HackMe (#1) - Learn WebHacking

Hello and welcome my burning flammes!

This is my first (real) topic on 0x00sec.org and that’s why I’ve got a new idea to write about:

HackMe

That's the title of this. Maybe it'll become a series with more parts :joy: ## What does it do? It challenges you a bit in web hacking, so you can learn with it what to do if you really want to hack someones sites. Firstly it's just for really bad programmed sites (Someone's personal Blog or else) but maybe it will become better! ## How does it work? I will not post any type of source code. Why should I? I only will give you some accepted inputs/parameters that are for example: > Accepted parameters of site: > Post:
  • id=

Get:

  • searchquery=

There will be one or more hind(s) if you did something right. You can try what you want, but I please you not to use it in harmful intentions :sweat_smile:
And please remember:

“The site(s) are for hacking them, that’s why I’m not responsible for the content!”

Questions?

If you got any question about the challenge contact me by pm or comment.

Let’s start

Today I’ve got your first victim:
DELETED

Accepted parameters of site:

Post:
  • None

Get:

  • searchquery=

Mission

Hack it and let your username be seen under the keyword ‘Hacked’

(You can do an MySQL injection in the table “HackMe1” in columns “keyword” and “content”)

Help

If you’ve got problems (I don’t think so but):

<script type="text/javascript">alert("XSS");</script>


Wish you lots of fun (It's short :stuck_out_tongue_winking_eye: ) and if you've got good ideas let me know them. Also let me know if you want more of this type!
  • More of this!
  • No one more please!

0 voters

##Derfloink out

9 Likes

Those would definitely be a fun little challenge if you’d post some every once in a while @Derfloink

Even in this short example one can easily use different kind of XSS insertions to explore the world of web hacking/XSS. So if you have more of those I’d be happy to try them!

This was only the first one of maybe more. But it needs time to get more ideas + scripting them :wink:

Don’t rush it. If you have an idea and the free time to give us something to play around with do so. We will be waiting and hitting refresh on the forum until then :wink:

1 Like

I’m liking this.

Just an FYI, if anything weird somehow happens to you while doing this (e.g., some other user h4x0rz you), 0x00sec is not liable in any way. Visit the websites included at your own risk.

4 Likes

good read about xss => http://brutelogic.com.br/blog/using-xss-to-control-a-browser/

1 Like

Cool article. I will try to get something like this in a challenge script. But firstly not the next one :stuck_out_tongue_winking_eye:

Hi @Derfloink,
You should maybe add some details next time, I was desperately looking for a Php code/sql injection :joy: Anyways, nice idea!

I tried…

:cry:

5 Likes

Yeah I will give more information next time. ( For this I’ll use the

Mission

in the next articles :wink: )

Otherwise got new Ideas 'cause of @DAGONCHU and @ricksanchez. Just have to script them :joy:

Finally made the code for using it on your own webserver after a lot of time. I didn’t feel like I want to do it, but today I said: “Let’s do it before this topic is totally non-sense”.
Here are the files:

You can use it as you want but for the right feeling only import the HackMe1.sql under the tabell name “HackMe1” and change the password.php file for the right database connection.

And can somebody close this topic?