Hello! I was greeted by a group chat made on Discord, telling me about a UTTP website (uttpempire.com), so I got to work instantly.
1. The "not-so" exploits.
It was really easy to make an account with an already existing username: just put in an invisible character. Yes, they didn't patch that.
They used htmlspecialchars on existing posts, but not when posting, but it wasn't PHP-compatible :(
There were some files: admin.php, but that was protected.
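The duplicate-username trick above works when uniqueness is checked on the raw string. As an added example (not part of the original post or the site's code), this is one way a signup handler can compare names on a canonical key instead; `canonical_username`, `UsernameRegistry` and the extra code-point list are hypothetical names and constructed values.

```python
import unicodedata

# Unicode categories that never produce a visible glyph in a username:
# control, format (zero-width space/joiner, BOM, soft hyphen) and separators.
DROP_CATEGORIES = {"Cc", "Cf", "Zs", "Zl", "Zp"}

# Blank-looking code points that sit in letter/symbol/mark categories and so
# slip past the category check. Constructed list, not exhaustive.
EXTRA_INVISIBLE = {"\u115f", "\u1160", "\u3164", "\uffa0", "\u2800", "\u034f"}


def canonical_username(name: str) -> str:
    """Return the key used for uniqueness checks, not the display name."""
    # NFKC folds compatibility forms (fullwidth letters, NBSP, Hangul fillers);
    # casefold makes the comparison case-insensitive.
    folded = unicodedata.normalize("NFKC", name).casefold()
    kept = [
        ch for ch in folded
        if unicodedata.category(ch) not in DROP_CATEGORIES
        and ch not in EXTRA_INVISIBLE
    ]
    # Re-normalize because casefolding can leave a non-NFKC sequence.
    return unicodedata.normalize("NFKC", "".join(kept))


class UsernameRegistry:
    """In-memory stand-in for a table with a UNIQUE index on the canonical key."""

    def __init__(self):
        self._by_key = {}

    def register(self, name: str) -> str:
        key = canonical_username(name)
        if not key:
            raise ValueError("username has no visible characters")
        if key in self._by_key:
            raise ValueError(
                f"username collides with existing account {self._by_key[key]!r}"
            )
        self._by_key[key] = name
        return key
```

In a real application the canonical key belongs in its own column with a database-level unique constraint, so the check cannot be bypassed by a race between two signups.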
2. The real exploits.
I made a Python script checking for common database names; it was obvious the site was made with AI, so I took a shot.
I found a file named data.db; it had 2 users and a couple of messages, and it seemed like an old database (it was SQLite3).
After peeking more, I found database.sqlite; this one was 232MB! (compared to the previous ~200KB)
This had a lot more. I saved it and it had even more data; it even had passwords! (Though hashed; AI knows better than them.)
I used the rockyou.txt file to try to brute-force it. I didn't think it would work, but it did (SPOILER: it was 6 numbers).
We just nuked it, GG UTTP.
- 2025-08-03 13:13:28 +0000