Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Piczo Javascript Injection?

  1. Home
  2. Forum
  3. Hacking in general
  4. Piczo Javascript Injection?

ghost's Avatar

ghost

0 0

Hey guys, nice to finally make a post here. I'm quite new to the world of hacking, and am new to the HBH community. I previously have worked on HTS for quite a while. Anyways, to my question. I've read multiple articles on defacing piczo guestbook, shoutbox, and a comment board "hack", yet there are some things I want to try, but don't know if possible or how to go about them.

My first idea was to change the background on someone elses site: javascript:document.bgColorForm.submit() They use this code to change it while in the editing page of your own site.

My second idea was to delete someone's pictures javascript: if (validateForm()) { document.editimageform.isdel.value='y';document.edit.imageformsubmit(); } This I atleast think I typed with right capitals and spaces, but same code they use in the editor.

Third idea, to access someone's trash can using a URL or JVS: http://pic5.piczo.com/go/piclistdetail?dt=trash Once again, from the editor.

Fourth idea, accessing their acocunt settings, password, etc. javascript:openWebsiteSettingsPopup('&show=y') And yes, from editor.

So this was just me trying to figure out how to apply the codes from an editor to someone else's Piczo site. I think I was on the right track.. but if anyone could give me some pointers, tips, insights, or plain just explain how its done, I would be very thankful.

I do realize that this is a noob request, but hey, everyone has to start somewhere. :)

BTW posting this in a few places, not to worry.;)


ghost's Avatar

ghost

0 0

Well ya I have done that, like I can see the javascript doing its thing, but I can't alter it to another site, maybe could you give me a push in right direction?


ghost's Avatar

ghost

0 0

Javascript injections (aka XSS injections) are useful in the fact that they can force the user to do something.

For example, your idea could work if you put some JavaScript on your profile that directed them to a malicious link, something like (this is a totally fake example, I've never used Piczo in my life:

http://www.piczo.com/profile?action=delete&picture=friends.jpg

Then you'd put some JavaScript in your profile, something like this:

markup<script type="text/javascript">window.open("http://www.piczo.com/profile?action=delete&picture=friends.jpg")</script>

This would force the browser to open a new window to the URL which will then delete their pictures.


ghost's Avatar

ghost

0 0

so i guess its samee thing for all my ideas then?


What_A_Legend's Avatar

What_A_Legend

...Legend?
0 0

I think piczo hacking is lame, so please stop posting in this thread


ghost's Avatar

ghost

0 0

Ya i kinda said that in my first post, and i really dont care what u think, we all start somewhere. except for u, you were born with ur talent i suppose. take it easy.


ghost's Avatar

ghost

0 0

Ya i kinda said that in my first post, and i really dont care what u think, we all start somewhere. except for u, you were born with ur talent i suppose. take it easy.