aracnet
Nuke Soldier
Joined: Oct 26, 2004
Posts: 30
Posted: Tue Oct 26, 2004 12:12 am
Hi guys,
I just installed Sentinel and want to check whether it really works or not. Can you tell me or PM me the most important attacks?
Also, I wrote some modules for Nuke; how could I protect the strings or values against hacking or SQL injection with Sentinel?
Also, does strip_slashes(); kill all scripts perfectly, or are there any ways to bypass it?
NOTE: I am using Nuke 7.4 with Sentinel 2.1

sting
Site Admin
Joined: Jul 24, 2003
Posts: 1986
Location: Apparently ALWAYS Online. . .
Posted: Tue Oct 26, 2004 6:15 pm
The scary thing about this post is that someone may actually answer you, not knowing whether or not you are a script kiddie trying to hack other sites. What I suggest is finding someone you can trust and asking them to hack your site for you.
There are several members on here who have done that in the past...
-sting
_________________ Is it paranoia if they are really out to get you?
-------------------------------------------------------
sting usually hangs out at nukehaven.net

aracnet
Nuke Soldier
Joined: Oct 26, 2004
Posts: 30
Posted: Tue Oct 26, 2004 11:36 pm
I think you are right. Sorry for the misunderstanding.
But I do not know any (honest) hackers. If you know one, could you send me a PM?
I just wanted to know the issues that everybody knows Sentinel can stop. For example, I just tried a UNION attack and I got blocked. That makes me feel better.
Anyway, what about the second question:
"Does strip_slashes(); kill all scripts perfectly, or are there any ways to bypass it?"

madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Wed Oct 27, 2004 8:55 am
aracnet wrote:
Anyway, what about the second question:
"Does strip_slashes(); kill all scripts perfectly, or are there any ways to bypass it?"

Where do you get this "strip_slashes" function?
PHP provides two functions called stripslashes() and stripcslashes(). Both are used to remove backslashed special chars (as known in C/C++). Neither function provides any security measures, but there are known tricks to shut down or damage the database (called poison null) or to hide some "dangerous" characters. If you want to sanitize user input (especially a series of characters), be sure to use addslashes() or addcslashes() before passing the input to the database or echoing it to the output buffer (e.g. using the echo() or print() constructs).
_________________ I'm

FreeBee
Sergeant
Joined: Aug 26, 2004
Posts: 75
Posted: Wed Oct 27, 2004 7:27 pm
Run stripslashes and then use mysql_escape_string() if you're a MySQL user, because there are differences in each type of SQL server.
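An added example, not code from this thread or from PHP-Nuke/NukeSentinel, for the escaping advice in madman's and FreeBee's posts above: undo the magic_quotes_gpc backslashes once, then escape once for the specific database driver, immediately before the value enters SQL. It uses PDO with an in-memory SQLite database so it runs offline; PDO::quote() stands in for mysql_escape_string() (which no longer exists in PHP 7+), and the table, the user names and the two form inputs are constructed for the example. The function names normalizeInput() and buildLookup() are my own.

```php
<?php
// Added example (not from the original thread): shows why the order "strip
// first, escape once" matters, and what goes wrong when it is skipped.
// PDO + in-memory SQLite so it runs offline; PDO::quote() plays the role of
// the driver-specific escape function (mysql_escape_string() in the thread).

function normalizeInput(string $raw, bool $magicQuotesOn): string
{
    // magic_quotes_gpc (PHP 4/5) backslash-escaped every quote in GET/POST/COOKIE.
    // Undo it exactly once so the value is the literal text the user typed.
    return $magicQuotesOn ? stripslashes($raw) : $raw;
}

function buildLookup(PDO $db, string $username): string
{
    // One escape step, done by the driver, right before the value enters SQL.
    return "SELECT id FROM users WHERE name = " . $db->quote($username);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Constructed inputs, as they would arrive with magic_quotes_gpc = On.
$fromForm = [
    'legit'  => "O\\'Brien",             // the user typed: O'Brien
    'attack' => "x\\' OR \\'1\\'=\\'1",  // the user typed: x' OR '1'='1
];

foreach ($fromForm as $label => $raw) {
    $clean = normalizeInput($raw, true);     // strip the magic-quotes backslashes
    $sql   = buildLookup($db, $clean);       // then escape once for this driver
    $rows  = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    printf("%-6s %-45s -> %d row(s)\n", $label, $sql, count($rows));
}

// Wrong order: escaping the still-backslashed value double-escapes the legit name.
$doubled = buildLookup($db, $fromForm['legit']);
$rows    = $db->query($doubled)->fetchAll(PDO::FETCH_COLUMN);
printf("double %-45s -> %d row(s)\n", $doubled, count($rows));

// Preferred in new code: bind parameters, so no escaping is needed at all.
$stmt = $db->prepare("SELECT id FROM users WHERE name = ?");
$stmt->execute([normalizeInput($fromForm['attack'], true)]);
printf("bound  payload via prepared statement       -> %d row(s)\n", count($stmt->fetchAll()));
```

Run it with `php` (it needs the pdo_sqlite extension). The legitimate name finds its row, the payload finds none because its quotes were escaped into a plain string, and the double-escaped query finds nothing either, which is the symptom you see when stripslashes is skipped under magic_quotes_gpc. The prepared statement at the end is the form to use in new module code.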

aracnet
Nuke Soldier
Joined: Oct 26, 2004
Posts: 30
Posted: Thu Oct 28, 2004 1:44 am
Sorry, I wrote it wrong.
I wanted to ask about:
strip_tags()

madman
Support Mod
Joined: Feb 15, 2004
Posts: 806
Posted: Thu Oct 28, 2004 10:57 am
FreeBee wrote:
Run stripslashes and then use mysql_escape_string() if you're a MySQL user, because there are differences in each type of SQL server.

You can put this code (e.g. in mainfile.php) to "recode" quote characters. In this example, the code will "sanitize" quotes from submitted user input (for example: it's becomes it&#039;s, "hello" becomes &quot;hello&quot;, etc.):
Code:
/*
 * put this line _BEFORE_ the import_request_variables() call in mainfile.php
 * (note: import_request_variables() reads $_GET/$_POST/$_COOKIE, not $_REQUEST,
 *  so apply the same call to those arrays if the imported globals must be recoded)
 */
$_REQUEST = recode_quotes($_REQUEST);

/*
 * function to replace single- and double-quotes with HTML entities
 * written by madman at nukecops, oct 28 2004
 */
function recode_quotes($var_array)
{
    if (is_array($var_array))
    {
        reset($var_array);
        foreach ($var_array as $var_key => $var_value)
        {
            if (is_array($var_value))
            {
                // recurse into nested arrays (e.g. multi-select form fields)
                $var_value = recode_quotes($var_value);
            }
            else
            {
                // magic_quotes_gpc adds backslashes before quotes; undo that first
                // so the replacement below sees the raw quote characters
                if (get_magic_quotes_gpc()) $var_value = stripslashes($var_value);
                $var_value = str_replace("'", '&#039;', str_replace('"', '&quot;', "$var_value"));
            }
            $var_array[$var_key] = $var_value;
        }
    }
    else
    {
        if (get_magic_quotes_gpc()) $var_array = stripslashes($var_array);
        $var_array = str_replace("'", '&#039;', str_replace('"', '&quot;', "$var_array"));
    }
    return $var_array;
}
aracnet wrote:
I wanted to ask about:
strip_tags()

Use htmlspecialchars() or htmlentities() instead; it will keep the actual text even if it contains HTML tags. All HTML special characters will be encoded into entities.
_________________ I'm
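An added example, not from this thread or from PHP-Nuke, for madman's answer on strip_tags() above: it runs a few constructed inputs through strip_tags(), strip_tags() with &lt;b&gt; allowed, and htmlspecialchars() with ENT_QUOTES, and then shows an attribute context where only the entity encoding holds up. The helper names viaStripTags(), viaEntities() and renderInput() are my own.

```php
<?php
// Added example (not from the original thread): why strip_tags() alone does
// not make user input safe to echo, and what htmlspecialchars() does instead.

function viaStripTags(string $s, string $allowed = ''): string
{
    // Removes anything that looks like a tag; keeps attributes of allowed tags.
    return strip_tags($s, $allowed);
}

function viaEntities(string $s): string
{
    // Encodes < > & " and (with ENT_QUOTES) ' so the browser shows them as text.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderInput(string $value): string
{
    // Attribute context: the value must not be able to close the quote.
    return '<input type="text" name="q" value="' . viaEntities($value) . '">';
}

// Constructed inputs covering the cases a module author runs into.
$samples = [
    // a plain tag: strip_tags removes it, entities neutralize it
    '<script>alert(1)</script>',
    // an allowed tag carrying an event handler: strip_tags keeps the attribute
    '<b onmouseover="alert(1)">hover me</b>',
    // not markup at all, but strip_tags treats "<b and b>" as a tag and eats it
    'if a<b and b>c then',
    // no angle brackets, so strip_tags leaves it alone; it breaks out of value="..."
    '" autofocus onfocus="alert(1)',
];

foreach ($samples as $s) {
    echo "input:            $s\n";
    echo "strip_tags():     ", viaStripTags($s), "\n";
    echo "strip_tags(<b>):  ", viaStripTags($s, '<b>'), "\n";
    echo "htmlspecialchars: ", viaEntities($s), "\n";
    echo "as attribute:     ", renderInput($s), "\n\n";
}
```

The third input shows the other half of the original question: strip_tags() is lossy on legitimate text, not just incomplete on hostile text, while entity encoding round-trips everything. When output lands inside an attribute, use ENT_QUOTES as above; the default flags of older PHP versions left single quotes alone.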