Difference between revisions of "User talk:Nx"

WikiIndex - wikis, wiki people, wiki software, and wiki ideas
Jump to: navigation, search
(Hacking skills: re)
Line 9: Line 9:
  
 
There were a few things that you claimed to be able to do [[User_talk:Phantom_Hoover#Hiya_old_buddy|here]]. [[User:Lumenos|Lumenos]] 05:07, 4 September 2009 (EDT)
 
There were a few things that you claimed to be able to do [[User_talk:Phantom_Hoover#Hiya_old_buddy|here]]. [[User:Lumenos|Lumenos]] 05:07, 4 September 2009 (EDT)
 +
 +
:Look at the code in [http://www.mediawiki.org/wiki/Extension:Whos_online Extension:Whosonline]. It says "DELETE from $tblname WHERE username = '$username' OR timestamp < '$old' ". With a username like [[User:Robert' OR username like '%' -- aaa|Robert' OR username like '%' -- aaa]], this code becomes "DELETE from $tblname WHERE username = 'Robert' OR username like '%' -- aaa' OR timestamp < '$old' ". The problem is that the ' in the username is not handled correctly, and when passed to sql it is interpreted as the end of the username, and the rest of the username is interpreted as sql. The -- is a comment marker, it tells sql to disregard everything after that. In this case, it deletes every entry from the "online" table, so whosonline will show noone online. One way to cause harm would be: "DELETE from $tblname WHERE username = 'Robert'; drop table pages -- aaa' OR timestamp < '$old' ", which would delete all content on this wiki, but fortunately you cannot execute two sql queries with this command (the ; signals the end of the first query, and drop table pages is the second query). It would be possible to execute a subquery, and insert the result of the subquery into the username, to get some private information from the database. However mysql does not use the standard sql string concatenation operator ||, so that can't be done. The other option would be to get a numerical value, e.g. the token, because you can add together numbers. For example, I could manipulate whosonline so that instead of the real username, it displays '1' + (subquery returning number) - '1', so I could get your token, change my cookies manually, and I would be logged in as User:Lumenos. The only thing preventing me from doing that is that underscores (_) are used for field names in the user table (user_token, user_name), and those are converted to spaces in usernames when creating accounts, so the sql query doesn't work.
 +
:I don't know of a way to crash RationalWiki. All our custom extensions use the database functions provided by mediawiki (unlike whosonline, which accesses the database directly), and those are safeguarded against stuff like this. Of course there can be unknown vulnerabilities in either our custom code or mediawiki. [[User:Nx|Nx]] 06:18, 4 September 2009 (EDT)
  
 
==Mr. Ernst==
 
==Mr. Ernst==
  
 
You said you emailed, em, is he still around? [[User:Lumenos|Lumenos]] 05:18, 4 September 2009 (EDT)
 
You said you emailed, em, is he still around? [[User:Lumenos|Lumenos]] 05:18, 4 September 2009 (EDT)

Revision as of 10:18, 4 September 2009

I'm blocking you for removing content from pages. You knew this is a blocking offense because you saw Phantom Hoover's talk page. Proxima Centauri 15:34, 23 August 2009 (EDT)

You really are a pathetic, childish idiot, aren't you? Phantom Hoover 15:45, 23 August 2009 (EDT)
Is that a question for the general public? I'm finding it difficult to relate to your apparent sense of entitlement. Do you feel that you should enjoy privileges here which others should not? Lumenos 05:04, 4 September 2009 (EDT)
Or do you feel that due to your possibly superior knowledge of computers (or the number or dedication of your allies), that this enables you more control of this wiki, than the administration? Lumenos 05:04, 4 September 2009 (EDT)

Hacking skills

I would be most delighted, if you might share with us (or me privately) any of your hacking skills. Could you say for example, crash the RationalWiki server? Lumenos 05:04, 4 September 2009 (EDT)

There were a few things that you claimed to be able to do here. Lumenos 05:07, 4 September 2009 (EDT)

Look at the code in Extension:Whosonline. It says "DELETE from $tblname WHERE username = '$username' OR timestamp < '$old' ". With a username like Robert' OR username like '%' -- aaa, this code becomes "DELETE from $tblname WHERE username = 'Robert' OR username like '%' -- aaa' OR timestamp < '$old' ". The problem is that the ' in the username is not handled correctly, and when passed to sql it is interpreted as the end of the username, and the rest of the username is interpreted as sql. The -- is a comment marker, it tells sql to disregard everything after that. In this case, it deletes every entry from the "online" table, so whosonline will show noone online. One way to cause harm would be: "DELETE from $tblname WHERE username = 'Robert'; drop table pages -- aaa' OR timestamp < '$old' ", which would delete all content on this wiki, but fortunately you cannot execute two sql queries with this command (the ; signals the end of the first query, and drop table pages is the second query). It would be possible to execute a subquery, and insert the result of the subquery into the username, to get some private information from the database. However mysql does not use the standard sql string concatenation operator ||, so that can't be done. The other option would be to get a numerical value, e.g. the token, because you can add together numbers. For example, I could manipulate whosonline so that instead of the real username, it displays '1' + (subquery returning number) - '1', so I could get your token, change my cookies manually, and I would be logged in as User:Lumenos. The only thing preventing me from doing that is that underscores (_) are used for field names in the user table (user_token, user_name), and those are converted to spaces in usernames when creating accounts, so the sql query doesn't work.
I don't know of a way to crash RationalWiki. All our custom extensions use the database functions provided by mediawiki (unlike whosonline, which accesses the database directly), and those are safeguarded against stuff like this. Of course there can be unknown vulnerabilities in either our custom code or mediawiki. Nx 06:18, 4 September 2009 (EDT)

Mr. Ernst

You said you emailed, em, is he still around? Lumenos 05:18, 4 September 2009 (EDT)