Silk Road forums
Discussion => Silk Road discussion => Topic started by: warweed on January 30, 2012, 09:03 am
-
http://warweedoeg6lfyoz.onion/search/
There is still going to be some work done to it in the next 48, but yeah, pretty much enter w.e you want to enter and it will search my db for that user name or uid. The search utility is 100% always up to date :)
but yeah this is just 1.0 :) I will work on cleaning it up a bit, make things linkable etc. I also plan to make it carve data on the fly
I suggest you bookmark it :) because a lot of times you're like shit what's such and such's profile, it happens trust me :)
anyways enjoy :) try not to abuse it too much because I can see your searches; if it starts to get abused I will just take it down
-
http://warweedoeg6lfyoz.onion/search/
There is still going to be some work done to it in the next 48, but yeah, pretty much enter w.e you want to enter and it will search my db for that user name or uid. The search utility is 100% always up to date :)
but yeah this is just 1.0 :) I will work on cleaning it up a bit, make things linkable etc. I also plan to make it carve data on the fly
I suggest you bookmark it :) because a lot of times you're like shit what's such and such's profile, it happens trust me :)
anyways enjoy :) try not to abuse it too much because I can see your searches; if it starts to get abused I will just take it down
Warweed thanks :)
-
you're welcome :)
-
pfft half expected a few replies :( you guys suck
-
Wow. I just noticed this in your sig.
Thanks a lot. It's really helpful. I've been waiting for something like this.
-
Nice one man :)
-
:)
-
Well this looks like it's the cat's pajamas! Thanks, warweed.
-
you're welcome :) thanks for looking :)
-
I haven't used the search function yet, but I wanted to say I really like the Up?Down link in your profile. You should let people become more aware of that. Really easy way to see if no one is getting in or just me.
Thanks!
-
Updated to make the names linkable
-
I haven't used the search function yet, but I wanted to say I really like the Up?Down link in your profile. You should let people become more aware of that. Really easy way to see if no one is getting in or just me.
Thanks!
Thanks OSO, not really sure how to spread the word more than it is :D
it will catch on sooner or later :)
-
Fooking sweet! This and your SR status page.
You're a true asset to the community - in so many ways.
-
thanks ben it's appreciated :)
-
shit, there are a few mito clones...
-
warweed, you rock.
This will be really useful, thanks! Asset indeed.
I could really use a bot that monitors my head stash quantity on hand, using order history to calculate lead times and ballpark cost, then finds the best deals using price comparison algorithms, obtains and deposits the correct amount of btc in my SR account, and finally places the orders.... ; ^)
Alternatively, being able to search based on country of origin would be really useful as well.
(and yes, the useless "undeclared" origin designation is the sand in that vagina)
-
there will be more options added to this in the future; it's kind of a when-I-get-to-it project. I would love to add some more on-the-fly data carving options, but for now it will do, since sr can't seem to build a search function that works worth shit :P
-
Thanks Warweed. Incredibly useful for finding vendors with no listings :)
-
Nice, you probably have talent to work as a computer script writer.
-
cheers. My scripting knowledge is limited but I'm learning more and more; this project is teaching me a lot actually. The project as of today is now a collaboration between renton and I, and we plan to add functions for pgp submission and verification, sr user statistics in regards to member joins and such, hopefully some rough sales figures, and a way to search sellers' feedback easily for less than 5 out of 5 ratings rather than doing it manually, and display links to that item ..
I mean all these things are way down in the future but are all thoughts we are having :) also improvements on sr's current search functions is a thought because let's face it sr's search function sucks balls .. though that has challenges by itself
-
Thanks Warweed! Both are super useful. I like your Up? much better than the Is It Up?....just one click! You can't beat that! ;D
-
Indeed, I kinda made it more or less for me but then got annoyed because everyone in the silc chat would not shut the fuck up about is it up or down, so I posted it .. I just made it super simple and made the title UP or DOWN; that way I could just leave the tab open and go about my work or w.e and I could see when it was up or down :) the biggest annoyance is not using JavaScript
-
Thanks a lot warweed that's really useful :D
-
Thanks Warweed! This and your up/down checker are extremely useful. Keep up the good work.
-
Hey warweed, if you have an idea to return the BTC exchange rate display it would be great. I think the reason SR removed that function was because if the SR site gets the BTC rate update from MtGox or wherever, the SR IP address or server information would be compromised, since a connection would be needed. Is there any way the script can be refreshed with a safe anonymous proxy?
-
it is a work in progress. sr actually removed it because having the exact known btc amount caused a small security issue with internal functions, not because of external; I will patch something around it
-
Holy shit, this is exactly what I've been asking for. Thank you so much, man.
-
no worries :D i needed it so i made it now i share it :D
-
Cheers warweed, this was really useful. :D
-
no worries :D i needed it so i made it now i share it :D
If I may enquire, I'm somewhat curious as to how it functions because of my programming background; where do you get the list of SR users? Is there other data that SR publishes that I don't know about?
-
MORE BOTS!!!
:)
-
MORE BOTS!!!
:)
I, for one, welcome our new robot overlords.
-
no worries :D i needed it so i made it now i share it :D
If I may enquire, I'm somewhat curious as to how it functions because of my programming background; where do you get the list of SR users? Is there other data that SR publishes that I don't know about?
I was waiting for this question lol. I carved every user profile on SR for some basic info and stats, and now that it's caught up it carves on the fly. Generally speaking, if you register an account I probably carved it before you even login for the first time
-
At time of writing this
157431:Coronanary
.
157432:beachbum
..........
157433:navarch72
157434:ep6664000
157435:krishnalovesyou
.
157436:FoaxNews
157437:asdejaf09
are the most recent users to SR. Each "." represents a 10-second wait; for instance it took 10 seconds between krishnalovesyou and FoaxNews signing up
-
hi warweed,
are the username links supposed to work?
what about SR users, can we search there too?
cheers.
-
Warweed, these two "bots" you've built are winners. Way to innovate like a boss.
If you fancy shrooms I'll send you a quarter ounce free, for the time you've put into these.
Either way, nice work!
http://silkroadvb5piz3r.onion/index.php/silkroad/user/139042
-
hi warweed,
are the username links supposed to work?
what about SR users, can we search there too?
cheers.
they work :) for instance http://warweedoeg6lfyoz.onion/search/index.cgi?warweed
Search results for: warweed
13555 : warweed
which links to http://silkroadvb5piz3r.onion/index.php/silkroad/user/13555 :)
-
Warweed, these two "bots" you've built are winners. Way to innovate like a boss.
If you fancy shrooms I'll send you a quarter ounce free, for the time you've put into these.
Either way, nice work!
http://silkroadvb5piz3r.onion/index.php/silkroad/user/139042
appreciate the fine offer chroot but I am more than set on boomers :)
thanks again though :)
-
they work :) for instance http://warweedoeg6lfyoz.onion/search/index.cgi?warweed
This link is vulnerable to Cross-Site Scripting (XSS). A simple demo would be http://warweedoeg6lfyoz.onion/search/index.cgi?<script>alert("blah")</script>. You'll want to make sure that any user input after the question mark is validated before returning any results (only allow numbers and a-z/A-Z, for example).
-
thanks secret squirrel are you who i think you are ?
but yes this was identified prior to release. It was more or less a quick utility tossed together; when I have time to work on it I will be implementing a regex. However, server side the security is not an issue and the script runs thru transparent tor. However I guess I should get off my ass and fix it up proper. The problem with a regex is sr does not implement one for user sign up, so there are a bunch of special chars in usernames
-
thanks secret squirrel are you who i think you are ?
I don't know? Who do you think I am?
but yes this was identified prior to release. It was more or less a quick utility tossed together; when I have time to work on it I will be implementing a regex. However, server side the security is not an issue and the script runs thru transparent tor. However I guess I should get off my ass and fix it up proper. The problem with a regex is sr does not implement one for user sign up, so there are a bunch of special chars in usernames
Any vulnerability could /potentially/ be used to find the real IP address of the server hosting the .onion site, and could possibly also be used to attack the users visiting the site. Saying that it's just "a quick utility toss together" is a poor excuse, imo. I'm not saying the site itself sucks -- because I think it's great -- but I'm saying that releasing code that you know is vulnerable is a bad thing.
-
Any vulnerability could /potentially/ be used to find the real IP address of the server hosting the .onion site, and could possibly also be used to attack the users visiting the site. Saying that it's just "a quick utility toss together" is a poor excuse, imo. I'm not saying the site itself sucks -- because I think it's great -- but I'm saying that releasing code that you know is vulnerable is a bad thing.
I'm quite aware of what it's capable of doing, however in this situation xss will not and can not reveal my location, simply due to the method in which the server was setup, though feel free to try at your please and share with us what you find
however "I guess" I can fix this; the only issue really is this "<H1>Search results for: $results_ </H1> "
FIX:
simple regex to sanitize the result in the <body>
# keep only letters, digits, underscore and space; tr -cd deletes every other byte (grep only selects matching lines, it does not strip characters, and the original _-0 range was invalid)
results_=$(printf '%s' "$1" | tr -cd '_0-9A-Za-z ')
please continue to try and find bugs :) and thank you for pointing it out; however I'm not so much concerned about my security, though I do understand that security of my users is most important
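A worked version of the fix discussed in this post, added here as an example rather than code from warweed's script or from the thread: it escapes the query for HTML output instead of only filtering it, so usernames containing special characters (which the thread notes sr allows at sign-up) still search correctly while a `<script>` tag in the query is rendered as harmless text, and it bounds the query length before any lookup. The function names `html_escape`, `allowlist_filter`, `check_length` and `render_heading` and the length limits are assumptions of this example; it also assumes the query arrives already URL-decoded in `$1`, which is how a CGI server such as thttpd passes an ISINDEX-style query (one without `=`) to the script.

```shell
#!/bin/sh
# Added example, not code from the thread: escaping versus allow-listing a
# CGI search query that is echoed into <H1>Search results for: ...</H1>.
# Assumes $1 already holds the URL-decoded query (CGI ISINDEX convention).

# html_escape: turn the five HTML-significant characters into entities.
# The username still reads the same on screen, but the browser treats it
# as text, so a <script> element in the query can no longer execute.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&#39;/g"
}

# allowlist_filter: the stricter approach from the thread, implemented so
# it actually removes characters (tr -cd deletes every byte outside the
# set; grep only selects whole lines). It is lossy: "john.doe" becomes
# "johndoe", so a username containing punctuation may no longer match.
allowlist_filter() {
    printf '%s' "$1" | tr -cd '_0-9A-Za-z '
}

# check_length: reject queries outside [MIN_LEN, MAX_LEN] before any lookup.
# The thread reports that over-long input produced a 400 from thttpd; an
# explicit bound keeps the script from ever processing such input.
# The limits are illustrative values chosen for this example.
MIN_LEN=1
MAX_LEN=64
check_length() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$len" -ge "$MIN_LEN" ] && [ "$len" -le "$MAX_LEN" ]
}

# render_heading: the line that was vulnerable, now printing the escaped
# value. Prints nothing and returns 1 when the query fails the length check.
render_heading() {
    check_length "$1" || return 1
    printf '<H1>Search results for: %s</H1>\n' "$(html_escape "$1")"
}

# Constructed sample queries (not taken from the site) for a quick demo.
SAMPLE_PLAIN='warweed'
SAMPLE_XSS='<script>alert("blah")</script>'
SAMPLE_DOTTED='john.doe'

if [ "${1:-}" = "--demo" ]; then
    render_heading "$SAMPLE_PLAIN"
    render_heading "$SAMPLE_XSS"
    printf 'allow-list of %s -> %s\n' "$SAMPLE_DOTTED" "$(allowlist_filter "$SAMPLE_DOTTED")"
fi
```

Run it with `--demo` to see both headings; the second one shows the script tag as entities rather than executing. Output escaping is the fix that works for any username the database may contain, while the allow-list is only safe to apply if the search itself is restricted to that character set.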
-
though please continue to test, it's much appreciated. I had identified the variable was not sanitized prior to release, was just trying to figure the best possible route in which to do it. There are a few other small quirks but they are being worked out as we speak
-
:) I'm happy to say the search function is being fully utilized ATM, I'm getting lots and lots of searches since this sale :D
-
MORE BOTS!!!
:)
I, for one, welcome our new robot overlords.
+1 and +1 for the tiny man that sits on my shoulder, who is also excited about robots.
and @war +3 for the scripting .......
and @the SR overlords, why isn't this integrated into the actual site? =P
and @the tiny man who sits on my shoulder, you owe me $8.50.
-
no idea why it's not integrated into the site :S
-
many thanks warweed, your search utility is very good!
oh, and i saw the "fuckoff" on the "homepage" ahahah :D
-
no idea why it's not integrated into the site :S
SR shoulda just hired you instead of not hiring me ;D
-
Lol I don't want to work for SR, you kidding me? I mean if he offered I would help, but I would not apply; at this point there are too many whiny sniveling brats complaining about the .25 btc they got ripped for. I would make for very bad customer service lol
-
Warweed = gets hired by SR, writes bot to automatically say "FUCKOFF" to every incoming message, ????, PROFIT.
-
already had an automated PMing bot: every new user, by the time they signed up and then logged in, had a new message from me waiting for them :) in fact this script was a spin-off of it
-
That ... sounds. .... .... Dangerous..
Are you watching me right now, war?!
-
Always ;)
-
please continue to try and find bugs :) and thank you for pointing it out; however I'm not so much concerned about my security, though I do understand that security of my users is most important
Happy to audit more. Want to share the code?
-
This is awesome warweed. 8)
-
Thanks to lilith2u for the .14 btc donation, you are the first to donate and I really appreciate it
to reply to supersecretsquirrel
I'm sorry, the code is closed source. You may externally audit it if you choose, but it does not contain any sql or anything of the like and is rather low tech and uses the KISS principle. The xss was identified before release, even, due to it injecting the variable into the body of the page; the regex stopped that
-
Hey War this is just a small nitpicky design/usability tip but what you just said about only one person donating to you made me think to tell you - On the results page after you search, you should make your name a link to your page. More people would be inclined to donate to you if they didn't have to hunt you down : )
-
Cheers :) I updated the page I think this is what you mean :)
thanks for the input
-
'
'
-1
-1000000000000000000000000000000
-1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
#
æøå
%nbsp;
../
<IMG
<LAYER
I wraff you wrose
-
I wraff you wrose
Turns out you get a nice piece of garbage printed if you enter enough characters that the server is not expecting. Good thing thttpd can handle it. Wonder if there's a username character limit.
-
Yeah you get a 400 error
something like this
UNKNOWN 400 Bad Request
Server:
Content-Type: text/html; charset=iso-8859-1
Date:
Last-Modified:
Accept-Ranges: bytes
Connection: close
Cache-Control: no-cache,no-store
<HTML>
<HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>400 Bad Request</H2>
Your request has bad syntax or is inherently impossible to satisfy.
<HR>
<ADDRESS><A HREF
not so much a security risk, moreover not patched .. lol this is good though, you are making me work.. however still not an exploit or vulnerability
-
not so much a security risk, moreover not patched .. lol this is good though, you are making me work.. however still not an exploit or vulnerability
True. I'll probably play nice and PM you directly if I come across something really interesting.
-
Great feature warweed. Bitcoins on the way. ;D
-
thanks to OldToker for the .40 btc donation, it is greatly appreciated
and SS cheers, tis no big really. I mean if my location is compromised it happens, I don't really have much to worry about. As for a user char limit, no, currently there is not one in place; we will be implementing both a max and min char limit fairly soon, I just have had some other projects on the go atm
-
just thought i would give er a bumpity bump for people who haven't seen yet
-
War! What now with the Stealth Mode?
PLEASE HELP US WARWEED YOU'RE OUR ONLY HOPE!
-
I'm high right now so maybe I'm missing something. If I knew the vendors name why would I need to search for it using Warweeds bot? There needs to be a bot where you can search for drugs not vendors (yes, I'm aware of the one on SR but that hides the stealth vendors so it's useless to find the drug you want from a stealth vendor). Again, I apologize if I'm missing something on account of being fucked up.
-
Search name => find URL => assist Warweed in taking over the world with Warbots.
YMMV . . .
-
I'm high right now so maybe I'm missing something. If I knew the vendors name why would I need to search for it using Warweeds bot? There needs to be a bot where you can search for drugs not vendors (yes, I'm aware of the one on SR but that hides the stealth vendors so it's useless to find the drug you want from a stealth vendor). Again, I apologize if I'm missing something on account of being fucked up.
You can only search for product names or categories with the 'search feature' built in the SR market.
Warweed, thanks for this.
-
Some members seem to be quite old:
has been a member for 42 years
was last seen: 42 years ago
has 0% positive feedback