Hi,

Yeah its me again, trying to bypass blogspots security mechanisms. Actually I just wanted to write a short example script, using the mhtml bug to get a valid token and then send a valid request in.

This however does not work. Getting a token is not a problem but the response to my request is something like "we have a problem, something didn't work, send the following code to help us tracking down the issue and fixing it." - which is not what I expected.

The funny thing is, when I write my own HTML form, adressing to http://www2.blogger.com/blog-publishing.do (or similar), it'll be accepted and the command will be executed, provided that in doing so, the right variables are sent with.

So my question is: How comes that XMLHttpRequest doesn't work while a self-made HTML form does? -> Where is the difference?

Regards, Christian

XMLHttpRequest may send cookies along with it, but it does not send other headers afaik. There is a good chance this is the problem.

Watch the headers for a normal request with something like BurpProxy and then copy them in javascript.

var params 'stuff=things&variable=x'
xmlhttp.setRequestHeader('Content-Length', params.length)

Use the same technique for referer, content type, etc.

- Kyran

Okay thanks, I'll try that. Meanwhile, I've found out that I must send the blogID via GET as well, otherwise Blogger sends the error page discribed above.

At the moment the script looks like this:

requestObject.open('POST', 'http://www2.blogger.com/blog-publishing.do?blogID=2680014473523685840', true);
requestObject.setRequestHeader("Content-Type","application/x-www-form-urlencoded");


requestObject.send(
'securityToken=' + token +
'&publishMode=PUBLISH_MODE_BLOGSPOT'+
'&blogID=2680014473523685840'+
'&subdomain=xssvulnerabilities'+
'&pingWeblogs=false'
);

... which still doesn't work, while this works fine: http://nopaste.php-q.net/274834

Any further ideas are welcome.

Edit:
After having analyzed the different headers, I came to the solution that the reason must be the referer. Apparently blogger checks it. How can I manually change the referer?



Edited 1 time(s). Last edit at 02/10/2007 04:44PM by christ1an.

I know you can make the referer be blank by doing this:
http://5diggers.blogspot.com/

Many pages accept empty referers because some people manually disable the referer in their browser. I tried it against a forum before, first it complained about not accepting POST from that domain but by doing that trick it worked.

Thanks hasse!

As I found out, neither the referer nor a different header was the problem. I compared various requests with a programm named Wireshark and the a nice little firefox extension LiveHttpHeaders, which everybody should have installed by the way ;)

Well this whole thread is more or less nonsense because the problem is, like I said, quite far away from XHR, HTML forms or any headers.

To make it short:
On blogger.com, a securityToken looks somehow like this: 4WyU7aPsicovml2oG7gyd5KUoU=:1071549288454, I just picked it up and send it away. Unfortunately with the chars "=" and ":" in the token, the whole thing won't work because they need to be in ASCII format.

That is ASCII, what do you mean? Look here for the ASCII chart: http://ha.ckers.org/ascii.html

- RSnake
Gotta love it. http://ha.ckers.org

Well, how do you express this in english? :)
What I meant was, that I had to replace non-alphanumeric characters (like : and = in the stolen securityToken) with a percent sign followed by two hex digits, to make sure that the whole thing is encoded conform to the application/x-www-form-urlencoded media type. Pretty obvious but it took me several hours.

I think most of us call that hex encoded or url encoded.


Or at least I do. :P

- Kyran

It's actually called URL Encoding.

The same domain policy does not allow xmlHttpRequest to send request to other domain.

http://sec.jiaxu.de

the security token is base64 encoded.!

http://null-byt3.co.uk