E-Shoping for 0$ !!! Posted By chintan Table of contents: ------------------ 1) Shoutz 2) Introduction 3) How eshoping works 4) Hack by changing source codes 5) Conclusion Table of contents: ------------------ 1) Shoutz 2) Introduction 3) How eshoping works 4) Hack by changing source codes 5) Conclusion 1) Shoutz: hackersprogrammers team (www.hackersprogrammers.com) especially, Kefka palazzo, _deno_, David Ginting, Siddhs, Stephen Martin, kri_s_2000, Adeem, A.B.Kaks, ryan, etc., 2) Introduction: "Who says a security expert earns more than a h4x0r ?? " Anyone can spread his business throughout the whole world using Internet. The whole world is a market. But he needs a medium to show his product and a platform where ppl can buy the things. This is fulfilled by a e-shopping website. But a poor design of an eshop-website can lead to a great loss for the company. And this is not a joke. I have seen hundreds of such vulnerable sites. And i assume that there are lakhs of such vulnerable sites which can help you to buy things for 0 $s or even -100 $s. The trick used is as simple as adding 1 and 1. Though the trick seems to be lame but it is the key to break thousands of eshop locks. You don require any other tools except a h4x0r brain. Lolz but be carefull, I am providing it to spread security. Don use it malisciously MAN. 3) How eshop works: First letz see how does the eshoping work. Just imagine yourself to be in shoping center. You are given a shoping cart. You move around in the shoping center with that cart, take all the things and put them in the cart. At last you go with that cart to the counter who totals up the price of items and gives you the final amount. And you pay the amount. Same is the case with the online shoping. We can see all items to be sold by the vendor. We look at the item and prices and select all those which we wanna buy and go on putting on the shopping cart. Every user has his own unique shopping cart. Total of all items is printed in the shoping cart. And when we click the "buy" button we are asked for the final payment using credit card. Now imagine that before we put items in the shopping cart if we were able to change prices of items then ?!!! You could change the total sum in the shopping cart. Letz see an eg. Item Price Red-Tshirt 30 $ Trowser-73 95 $ Book-Philosophy 300 $ T-shirt 22 $ ---------------------- Total 447 $ This is the list displayed in the shopping cart. We have added four items to it and total money is 447 $. Now if we are able to change the prize of any one item say the last item-- T-shirt 22$ to -425$ !! Yeah itz "minus" Then the total amount printed in shoping cart would be ? Item Price Red-Tshirt 30 $ Trowser-73 95 $ Book-Philosophy 300 $ T-shirt -425 $ ---------------------- Total 0 $ Bingo !!! Itz 0 $s. Yep now letz see how to do this. How to change the values of price of each item. 3) Hack By changing source code: Remember i mentioned earlier as poorly designed eshop sites ? Now wat does this poorly designed shopping carts or sites mean. Well it will be clear as follows. And you will be surprised to know that there are many many such poorly designed sites. I had even mailed admins about such bugs but they didn't care !!! Huh, from then on I decided never to mail admin about any bug. Instead write an article about it and whosever wants it will take it. :) Ok now the time comes about the real hack. The things which we have to change is only the html source code !!! Nothing more. View the source code of the site and look at some line like .... T-shirt .... Hidden type values are passed to buy.asp page. This values are not entered by the user but are set by the webdesigner himself. What we need to do is copy this source code to our computer and change it like ..... T-shirt .... And submit and bingo you are taken to a shoping cart page with value of Tshirt as -425 $s !! Lol i don think that i need to provide a demo for this. If you are not a script kiddie then you can make out many diff tricks from this. In one eshoping site, which was selling books, I saw that there are different books with diff prices to be sold. They were having check boxes so that user could select the books to be sold. Now the value given to this check boxes was not price like. Ooopz so changing value of that checkboxes wouldn't help me. When i scrolled down in the site i saw one more option as "inside this country" or "outside this country". There were radio buttons to select any one of this option. And looking at the source code of it I saw : Inside this country 10 $ Outside this country 50 $ Cool ! I changed the value of first one as Saved the source code. And now selected books with total of 19.95$ and submit and no bingo ofcourse. Bcz ITz clear that i got total as 0 $s in the shopping cart. So we see that changing such values of types hidden, radio, checkboxes etc. could change the price of items !!! But remember to change the url of > to when we have saved it on our computer. Okz Thatz not all. Something more. I have seen few sites which allow user to specify the number of a specific items to be bought. Like the shopping cart will show item Number price of 1 item Total T-shirt 3 10 $ 30 $ Trowser 2 12 $ 24 $ ---------------------------------------------------- Total 54 $ Thus the user is buying 3 T-shirts and 2 Trowsers. Such sites have a text box for user to specify the number of specific item to be bought. The user will enter the number of that specific items. Now suppose we enter the number of specific item as a negative value then ? !!!! Letz put the Number of Trowser as -2 !! item Number price of 1 item Total T-shirt 3 10 $ 30 $ Trowser -2 12 $ -24 $ ---------------------------------------------------- Total 6 $ Lol ! You buy things for just 6 $ !!! 3 T-shirst will reach to the specified address after you pay just 6 $ using a hacked credit card number. :) But some web designers put a javascipt to check the validity of this numbers put by user. Lol@lolz !! Copy the source code of the web page on your computer and now delete that specific javascript function definition. ( You should be knowing about html and javascript inorder to do all this. Else leave it) For defacers here something. :) Some sites keep logs of everything. They will have a line in the source code of webpage as or even some sites have it as a feedback page. Watever comments the user types in as the feedback will be passed to this feedback.html page. Comment Cool !! hope itz clear to a defacer what he has to do. :) Change "value=index.html" and then write some write some cool comment like Defaced by Chintan Trivedi which will write that comment in big letters on the main page "index.html" Even you can see all comments given by other users by opening the feedback.html page. 5) Conclusion Such types of many many things can be done by viewing the source codes of html page. Even many useful info is given in the meta tags at the begining of the web page source codes. You can just play with the html source codes. I have seen tons of such sites and also experimented with them with successful results. And i am damn sure you will too get many of them with successful results if you are not a script kiddie and know about html, forms, javascripts, etc. Actually leaving big commercial sites i see all the eshop sites to be vulnerable. Huh. Whichever eshop sites my friends use, I see all of them vulnerable. Duh. Just you need to play with html source codes and form tags. :) Security not only depends upon the network administrator but also on the webdesigner. This things can be stopped by putting the check of validation of user inputs on the server side scripts. Even if the h4x0r who considers himself 31337 changes the values of hidden, radio, checkboxes, those values should be rechecked on the server side scripts like asp, php, cgi or whichever has been used. Javascripts are used for client side validation but those can be changed by the user by editing the source codes. So a revalidation should be put on the server side scripts. The article is in no way complete. I see the same things in variety of ways on many sites. You will also find them when you start experimenting. Especially the tags have something cool. I think there should be a site something like www.secure-eshop.com which explains tricks played by hackers and how to avoid them. Someone pleaz go and make it if you have time. The cyber world really needs it. I know that the things I wrote are not something 31337 but very imp from security point of view. Itz just bcz i see a lot of such bugged sites. Security of our cyber world lies in the hands of hackers. Be real hackers and not thieves. Learn hacking and help others. Regards Chintan Trivedi www.hackersprogrammers.com chesschintanNO_SPAM_PLEAZ@hotmail.com (Remove NO_SPAM_PLEAZ)

Windows Root Kits a Stealthy Threat Posted By Fuse Hackers are using vastly more sophisticated techniques to secretly control the machines they've cracked, and experts say it's just the beginning. By Kevin Poulsen, SecurityFocus Mar 5 2003 5:12AM

Never wait for Tech Support again! (AUDiX ripped apart) Posted By cleanfloor “Thank you for leaving your message” How many times have you called tech support, and like with any company, you had to wait in queue for hours because there is only one slackie assigned to directly helping the end-user? So what do you do? If you’re like me, you just leave them a message and pray that within 5-8 weeks they’ll return your call. How do they really call back? Let’s be serious...

How to Build, Install, Secure & Optimize Apache 2.x Posted By Kirt Written by Gerhard Mourani Corrected by Colin Henry This document is copyright(c) 2002 for Open Network Architecture Inc. (OpenNA) and it is a FREE document. You may redistribute it under the terms of the GFDL. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html.