Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

this is fun?
From: Jeffrey Denton <dentonj () gmail com>
Date: Sun, 20 Feb 2005 12:10:06 -0700

On Sun, 20 Feb 2005 14:51:48 +0100, Christian <evilninja () gmx net> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brandy Simon wrote:
http://picserv.on.zoy.org/IM39571.jpg

hm, what exactly is it?

$ wget http://picserv.on.zoy.org/IM39571.jpg
- --14:45:06--  http://picserv.on.zoy.org/IM39571.jpg
           => `IM39571.jpg'
Resolving picserv.on.zoy.org... 80.65.228.129
Connecting to picserv.on.zoy.org[80.65.228.129]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
14:45:06 ERROR 404: Not Found.


Sometimes you have to have to use a sniffer.  Grabbed with lynx and ethereal:

GET /IM39571.jpg HTTP/1.0
Host: picserv.on.zoy.org
Accept: text/html, text/plain, text/sgml, video/mpeg, image/jpeg,
image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm,
image/gif, application/postscript, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e

. . .

POST /index.php HTTP/1.0
Host: picserv.on.zoy.org
Accept: text/html, text/plain, text/sgml, video/mpeg, image/jpeg,
image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm,
image/gif, application/postscript, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e
Referer: http://picserv.on.zoy.org/IM39571.jpg
Content-type: application/x-www-form-urlencoded
Content-length: 28

content=&send=1&refer=&user=

. . .

GET /lm.php HTTP/1.0
Host: picserv.on.zoy.org
Accept: text/html, text/plain, text/sgml, video/mpeg, image/jpeg,
image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm,
image/gif, application/postscript, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e
Referer: http://picserv.on.zoy.org/IM39571.jpg

. . .

GET /lm.php?CLICK+ME=CLICK+ME HTTP/1.0
Host: picserv.on.zoy.org
Accept: text/html, text/plain, text/sgml, video/mpeg, image/jpeg,
image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm,
image/gif, application/postscript, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
User-Agent: Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7e
Referer: http://picserv.on.zoy.org/lm.php

The page lm.php sets a number of variables depending on the User-Agent
string, but only does something different if you are using IE.

var nom = navigator.appName.toLowerCase();
var agt = navigator.userAgent.toLowerCase();
var is_major  = parseInt(navigator.appVersion);
var is_minor  = parseFloat(navigator.appVersion);
var is_ie     = (agt.indexOf("msie") != -1);
var is_ie4up  = (is_ie && (is_major >= 4));
var is_nav    = (nom.indexOf('netscape')!=-1);
var is_nav4   = (is_nav && (is_major == 4));
var is_mac    = (agt.indexOf("mac")!=-1);
var is_gecko  = (agt.indexOf('gecko') != -1);
//  GECKO REVISION
var is_rev=0
if (is_gecko) {
temp = agt.split("rv:")
is_rev = parseFloat(temp[1])

. . .

<input type="submit" value="CLICK ME" name="CLICK ME" style="width:
2000px; height: 2000px; background-image: url('pooped.jpg'
);"
src="hello.jpg" height="300" width="300" onmouseover="if(is_ie)
{showModelessDialog('procreator.php'); return true; }document.goatse
.reset();playBall();return true;"
onclick="if(is_ie) {showModelessDialog('procreator.php'); return true;
} playBall();return true;"
onmouseout="if(is_ie) {showModelessDialog('procreator.php'); return
true; } else{procreate();} playBall();return true;">


And so on...  I haven't looked at all of the other .php pages yet.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]