Find the index filename and Win 500 credits/points

olliepop · Mar 4, 2009

The first person to tell me the name of the index page (eg hello.php) of http://tribalcorp.net/project automatically wins 800 points/credits

only regular users can enter

Wizet · Mar 4, 2009

Can you like give us any hints because there can be googols of combinations out there.

olliepop · Mar 4, 2009

sorry, i made this contest to see if there was any way of finding the filename

just knowing the filename can compromise my entire website and security mainframe

sorry man

Wizet · Mar 4, 2009

Technically it will be impossible because there are thousands of combinations of letters and there are many types of website file types. So that's your answer

olliepop · Mar 4, 2009

but i want to know if there is a way for people to find the name besides guessing.
yes it is a long name also.

Livewire · Mar 4, 2009

olliepop said:
but i want to know if there is a way for people to find the name besides guessing.
yes it is a long name also.

Other than brute-force trying every single possible combination, not that I can see - I disabled javascript and could view the source of the included ajax javascript file (you may wanna look for a way to disable that from happening, not sure exactly -how- to go about that though), but there's nothing that indicates what the name of that exact page is.

olliepop · Mar 5, 2009

Livewire said:
Other than brute-force trying every single possible combination, not that I can see - I disabled javascript and could view the source of the included ajax javascript file (you may wanna look for a way to disable that from happening, not sure exactly -how- to go about that though), but there's nothing that indicates what the name of that exact page is.

thanks man. you sound experienced, so you gave me some assurance ^^
i know how to make the js file hard to find

of course, im not going to rest all my hopes for security on hiding the file names (for you skeptics :drool

for the next load of people who read this, is it possible for me to chmod the js file from reading and writing (unreadable and unwritable by world, user and private) but yet still call the ajax functions from it?

sorry if its going a bit off topic...
keep trying to find the name guys!

jensen · Mar 5, 2009

well i got the http://tribalcorp.net/project/register/main.php page from javascript but then that's not the main page even though it says main.php

if this was posted on a white hat forum maybe you'd have got your winner by the 2nd post.

Sohail · Mar 5, 2009

I managed to get one of your scripts out of it :

"var xmlHttp;
2var div;
3
4function Registration()
5{
6xmlHttp=GetXmlHttpObject();
7if (xmlHttp==null)
8 {
9 alert ("Browser does not support HTTP Request");
10 return;
11 }
12div = "mainbody";
13document.getElementById(div).innerHTML="Loading please wait... T R I B A L    C O R P";
14var url="register/main.php";
15url=url+"?sid="+Math.random();
16xmlHttp.onreadystatechange=stateChanged;
17xmlHttp.open("GET",url,true);
18xmlHttp.send(null);
19}
20
21function ShowCopyright()
22{
23xmlHttp=GetXmlHttpObject();
24if (xmlHttp==null)
25 {
26 alert ("Browser does not support HTTP Request");
27 return;
28 }
29div = "copyright";
30document.getElementById(div).innerHTML="Loading please wait... T R I B A L    C O R P";
31var url="copyright.php";
32url=url+"?sid="+Math.random();
33xmlHttp.onreadystatechange=stateChanged;
34xmlHttp.open("GET",url,true);
35xmlHttp.send(null);
36}
37
38function Advertise()
39{
40xmlHttp=GetXmlHttpObject();
41if (xmlHttp==null)
42 {
43 alert ("Browser does not support HTTP Request");
44 return;
45 }
46div = "mainbody";
47document.getElementById(div).innerHTML="Loading please wait... T R I B A L    C O R P";
48var url="advertise.php";
49url=url+"?sid="+Math.random();
50xmlHttp.onreadystatechange=stateChanged;
51xmlHttp.open("GET",url,true);
52xmlHttp.send(null);
53}
54
55function HideCopyright()
56{
57xmlHttp=GetXmlHttpObject();
58if (xmlHttp==null)
59 {
60 alert ("Browser does not support HTTP Request");
61 return;
62 }
63div = "copyright";
64document.getElementById(div).innerHTML="<a href=# onclick=ShowCopyright() >Legal and Advertising</a>";
65}
66
67function mainhome()
68{
69xmlHttp=GetXmlHttpObject();
70if (xmlHttp==null)
71 {
72 alert ("Browser does not support HTTP Request");
73 return;
74 }
75div = "mainbody";
76document.getElementById(div).innerHTML="Logged in. Welcome, " + sessionname;
77}
78
79function stateChanged()
80{
81if (xmlHttp.readyState==4 || xmlHttp.readyState=="complete")
82 {
83 document.getElementById(div).innerHTML=xmlHttp.responseText;
84 }
85}
86
87function GetXmlHttpObject()
88{
89var xmlHttp=null;
90try
91 {
92 // Firefox, Opera 8.0+, Safari
93 xmlHttp=new XMLHttpRequest();
94 }
95catch (e)
96 {
97 // Internet Explorer
98 try
99 {
100 xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
101 }
102 catch (e)
103 {
104 xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
105 }
106 }
107return xmlHttp;
108}"

This one makes me think that register/main.php is it but I can't be sure... Are you using a URL rewrite with .htaccess?

xxll_martin_llxx · Mar 5, 2009

It wouldn't happen to be in this list would it? http://www.google.co.uk/search?hl=en&safe=off&q=site:tribalcorp.net&start=0&sa=N

olliepop · Mar 5, 2009

yep im using .htaccess

please don't use your adminess ftp to get the name :s
i need to know if it really is findable

ps: google shouldn't work
Edit:
prize bumped to 800: just to put you on the right path, its not main

Livewire · Mar 5, 2009

olliepop said:
yep im using .htaccess

please don't use your adminess ftp to get the name :s
i need to know if it really is findable

ps: google shouldn't work
Edit:
prize bumped to 800: just to put you on the right path, its not main

Yah, main was one of my first tries; it returned a 404 so it didn't come up

Also tried another handful, but in the interests of me NOT getting blocked by x10's firewall, I'm not gunna try brute-forcing it. Advantages to being on someone elses server - their security is -your- security too

leafypiggy · Mar 5, 2009

Couple questions, what's your server name and cPanel name?

I "could" use bash to find it. but I would need your server name and cPanel name

olliepop · Mar 5, 2009

Roflmao.
That would qualify for the points, technically it is hacking the names

but if you do please pm me instead, dont make it public

Hired_Goon · Mar 6, 2009

ajaxtribal.js

ichwar · Mar 6, 2009

Hired_Goon said:
ajaxtribal.js

I think it's a php page, not a js.

olliepop · Mar 6, 2009

Sorry, its not ajaxtribal.js
I'll give you guys some time saving hints:
Its not main.php
Its not a .js file

The file is under the main tribalcorp.net/project directory.
Admins dont ftp it o.o

xav0989 · Mar 6, 2009

There would be a way through the apache access logs, but I would need cpanel username and server.

supajason · Mar 8, 2009

Ok sounds like fun to me i will give it a go, althought it is pretty impossible i mean it could be something crazy like 28940789102784u890378u80rj32890dfj893fh297823.php

Teensweb · Mar 10, 2009

seems like the account got suspended for some reason...

Find the index filename and Win 500 credits/points

Member

New Member

Member

New Member

Member

Abuse Compliance Officer

Member

Active Member

Active Member

Member

Member

Abuse Compliance Officer

Manager of Pens and Office Supplies

Member

New Member

Community Advocate

Member

Community Public Relation

Member

New Member

Free Web Hosting

Our Community

Legal