WebCrappx
-
Some of you might have heard of a CMS called WebBrix. If you haven't, then you should know that it's absolute f'kin crap.
Live examples: prontanet.lt, itsolution.lt, ausra.nets.lt, etc.
-
Pure JavaScript. No JavaScript = no viewing our uberkewl site.
-
It's insecure in sooo many ways.
Open Live HTTP Headers and you'll see a request to "file_lister.php". It shows you all the files and dirs there.
In the file list, you can find "_xmlWriter.php" and "_xmlWriter.asp". And since it's a rare thing for both PHP and ASP to run on one server, one of the scripts works, and the other is just sent as text/plain, so you can figure out what it exactly does.
(The /pictures/ folder is world-writable. Should I need to say more?)
After some snooping here and there, you can find an XMLHttpRequest sent to this page:
http://www.webbrix.net/admin/readData.asp?returnvar=functionalityPermits&dbName=./../../private/register.mdb&sqlString=SELECT * FROM clients WHERE blah = blahblah
One more thing: noticed the _private.key and readEncrypted.php? Well, this _private.key contains^Hed the login and password for prontanet.lt (the CMS developers' site) and is included with almost every installation of WebBrix. Mmmmm, FTP.
-
-
@grawity said:
FTFYSome of you might have heard of a CMS called WebBrix. If you haven't, then you should know that it's absolute f'kin crap.
Live examples: prontanet.lt, itsolution.lt, ausra.nets.lt, etc.
- Pure JavaScript. No JavaScript = no viewing our uberkewl site.
- It's insecure in sooo many ways.
Open Live HTTP Headers and you'll see a request to "file_lister.php". It shows you all the files and dirs there.
In the file list, you can find "_xmlWriter.php" and "_xmlWriter.asp". And since it's a rare thing for both PHP and ASP to run on one server, one of the scripts works, and the other is just sent as text/plain, so you can figure out what it exactly does.
(The /pictures/ folder is world-writable. Should I need to say more?)
After some snooping here and there, you can find an XMLHttpRequest sent to this page: http://www.webbrix.net/admin/readData.asp?returnvar=functionalityPermits&dbName=./../../private/register.mdb&sqlString=SELECT * FROM clients WHERE blah = blahblah
One more thing: noticed the _private.key and readEncrypted.php? Well, this _private.key contains^Hed the login and password for prontanet.lt (the CMS developers' site) and is included with almost every installation of WebBrix. Mmmmm, FTP.
-
Hey now, that's not so bad, just about 310KB for the main page. Of which 300KB is JavaScript.
-
http://www.webbrix.net/admin/readData.asp?returnvar=functionalityPermits&dbName=./../../private/register.mdb&sqlString=SELECT%20*%20FROM%20clients
They don't have many clients. Just do the query :)
Shit i think i just dropped the table.
-
Is it bad that www.webbrix.net shows me a blank page, and yet looking at the source shows me thousands of lines of javascript?
Pwned.
-
@JamesKilton said:
Is it bad that www.webbrix.net shows me a blank page,
It does load a page eventually (in FF2), but only after spitting out a few hundred javascript warnings in the JS console. All of 'em warnings to not use "document.all".
-
I also like
@prontanet.lt said:
//document.write("<bgsound src=sounds/doorbell1.wav>");
-
Webbrix is a Content Management System ( CMS ) which allows users to create and modify website content without any programming skills or knowledge of internet technology.
Webbrix is a users to create and modify website content without any programming skills or Content Management System ( CMS ) which allows users to create and modify website content without any programming skills or knowledge of internet technology users to create and modify website content without any programming skills or .
-
I personally get annoyed by this 'clickety-clickety' sound from the flash animation
-
@dlikhten said:
They don't have many clients. Just do the query :)
Shit i think i just dropped the table.
But...can you restore it? That's the real challenge!
<font face="Courier New" size="2">Microsoft JET Database Engine</font> <font face="Courier New" size="2">error '80004005'</font>
<font face="Courier New" size="2">Query must have at least one destination field.</font>
<font face="Courier New" size="2">/admin/readData.asp</font><font face="Courier New" size="2">, line 15</font>
-
@AccessGuru said:
@dlikhten said:
They don't have many clients. Just do the query :)
Shit i think i just dropped the table.
But...can you restore it? That's the real challenge!
So it has been said, so it shal be done!
-
@dlikhten said:
It wasn't you. I think Bobby Tables just registered on their site...http://www.webbrix.net/admin/readData.asp?returnvar=functionalityPermits&dbName=./../../private/register.mdb&sqlString=SELECT%20*%20FROM%20clients
Shit i think i just dropped the table.