
Sitestats.gif


ghost's Avatar

There's this certain site I love, but I'm in a little trouble with the webmaster now… I found this script at the bottom of the page:

```html
 var jv=1.0;
//--></script>
<script language=Javascript1.1><!--
 jv=1.1;
//--></script>
<script language=Javascript1.2><!--
 jv=1.2;
//--></script>
<script language=Javascript1.3><!--
 jv=1.3;
//--></script>
<script language=Javascript1.4><!--
 jv=1.4;
//--></script>
<script><!--
 function SiteStats_7134(){
  var t=new Date();
  var o='o='+t.getTimezoneOffset()+';';
  t=t.getTime();
  var isNN4=(document.layers)?true:false;
  var isCSS=(document.all)?true:false;
  var t='t='+t+';';
  var b='b='+(isCSS?(document.body.clientWidth+'x'+document.body.clientHeight):isNN4?(innerWidth+'x'+innerHeight):'')+';';
  var s='s='+(isCSS||isNN4?(screen.width+'x'+screen.height):'')+';';
  var c='c='+(isCSS||isNN4?screen.colorDepth :'')+';';
  var j='j='+jv+';'
  var p='p='+escape(location.href)+';';
  var r='r='+escape(document.referrer)+';';
  var u='http://www.thatwebsite.com/cgi-bin/sitestats.gif?'+t+b+s+c+j+o+p+r;
  document.write('<img src='+u+' width=1 height=1 style="position:absolute">');
  var f='var e=new Date();e=e.getTime();var I=new Image(1,1);I.src="'+u+'e="+e+";";';
  window.onunload=new Function(f);
  setTimeout('alive_7134("'+u+'")',0x249F0);
 }
 function alive_7134(u){
  var e=new Date();var I=new Image(1,1); I.src=u+'alive=1;t='+e.getTime(); setTimeout('alive_7134("'+u+'")',0x249F0);
 }
 SiteStats_7134();
//--></script><noscript><img src=http://www.thatwebsite.com/cgi-bin/sitestats.gif?p=http%3A%2F%2Fwww.thatwebsite.com%2Ffolder%2Fpage.htm;r=http%3A%2F%2Fwww.thatwebsite.com%2Ffolder%2F; width=1 height=1></noscript>
```

What it seemed to do is log the page I'm viewing, and probably also my IP. So, for fun, I tried to add a message to the logs in the form of a URL by going to http://www.thatwebsite.com/cgi-bin/sitestats.gif?p=INSERT%20MY%20MESSAGE%20HERE

Now, the webmaster reports that he can no longer view the IP addresses of individual users on his site from his site stats page. Could this truly have been a direct result of my injection? Because I now notice I forgot to add a value for the variable r... But any piece of code that can fall apart by an injection with one missing value, or maybe mention of a non-existent page, shouldn't be used anyways, correct?

EDIT: Never mind. One way or another, the webmaster resolved it.
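
The beacon in the script above sends everything as `key=value;` pairs in the query string, so the stats endpoint receives whatever a client chooses to put there. As an added example (not part of the original post and not the site's code), here is one way such an endpoint could validate the fields before logging them; `parseBeacon`, `RULES` and the per-field patterns are assumptions inferred from the client script.

```javascript
// Added example (not the site's code): validate a sitestats.gif beacon query
// before anything is written to the stats log. Format assumed from the
// client script: key=value pairs separated by ';'.
const RULES = {
  t: /^\d{1,16}$/,            // page-load or keep-alive timestamp (ms)
  e: /^\d{1,16}$/,            // unload timestamp (ms)
  alive: /^1$/,               // keep-alive ping marker
  b: /^(\d{1,5}x\d{1,5})?$/,  // viewport, empty on unrecognised browsers
  s: /^(\d{1,5}x\d{1,5})?$/,  // screen size
  c: /^\d{0,3}$/,             // colour depth
  j: /^\d(\.\d)?$/,           // JavaScript version; 1.0 is sent as "1"
  o: /^-?\d{1,4}$/,           // timezone offset (minutes)
};
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

function isHttpUrl(value, requiredHost) {
  if (CONTROL_CHARS.test(value)) return false; // keep CR/LF out of log lines
  try {
    const u = new URL(value);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
    return requiredHost === null || u.hostname === requiredHost;
  } catch { return false; }
}

function parseBeacon(query, siteHost) {
  const fields = {}, errors = [];
  for (const pair of query.split(';')) {
    if (pair === '') continue; // the trailing ';' is normal
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    let value = eq < 0 ? '' : pair.slice(eq + 1);
    let valid;
    if (key === 'p' || key === 'r') {
      try { value = decodeURIComponent(value); }
      catch { errors.push(key); continue; } // malformed percent-encoding
      // p must be a page on this site; r may be empty or any http(s) URL
      valid = key === 'p' ? isHttpUrl(value, siteHost)
                          : value === '' || isHttpUrl(value, null);
    } else {
      valid = Object.prototype.hasOwnProperty.call(RULES, key) && RULES[key].test(value);
    }
    if (valid) fields[key] = value; else errors.push(key);
  }
  // Both the script and the <noscript> image always send p
  if (!('p' in fields) && !errors.includes('p')) errors.push('p');
  return { ok: errors.length === 0, fields, errors };
}
```

A request that fails validation can be dropped or logged to a separate reject file, so one malformed entry never reaches the report the webmaster reads.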