Current Page: 5 of 11
Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 23, 2006 10:27PM

That was my understanding as well... the redirect would only be useful if the same redirect had a response splitting hole in it as well. And even still you need control over something to send the data to or to use it in a CSRF or something.

What kind of API are you writing?

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 23, 2006 10:35PM

well basically, it'll work by including the API script.. and using
mhtml_pull("http://targetsite.com","callBackFunction")

the mhtml_pull function will work its magic and pull the info by mhtml: .. then once it receives it (onreadystatechange) it'll call the callback function with everything passed to it
callBackFunction("target sites html here")

but it's only about half complete right now

-maluc

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 23, 2006 10:44PM

oh, and i don't think a response splitting would work.. since i think that's firefox only.. and mhtml vuln is IE only

-maluc

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 23, 2006 10:57PM

That's very cool that you're writing an API to do that. Let me know when you're done. That'd definitely worth a post.

True response splitting will work in IE... header injection won't... I rarely do full response splitting because it's a pain to type, but yes, you're right that what I generally put in the response splitting directory won't work.

- RSnake
Gotta love it. http://ha.ckers.org
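
To make the distinction drawn in the post above concrete, here is an added example (not RSnake's or maluc's code, and not a model of how any particular browser, IE or Firefox, treats the result): a constructed redirector that copies a decoded ?url= parameter straight into the Location header, a small parser that carves the resulting byte stream into HTTP responses the way a simple client would, and the two payload shapes. Header injection only adds a header to the single 302; full response splitting ends that response with its own Content-Length and supplies a complete second response whose body the client renders. The hardened builder rejects any control byte in the target. Hostnames and payloads are made up for this example.

```python
from typing import Dict, List
from urllib.parse import quote, unquote

# Two constructed payloads, percent-encoded as they would travel in a query string.
# Header injection: one CRLF followed by an extra header line.
HEADER_INJECTION = quote("http://a.example/\r\nSet-Cookie: session=attacker", safe=":/")
# Full response splitting: terminate the 302 with its own Content-Length, then start
# a second, complete response whose 25-byte body the client will render.
RESPONSE_SPLITTING = quote(
    "http://a.example/\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
    "<script>alert(1)</script>",
    safe=":/",
)


def build_redirect_vulnerable(url_param: str) -> bytes:
    """Naive redirector: the decoded parameter goes straight into Location."""
    location = unquote(url_param)
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode("latin-1")


def build_redirect_hardened(url_param: str) -> bytes:
    """Same redirector, but CR, LF, other control bytes and non-ASCII are rejected,
    so neither payload shape can leave the Location value."""
    location = unquote(url_param)
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in location):
        raise ValueError("control or non-ASCII character in redirect target")
    return ("HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n").encode("latin-1")


def split_responses(stream: bytes) -> List[Dict[str, object]]:
    """Carve a byte stream into HTTP responses: status line, headers up to the blank
    line, then Content-Length bytes of body. Stray CRLFs between responses are skipped."""
    responses = []
    rest = stream.lstrip(b"\r\n")
    while rest:
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            break  # truncated header block; stop parsing
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")  # split on the first colon only
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        length = int(headers.get("content-length", "0"))
        body, rest = rest[:length], rest[length:]
        responses.append({
            "status": lines[0].decode("latin-1"),
            "headers": headers,
            "body": body.decode("latin-1"),
        })
        rest = rest.lstrip(b"\r\n")
    return responses
```

Running split_responses over build_redirect_vulnerable(HEADER_INJECTION) yields one response carrying the attacker's Set-Cookie header; over build_redirect_vulnerable(RESPONSE_SPLITTING) it yields two, the second being the attacker's 200 with the script body. build_redirect_hardened raises on both payloads and passes a plain URL unchanged.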

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 23, 2006 11:04PM

ah, i'll have to go learn how to do the full version then.. i assume it'll just be matching a full request with a buttload of %0A%0D's. Never an end to the learning i guess :/

and ya, i'll send it when i'm done.. or post it somewhere in this forum. I might cry if microsoft patches it before patch tuesday though..

-maluc

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 23, 2006 11:16PM

Shhh, it's not done. http://ha.ckers.org/response-splitting.html

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 23, 2006 11:30PM

hehehe, you spoil me ^^

-maluc

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 24, 2006 02:28PM

lol.. http://www.maluc.com/go.php?aHR0cDovL25vdG1hbHVjLmNvbQ==

-maluc

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: October 24, 2006 04:22PM

What was supposed to happen? I just got redirected to notmaluc.com

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: maluc
Date: October 24, 2006 04:41PM

thats why it's posted in the 'Redirects Edition' thread.. -.-

and i was too lazy to check for splitting but i will now. i really wanted to also find an XSS hole on the domain, to add it into this api - hopefully completed before the end of the night

-maluc

Re: So it begins - Redirects Edition
Posted by: unsticky
Date: October 26, 2006 04:54PM

[clk.about.com]

[www.aol.com]



Edited 1 time(s). Last edit at 10/27/2006 12:45AM by unsticky.

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: November 05, 2006 12:04AM

https://www.hollywoodvideo.com/offsite.aspx?url=http://www.cnn.com/

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: rsnake
Date: November 07, 2006 10:46PM

http://appzone.intel.com/scripts-util/serve-url.asp?iid=contactus+relate_techsupport&url=http://www.cnn.com/

- RSnake
Gotta love it. http://ha.ckers.org

Re: So it begins - Redirects Edition
Posted by: maluc
Date: November 11, 2006 08:18AM

http://search.hp.com/redirect.html?url=http://dell.com

-maluc

Re: So it begins - Redirects Edition
Posted by: alf
Date: November 11, 2006 03:42PM

great one for spammers....

http://www.ard.de/cmwebapp/util/redir.jsp?url=http%3A%2F%2Fn0n4m3-cr3w.de/Subdomain_Service/alf/

ard= The Arbeitsgemeinschaft der öffentlich-rechtlichen Rundfunkanstalten der Bundesrepublik Deutschland ("Cooperative association of public-law broadcasting institutions of the Federal Republic of Germany"), or simply ARD, is a joint organization of Germany's regional public broadcasting agencies. It was founded in West Germany in 1950 to represent the common interests of the new post-war broadcasting services - mainly the introduction of a joint television network.



Edited 1 time(s). Last edit at 11/11/2006 03:44PM by alf.

Re: So it begins - Redirects Edition
Posted by: jungsonn
Date: November 11, 2006 04:07PM

Would be cool if you redirect every redirecting page to one another, u could do this forever i guess...

http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://www.blackboxsearch.com

Re: So it begins - Redirects Edition
Posted by: nrg
Date: November 11, 2006 06:14PM

@ jungsonn Firefox recognizes redirection loops and stops them. I don't know if it would stop them when the redirection was through several different pages though.
Anyway i think maluc or whiteacid made something like that in this topic (didn't last long).

--
http://chasenet.org/home/

Re: So it begins - Redirects Edition
Posted by: sjensen
Date: November 12, 2006 12:20AM

http://www.powersportsnetwork.com/redirect.asp?dealercode=1&url=http://sla.ckers.org

Re: So it begins - Redirects Edition
Posted by: jungsonn
Date: November 12, 2006 03:16AM

Quote

Firefox recognizes redirection loops and stops them. I don't know if it would stop them when the redirection was through several different pages though.
Anyway i think maluc or whiteacid made something like that in this topic (didn't last long).

This long loop seems to work perfectly:
http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=https://www.hollywoodvideo.com/offsite.aspx?url=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://idl.ee.washington.edu/Redirect.php?ID=22&Publication=http://www.blackboxsearch.com

Or does it happen in a background process? but still i get there with the insane redirection above.



Edited 1 time(s). Last edit at 11/12/2006 03:32AM by jungsonn.
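
As an added example (not part of the thread, and not a model of Firefox's or of any real site's behaviour), the code below follows a redirect chain the way a client with loop detection would. It uses two constructed open redirectors on made-up hosts, redir-a.example (?Publication=) and redir-b.example (?url=), shaped like the pair chained in the post above, plus a small fixed table that makes two pages point at each other. It shows three things worth checking when building a chain like that: a properly percent-encoded chain is followed one hop per layer; a loop that crosses hosts is still caught by a visited-set, independent of how many different pages it passes through; and an unencoded chain collapses to a single hop when the server takes the last value of a repeated query parameter (as PHP's $_GET does), because every inner "&Publication=" is parsed as another value of the outer parameter rather than as part of the nested URL. The hop cap and all names are assumptions of this example.

```python
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, urlsplit

MAX_HOPS = 20  # constructed hop cap; browsers apply a fixed limit of similar size

# Constructed loop: two pages on different hosts redirecting to one another.
LOOP_TABLE = {
    "http://redir-a.example/loop": "https://redir-b.example/loop",
    "https://redir-b.example/loop": "http://redir-a.example/loop",
}


def redirector(url: str) -> Optional[str]:
    """Stand-in for the servers: return the Location they would send, or None for a
    final page. Like PHP's $_GET, a repeated query parameter yields its *last* value."""
    if url in LOOP_TABLE:
        return LOOP_TABLE[url]
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if parts.netloc == "redir-a.example" and parts.path == "/Redirect.php":
        return qs["Publication"][-1] if "Publication" in qs else None
    if parts.netloc == "redir-b.example" and parts.path == "/offsite.aspx":
        return qs["url"][-1] if "url" in qs else None
    return None


def follow(url: str, max_hops: int = MAX_HOPS) -> Dict[str, object]:
    """Follow Location headers until a final page, a revisited URL, or the hop cap."""
    seen = set()
    chain = [url]
    while True:
        if url in seen:
            return {"result": "loop", "chain": chain}
        seen.add(url)
        if len(chain) - 1 >= max_hops:
            return {"result": "too_many_hops", "chain": chain}
        nxt = redirector(url)
        if nxt is None:
            return {"result": "final", "chain": chain}
        chain.append(nxt)
        url = nxt


def nest(final_url: str, depth: int) -> str:
    """Wrap final_url in `depth` alternating redirectors, percent-encoding each layer
    so that every hop peels off exactly one level."""
    url = final_url
    for i in range(depth):
        if i % 2 == 0:
            url = "https://redir-b.example/offsite.aspx?url=" + quote(url, safe="")
        else:
            url = "http://redir-a.example/Redirect.php?ID=22&Publication=" + quote(url, safe="")
    return url


# The unencoded shape used in the post above: the inner "&Publication=" becomes a
# second value of the outer parameter, so the outer redirector jumps straight to the end.
UNENCODED_CHAIN = (
    "http://redir-a.example/Redirect.php?ID=22&Publication="
    "https://redir-b.example/offsite.aspx?url="
    "http://redir-a.example/Redirect.php?ID=22&Publication=http://final.example/"
)
```

follow(nest("http://final.example/", 6)) walks six hops and lands on the final page; follow("http://redir-a.example/loop") stops on the third URL because it was already seen; follow(UNENCODED_CHAIN) reaches http://final.example/ in one hop, which is the behaviour to expect whenever nested redirect URLs are not percent-encoded.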

Re: So it begins - Redirects Edition
Posted by: alf
Date: November 12, 2006 02:02PM

http://adclient.uimserv.net/event.ng/Type=click&Redirect=http://www.n0n4m3-cr3w.de/Subdomain_Service/alf/index.php?ct=apps

Re: So it begins - Redirects Edition
Posted by: alf
Date: November 12, 2006 02:16PM

http://de.ard.yahoo.com/SIG=12lnn77nh/M=200084491.201287525.202593797.200702075/D=finfr/S=97107386:FB2/Y=FR/EXP=1163448820/A=200544671/R=0/SIG=113es77l7/*http://www.mybeNi.tk

dunno if this was here before

Re: So it begins - Redirects Edition
Posted by: maluc
Date: November 12, 2006 05:46PM

i posted the same link for the us.ard.yahoo.com one a while back.. but it's nice to know it works for all their *.ard.yahoo.com subdomains.

The only problem is that it expires.. all the parameters cannot be changed except the last three (A,R,second SIG) .. so it seems they are hashed together or interdependent. Would be very nice if someone could reverse engineer their validating scheme to make it a quasi-open redirect

-maluc

Re: So it begins - Redirects Edition
Posted by: Spikeman
Date: November 13, 2006 01:15AM

This is cool because you can inject stuff into the meta tags (I'm not that knowledgeable about meta tags, but maybe you could do other things as well).

http://dictionary.reference.com/browse/0;url=http://google.com%22%20http-equiv=%22refresh%22%20xss=%22

Re: So it begins - Redirects Edition
Posted by: alf
Date: November 13, 2006 09:37AM

http://www.gmx.net/dereferer.do?dest=http%3A%2F%2Fwww.mybeNi.tk
http://toi.passul.t-online.de/cgi-bin/XP/toi/pers/dsl/mehr01,toi/pers/ziel,0,2,1?l=http://www.mybeNi.tk
http://www.arcor.de/home/extern_track.php?url=http://www.mybeNi.tk&name=click-shopping&kat=nav
http://www.rtl.de/tools/count/xdot/count.php?id=12&artikelid=12&dst=http://www.mybeNi.tk
http://cre.chunnel.de/bounce.php?url=http://www.mybeNi.tk
http://www.vox.de/tools/count/navcount.php?referrer=vox_filme&target=http://www.mybeNi.tk

GMX = Freemail
t-online = germanys largest ISP (TELEKOM)
arcor = another isp
RTL, VOX = tv companies

Re: So it begins - Redirects Edition
Posted by: sjensen
Date: November 13, 2006 04:20PM

http://www.netelco.com/redir.php?url=http://sla.ckers.org/



Edited 1 time(s). Last edit at 11/13/2006 04:21PM by sjensen.

Re: So it begins - Redirects Edition
Posted by: rdivilbiss
Date: November 13, 2006 06:22PM

http://www.krha.org/goto.cfm?page=http://sla.ckers.org/

Re: So it begins - Redirects Edition
Posted by: maluc
Date: November 14, 2006 02:18AM

they also whitelist infonow.net .. http://www.usa.visa.com/track/dyredir.jsp?rDirl=http://hp.infonow.net/bin/findNow?CLIENT_ID%3DHP_LOC_CAN_SRV%26PAGE%3DSearchFinal.html%26PROD_DESC_NUM%3D6%26HIDDEN_TIER_2_TEXT%3D%3Cscript%3Edocument.location%3D%22http://example.com%22%3C/script%3E

whitelisting by domain seems like a bad idea for redirects.. as it relies on the security of other sites you don't control. Probably best to use either an obfuscated lookup table (i.e. redir.jsp?link=13524 instead) or explicit url matching. (i.e. site.com/index.htm != site.com/index.htm?a)

anyway, it's the xss hole on infonow that makes it possible

-maluc
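
An added example (not maluc's code and not any vendor's implementation) contrasting the three validation strategies named in the post above, with constructed hostnames, ids and destinations. The per-domain allow-list accepts anything on an allowed host, including a query string that carries a script for a reflected XSS on that host, which is exactly the shape that turns a "trusted" partner domain into an open redirect. The lookup table never accepts a URL from the client at all, and the exact-URL match rejects the same target as soon as its query string differs.

```python
from typing import Optional
from urllib.parse import urlsplit

# All hosts, ids and destinations below are constructed for this example.
ALLOWED_DOMAINS = {"locator.example", "partner.example"}

# Lookup-table approach: the client only ever sends an opaque id.
LINK_TABLE = {
    "13524": "https://locator.example/find",
    "88001": "https://partner.example/support/",
}

# Exact-match approach: the whole URL must appear verbatim, query string included.
ALLOWED_URLS = set(LINK_TABLE.values())

# A constructed target on an allowed host whose own reflected parameter carries a
# script, i.e. the kind of URL that defeats a per-domain allow-list.
XSS_ON_ALLOWED_HOST = (
    "https://locator.example/find?q=%3Cscript%3Edocument.location%3D"
    "%22http://evil.example%22%3C/script%3E"
)


def by_domain(url: str) -> Optional[str]:
    """Allow-list by hostname: trusts every page, parameter and bug on that host.
    Uses the parsed hostname, so user-info and subdomain tricks do not slip through,
    but an XSS anywhere on the allowed host still does."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_DOMAINS:
        return url
    return None


def by_lookup(link_id: str) -> Optional[str]:
    """Lookup table: the user never supplies a URL, only an id the server resolves."""
    return LINK_TABLE.get(link_id)


def by_exact_url(url: str) -> Optional[str]:
    """Exact match: site.com/index.htm is allowed, site.com/index.htm?a is not."""
    return url if url in ALLOWED_URLS else None
```

by_domain(XSS_ON_ALLOWED_HOST) returns the URL unchanged, while by_exact_url rejects it and by_lookup only knows the two fixed destinations; the scheme-relative and user-info variants are rejected by all three.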

Re: So it begins - Redirects Edition
Posted by: br0ken
Date: November 17, 2006 01:52PM

http://www.mytelus.com/
"Telus, the largest telecommunications company in western Canada"
but still suck at pretty much anything they do.

BTW I am new ... hi .. I will introduce myself in your introduction thread.

./br0ken

Re: So it begins - Redirects Edition
Posted by: maluc
Date: November 17, 2006 06:34PM

welcome broken, glad to have ya aboard..

don't think these have been disclosed before..

using iclk
http://pagead2.googlesyndication.com/pagead/iclk?sa=l&ai&adurl=http://asdf.com/
http://pagead.googlesyndication.com/pagead/iclk?sa=l&ai&adurl=http://asdf.com/
http://www.googlesyndication.com/pagead/iclk?sa=l&ai&adurl=http://asdf.com/
http://googlesyndication.com/pagead/iclk?sa=l&ai&adurl=http://asdf.com/
http://google.com/pagead/iclk?sa=l&ai&adurl=http://asdf.com/
http://code.google.com/pagead/iclk?sa=l&ai&adurl=http://asdf.com/

using adclick
http://pagead2.googlesyndication.com/pagead/adclick?sa=l&ai=&adurl=http://asdf.com/
http://pagead.googlesyndication.com/pagead/adclick?sa=l&ai=&adurl=http://asdf.com/
http://www.googlesyndication.com/pagead/adclick?sa=l&ai=&adurl=http://asdf.com/
http://googlesyndication.com/pagead/adclick?sa=l&ai=&adurl=http://asdf.com/
http://google.com/pagead/adclick?sa=l&ai=&adurl=http://asdf.com/
http://code.google.com/pagead/adclick?sa=l&ai=&adurl=http://asdf.com/

or any other valid google/googlesyndication subdomains

-maluc

Re: So it begins - Redirects Edition
Posted by: br0ken
Date: November 18, 2006 03:52PM

Thanks for the welcome maluc :)
good job beating up on google btw lol

I only got one redirect to add right now ...
walmart.com - silly working redirect

//edit
1 more
neoseeker.com



Edited 2 time(s). Last edit at 11/18/2006 04:14PM by br0ken.
