Silk Road forums
Discussion => Security => Topic started by: gasparin on September 21, 2011, 01:44 am
-
Unless there is some authorized pentesting going on, this probably needs some attention. I didn't want to take the time to post screenshots but I can produce that if this listing disappears before some admin get to take a look. So, here's what has me a bit freaked out:
When the Cannabis category is sorted by 'bestselling', this listing appears on page 5 of the listings (at the time of writing this post) -- http://ianxz6zefk72ulzz.onion/index.php/silkroad/category/1/140
From left to right, the columns read: Test listing ฿0.11 truenull x'; DROP TABLE members; -- add to cart
That "x" is a broken image link in the "ships to" field of the listing... And there in the 'ships from' field looks like a naughty lil bit of SQL.
The actual listing is just filler. -- http://ianxz6zefk72ulzz.onion/index.php/silkroad/item/9033
And the seller is ranked last, with no transactions. Member for a month, active today. -- http://ianxz6zefk72ulzz.onion/index.php/silkroad/user/36937
So, can somebody please tell me that they know this truenull character and that he's one of the good guys? As I mentioned, this has me kinda freaked, even though it looks like he's failing.
-
Oh shit, someone should look into this.
lol. there's already a few threads about this.
-
Bad guy trying an SQL injection. I doubt it's SR staff testing the system for vulnerabilities, why would they be "testing" with queries aimed at deleting all users in the database :o
Perhaps LE? Why else would somebody bother to shell out for a sellers account solely for the purpose of (attempting to) take out SR?
-
Old news, read other thread about that issue!
No worry about that!
-
Sorry for double-posting. Like I said at the start, I didn't want to waste time with the usual formalities when I saw something that might have been serious and ongoing. So I just logged in here and made a thread ASAP. I guess I'll search out that other thread now and maybe take something for my anxiety. :-.
Thanks to you all for replying fast. :-)
-
::)
Just filler. My pentesting isn't publicly visible.
Besides, it would be drop table users, not members, as evidenced by various SQL errors <<
-
???
So, what's going on, lookbehindyou?
I found the thread that you started about the problems in the search box, but still nothing about this listing. Obviously I can't diagnose this, but it's clear to me that it's not Cannabis. That much I know.
-
Just miscategorizing, SR won't let me change it.
-
Hehe... alright... so, in the future, could you maybe do that shit in the benzo or opioid sections... putting it in Cannabis is a bit like yelling "FIRE" in a crowded theatre. Folks get paranoid enough already.