Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
 Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 MOD-Group
 MOD Add-On Forum (W/Code)
 hack antispam code (if numbers are not changed)		  New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Sonic
New Member

Germany
82 Posts
Posted - 03 December 2005 :  05:04:19  Show Profile  Visit Sonic's Homepage  Reply with Quote
where:
anti-spam-registration code and
guestbook 3.6

what:
users / scripts can count back the antispam code and can enter the right security code

exploit:
right click on a security image you should see --> e.g.
http://aspire/register.asp?code=image&rc=12343321851&p=1

- we now need the number red marked
- and the count variable (in the antispam code)
RandCode = (strRCCode + 17456) / 50000

==> now count:
12343321851 + 17456 / 50000 = you get the image code

bugfix:
to prevent this change the numbers to some other e.g.

from -> RandomizedCode = NumbersToShow * 50000 - 17456
to => RandomizedCode = NumbersToShow * 47900 - 15249

and:

from -> RandCode = (strRCCode + 17456) / 50000
to => RandCode = (strRCCode + 15249) / 47900

don't use the numbers here it is just a sample use other numbers...
i don't know a page where it was happen but the way is there...
so it is better to change everything to make it heavy to hack something <
ich finds genial...
bei uns ist es ratzekuz dunkel und bei dene alle heller nachmittag
Edited by - Sonic on 03 December 2005 05:08:16

Nertz
Junior Member

Canada
341 Posts
Posted - 03 December 2005 :  17:26:53  Show Profile  Reply with Quote
Actually if you submit this URL with register.asp?code=image&rc=12343321851&p=1, it will redirect to the first digit image which is usually in the form of n.gif. The file name actually gives away the digit in the code. Increasing the number for p will eventually get you all the digits, ireegardless of what formula you used. There should be a way to prevent register.asp from showing the digits if the page was not called from a form submit.

cheers,
Nat<
Sadly, most Family Court Judges wrongfully reward opportunistic gold diggers
that use our children unjustly as "instruments" of power.

www.fathers-4-justice-canada.ca
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.12 seconds. Powered By: Snitz Forums 2000 Version 3.4.07