Ebi search
Moderators: robot, noproblemo
27 posts
• Page 1 of 2 • 1, 2
Ebi search
by Exbi on Wed Oct 24, 2007 10:29 am
you not plan do search models by action(hard,anal,pad,dp and etc.)?
-
Exbi - Respected member
- Posts: 301
- Joined: Sat Apr 28, 2007 12:39 pm
by Steve on Thu Oct 25, 2007 5:04 am
That would be a rather monumentally large undertaking to achieve that.
I have a background in databasing and SQL driven systems and have handled database moves on systems like the AT&T telephone database, etc.
To convert a text driven listing into a database format for over 1000 models so that they can be referenced by type would be massive. Its possible of course but phenomenally difficult (well, time consuming is probably a better explanation).
I have a background in databasing and SQL driven systems and have handled database moves on systems like the AT&T telephone database, etc.
To convert a text driven listing into a database format for over 1000 models so that they can be referenced by type would be massive. Its possible of course but phenomenally difficult (well, time consuming is probably a better explanation).
- Steve
by boombingbang on Thu Oct 25, 2007 5:17 am
A search engine on the level of AskTiava & AskJolene that is maybe specific to EBI chicks & even further a go-out-and-grab-their-sample galleries type thing would be a tremendous addition though it seems a time consuming & ambitious one - as I believe & respect the above's opinion on the matter as having clear expertise in such & other tech matters (if not similar judgement of posting goodness). But I guess why re-create the wheel? But if you do I won't complain since it's not really the same wheel.
- boombingbang
- Respected member
- Posts: 180
- Joined: Sun Sep 23, 2007 12:54 pm
by Walter Burns on Thu Oct 25, 2007 5:37 pm
Are there problems with the current search engine?
Take the following case.
I did a search for "skinny" to look up the movie Skinny Dippin' & Cum Drippin' 2.
This is the result for this title. Only 1 performer is listed: Orsay.
And yet, the exact same title is also listed on the page of Victoria Dark.
Take the following case.
I did a search for "skinny" to look up the movie Skinny Dippin' & Cum Drippin' 2.
This is the result for this title. Only 1 performer is listed: Orsay.
And yet, the exact same title is also listed on the page of Victoria Dark.
- Walter Burns
- Mr. Burns
- Posts: 550
- Joined: Thu Apr 19, 2007 12:44 pm
by boombingbang on Thu Oct 25, 2007 8:05 pm
Yep, SQL injection is a real virtual ass fucker.
.NET I believe (and now I'm really scraping the back of the brain for this) has a feature whereby all the SQL can be "pre-crunched" then passed it's param (or maybe perhaps this is the DB system function? Oracle? Both in tandem? Well, whatever...), and then post a character strip routine perhaps to lose the $%^&ing BS then it's abracadabra time as you just killed two birds with one new cool simple & easy to use IDE (though maybe not so 'new' now). Of course one thing I don't have to think about is that these 1-2-3 armchair programmer designs are much harder & painful in practice & not to mention expensive - fuck that shit, that's why I went into sales and maybe for other rea$on$ too.
.NET I believe (and now I'm really scraping the back of the brain for this) has a feature whereby all the SQL can be "pre-crunched" then passed it's param (or maybe perhaps this is the DB system function? Oracle? Both in tandem? Well, whatever...), and then post a character strip routine perhaps to lose the $%^&ing BS then it's abracadabra time as you just killed two birds with one new cool simple & easy to use IDE (though maybe not so 'new' now). Of course one thing I don't have to think about is that these 1-2-3 armchair programmer designs are much harder & painful in practice & not to mention expensive - fuck that shit, that's why I went into sales and maybe for other rea$on$ too.
- boombingbang
- Respected member
- Posts: 180
- Joined: Sun Sep 23, 2007 12:54 pm
by boombingbang on Thu Oct 25, 2007 8:22 pm
Ya know, the more I think about all this speculation, the more I think it unwise. Take someone clever like myself who happens to have a few old SQL textbooks lying about. I hear you have problems per previously mention SQL infucktion and other nicely laid out snapshots & hints of your sites internal organs (though not complete, the sufficiently clever & cruel can connect dots). So continuing in this other type, more fruitful & enlightening type of speculation....
Let's say I'm not the nice guy you see posting before you. Nope, I'm a true cocksucker and love-to-have-my-cock-sucked scumbag. So I work up a good hard one that maybe when it hits a table it splitters or in the DB world it's obliviated...gone forever...bye...so then I take my virtual cock and slide it into your site's moneymaker of a search query box.
We're there by now & adequately horrified I think, yes? So good if so & no offense. If otherwise unphased, serious, no offense but you need to smarten up. Anyway for what it's worth, I would suggest scowlville for this thread (and maybe a good look-see for other security slipsies & oopsies) as though granted this place aint the FBI but the EBI, it perhaps helps feed a few mouths and there are really some scumbags out there - much worse than me. And also perhaps henceforth, maybe the background nitty gritty remain so for your sake and mine too as I'd like to keep posting until I'm at least banned.
Regards.
Let's say I'm not the nice guy you see posting before you. Nope, I'm a true cocksucker and love-to-have-my-cock-sucked scumbag. So I work up a good hard one that maybe when it hits a table it splitters or in the DB world it's obliviated...gone forever...bye...so then I take my virtual cock and slide it into your site's moneymaker of a search query box.
We're there by now & adequately horrified I think, yes? So good if so & no offense. If otherwise unphased, serious, no offense but you need to smarten up. Anyway for what it's worth, I would suggest scowlville for this thread (and maybe a good look-see for other security slipsies & oopsies) as though granted this place aint the FBI but the EBI, it perhaps helps feed a few mouths and there are really some scumbags out there - much worse than me. And also perhaps henceforth, maybe the background nitty gritty remain so for your sake and mine too as I'd like to keep posting until I'm at least banned.
Regards.
- boombingbang
- Respected member
- Posts: 180
- Joined: Sun Sep 23, 2007 12:54 pm
by Steve on Thu Oct 25, 2007 10:27 pm
AFAIK there are no current SQL Injection exploits in PHPBB. Knowing about SQL does not at all mean that you can perform an injection.
SQL injections are actually nothing to do with SQL (the name is misleading). They are done by exploiting the header code in PHP (most commonly $_GET statements). PHPBB wisely does the majority of its header functions using $_POST and if the server has register globals off, then you will find injecting almost impossible.
Even if an exploit does exist, you then need to know how the coding works and how the database is being used to handle critical functions (i.e. you need to know the ins and out of the package being used on a particular site).
Its all fair and well looking at the above URL and seeing that some is being sent via GET, but its just the mode and topic id. I do not think that the admin rights or server rights are going to be passed using GET on such a popular forum. Therefore you would not be able to inject because firstly the admin and server areas are passed via POST and register globals are off, so the site is simply gonna stick its middle finger up...
SQL injections are actually nothing to do with SQL (the name is misleading). They are done by exploiting the header code in PHP (most commonly $_GET statements). PHPBB wisely does the majority of its header functions using $_POST and if the server has register globals off, then you will find injecting almost impossible.
Even if an exploit does exist, you then need to know how the coding works and how the database is being used to handle critical functions (i.e. you need to know the ins and out of the package being used on a particular site).
Its all fair and well looking at the above URL and seeing that some is being sent via GET, but its just the mode and topic id. I do not think that the admin rights or server rights are going to be passed using GET on such a popular forum. Therefore you would not be able to inject because firstly the admin and server areas are passed via POST and register globals are off, so the site is simply gonna stick its middle finger up...
- Steve
by boombingbang on Fri Oct 26, 2007 12:32 am
You're knowledge is more sound, deeper & detailed obviously, and I find all this greatly & seriously interesting as hell being the nostalgic former CIS student (not being a douche here). Other then the injection example I was just speaking generally and basically out my ass perhaps and maybe even completely out of line & beyond the scope of my "mind your own f'n beezwax" role as JohnDoe-poster almost certainly. That's fair & assumed on this end just to preface & soften the jerk the following outrageousness I dare continue & amend might hit the old piss-me-off part of the frontal lobe when this text turns to comprehension by the relevant, the HDIC(s), the server-bill-payers(s), etc.
So as I am not & wasn't before looking to step on toes here I dare move on. Moreover, I am not saying anyone is saying this as I'm just being thorough in clearing any landmines before I blunder & step and they kaboom as I give all the benefit of the doubt per making such cliche accusations. But I add further within this previously mentioned "general" framework (however conjured & baseless) & straight out my rude buttinski (however unqualified & inexperienced) one might think it fair and reasonably logical commentary and maybe even not-so-very-rude to suggest that what one tells the entire world about a specific system even if it is (key 4-words here>>>) what it doesn't do (<<<end of 4) is a backdoor/reverse engineer springboard for leading to (4>>>) what it might do (<<<end), how to exploit & stick something unpleasant down the pipe line (if not SQl, perhaps something more slick) & cause discomfort.
So as I might suggest to a neighbor in a bad neighborhood, "Hey I thought I saw your backdoor wide open when is in my backyard cookin BBQ earlier. Just a heads-up!" I therefore give you all that up there. I mean, this is really a pretty tough neighborhood, I mean all this mudslinging & calling people horrible names like "dork", I mean it's just frightening. So there you are and I certainly would love to look over reasonable argument(s) that might make the above doodoo - again not to start a tiff but for my own personal intellectual edification.
Regards
Edit: Oh and just to complete the real world scenario per backdoor. He says, "Well no matter as that's where I keep the Rottweillers." So I go, "Oh, I'm an ass nvrmind take care." However, the dirty looking tatted up guy one yard over who just got off on parole overhears and now he knows he need to steal a silencer and larger calibur bullets this Staurday when he busts in and steals the stereo and 18 year old daughters virginity while the parents are on their Paris trip... etc, etc...Ok now I feel better as I feel this more symmetric a case or at least more insane.
So as I am not & wasn't before looking to step on toes here I dare move on. Moreover, I am not saying anyone is saying this as I'm just being thorough in clearing any landmines before I blunder & step and they kaboom as I give all the benefit of the doubt per making such cliche accusations. But I add further within this previously mentioned "general" framework (however conjured & baseless) & straight out my rude buttinski (however unqualified & inexperienced) one might think it fair and reasonably logical commentary and maybe even not-so-very-rude to suggest that what one tells the entire world about a specific system even if it is (key 4-words here>>>) what it doesn't do (<<<end of 4) is a backdoor/reverse engineer springboard for leading to (4>>>) what it might do (<<<end), how to exploit & stick something unpleasant down the pipe line (if not SQl, perhaps something more slick) & cause discomfort.
So as I might suggest to a neighbor in a bad neighborhood, "Hey I thought I saw your backdoor wide open when is in my backyard cookin BBQ earlier. Just a heads-up!" I therefore give you all that up there. I mean, this is really a pretty tough neighborhood, I mean all this mudslinging & calling people horrible names like "dork", I mean it's just frightening. So there you are and I certainly would love to look over reasonable argument(s) that might make the above doodoo - again not to start a tiff but for my own personal intellectual edification.
Regards
Edit: Oh and just to complete the real world scenario per backdoor. He says, "Well no matter as that's where I keep the Rottweillers." So I go, "Oh, I'm an ass nvrmind take care." However, the dirty looking tatted up guy one yard over who just got off on parole overhears and now he knows he need to steal a silencer and larger calibur bullets this Staurday when he busts in and steals the stereo and 18 year old daughters virginity while the parents are on their Paris trip... etc, etc...Ok now I feel better as I feel this more symmetric a case or at least more insane.
Last edited by boombingbang on Fri Oct 26, 2007 1:24 am, edited 1 time in total.
- boombingbang
- Respected member
- Posts: 180
- Joined: Sun Sep 23, 2007 12:54 pm
by Steve on Fri Oct 26, 2007 1:14 am
Probably an extremely bad place for me to post this, but let me give you an example of a simple SQL injection. Its known to the creators of this package and for some unknown reason so far unpatched. Although there is a patch available to those who care enough to worry about keeping things safe, 99% of sites using this package fail this test....
Here goes (maybe this will kick those lazy buggers into getting this fixed).
Search on google for "product_info.php".
You will find a list of probably thousands of OsCommerce driven websites (and yes, a ton of porn sites use this package for their DVD sales).
Open any of the sites listed on google.
In the URL when viewing a product add the following to the URL
¤cy=gbp (if the site uses UK money) or ¤cy=usd (if the site uses US Dollar) or ¤cy=eur (if the site uses Euro).
What happens here is not so much an injection (as were not actually changing anything on the database) but an exploit of bad coding. OsCommerce in many cases will switch on register_global locally to allow for bad coding to be acceptable... opening the door unfortunately to this kind of exploit.
The currency variable will be passed and allowed due to it being a recognised global. However, the currency variable should always be in uppercase, and we have injected it in lowercase. This results in the database going "um, cannot find this so therefore the price of every single item on this store must be... errm.. 0".
You cannot checkout as no billing company will allow a 0 valued item to be bought, but its an example of how it works and why register_globals should never ever ever be on.
Anyone who has an OsCommerce store who has just tried this and shit themselves... the fix is using a STRTOUPPER command in your code to force any lowercase currency values to uppercase. Easy fix and one that SHOULD be in the source...
That is how SQL injections work and a damn good example of bad coding. As I know that nothing malicious can come from this, I am happy to post it. However, I know others that are a tad more serious but I will not divulge. I am white hat, not black hat.
Here goes (maybe this will kick those lazy buggers into getting this fixed).
Search on google for "product_info.php".
You will find a list of probably thousands of OsCommerce driven websites (and yes, a ton of porn sites use this package for their DVD sales).
Open any of the sites listed on google.
In the URL when viewing a product add the following to the URL
¤cy=gbp (if the site uses UK money) or ¤cy=usd (if the site uses US Dollar) or ¤cy=eur (if the site uses Euro).
What happens here is not so much an injection (as were not actually changing anything on the database) but an exploit of bad coding. OsCommerce in many cases will switch on register_global locally to allow for bad coding to be acceptable... opening the door unfortunately to this kind of exploit.
The currency variable will be passed and allowed due to it being a recognised global. However, the currency variable should always be in uppercase, and we have injected it in lowercase. This results in the database going "um, cannot find this so therefore the price of every single item on this store must be... errm.. 0".
You cannot checkout as no billing company will allow a 0 valued item to be bought, but its an example of how it works and why register_globals should never ever ever be on.
Anyone who has an OsCommerce store who has just tried this and shit themselves... the fix is using a STRTOUPPER command in your code to force any lowercase currency values to uppercase. Easy fix and one that SHOULD be in the source...
That is how SQL injections work and a damn good example of bad coding. As I know that nothing malicious can come from this, I am happy to post it. However, I know others that are a tad more serious but I will not divulge. I am white hat, not black hat.
- Steve
by Steve on Fri Oct 26, 2007 1:21 am
I'll tell you what annoys me on website more than anything else. Its those damn flash animations that not only look shit, but force you to "click to activate". Its about time the people installing their crap flash code should embed it using swfobject into javascript to stop that Microsoft created bollocks (due to them losing a copyright battle).
Also, if any budding designers are out there using flash and now going "what the hell does he know?" If your site looks like this http://www.2advanced.com then you have the right to use flash... if it doesn't and will never... then stop using it... its tacky.
For reference - http://v4.2a-archive.com/flashindex.htm is another example of 2advanced.. the worlds best website designers (and no, I don't work for them and god I wish I did)
Edit: An afterthought and my apologies to albinoblacksheep... cause who could possibly call this crap - http://www.albinoblacksheep.com/flash/drum
Also, if any budding designers are out there using flash and now going "what the hell does he know?" If your site looks like this http://www.2advanced.com then you have the right to use flash... if it doesn't and will never... then stop using it... its tacky.
For reference - http://v4.2a-archive.com/flashindex.htm is another example of 2advanced.. the worlds best website designers (and no, I don't work for them and god I wish I did)
Edit: An afterthought and my apologies to albinoblacksheep... cause who could possibly call this crap - http://www.albinoblacksheep.com/flash/drum
- Steve
by boombingbang on Fri Oct 26, 2007 2:46 am
I have so many complaints about various website decisions & features & technology & blah that as I said before I decided to sell verse design or something else tech associated - if had gone one of the tech routes I probably would have long jumped out a window to the disappointment of more than a few - that is upset at me being here and breathing right now. However, one of the few blanket statements I feel comfortable committing on, per a very specific case, is that when it comes to presentation, intuitive-ness & intra-website transit, if designed & built such that the interface is 100% Adobe Flash or like technology, it's possible to do a good job. So here's the lamest, most emasculating possible example I could find & try to cover up that I actually visited with genuine interest as a geekboy fan having read all 7 books per my deep personal shame. Smooth flow, easiness on the eyes - though that site's admittedly a bit over the top for non-losers if not the girlishly overenthused - is good whether it's a Flash site like that or otherwise. Overall, simplicity is king and WOW what a nice tie-in to a familiar & well-designed counterexample to Flash.
- boombingbang
- Respected member
- Posts: 180
- Joined: Sun Sep 23, 2007 12:54 pm
by Steve on Fri Oct 26, 2007 4:36 am
Are you affiliated in any way to porgirls.com? I am just interested due to your positive review on the site design regarding simplicity.
I would have to be honest that from a website designers point of view I was initially shocked at the overwhelming size of the initial loading page. From the word go it breaks quite a few defined rules in website design and the most obvious being that the initial entry page takes far too long to load.
They are also utilising a big no no in regards to modern site design with the use of animated flashing gifs. Most webmaster discussion sites will always recommend not using those.
The site also does not utilise any form of CMS. I find that strange for a porn site. This means that the updates must be done via a HTML editor which must be very time consuming.
The security related to the site is also very weak. Its using a unix based htaccess/htpasswd approach which I have not seen for a long time. That affords it no protection to a brute force attack which means I would not be surprised to see shared passwords on sites that like sharing them.
Its also quite unusual to see a site of that nature not giving some warning on the opening page that it has adult related content and to proceed at the users discretion.
The USC 2257 also seems a bit suspect. Having 5 custodians all holding the records seems very unlikely. Generally, you have one custodian who maintains the database of records as well as holds the identification images. I am not sure how 5 people could all simultaneously hold the original consent forms and ID images given that they are in different countries?!?
Ultimately, it would be interesting to give bestporn.com or adultreviews.com a nod about this one and see what their feedback is.
They do appear to have a lot of content though which is a positive.
I would have to be honest that from a website designers point of view I was initially shocked at the overwhelming size of the initial loading page. From the word go it breaks quite a few defined rules in website design and the most obvious being that the initial entry page takes far too long to load.
They are also utilising a big no no in regards to modern site design with the use of animated flashing gifs. Most webmaster discussion sites will always recommend not using those.
The site also does not utilise any form of CMS. I find that strange for a porn site. This means that the updates must be done via a HTML editor which must be very time consuming.
The security related to the site is also very weak. Its using a unix based htaccess/htpasswd approach which I have not seen for a long time. That affords it no protection to a brute force attack which means I would not be surprised to see shared passwords on sites that like sharing them.
Its also quite unusual to see a site of that nature not giving some warning on the opening page that it has adult related content and to proceed at the users discretion.
The USC 2257 also seems a bit suspect. Having 5 custodians all holding the records seems very unlikely. Generally, you have one custodian who maintains the database of records as well as holds the identification images. I am not sure how 5 people could all simultaneously hold the original consent forms and ID images given that they are in different countries?!?
Ultimately, it would be interesting to give bestporn.com or adultreviews.com a nod about this one and see what their feedback is.
They do appear to have a lot of content though which is a positive.
- Steve
27 posts
• Page 1 of 2 • 1, 2
Who is online
Users browsing this forum: No registered users and 0 guests