Nigerian Society Of Engineers Website Hacked - Webmasters - Nairaland


Nigerian Society Of Engineers Website Hacked by Cactus(m): 4:21pm On Nov 08, 2010
http://www.nse.org.ng/

Shot them a mail. Still up and still looking fresh.

Hacked By
Hacked By MR.dem

Hacked By MR.Dem
Re: Nigerian Society Of Engineers Website Hacked by yawatide(f): 4:49pm On Nov 08, 2010
http://www.nse.org.ng/index2.php?page=application

Our resident security expert, slyrox, can probably chime in better on this than I can but for what it's worth, you DO NOT want to code your pages based on "one-page-delivers-all-content" per the bolded section above. It is way too risky.

All I had to do, to determine if the site had a possibility of getting hacked was to replace "application" with a tick ('). The hackers most likely exploited the site using what I would call the kindergarten of hacking techniques. Makes me wonder how "good" the site's security is, given this entry-level hacking technique.

Oh well, if I had offered my services, they would have said I charged too much. This is most likely what you get when you squeeze your Azikiwes so tightly that even the late Azikiwe feels suffocated in the grave, though he's been gone for many, many years.
Re: Nigerian Society Of Engineers Website Hacked by Cactus(m): 5:29pm On Nov 08, 2010
Someone here on NL accusing me I was the one that did it. Amazing
Re: Nigerian Society Of Engineers Website Hacked by utimatedes(m): 5:56pm On Nov 08, 2010
yawa-ti-de:

All I had to do, to determine if the site had a possibility of getting hacked was to replace "application" with a tick ('). The hackers most likely exploited the site using what I would call the kindergarten of hacking techniques. Makes me wonder how "good" the site's security is, given this entry-level hacking technique.

White unfortunate!
Is it possible to use the method above to determine whether an HTML page has the possibility of being hacked, and what are the other methods of determining the security?
Re: Nigerian Society Of Engineers Website Hacked by yawatide(f): 6:06pm On Nov 08, 2010
Most likely though again, I will yield to those who are more versed in these things. I just know the theory but not the practical cheesy

Take another example, to show how bad this can get: http://www.aksgonline.com/articlePage.aspx?qrID=700

1) Note the news article
2) replace "700" with a tick and note the error, which tells you, among others: table name and column name. Now a bad guy would immediately exploit this and make the 'webmaster' lose his job by posting articles that are offensive to the governor abi? but I am not like that cool
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 7:09pm On Nov 08, 2010
Hmm, this smells very suspicious mehn, oga cactus, you sure say no be you?
Re: Nigerian Society Of Engineers Website Hacked by DualCore1: 7:18pm On Nov 08, 2010
oga cactus, we are open to ur confessions.
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 7:22pm On Nov 08, 2010
Cactus, dont worry, we will go eazy on ya!
Re: Nigerian Society Of Engineers Website Hacked by utimatedes(m): 7:28pm On Nov 08, 2010
How can one prevent this from happening?
How can you use the information to hack?

I'm not asking because I want to hack, but to understand more and to prevent it from happening to me. I might lose clients if it happens to me
Re: Nigerian Society Of Engineers Website Hacked by nauvel: 7:31pm On Nov 08, 2010
Poor Cactus, many messengers usually get shot. wink
Re: Nigerian Society Of Engineers Website Hacked by InesQor(m): 8:13pm On Nov 08, 2010
yawa-ti-de:

Most likely though again, I will yield to those who are more versed in these things. I just know the theory but not the practical cheesy

Take another example, to show how bad this can get: http://www.aksgonline.com/articlePage.aspx?qrID=700

1) Note the news article
2) replace "700" with a tick and note the error, which tells you, among others: table name and column name.
Now a bad guy would immediately exploit this and make the 'webmaster' lose his job by posting articles that are offensive to the governor abi? but I am not like that cool

Lol Ya-wa-ti-de! cheesy Im a big fan of yours, ma'am. . . just so you know! smiley

BTW, I just followed you on twitter. Im the dude with a baby face smiley
Re: Nigerian Society Of Engineers Website Hacked by yawatide(f): 8:51pm On Nov 08, 2010
BTW, I just followed you on twitter. Im the dude with a baby face Smiley

Follow me, i follow you. man no go vex tongue
Re: Nigerian Society Of Engineers Website Hacked by Slyr0x: 9:24pm On Nov 08, 2010
,

grin grin
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 9:32pm On Nov 08, 2010
Men, Sly, you are something else!

Did you get my mail On the one you used to mail me then when you were banged!
Re: Nigerian Society Of Engineers Website Hacked by Slyr0x: 9:38pm On Nov 08, 2010
Yeah bro.
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 6:23am On Nov 09, 2010
me self, i don do my own
http://www.nse.org.ng/pic_upload/slideshow/dhtml.txt

Donpuzo:

Men, Sly, you are something else!

Did you get my mail On the one you used to mail me then when you were banged!
lol

This website is so insecure that even an olodo-hacker like me can still bomb the whole thing, both files and databases. . .
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 6:55am On Nov 09, 2010
Most sites get hacked because of the pattern they use, query or die(mysql_error()), which vomits the issue; using an Exception hides the message. Also, doesn't any webmaster know of regular expressions? It's worth looking into.
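
Added example (not part of the thread, and not the site's code): the tick test and the `or die(mysql_error())` pattern discussed above, shown as a vulnerable page loader next to a hardened one. The `pages` table, its columns, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');            // in-memory stand-in for the site's database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)");
$db->exec("INSERT INTO pages VALUES ('application', 'Membership application form')");

// BEFORE: input is concatenated into the SQL and the database error is shown to the visitor.
function load_page_vulnerable(PDO $db, string $page): string {
    try {
        $row = $db->query("SELECT body FROM pages WHERE slug = '$page'")->fetch();
        return $row ? $row['body'] : 'Not found';
    } catch (PDOException $e) {
        return 'DB error: ' . $e->getMessage();   // same effect as die(mysql_error())
    }
}

// AFTER: allow-list the slug format, bind it as a parameter, keep error detail in the server log.
function load_page_safe(PDO $db, string $page): string {
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $page)) {
        return 'Not found';                        // anything that is not a plain slug is rejected
    }
    try {
        $stmt = $db->prepare('SELECT body FROM pages WHERE slug = :slug');
        $stmt->execute([':slug' => $page]);        // value travels separately from the SQL text
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['body'] : 'Not found';
    } catch (PDOException $e) {
        error_log('page lookup failed: ' . $e->getMessage());
        return 'Something went wrong';             // generic message for the visitor
    }
}

// A normal request, then the single-quote test described in the thread.
foreach (["application", "'"] as $input) {
    printf("%-14s vulnerable: %s\n", var_export($input, true), load_page_vulnerable($db, $input));
    printf("%-14s safe:       %s\n", var_export($input, true), load_page_safe($db, $input));
}
```

The bound parameter alone stops the injection; the format check and the generic error message remove the feedback that makes probing easy.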
Re: Nigerian Society Of Engineers Website Hacked by georgen2u(m): 7:26am On Nov 09, 2010
You guys are just beating around the bush. Only an 'INTITLE' search on Google is enough for me to hack a poor site, let alone its JavaScript. The hacker tried it; it often occurs when PHP rules are violated, then we can use the GET command to inject some malicious code into your database via forms. That's SQL injection for you lol,
Re: Nigerian Society Of Engineers Website Hacked by Youngichou(m): 7:43am On Nov 09, 2010
^^^you right but. @ yawa you be good madam O.
The problem with those sites is they don't really protect those links against SQL injection attacks.
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 7:47am On Nov 09, 2010
How would they, when they are probably using apps like Dreamweaver to create logins? SQL injection is not a big deal. First use JavaScript to sanitize strings, and if JavaScript is turned off use PHP to convert all links to HTML entities like ">" = "&gt", then create a script to trim words like "like,select,drop,-", and if that's too strict then use Perl regular expressions. Most are too lazy to build a security system. Also, if you are the daring type like DHTML, you can create a SESSION handler that bounces people from your site if they have tried miscellaneous login attempts
Re: Nigerian Society Of Engineers Website Hacked by peddylinko(m): 7:54am On Nov 09, 2010
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 8:09am On Nov 09, 2010
pc guru:

How would they, when they are probably using apps like Dreamweaver to create logins? SQL injection is not a big deal. First use JavaScript to sanitize strings, and if JavaScript is turned off use PHP to convert all links to HTML entities like ">" = "&gt", then create a script to trim words like "like,select,drop,-", and if that's too strict then use Perl regular expressions. Most are too lazy to build a security system. Also, if you are the daring type like DHTML, you can create a SESSION handler that bounces people from your site if they have tried miscellaneous login attempts
well, i only setup proper security if i am paid for it - then i employ the security ppl to do that
Re: Nigerian Society Of Engineers Website Hacked by Youngichou(m): 8:10am On Nov 09, 2010
@YAWA thanks for that candid advice on that website project. I am through with everything.
The man has now called another guy to test my work and find errors. At least for now only one error has been found, and that was a broken link.
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 9:34am On Nov 09, 2010
http://www.nse.org.ng/pic_upload/slideshow/donpuzo.txt

That's my quota. It feels good having fun! Though it's unprofessional and not ethical!

I bet the web developers, are busy having fun with Ashewo's and have forgotten to even check the site on regular basis!
Re: Nigerian Society Of Engineers Website Hacked by yawatide(f): 11:16am On Nov 09, 2010
well, i only setup proper security if i am paid for it - then i employ the security ppl to do that
dhtml, not a good attitude to have. I hope you are joking sha.

There are certain things that should come standard with every site you do. Personally, I set a price based on requirements, knowing again that certain things come standard. Either we agree on that price, negotiate within reason or I reject. In the case of the latter, I always believe that there are a lot of fish in the ocean so I never feel down or angry.
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 11:29am On Nov 09, 2010
Yawa. I wanna show you a site, for personal review,

How do i do that??
Re: Nigerian Society Of Engineers Website Hacked by Slyr0x: 11:46am On Nov 09, 2010
Already deleted my link. It's VERY unprofessional and the height of it is someone deleting the original documents. Why would someone do that? Also hope you people know there is a log being kept? Well, it's Nigeria and nobody checks logs, but what if they do?

@Yawa, you're quite right ma'am. The 1st step is the quote (') thingy to check if it's vuln to SQLi, but most sophisticated webapps won't spit out errors even when vuln. So you just go on checking every parameter available with different kinds of commands i.e. ', 'OR 1=1' , 'OR a=a', just keep trying every logical true statement you can try till you get an error either on the page, hidden in the source code, or you have an incomplete page. Also there's the blind SQLi attack where the AND statement comes to use.

i.e index.aspx?cat=1' AND 1=1--

index.aspx?cat=1' AND 1=2--

The 1st one is a logical true statement as 1=1, therefore the page loads normally; the 2nd statement is false as 1 != 2, resulting in missing items on a page. This then tells us the webapp is vuln, then you can go on with your order by, select, union, concat bla bla bla FROM table bla bla

Most things script kiddies look for in sites are sites that look this way

http://myname.com/index.php?page=2 even if they aren't vuln, the kid goes on with different commands, eventually breaking (not into) the application.

In this case a lot of things went wrong, even the phpinfo file was left open. Also the file upload vuln, why should someone with a guest privilege be given access to upload stuff?? A PHP shell can find its way into the server this way.
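
Added example (not part of the thread): the quote and AND 1=1 / AND 1=2 checks described in the post above show up in the web server's access log, the log the post says nobody checks. This sketch flags them per client; the log lines are constructed, in common log format, and `find_sqli_probes` is a hypothetical name.

```php
<?php
// Added example: constructed log lines; the signatures mirror the probes quoted in the thread.
$log = <<<'LOG'
203.0.113.7 - - [09/Nov/2010:11:40:01 +0100] "GET /index.php?page=2 HTTP/1.1" 200 5120
203.0.113.7 - - [09/Nov/2010:11:40:05 +0100] "GET /index.php?page=%27 HTTP/1.1" 500 312
203.0.113.7 - - [09/Nov/2010:11:40:09 +0100] "GET /index.aspx?cat=1%27%20AND%201=1-- HTTP/1.1" 200 5120
203.0.113.7 - - [09/Nov/2010:11:40:11 +0100] "GET /index.aspx?cat=1%27%20AND%201=2-- HTTP/1.1" 200 1804
198.51.100.20 - - [09/Nov/2010:11:41:00 +0100] "GET /index.php?page=contact HTTP/1.1" 200 4096
LOG;

// A stray quote, a boolean comparison after AND/OR, and a trailing SQL comment.
const PROBES = [
    'quote'   => "/'/",
    'boolean' => '/\b(?:AND|OR)\s+\S+\s*=\s*\S+/i',
    'comment' => '/--\s*$/',
];

function find_sqli_probes(string $log): array {
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP[^"]*" (\d{3}) (\d+)/', $line, $m)) {
            continue;                                   // not a request line we understand
        }
        [, $ip, $uri, $status, $bytes] = $m;
        $query = (string) parse_url($uri, PHP_URL_QUERY);
        foreach (explode('&', $query) as $pair) {
            $value = urldecode(explode('=', $pair, 2)[1] ?? '');   // decode before matching
            $why = array_keys(array_filter(PROBES, fn($re) => preg_match($re, $value)));
            if ($why) {
                $hits[$ip][] = ['uri' => urldecode($uri), 'status' => (int) $status,
                                'bytes' => (int) $bytes, 'why' => $why];
            }
        }
    }
    return $hits;
}

foreach (find_sqli_probes($log) as $ip => $events) {
    echo "$ip: " . count($events) . " suspicious requests\n";
    foreach ($events as $e) {
        printf("  %d %6d bytes  %s  [%s]\n", $e['status'], $e['bytes'], $e['uri'], implode(',', $e['why']));
    }
}
```

A lone quote also appears in legitimate values, so weigh it by repetition from one client; a pair of near-identical requests returning different response sizes is the stronger signal.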
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 11:54am On Nov 09, 2010
@Slyrox.

Most times fun outweighs professionalism. We have to break professional ethics to have fun! Like i do with babes! I break ethics!

As for your latter point. "The fun never stops until it hits the dance floor. Endangering the globe is worse than endangering Nairaland!"
Re: Nigerian Society Of Engineers Website Hacked by Slyr0x: 12:22pm On Nov 09, 2010
Endangering the globe is worse than endangering Nairaland!"

Baba iBelieve say uBe Igbo dude and as such 'proverbial sayings' na ur 2nd name. Abeg rephrase dat using a lang. a Yoruba dude lyk me wil undastand smiley
Re: Nigerian Society Of Engineers Website Hacked by nauvel: 12:44pm On Nov 09, 2010
Always try to be ethical. You never know when ur deeds might come and bite u in the ,
Re: Nigerian Society Of Engineers Website Hacked by Nobody: 12:51pm On Nov 09, 2010
Always try to be ethical. You never know when your deeds might come and bite u in the navel

The only thing that goes to my Belly Botton na my GF LIPS,  kiss  kiss  kiss

@Sly, I once thought Hackers understood proverbs. At least i can pass a secretive message to you. Only me and you get to understand.  wink

Cause i don't want to get arrested. My address dey www.marknollis.com. Even the one for village self(In the site, i call am branch office)

Marketing Strategy!
Re: Nigerian Society Of Engineers Website Hacked by Slyr0x: 1:27pm On Nov 09, 2010
Yeah, I'm a certified penetration tester and I assist companies/organizations in performing a pentest on their web applications and network. You can hit me up slyrox2[at]gmail[.]com


Marketing strategy smiley
