ThinkDigit Site Hacked

iMav · 26-04-2008, 11:17 PM

How can something like this wither away as a post in a thread, this needs a full blown thread of it's own.

Our fellow member rohan_shenoy (who's wedding card is most probably gonna be in php) has found vulnerabilities in ThinkDIgit's site and gained access to the admin panel

cool if I were him I would have sent raaabo to shameful misery for 15 days

but that's just me, however...

check out his post on his blog:

http://www.w3hobbyist.com/view.php?id=10

and here is the post he made in the blogger's corner of this forum:

http://www.thinkdigit.com/forum/show...&postcount=240

good going bro, what's next?

Cool G5 · 26-04-2008, 11:19 PM

Saw his post.
The thinkdigit webmaster is a n00b.

Congrats Rohan_shenoy.

victor_rambo · 26-04-2008, 11:25 PM

Thanks Manan and Gaurav.

Now something more:
Though I managed to hack into the admin section of the website(Screenshots on my blog post), I immediately informed Digit about it(You can check copies of emails too on my blog post).

That is the reason now they have put the admin/ folder under .htaccess protection. If you try to visit http://www.thinkdigit.com/admin/ you will get a basic authentication type of popup which was implemented after i informed them about it.

Cool G5 · 26-04-2008, 11:28 PM

I visited your blog, but was unable to read the responses of nimish ?& the other which was in .pdf format.
Donno i am unable too view it.
Also I was not able to post comment.

praka123 · 26-04-2008, 11:31 PM

good going, shenoy!

victor_rambo · 26-04-2008, 11:32 PM

^
Are you browsing with disabled javascript?
The comment form is visible only with javascript.

wait, I will make some modifications that will not need javascript to be enables.

Cool G5 · 26-04-2008, 11:35 PM

Javascript is already unable. I do get the comment box.
Filled the required details but still unable to comment.

slugger · 26-04-2008, 11:38 PM

Really noble of you not to mess up anybody's accounts and report it immediately

while we here go about badmouthing and abusing things that contain i* M.S. or the tux, somebody did something realllllllly useful and note-worthy but chose not to blow his own trumpet

Great going buddy

victor_rambo · 26-04-2008, 11:40 PM

@Cool G5
right now people are getting this error, but their comment is being inserted into the database.

Quote:

Warning: Cannot modify header information - headers already sent by (output started at /home/mhtcet/public_html/w3hobbyist.com/comments.php:4) in /home/mhtcet/public_html/w3hobbyist.com/admin/config.php on line 12

Ignore this error if you get it. Ur comment will be inserted into the database, but it will be visible only after moderation.

@Slugger
Thanks dude! I actually intruded into their admin CP just by "matka". Just use some exploits and whoa!I could log in

I had not expected that the exploit wud work with this site.

praka123 · 26-04-2008, 11:48 PM

@Rohan:Yes,I got the same error message

! ofcourse,java script enabled!but I was using firefox3beta5

victor_rambo · 26-04-2008, 11:51 PM

^Prakash,
Ignore that error, btw ur comment is visible now on the blog.

and yeah, I don't use linux, stuck with ms box

Cool G5 · 26-04-2008, 11:53 PM

@Rohan - No buddy, I just get that plz check ur email id,ur name etc etc.
Do not get the error you mentioned.

slugger · 26-04-2008, 11:54 PM

something wrong with your comment feature
i keep getting this messasge

Quote:

Dear visitor,
Your comment could not be due to one of the following reasons.
The 'name' field can contain only alphabets, numbers and spaces.
The email address is invalid. Email address can contain only alphabets, numbers, underscores, hyphens, dot and the '@' character.
Please go back and correct the errors.

Thank you.

i used slugger as the name and contact[at]shubhspace[dot]co[dot]cc as mail id (put it correctly in the section)

victor_rambo · 27-04-2008, 12:03 AM

@ Slugger And Cool G5,
enter email in format "johnsmith@ms.com"

There is no need for using [AT] or [DOT]. The email address is NEVER put on the comment page. Only I can see through the backend database.

Also, .co.cc email addresses are not accepted as yet because of the standar email pattern, but I will soon allow that too. For now, if you want to use some fake email address, u can do so.

@Slugger,
Thanks for the compliments

I have received ur comment and it is visible now.

btw I coded the blog script myself-from scratch.
Was tired of standard blog scripts that are susceptible to comment spam

slugger · 27-04-2008, 12:03 AM

another problem. after i press submit (this time i put .com = fake id)

Quote:

404 Not Found

The server can not find the requested page:
74.86.90.81/view.php?id=10 (port 80)

Please forward this error screen to 74.86.90.81's WebMaster.

iMav · 27-04-2008, 12:04 AM

i guess it was the wrong time to link to rohan's site

victor_rambo · 27-04-2008, 12:05 AM

^That is some issue with server, it works perfectly on my localhost, I am aware of that problem and working on that too!

slugger · 27-04-2008, 12:11 AM

LOL!!!!

not even an hour passes and the NEWS will start spreading like wildfire

Indexed on Google

victor_rambo · 27-04-2008, 12:17 AM

^ The web design firm "Indus Net Technologies" really deserves that kind on negative publicity for the risk they ran with thinkdigit.com website.

If they had been even a *bit* careful, all could be avoided.

Quote:

Originally Posted by iMav

i guess it was the wrong time to link to rohan's site

If u are speaking this because of the error......

then all those errors were unexpected for me too

I had just upgraded few scripts tested them on localhost, they were fine.....but.........

slugger · 27-04-2008, 12:20 AM

Raaaboseth and the new owners must be aghast now that the News is indexed

what a way to take up ownership of a high-selling tech mag

may actualy have faar reaching effects - credibility, sales all may take a hit (to make up for this they will probably give out some reallllly coool freebies

)

the other pblications must be laughing thier guts out by now (or at least with their morning cup tommorow)