as it is only read as a value for a parameter. That means this:
Name: ; OR 1=1 --
gets entered into the database as a value in the column 'Name'. The ; OR 1=1 -- will never be read as part of the query.
Here is more info on PDO and prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
Edited January 31, 2015 by sud0nick
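The behaviour described above, as an added example that is not the messenger's own source code: a PDO prepared statement run against an in-memory SQLite database, with the post's exact input bound as a parameter so it lands in the name column as a literal value. The table and column names, and the helper functions, are assumptions.

```php
<?php
// Added example, not the messenger's own code. In-memory SQLite so it runs
// stand-alone; the messages table and its columns are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares. SQLite has no emulation and ignores this,
// but the MySQL PDO driver emulates prepares client-side by default, and
// turning that off is what makes the "values never touch the SQL" guarantee
// hold at the database rather than in the driver's string handling.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, name TEXT NOT NULL, message TEXT NOT NULL)');

function storeMessage(PDO $db, string $name, string $message): int
{
    // The query text is fixed at prepare time; user input only ever fills
    // the named placeholders, and each value is typed as a string.
    $stmt = $db->prepare('INSERT INTO messages (name, message) VALUES (:name, :message)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':message', $message, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function fetchMessage(PDO $db, int $index): ?array
{
    // Same discipline when the Arduino pulls a message by index: the
    // integer is bound, not concatenated into the SQL.
    $stmt = $db->prepare('SELECT name, message FROM messages WHERE id = :id');
    $stmt->bindValue(':id', $index, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The exact input from the post: it becomes a stored value, not query text.
$id  = storeMessage($db, '; OR 1=1 --', 'Pineapple rules');
$row = fetchMessage($db, $id);
if ($row === null || $row['name'] !== '; OR 1=1 --') {
    throw new RuntimeException('name was not stored as a literal string');
}
// Exactly one row exists; the trailing "--" did not comment anything out.
$count = (int) $db->query('SELECT COUNT(*) FROM messages')->fetchColumn();
if ($count !== 1) {
    throw new RuntimeException("expected 1 row, found $count");
}
printf("stored name: %s\n", $row['name']);
```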
cooper Posted January 31, 2015
Nice one! This would be a fun project Shannon could possibly reference/demo in some future segment.
Sebkinne Posted January 31, 2015
That's pretty cool! :) Keep up the good work!
-Seb
sud0nick Posted February 1, 2015 (Author)
It looks like foxtrot got a little crazy with it and tried to draw penises in hex. The message turned out like this: 383d3d3d44, and he did it about 40 times under the name Juan. I know it was him because the first time he did it he used the name foxtrot, lol.
Sebkinne Posted February 1, 2015
Quoting sud0nick: "It looks like foxtrot got a little crazy with it and tried to draw penises in hex. The message turned out like this 383d3d3d44 and he did it about 40 times under the name Juan. I know it was him because the first time he did it he used the name foxtrot, lol."
Figures he'd do that.. Good guy this Juan.
Foxtrot Posted February 1, 2015
Listen, It isn't me.
Sebkinne Posted February 1, 2015
Quoting Foxtrot: "Listen, It isn't me."
This reply <3
Foxtrot Posted February 1, 2015
No.
newbi3 Posted February 1, 2015
Rofl yeah, don't let foxtrot know about your internet of things projects
sud0nick Posted February 1, 2015 (Author)
Quoting Foxtrot: "Listen, It isn't me."
Oh? You mean <IP> isn't you? Granted it's actually your VPN because you keep posting under different IPs.
Sebkinne Posted February 1, 2015
Quoting sud0nick: "Oh? You mean <IP> isn't you? Granted it's actually your VPN because you keep posting under different IPs."
Nah, we were just having a bit of fun - let's not post IPs though, please :)
It's pretty cool, I kind of want to try replicating it with a tinyduino..
Foxtrot Posted February 1, 2015
Do it
Sebkinne Posted February 1, 2015
Quoting Foxtrot: "Do it"
<3
sud0nick Posted February 1, 2015 (Author)
Quoting Sebkinne: "Nah, we were just having a bit of fun - let's not post IPs though, please :) It's pretty cool, I kind of want to try replicating it with a tinyduino.."
Sorry, won't happen again. Would you even be able to get the LCD screen to work with a tinyduino?
Sebkinne Posted February 1, 2015
Quoting sud0nick: "Sorry, won't happen again. Would you even be able to get the LCD screen to work with a tinyduino?"
I have seen a video of it working, but I have an LED matrix which in a ghetto way could make this work..
sud0nick Posted February 1, 2015 (Author)
Quoting Sebkinne: "I have seen a video of it working, but I have an LED matrix which in a ghetto way could make this work.."
lol. That would be cool. The only problem I've run into is the CC3000 not connecting 100% of the time. It drops the connection with my router sporadically. Some days it works the whole day, others it drops within 5 minutes.
Edited February 1, 2015 by sud0nick
digip Posted February 1, 2015
Guess you only have 25 entries so far? http://www.attackscanner.com/dump/puffy.php
And no SQLi needed, nor an attack to pull records, since it's simply HTTP-getting every entry sequentially.
sud0nick Posted February 1, 2015 (Author)
Yep. But you could have found that out with only one message, since it tells you the index and total number of messages. All you did was the same thing the Arduino does to pull the messages.
Edited February 1, 2015 by sud0nick
digip Posted February 1, 2015
I didn't send any messages since I didn't actually try the code. In fact, I can't see your site in my browser: since I have JS disabled, it wouldn't load, so I had to view the source of the page. In reading through everything though I came across where you described the source code and read the sprintf(temp, "%s?index=%d" section, and just tried pulling them with a loop starting at 1 and incrementing.
sud0nick Posted February 1, 2015 (Author)
Yeah, I've actually got all of the source code posted on the site, without usernames, passwords, and SSIDs of course. I also have the PHP code for the script that you (or your scanner) accessed, showing how the messages are retrieved and posted on the webpage for the Arduino to pull.