Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Specific Sites :: b06-3097.htm

Apnaspace.com - XSS with cookie disclosure



Apnaspace.com - XSS with cookie disclosure
Apnaspace.com - XSS with cookie disclosure



Apnaspace.com (A myspace type site for arab & indian teens)=0D
=0D
Homepage:=0D
http://www.http://www.apnaspace.com=0D 
=0D
Effected files:=0D
=0D
* Comment input box:=0D
=0D
* Posting a blog entry:=0D
- Entry title=0D
- Entry body=0D
=0D
* Viewing a profile=0D
=0D
* Posting a bulletin.=0D
=0D
* Commenting on a picture=0D
=0D
* Sending mail to someone=0D
------------------------------------------------------=0D
=0D
XSS vuln with cookie disclosure via posting a comment:=0D
=0D
Since there a vulnerability in bbcode 1.23.1 and below, we can execute our XSS example and display the cookie info by putting the following in as a comment:=0D
=0D
[img]javascript:alert(document.cookie)[/img]=0D
=0D
This also works when creating a new blog entry too. Just put the above codeinasyour"entry title" or "entry subject"=0D
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/apna1.jpg=0D 
http://www.youfucktard.com/xsp/apna2.jpg=0D 
=0D
Our Cookie:=0D
=0D
TIME=1150153432; switchmenu; apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D; apnaforum_sid=2964cbd2c5a3f3d1a911fbf777c32300; NATIO=luny666;__utma=265362911.794893539.1150148238.1150148238.1150151884.2; __utmc=265362911; __utmz=265362911.1150148238.1.1.utmccn=(referral|utmcsr=dmoz.org|utmcct=/Recreation/Picture_Ratings/|utmcmd=referral; __utmb=265362911=0D
=0D
=0D
The cookie looks pretty much the same as a few of the others I've discussed. I'll just post whats needed:=0D
=0D
Dcoding the Hex value of:=0D
=0D
apnaforum_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2291da4589b012c2fe1ceac1fb2363dbc6%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%223462%22%3B%7D;=0D
=0D
We get:=0D
=0D
a:2:{s:11:"autologinid";s:32:"91da4589b012c2fe1ceac1fb2363dbc6";s:6:"userid";s:4:"3462";}=0D
=0D
What we need:=0D
=0D
91da4589b012c2fe1ceac1fb2363dbc6 (Our md5 hashed password, which is fuckit)=0D
=0D
Our userid is:3462=0D
=0D
Now lets godown to NATIO=luny666 (This is our username)=0D
=0D
Congrats, you now know the md5 hashed pw, which can be cracked, as well as our username from this cookie. Lets move on to other parts of the site that suffer from XSS vulns.=0D
=0D
---------------------------------------------=0D
=0D
Posting a bulletin XSS vuln:=0D
=0D
When postinga bulletin, userinput is not sanatized and filtered before being generated. So, unlike above, where we had to use the sites standard bbcode tags, we can just use normal html tags here. For PoC when submitting a bulletin, try putting  in as your bulletin subject.=0D 
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/apna3.jpg=0D 
http://www.youfucktard.com/xsp/apna4.jpg=0D 
http://www.youfucktard.com/xsp/apna5.jpg=0D 
=0D
----------------------------------------------=0D
=0D
Commenting on a picture:=0D
=0D
Same ast he first XSS vuln, we use bbcode here. ForPoC try putting the following in as your comment when rating a picture:=0D
=0D
[img]javascript:alert(document.cookie)[/img]=0D
=0D
Screenshots:=0D
http://www.youfucktard.com/xsp/apna6.jpg=0D 
http://www.youfucktard.com/xsp/apna7.jpg=0D 
=0D
-------------------------------------------------=0D
=0D
Sending someone mail:=0D
=0D
No filtering is needed here,for PoC as your mail title or subject just put:=0D
=0D 
=0D
---------------------------------------------------


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH