
Small XSS hole


ghost:

Hi, I was recently messing around on my college website and I found a few security holes and stuff which are quite serious, I think.

You have to log in to use the college email thing, which means if I send via email a link to a page that I've XSS'd then I could do loads of stuff.

I also found out that the users' MD5 pass hashes are stored in a hidden form in the edit profile page, and that to change your pass you only need to be logged in; you don't need to re-enter your password or anything!!!

I'm not sure how I could do this, so any help would be appreciated, but how could I get an external script to grab the user's MD5 hash? I think it would be easiest with JavaScript but I'm not sure. Also the edit profile pages and stuff have the same URL for everyone, which makes it simpler.

I don't plan on causing any damage, just messing with it for the sake of knowledge.

Thanks in advance.
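The two weaknesses described in this post (the stored hash echoed into a hidden field, and a password change that needs nothing beyond a live session) are server-side design faults. As an added example that is not code from the thread or from the college site, here is a framework-agnostic Python sketch of the handler written the safe way round: the form carries only a CSRF token, and changing the password requires the current one. Names such as USERS, new_session, change_password and the form field names are assumptions for illustration.

```python
# Added example, not code from the thread or the college site. Names such as
# USERS, new_session and change_password are assumptions for illustration.
import hashlib, hmac, os, secrets

USERS = {}  # constructed in-memory store: username -> {"salt": bytes, "hash": bytes}

def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash (PBKDF2-HMAC-SHA256) instead of unsalted MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the derived value against the stored hash.
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])

def new_session(username: str) -> dict:
    """Login issues a random CSRF token bound to the session."""
    return {"user": username, "csrf": secrets.token_urlsafe(32)}

def render_edit_profile(session: dict) -> str:
    """The form carries only the CSRF token; the stored hash never reaches the
    browser, so script reading this page from an XSS context learns nothing."""
    return (f'<input type="hidden" name="csrf" value="{session["csrf"]}">'
            '<input type="password" name="current_password">'
            '<input type="password" name="new_password">')

def change_password(session: dict, form: dict) -> tuple:
    """Handle a submitted change-password form; returns (HTTP status, message)."""
    # 1. Token must match the one issued to this session: blocks cross-site posts.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403, "invalid CSRF token"
    # 2. Re-authenticate: a live session (or a stolen cookie) alone is not enough.
    if not verify_password(session["user"], form.get("current_password", "")):
        return 401, "current password incorrect"
    new_password = form.get("new_password", "")
    if len(new_password) < 8:
        return 400, "new password too short"
    set_password(session["user"], new_password)
    return 200, "password changed"
```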


ghost:

You could do a CSRF that loads the edit profile page and then run a script that takes the hash through the DOM and parses it into your own logger? Or just through XSS you can do a location.href, I think it is, and point it to your website with a cookie logger…


ghost:

or

document.body.innerHTML = "HTML CODE HERE";

like:

document.body.innerHTML = '<HTML><BODY onload="cookielogger_script()"></BODY></HTML>';

something like that…


ghost:

I don't think I explained it properly; I don't need the cookies. I just want to know how I could grab the page source of another page using XSS.

Thanks for the replies anyway.


ghost:

Oh lol.

Well, maybe you could do something like this:

view-source:URL

and then copy the contents of the URL into a txt file…

but that's kinda complicated I think (and I don't even know if that would work…)


ghost:

OK thanks, I'm doing some research and stuff, trying to find out about it, but if anyone knows how, it would really be appreciated.


ghost:

Why do you need a script to copy the source of a page anyway? Can't you do it manually?


ghost:

No, I'll explain it again, but a bit better this time I hope.

When you are logged in and you go to the edit profile page, the MD5 password hashes are in a hidden form which you can only see in the source or using the Web Developer toolbar.

I found an XSS hole that I think I'll be able to entice other users to click whilst logged in. I want to make some script which will be executed when they go to the XSS'd page that will grab the source of the edit profile page.

I could do it manually as you said, but I would only be getting my own hash, which would be pointless.


ghost:

Oh I see… so when an admin logs in and clicks that link, it logs their hash?

I think you can do that... do you know what variable the hash is set to?


ghost:

Skunkfoot wrote: Oh I see… so when an admin logs in and clicks that link, it logs their hash?

I think you can do that... do you know what variable the hash is set to?

You mean like the form id? Because I've got that; here's the snippet of source code for the profile edit page:

<INPUT TYPE="hidden" NAME="verifyPassword" VALUE="md5 hash here">

I want to be able to get the values from them from another page. Is that do-able?

ghost:

You mean like the form id? Because I've got that; here's the snippet of source code for the profile edit page:

<INPUT TYPE="hidden" NAME="verifyPassword" VALUE="md5 hash here">

I want to be able to get the values from them from another page. Is that do-able?

Hmmm...

Could you do some JS or something?

EX:
javascript:void(document.body.form_name.password="admin md5 hash");

I don't know how you'd write that to a txt file though... someone here knows, just not me :)

spyware (Banned):

Easy, first store the MD5 hash into a variable and set it as a cookie using JavaScript. Now, just continue with your cookie-logging method and you're done.


ghost:

OK thanks, I'll get coding some JS and I'll let you know if it works or not.

Thanks again for all the replies.


ghost:

sure man :P


ghost:

Correct me if I'm wrong here but… couldn't he get in quite a great bit of trouble regardless of any damage done? I mean, I recall someone who would putz around a bit with various sites to find holes and then actually report them to the site so that they could fix them, and even he got in quite a bit of shit… I don't know, I just wouldn't think messing around with a college's site would be a grand idea… especially if it's your own college. But hey, I don't know, I could be wrong.


ghost:

noober wrote: Correct me if I'm wrong here but… couldn't he get in quite a great bit of trouble regardless of any damage done? I mean, I recall someone who would putz around a bit with various sites to find holes and then actually report them to the site so that they could fix them, and even he got in quite a bit of shit… I don't know, I just wouldn't think messing around with a college's site would be a grand idea… especially if it's your own college. But hey, I don't know, I could be wrong.

This is called "hacking".

It's very safe and legal, I'm sure if you ask an AOL representative about it they will confirm that there's no harm to be done, and sysadmins are open and friendly to "hackers".

Happy trails!


ghost:

Lmao.

He's absolutely right though. Unless a sysadmin's stuff gets messed up, they usually won't care what you try. Especially if, when you find something exploitable, you tell them about their vulnerability and/or how to fix it. :D


ghost:

I suppose, it just doesn't always seem to hold true, such as in the case I mention.


ghost:

Well man, if I was a sysadmin and a hacker emailed me about a vuln. in my website and how to fix it… man, I would be very thankful he helped me… I dunno… maybe just me :) I think most people like being helped hahah.


ghost:

noober wrote: I suppose, it just doesn't always seem to hold true, such as in the case I mention.

That's why you don't tell them, and thus don't get caught.


ghost:

An alternative (and easier/more foolproof) method would be to use a normal cookie stealer, except with document.body.innerHTML instead of document.cookie. Then make a PHP script that parses the output and stores just the MD5 hash, maybe a session ID too if you wanted to add in document.cookie as another value or whatever for the cookie logger. I made one just to see how it works; took me about 10 minutes. PM me if you want the code.