Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Piczo Guestbook/Shoutbox Defacement


Piczo Guestbook/Shoutbox Defacement

By Flaming_figures avatarFlaming_figures | 17857 Reads |
0     0

NOTE Some of this information may be out of date on some websites. Either way - how many ethical hacks can you do on people who use piczo - honestly?

Alright, recent article submissions had bad feedback, but oh well. Let's start the new year with a bang. This information is for educational purposes only- in other words- don't screw around.

Now, if you run a piczo website as a free photo dumping website with a guestbook, you know how unsafe it is to post in one. You may also notice by browsing some people have bad conversations about people behind their back in the GB's. This article will show you how to delete and edit posts, and also why it is unsafe to message in them. I will help you have a safer piczo experience as well. Also, as recently informed by god you can also do this to shoutbox entries. Another thing about shoutbox entries, is you can also recieve the ip address of that poster.

Now, to do things to the post, you need two things. A Post ID and a very basic knowledge in javascript injection. VERY basic. It will be explained in here. Firstly, I will explain the guestbook.

[::Receiving the Post ID::]

How to edit messages/delete/post safely. Now, if you have ever posted, you notice there is only a delete button. No edit button. Thats no good is it? Well, if you run a piczo site, you may also notice your ip address is logged with every message. Now sure your saying "Use a proxy!" but if you can't find a working one, or you have already posted, this is for you. All you need to do to edit/delete a message, is to get its id. It is a long number that represents your post. To find this, simply place the cursor over top the |X| button (delete) and look at the bottom of the screen. It should say something like "javascript: delGB(12345678);" that number, is the post ID. Now I know you are wondering, "What if I want to edit someone else's post?" Well this is easily solved. If you take a look in the source and find the post, the number should be sitting right on top. To simplify finding it, hit CTRL-F and type in the first word in the post. Now. What to do with the ID.

[::Doing things to the post::]

Now that you have the Post ID (let's use 25010754 for an example) you may be wondering how this will help you. Well, if you notice, everything touched on the website and added by users, is done via javascript. This led me to find a simple yet effective injection. Now the full injection is

javascript:editPost(25010754)

Replacing 25010754 with your Post ID. Insert that into the URL bar and a pop-up will come up, with the old text in it. Now, what ever IP address this original post used, it will still be there. It should not be replaced with yours. Now you can edit it from here, or you can press the delete button and get rid of it. So now, you can edit any message.

[::Shoutbox Hacking::]

Now, shoutbox hacking is similar, although doesn't use javascript. You find the Post ID the same, or perhaps you need to highlight it and select view selected source for the mozilla people. When you have that, look at the URL bar. At the begining you should see like, pic1.blah blah blah or pic2.blah blah blah. That is the server. Now inject this into the url, as if the server was pic5 and the ID is 47641150.

http://pic5.piczo.com/go/editpostapproval?plpid=47641150

You should come to a screen asking to approve, disaprove or delete the message. Check delete and hit ok.

(Shoutbox information was given by god. Er, the USER god.)

[::Darkside of Piczo Guestbooks::]

This part is simple. Your IP is logged when ever you post. People have been arrested for threats, illegal conversations, etc. So now I will explain how to keep safe.

[::Keeping safe from police and bad hackers::]

Now, using a proxy is good enough, sometimes. But I have gone on with a proxy and received bull from it saying I couldn't post, or my proxy was null. To keep really safe, use another persons post! Thats right. Get a recent post and edit it to your liking :) Anything said will have that person arrested! ;) ;) ;) So, I hope you have fun. Remember, there are many possibilities to why someone would use this. keep an open mind.

Comments
ghost's avatar
ghost 17 years ago

That's pretty shoddy coding on Piczo's part but well done, great article.

Flaming_figures's avatar
Flaming_figures 17 years ago

Thanks. I was thinking about submitting the bug and may soon in the future. It is pretty weak. And showing every proccess it is doing in plain view? Have you looked at how they protect their source code? Adding null lines :p Dumb Dumb Piczo People

ghost's avatar
ghost 17 years ago

gr8 :D inspired me to do a piczo shoutbox hack :P i'll share it on msn…

ghost's avatar
ghost 17 years ago

didn't work for me…(shoutbox one)…otherwise great

Flaming_figures's avatar
Flaming_figures 17 years ago

I tried the shoutbox and it worked just fine.

Flaming_figures's avatar
Flaming_figures 17 years ago

Remember to change the pic5 to whatever your server is. That can be found in the normal URL… the first PART of the URL. Also remember to chaneg the ID

ghost's avatar
ghost 17 years ago

Nice article, worked swell. :happy:

ghost's avatar
ghost 17 years ago

This is pretty cool, thanks for submitting it. I've known about this exploit for a while (i posted details of it on hackpiczonow.piczo.com a while back :P). I wish I could find a way to add my own html to other piczo sites though. So far I've only been able to access other people's picture trashcans, which is fun, but not very useful. I've heard of people hacking the voting system as well.:o

ghost's avatar
ghost 17 years ago

I know of another trick you can use on piczo shoutboxes (it'll probably work on guestbooks as well). Find out the actual location of the shoutbox (look in the page source for 'shoutbox') It'll look like: http://pic7.piczo.com/go/shoutbox?sb=4862531&sbo=2604191 And then just add this bit to the end of the url and navigate to it: &isedit=y It'll show you the ip addresses of all the messages, and messages that have been disapproved by the site owner.

SySTeM's avatar
SySTeM 17 years ago

Nice, quite an old trick though

Flaming_figures's avatar
Flaming_figures 17 years ago

Pretty cool… I might add it. I just want to add (but am too lazy currently to edit the article) that when you do the guestbook thing, in the pop-up that comes up that you edit in, in the bottom in blue is the posters ip address.

What_A_Legend's avatar
What_A_Legend 17 years ago

i submitted this bug to HBH befor in an article but it got declined. I also released a video of it on youtube

ghost's avatar
ghost 17 years ago

guestbox hack isn't working for me - says Error while updating sigh oh well

Great article! Pretty crappy programming on Piczos part, tho :P

ghost's avatar
ghost 17 years ago

i agree with meltdown , i learned about this a year ago

Flaming_figures's avatar
Flaming_figures 17 years ago

I knew about this before but never thought to submit it. I also didn't see it on any other website so I just thought, meh. Why not. Also- I don't know what is wrong Intocksify. Works fine for me.

ghost's avatar
ghost 17 years ago

hmm…how come all the shoutboxes and guestbooks are disabled?

ghost's avatar
ghost 17 years ago

is it normal i can't edit someone's post? it's not the poster's ip down the box, but mine. and when i click on publish, it says, an error has encountered…

ghost's avatar
ghost 17 years ago

And don't get the Gb thing.. How should the URL look like after you've added javascript:editPost(11111111) ?

ghost's avatar
ghost 17 years ago

Ahhh.. Nevermind :P Got it ;) Thanks, nice trick =)

ghost's avatar
ghost 17 years ago

But, i still get this Error message when i try to edit the guestbook doh.. It works nice to delete it, but not to edit it =( Why?