Untitled

a guest
Sep 26th, 2017
Hey guys,

Late Monday night/Tuesday morning Harrek contacted me asking if I could help with PHP as Lucas had left the ACWC project. I said yes and I was told they were trying to access the "unapproved" teams who had been submitted. I was finished by about 3am and went to bed, thinking all was well and good.

The next night (Tuesday) at 8pm I got an angry email from Lucas which can be seen here:
[quote="Lucas"]
echo "<!--Herro " . MYSQL_USER . " " . MYSQL_PASSWORD . " -->";

Remind you something ?
Yes, when you were stealing my db username / password, right.
First, you were not supposed to have enough access. Since you were going to play the tournament and you had nothing more to do, and to prevent this kind of shit from happening, I had removed your svn access;
Unfortunately, (fortunately for you), daylixx gave you his login and password. It was his fault ok. But how could he guess you would do such things ?

You have absolutely NO reason to steal this information, you could have done without it and you know that.
Also you've made this critical data public while you were trying to get it.
And anyway you could have asked me if needed instead of doing that.

Of course daylix password has been removed.
And I'm seriously thinking about taking other actions against you.

PS : db password has been changed and I will not share my VPS any longer. Thanks to you.
[/quote]

I was confused by this, but as I was at work I thought I would attend to it then.

When I arrived home from work, I found out my team captain (Undead) had received the following message from DaylixX (new ACWC admin).

[quote="DaylixX"][23:09] <DaylixX> Hello Undead, we disqualified Castiel of the World Cup for hacking database site, so you will have found a new partner.[/quote]

This all threw me off a bit, as all I thought I had done was help out my friend, Harrek.

I promptly emailed Lucas back apologising, and sent him another email a few hours later, but I have had no response. I also tried to contact him (Lucas) on TeamSpeak when he was online but I got no response (Harrek told me he was talking to him moments before).

Now I'm confused and not really sure what to do. I have been excluded from a tournament I was rather looking forward to due to me trying to help out, and have been accused of hacking.

Also, when I now try to visit the ACWC website, I get a 403 error, which usually means my IP has been blocked (I have asked others and they can still access it fine).

The events on the night of the accused "hacking" go as follows:
[quote="Castiel"]
Harrek/DaylixX contacted me asking if I knew PHP, I replied yes. They needed help finding the teams which had applied to ACWC, as the current admin interface that DaylixX had did not show the unapproved teams.

I was previously working on the site, but my svn access had been disabled as I am a player (of course), so DaylixX gave me his access so that I could try and work out how to view the unapproved teams.

My first thoughts were that Lucas possibly had a higher admin role on the ACWC site, so that I just needed to change DaylixX's role to the same and it would all work.

I ran queries against the database to increase my role to the same level as Lucas, to test if that meant you could see the unapproved teams. Unfortunately, it seemed that Lucas and DaylixX had the same admin level on the ACWC site and Lucas was approving teams a different way.

I looked through the PHP of the site and I saw that when a user submitted a team, the team details were inserted into the MySQL database.

My next thought was that if I simply had the database username and password, I could log in to phpMyAdmin (an online database viewer) and look at the unapproved teams in the database.

To do this I used the following command:
echo "<!--Herro " . MYSQL_USER . " " . MYSQL_PASSWORD . " -->";
This would output the username and password to the site, but would put it in a comment, only viewable if the user clicks "view source" and then knows what the username/password combo is for. It was a slightly risky thing to do, but I removed that line as soon as I had the username and password to ensure nobody else would see it.

I then used the username and password to log in to phpMyAdmin and to view the ACWC database. I was able to inform Harrek and DaylixX of the extra teams that had been submitted, so they were now able to approve the newly entered teams.
[/quote]

This is all that I did. In defense of myself:
[list]
[*]I was [b]ONLY[/b] trying to help, nothing else. All my actions were in an attempt to help Harrek and DaylixX
[*]I did not know it was Lucas's personal server
[*]I did not email Lucas about this as I was informed/thought that he was unreachable (that's why I thought they contacted me, not him)
[*]I attained the MySQL username and password so I could easily view the content of the database, not for [b]ANY[/b] other reason
[/list]

I don't think I should be labeled a hacker for this, or excluded from the tournament. I have not heard from Lucas in over 2 days, so I decided I would post and let people know what is going on.

Thanks for hearing me out, Castiel