
Thread: Hacking *certain* invisionfree ***rds

  1. #16
    Join Date
    Apr 2006
    Posts
    12
    Thank you, I learned something new! I'll definitely check that page info option out.

    Edit: Looked at it and it is a nice little option, and you're right, it would help somebody who wishes to learn about the website, but I think it would take more to find an exploit.
    Last edited by hackerz; 04-17-2006 at 06:58 PM.

  2. #17
    Join Date
    Apr 2006
    Posts
    6
    <QUOTE>"<div class='maintitle'>Admin Notepad</div>

    <table width='*00%' cellspacing='0' cellpadding='5' align='center' border='0'><tr>
    </tr>
    <tr>
    <td class='tdrow*' width='*00%' valign='middle'><center><textarea rows='5' name='notes' wrap='soft' style='width:80%'>

    Text Here



    </textarea></center></td>"</QUOTE>

    can you explain how this code is exploitable ?

  3. #18
    Join Date
    Apr 2006
    Posts
    12
    Sure! But this is the only one I will release because I do not want the others getting patched. What's put in the admin notes section is not properly verified, which allows you to embed JavaScript that will be executed on any person's computer that views the admin notes. The script to embed JavaScript is

    "</textarea>Hackerz pwns<script><!--
    window.location = "http://www.google.com/"
    //--></script>" (no quotes)

    That would embed the text "Hackerz pwns" directly into the admin page and not into the admin notes and it would not be able to be erased. Pic = [IMG]http://img60.imageshack.us/img60/4*5*/untitled*ar.jpg[/IMG]

    The actual script would redirect to google.com and you could replace that with any other JavaScript you want

  4. #19
    Join Date
    Apr 2006
    Posts
    6

    Wink

    nice observation Mr Hacker

  5. #20
    Join Date
    Apr 2006
    Posts
    12
    Thank you

  6. #21
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by hackerz
    Sure! But this is the only one I will release because I do not want the others getting patched. What's put in the admin notes section is not properly verified, which allows you to embed JavaScript that will be executed on any person's computer that views the admin notes. The script to embed JavaScript is

    "</textarea>Hackerz pwns<script><!--
    window.location = "http://www.google.com/"
    //--></script>" (no quotes)

    That would embed the text "Hackerz pwns" directly into the admin page and not into the admin notes and it would not be able to be erased. Pic = [IMG]http://img60.imageshack.us/img60/4*5*/untitled*ar.jpg[/IMG]

    The actual script would redirect to google.com and you could replace that with any other JavaScript you want
    No, because you have enclosed the whole script in a comment "<!--" which means all that will happen is <!--window.location = "http://www.google.com/"//--> will be placed in the page (without ever executing), and only people that view the source will actually know anything's there. The correct form of the code would be:

    "</textarea>Hackerz pwns<script>
    window.location = "http://www.google.com/"
    </script>" (no quotes)

    EDIT: I forgot about javascript being enclosed in comment tags to stop it being displayed on any browsers with javascript disabled; so the original script was correct.
    Last edited by Ezekiel; 05-25-2006 at 03:34 PM.

  7. #22
    Join Date
    Apr 2006
    Posts
    12
    You would be right... usually, but if you try it, it actually will work because of the admin notes' vulnerabilities. But your way works too, I just prefer to do it my way.
    Last edited by hackerz; 04-18-2006 at 08:51 AM.
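
Added example, not part of the thread and not InvisionFree code: the admin-notepad template from post #17 rendered with and without output encoding, using the note text quoted in posts #18 and #21 as constructed test input. The function names are hypothetical; encoding on output keeps the note inside the textarea in both the commented and the uncommented form.

```javascript
// Added example: escapeHtml and renderNotepad* are hypothetical names.

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the stored note is concatenated into the page as-is.
function renderNotepadVulnerable(notes) {
  return "<textarea rows='5' name='notes' wrap='soft'>" + notes + "</textarea>";
}

// "After": the note is encoded on output, so it can only ever be textarea text.
function renderNotepadSafe(notes) {
  return "<textarea rows='5' name='notes' wrap='soft'>" + escapeHtml(notes) + "</textarea>";
}

// Regression check: a correct render contains exactly one closing textarea tag
// (the template's own) and no script element.
function staysInsideTextarea(html) {
  const closers = (html.match(/<\/textarea\s*>/gi) || []).length;
  return closers === 1 && !/<script[\s>]/i.test(html);
}

// Constructed test input: the note text quoted in the thread, both variants.
const withComment =
  '</textarea>Hackerz pwns<script><!--\nwindow.location = "http://www.google.com/"\n//--></script>';
const withoutComment =
  '</textarea>Hackerz pwns<script>\nwindow.location = "http://www.google.com/"\n</script>';

for (const note of [withComment, withoutComment, 'Remember to prune old topics']) {
  console.log(staysInsideTextarea(renderNotepadVulnerable(note)),
              staysInsideTextarea(renderNotepadSafe(note)));
}
```

The check is suitable as a unit test on the template: it fails on the unencoded render for both variants and passes once the note is encoded.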

  8. #23
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by johnnyy
    How about putting your skills to the test??

    I'm looking to steal an invision free website's password database, or at least getting one of the people who are registered to this site's password...


    If you think you can do this, then be my guest. If you wouldn't mind I would like the password database if you can get it.

    or any password you get from anyone's account on this site.


    Thanks, John.


    invision free site.

    [url]http://www.google.com[/url]




    IF YOU'RE ONE OF THE BEST AT HACKING WEBSITES... Try to take this website's password database...

    [url]http://www.google.com/[/url]
    You are NOT going to hack any invisionfree forums. They are hosted and configured professionally, so there will likely be NO vulnerabilities. They are all on the same (or similar) servers, so all the forums are going to be patched and *******. Can people please stop asking for invisionfree forums to be cracked; the only forums that can be cracked are those on INDIVIDUAL sites, with old and vulnerable scripts running. All the forums on that site are just subdirectories on one website, so how do you think they will be any more vulnerable than the website itself?

    Also, games like runescape are lame, and nobody here cares about cracking their website. If you care about it so much, get off your ass and learn like the rest of us.


    EDIT: Post has been deleted, and user probably banned. Hehe, nice edit syntax******, now he looks even more like a moron.
    Last edited by Ezekiel; 05-25-2006 at 05:16 PM.
    Who needs drugs when you have electrons?

  9. #24
    Join Date
    Jun 2006
    Posts
    1
    You guys talk about invisionfree being practically unhackable but you're all wrong. It is very easy to do so. If someone can hack NASA in mins. then they can hack forums like so. I'm not sure if it is true but I believe that everything to do with the internet relates back to NASA. I believe that any company DSL, Cable w/e they all link back to NASA.

  10. #25
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by -Flux
    You guys talk about invisionfree being practically unhackable but you're all wrong. It is very easy to do so.
    Come on then smart guy, tell us all your ***7 methods to hack invisionfree. My point was, major websites like invisionfree will patch and update their scripts regularly, and not run any old versions. Even if someone found a vulnerability in their scripts (unlikely), they would patch immediately. And because it is a single site, the same patches will be applied to all the forums they host.

    With individual smaller websites, we can usually 'hack' them because there is a high probability that some of the scripts on their site will be old versions, and have vulnerabilities (for example, an old IPB forum version running). On a site like invisionfree, the scripts will be patched regularly, thus there will be no vulnerabilities.

    Smaller, individual websites == strong possibility that there will be vulnerabilities.

    Larger, regularly updated websites == No possibility of vulnerabilities, at least what can be relied on (in other words, it is so unlikely, that you would have to rely on pure luck to be there when some crappy scripting has left them open to attack).
    Who needs drugs when you have electrons?

  11. #26
    Join Date
    Jun 2006
    Posts
    1
    our forums somehow got hacked..........it's been like a month. and the forums are going crazy cuz the guy deleted all the accounts except one, so like admins have no modding power =(

    [url]http://s8.invisionfree.com/XileRO/index.php?showtopic=54*84[/url]
    Last edited by feelgood; 06-30-2006 at 07:37 PM.

  12. #27
    Join Date
    Sep 2005
    Posts
    2,050
    Quote Originally Posted by feelgood
    our forums somehow got hacked..........it's been like a month. and the forums are going crazy cuz the guy deleted all the accounts except one, so like admins have no modding power =(

    [url]http://s8.invisionfree.com/XileRO/index.php?showtopic=54*84[/url]
    Contact the invisionfree support and prove that you are the real 'owner' of the forum, then they will make any changes you request. Failing that, host your own forum, and don't rely on a service like invisionfree where you have no real admin control over the forum (such as direct database access, and ability to re-install when necessary).
    Who needs drugs when you have electrons?

  13. #28
    Join Date
    Jul 2006
    Posts
    1

    Will this work?

    I already have a username and an InvisionFree forum, I want to delete that forum's database or wreak any kind of havoc possible. Is there a way I can do this?

  14. #29
    Join Date
    Jan 2006
    Posts
    153
    I already have a username and an InvisionFree forum, I want to delete that forum's database or wreak any kind of havoc possible. Is there a way I can do this?
    Is it an admin or mod acct? thing is invisionfree charges for forum backups so hardly anyone does them... which means you axe a forum and its axed generally speaking.

    -------------

    I used to use a really stupid method and caused quite a bit of hell on an invisionfree ***rd...

    sign up for a new account and use ascii codes to 'clone' the admin's acct.
    for example:
    Dave = (alt+68)ave
    alt + 68 on the numeric keypad = D. you can look up the ascii codes online.
    if you use the same avatar and sig and such the only difference is the post count, which at least at the time (it may be patched now) you could post and delete and it would still hold the post count so you just did that until you got into the range the admin had. It definitely caused confusion...especially when you started PMing the ***rd

    another thing was to use an automated keypresser to artificially pad a site's hits in their directory. invisionfree often removed a forum they found doing that.

    another way that worked was registering a user acct, and requesting a forgotten password. At the password reset page you modify it offline to specify another member ID rather than the one you set up, ideally someone with mod or admin rights...and that's that. You've just changed that member's pw and thusly taken over that member's account.

    hmm.. what else?
    can you tell I hate invision yet?
    ummm....

    ah yes, an automated spammer tool was created that waited the minimum post time and posted specified messages for as long as it ran. Running the program in several of the forums under several accounts (the more the better) was rather effective and must have been maddening to clean up. It was made in python but I'll be damned if I can find it right now. I'll keep looking and if I do find it I'll post code or binary or something.

    spoofing emails to members/mods/admins appearing to be invision staff, other members, even automated service messages (someone has attempted to reset your account, click this link to blah blah) and have the link in the email (in html of course) go to a page you own and get IPs, cookies or make iframes and have every site that installs spyware you can find on it can cause a riot...especially if it's automated and continuous.

    oh yeah, another funny thing is to spoof your IP to match the admin's and then troll the hell out of the forum. Once the mods/admin ban your IP, they just banned themselves. that's always good for a laugh.

    I could go on and on but I'll leave you with this...
    doing this stuff is mean and I don't condone or take any responsibility for anyone doing anything. Bad person! No biscuit!
    A trip to securityfocus.com helps too. Also, a lot of folks at information leak dot com hate invision. power in numbers. Just thought I'd mention that
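
Added example, not part of the thread and not InvisionFree code: the password-reset weakness described in post #29 comes from the handler trusting a member ID sent by the client, and the fix is to take the member from the server-side token record. The stores, field names and function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Hypothetical in-memory stores standing in for the forum database.
// A real forum stores password hashes; plain strings keep the demo short.
const members = new Map([
  [1, { name: 'admin', pw: 'old-admin' }],
  [42, { name: 'newuser', pw: 'old-user' }],
]);
const resetTokens = new Map(); // sha256(token) -> { memberId, expires }
const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest('hex');

// Issue a random token and record server-side which member it belongs to.
function issueReset(memberId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  resetTokens.set(sha256(token), { memberId, expires: now + 15 * 60 * 1000 });
  return token; // mailed to that member's registered address
}

// "Before": any valid token is accepted and the member ID comes from the form.
function completeResetVulnerable(form) {
  const member = members.get(Number(form.memberId));
  if (!resetTokens.has(sha256(form.token)) || !member) return false;
  member.pw = form.newPassword;
  return true;
}

// "After": the member comes from the token record, a conflicting submitted ID
// is refused, and the token is deleted as soon as it is presented.
function completeResetSafe(form, now = Date.now()) {
  const key = sha256(form.token);
  const entry = resetTokens.get(key);
  if (!entry) return false;
  resetTokens.delete(key);
  if (entry.expires < now) return false;
  if (form.memberId !== undefined && Number(form.memberId) !== entry.memberId) return false;
  members.get(entry.memberId).pw = form.newPassword;
  return true;
}
```

A refused reset with a mismatched member ID is also worth logging, since a legitimate client never produces one.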

  15. #30
    Join Date
    Jul 2006
    Posts
    1
    Quote Originally Posted by mike*0*
    You are NOT going to hack any invisionfree forums. They are hosted and configured professionally, so there will likely be NO vulnerabilities.
    Actually, I am here because some arsehole hacked our 2 week old invisionfree ***rd today out of vindictiveness and totally shut it down. (They were banned for harassing other members through PM.) We know exactly who did it (they also have an invisionfree ***rd), but not anything we can do about it really. I am trying to find out just how they were able to do it.
    Last edited by Ironic; 07-23-2006 at 06:17 AM.
