Piczo Guestbook/Shoutbox Defacement


By Flaming_figures | 17443 Reads

NOTE: Some of this information may be out of date on some websites. Either way, how many ethical hacks can you do on people who use Piczo, honestly?

Alright, recent article submissions had bad feedback, but oh well. Let's start the new year with a bang. This information is for educational purposes only. In other words, don't screw around.

Now, if you run a Piczo website as a free photo dumping website with a guestbook, you know how unsafe it is to post in one. You may also notice while browsing that some people have bad conversations about others behind their backs in the guestbooks. This article will show you how to delete and edit posts, and also why it is unsafe to message in them. I will help you have a safer Piczo experience as well. Also, as I was recently informed by god, you can also do this to shoutbox entries. Another thing about shoutbox entries is that you can also receive the IP address of the poster.

Now, to do things to the post, you need two things: a Post ID and a very basic knowledge of JavaScript injection. VERY basic. It will be explained in here. Firstly, I will explain the guestbook.

[::Receiving the Post ID::]

How to edit messages/delete/post safely. Now, if you have ever posted, you will have noticed there is only a delete button. No edit button. That's no good, is it? Well, if you run a Piczo site, you may also notice your IP address is logged with every message. Now sure, you're saying "Use a proxy!" but if you can't find a working one, or you have already posted, this is for you. All you need to do to edit/delete a message is to get its ID. It is a long number that represents your post. To find this, simply place the cursor over the |X| button (delete) and look at the bottom of the screen. It should say something like "javascript: delGB(12345678);". That number is the post ID. Now I know you are wondering, "What if I want to edit someone else's post?" Well, this is easily solved. If you take a look in the source and find the post, the number should be sitting right on top. To simplify finding it, hit CTRL-F and type in the first word in the post. Now, what to do with the ID.

[::Doing things to the post::]

Now that you have the Post ID (let's use 25010754 as an example) you may be wondering how this will help you. Well, if you notice, everything touched on the website and added by users is done via JavaScript. This led me to find a simple yet effective injection. Now, the full injection is:

javascript:editPost(25010754)

Replace 25010754 with your Post ID. Insert that into the URL bar and a pop-up will come up with the old text in it. Now, whatever IP address the original post used, it will still be there. It should not be replaced with yours. Now you can edit it from here, or you can press the delete button and get rid of it. So now, you can edit any message.

[::Shoutbox Hacking::]

Now, shoutbox hacking is similar, although it doesn't use JavaScript. You find the Post ID the same way, or perhaps you need to highlight it and select "View Selection Source", for the Mozilla people. When you have that, look at the URL bar. At the beginning you should see something like pic1.blah blah blah or pic2.blah blah blah. That is the server. Now inject this into the URL, as if the server was pic5 and the ID was 47641150.

http://pic5.piczo.com/go/editpostapproval?plpid=47641150

You should come to a screen asking to approve, disapprove or delete the message. Check delete and hit OK.

(Shoutbox information was given by god. Er, the USER god.)
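
Both the guestbook editPost() call and the shoutbox editpostapproval URL above work because the server acts on whatever post ID it is handed without checking who is asking. The following added example (not from the original article and not Piczo's code; the store, session shape, roles and function names are all hypothetical) puts that flawed handler beside one that authorizes each action on the server and logs refused attempts.

```javascript
// Added example: hypothetical in-memory guestbook, not Piczo's code.
// Constructed sample data; the post IDs are the two used in the article.
function sampleStore() {
  return new Map([
    [25010754, { authorId: "alice", siteOwnerId: "carol", text: "hi", approved: false }],
    [47641150, { authorId: "bob", siteOwnerId: "carol", text: "yo", approved: false }],
  ]);
}

// Flawed pattern the article describes: knowing the post ID is enough.
function editPostUnchecked(store, session, postId, newText) {
  const post = store.get(Number(postId));
  if (!post) return { status: 404 };
  post.text = String(newText); // no check of who is asking
  return { status: 200 };
}

// Who may do what, decided on the server. A Map avoids inherited keys
// such as "constructor" being treated as valid actions.
const RULES = new Map([
  ["edit", (user, post) => user === post.authorId],
  ["delete", (user, post) => user === post.authorId || user === post.siteOwnerId],
  ["moderate", (user, post) => user === post.siteOwnerId],
]);

function authorize(session, post, action) {
  const rule = RULES.get(action);
  const user = session && session.userId;
  return Boolean(user && rule && rule(user, post));
}

// Hardened handler: the ID only selects the post; the session decides access.
function handlePostAction(store, session, action, postId, newText, auditLog) {
  const id = Number(postId);
  const post = store.get(id);
  const allowed = Boolean(post) && authorize(session, post, action);
  // Log every attempt; refused ones are the detection signal for ID tampering.
  auditLog.push({ action, postId: String(postId), user: session?.userId ?? null, allowed });
  // Same answer for "no such post" and "not yours", so IDs cannot be probed.
  if (!allowed) return { status: 404 };
  if (action === "edit") post.text = String(newText);
  else if (action === "delete") store.delete(id);
  else post.approved = true; // "moderate"
  return { status: 200 };
}
```

Hiding the edit button or the approval link changes nothing here; only the server-side check on the session does.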

[::Darkside of Piczo Guestbooks::]

This part is simple. Your IP is logged whenever you post. People have been arrested for threats, illegal conversations, etc. So now I will explain how to keep safe.

[::Keeping safe from police and bad hackers::]

Now, using a proxy is good enough, sometimes. But I have gone on with a proxy and received bull from it saying I couldn't post, or my proxy was null. To keep really safe, use another person's post! That's right. Get a recent post and edit it to your liking :) Anything said will have that person arrested! ;) ;) ;) So, I hope you have fun. Remember, there are many possibilities as to why someone would use this. Keep an open mind.

Comments
ghost 17 years ago

Got the same problem as holydog1 too :(((

ghost 17 years ago

Yea, same one, error while editing it...

Flaming_figures 16 years ago

Ya, I have started receiving that error. They must have very slowly caught on. I know your IP appears in the box and for me it was their IP that gets posted. RobertGame and I have talked about some more tricks and he released an article with some more information on how to do other stuff.

R3M0T3 H4CK3R 16 years ago

Almost 3 years ago I found some of those exploits for Piczo and sent them patches; obviously they still haven't done anything about them. Honestly, their coders are so incompetent it's almost criminal.

Flaming_figures 16 years ago

Ya, I sent in a fix and they did nothing a while ago, unless this is why the errors are coming in. Really, when you have flaws, and someone offers you an answer, take it damnit!