I'm studying SQL.
Why? Because certification exams don't pass themselves (unless it's in $pass - then
push $fail = $pass)

Doing so, I Googles up some SQL Table structures to study.
Before I know it, I'm flipping around the administrator tabs and SQL tables of some random website from Japan where the administrator's password is "webmaster."

Okay, seriously, what the fuck.

With this knowledge, I'm wondering if Google does the same thing for any other websites that I may know. Today at noon EST I will be attempting to gain the same privledges to the LeagueOfReason through Google-Fu and SQL tables. If I can, I will not post anything incriminating about anyone, but I will post the first half of table names (instead of $username I'll put $user-) and messsage Spork personally with what is going on.

Because, well, if I can do it then baddies can, too.

More updates to come.

You know, I'd rather you didn't do any of that. I don't care about your reasoning at all.

Personally, I think it might be a decent exercise as long as private information is not released.

Yay, go the nephilimfree way, read some wikis and google for some stuff and you're an expert over night.

You come here and make this topic, don't you think it's a bit silly, or illegal even?

If you want to playaround get a VirtualBox, install a server, run some phpBB or something like that and play with it. Don't go on a public forum and try to hack it.

Shoo shoo everyone, their growth is proportional to the amount of attention they get.

LOL! HAXED

The point is that I Googled my way into some serious system integrity information of some random website, just looking for example table layouts -
which means that the pages, links, and identity information required to access these pages were all on Google.
If I am able to successfully do that to the LeagueOfReason, then it means that anyone with actual ill-intent can just flip around on our website and fuck our world sideways.

Do you think I'm announcing this for self-attention? Really?
If I didn't manage to get anything:
1) Nothing happens.
2) This becomes a fun conversation about SQL and Database Structuring for my Certification that I'm studying for.
3) We hate Google for their web-crawling programs somehow automatically putting a website's behind-the-scenes information online.

If I did manage to get something:
1) I would have held database queries to the LeagueOfReason
2) Database Queries -> Exploitation -> Personal Information Risk -> A serious change in Network Structure & a serious note to Google.
3) Nobody could hush over the fact that I did manage to get them from Google - something that would mean that everyone should change their passwords because they were obtainable by people with less-than-noble means.
4) We hate Google for their web-crawling programs somehow automatically putting a website's behind-the-scenes information online.

And it's not like I would be holding a list of Usernames and Passwords -
I would be holding the logical pathway to them.
Which means that someone with less moral standing and a bit of Query knowledge could just make an account, hop on over to a post on the message board, comment out a few areas (if that's how it was structured) and input anything they wanted and obtain anything they wanted and displayed to them.

Also note that I stated that I would not publish the tables - ergo, no one can get this information by just reading my posts.

WarK wrote:Yay, go the nephilimfree way, read some wikis and google for some stuff and you're an expert over night.

I'm not sure about you, but food doesn't poof itself into existence, last I checked. The Military may be paying for college after I get out - but when it comes to my line of work there turns out to be not that many job openings for my current trade out there.
Computers and Networks are logical - I can do logical.

WarK wrote:You come here and make this topic, don't you think it's a bit silly, or illegal even?

I don't know. Is a citizen of the United States bound by the laws of Her Majesty's jurisdiction?
Besides, this was just a courtesy notification to everyone - I can't, with good conscience, do this without a public notification of both the test and the outcome.
Think about it like this:
Would you want the ability to access your passwords, PMs, and other privileged information available on Google?

WarK wrote:If you want to playaround get a VirtualBox, install a server, run some phpBB or something like that and play with it. Don't go on a public forum and try to hack it.

You completely missed the point.


I'm not doing this for lulz or anything beneficial (well, it's also a bit beneficial to know that Google can publish your website's database queries - and that it's automated system will publish it regardless) to myself.
Google = Public Access
Public Access = ER'RY BODY

Besides, is it really "hacking" if it's currently public access? I guess I hack Facebook every day when I magically type in a box and it appears on my News Feed.
-------------------------------------------------------------

Results are not final - but nothing has been found so far.
A few more table ideas, though.

========================================================

And I really don't appreciate the joke.

Googles web crawler does just that. It crawls links from one page to another.

If someone is dumb enough to make a website that exposes the backend of their website without security then they deserve what they get. It's not Google's fault, the bot was just crawling the links as it finds them. The same goes for any other search engine bot.

And yes, I think you are announcing this for self-attention. It's pointless and quite pathetic to be honest. The software used on this site is used by millions of others, it's tested constantly for SQL injection, cross site scripting, and various other exploits and updated to fix security holes. I'm not suggesting it's perfect... there's no such thing, but there are a lot more experienced people out there who are constantly trying to do what you are trying to do.

I've been working in web development all my adult life so I'm not exactly making this shit up.

Right now, I have absolutely no expectation you will find anything. I am even willing to say that you don't have a clue what you're even talking about.

I'm not normally this aggressive with people but you've pushed some buttons here. You presume to have some previously unknown knowledge about website security because you found a single badly made website and were able to query its data.

Let's review the posts here:

Wait -
Studying? Not qualified yet? Learning?

Wow. It's almost as if I literally said that I wasn't a professional and hosted a legitimate concern for web security of a site based off of an experience I had just earlier that day and kinda flipped over about it.


You know what? You can all go fuck yourselves-

Warnings be damned. I'll take my own leave and concerns with me.

)O( Hytegia )O( wrote:Do you think I'm announcing this for self-attention?

Yes, if it were due to concerns and security issues you would have pmed the hamster and then there would have been nothing to post about.

Why don't you just post about how your learning is going.

Also, are you going to hax0r the watermark out of your avatar with Paint, Photoshop or something?

I like the new site design. What now?

impiku wrote:I like the new site design. What now?

Now we sleep.

hmm...

)0(Hytegia)0( wrote: Let's review the posts here

Yes, let's do that... Has anyone up to this point been unkind or rude unduly? Nope. Yet you, precious, tell us to go fuck ourselves simply because you weren't congratulated wholeheartedly.

Perhaps you should have some time away... Give your balls time to drop and your voice time to settle at an appropriate octave.

)O( Hytegia )O( wrote:Do you think I'm announcing this for self-attention?

Next time, if you really want to help someone make their software more secure, inform the developers through private communication. Don't post about it for everyone to see.

)O( Hytegia )O( wrote:You know what? You can all go fuck yourselves-

Warnings be damned. I'll take my own leave and concerns with me.

Oh shit. Don't piss him off guys. He's got too much information on us.

UltimateBlasphemer wrote:

)O( Hytegia )O( wrote:Do you think I'm announcing this for self-attention?

Next time, if you really want to help someone make their software more secure, inform the developers through private communication. Don't post about it for everyone to see.

)O( Hytegia )O( wrote:You know what? You can all go fuck yourselves-

Warnings be damned. I'll take my own leave and concerns with me.

Oh shit. Don't piss him off guys. He's got too much information on us.

agree.. not only does it remind of attention seeking, but also if it really was the case, you made the information available for others, maybe some of them already tested it on this page and others, as many said before, next time if you REALLY want to help, do it privately.

And with all due respect (meaning none), take your own advice regarding auto-sexual intercourse, to put it that way

)O( Hytegia )O( wrote:You know what? You can all go fuck yourselves-

Warnings be damned. I'll take my own leave and concerns with me.

You know what? You've crossed a pretty serious line.

You've been here awhile, and you've contributed a bunch, and your ass should get bounced so fast that you land a few hundred meters from where you started.

To be on the safe side, I'd change your password.

Here is my take on it. This stuff has been out for a long time, and I find it particularly unlikely that there would such pissy security loopholes a this stage of the championship special that it could be hacked by anyone just learning SQL.
Now to everyone else, just STFU and let it die. If you think he is just doing this for attention and you think it warrants none, here is a good advice, act on your words and don't actually pay any attention to it. That is what I have been doing with half the stuff going arround here and it has worked just fine so far.