
Page 1 of 2

myspace has dodgy content filters... – 11 Posts

  • myspace has dodgy content filters...

    02/02/2007 09:47
    aceldama's Avatar aceldama 4340
    ...now i have no idea on whether this has been done before, but a little something i discovered yesterday after the myspace people decided to remove my flash music player. (seems that they have something against using content from myflashfetish.com, which is where my player is hosted.) it's nothing spectacular really, just something i'd like to share.

    The Code: as i said, i wanted to use an external player from myflashfetish.com as my music player to host more than one profile song and have a bit more functionality. so i logged on, did the bits and got the code to use, which was:

        <center><embed src="http://myflashfetish.com/myflashfetish-mp3-player.swf?myid=1394802&f=1" menu="false" quality="best" scale="noscale" bgcolor="#ffffff" wmode="transparent" width="218" height="155" name="MyFlashFetish.com" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" /></center>

    The Problem: myspace removes all the little things she doesn't like, and the pasted code ended up like this:

        <center><embed src="http://.../myflashfetish-mp3-player.swf?myid=1394802&f=1" menu="false" quality="best" scale="noscale" bgcolor="#ffffff" wmode="transparent" width="218" height="155" name="..." align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" /></center>

    :wall2:

    The solution: Myspace is notorious for its flaws in the "sanitation & filtering" department. first i thought of using the simple method of registering the url at tinyurl.com, thus concealing the flash url completely. but myspace was a step ahead and "http://tinyurl.com/*" became "http://.../*". yay... :wall:

    ...seems i needed a new option, so i tried a redirect exploit by changing the url to
    "http://38.113.219.114/cgi-bin/ucj/c.cgi?url=h%74tp://www.my%66lashfetish.com/myflashfetish-mp3-player.swf%3Fmyid=1394802%26f=1"

    results! it actually worked! the flash player now loaded with no problems whatsoever. :drink4: now i have a flash player until myspace wishes to act on my email.
  • 02/02/2007 09:47
    theblacksheep's Avatar theblacksheep 5610
    Hi,

    that is really cool. I guess quite a lot of people kept searching for a solution to this problem.
    Does myspace just remove urls that are in a blacklist, or why haven't they removed "38.113.219.114"?
    Shouldn't it be replaced by "...", too?
    Maybe some further research would clear things up.

    Nevertheless, nice discovery!

    PS: How did you find the XSS at "http://38.113.219.114/" :devil3:
  • 02/02/2007 09:47
    UnknownUser's Avatar UnknownUser 2,7290
    i guess a bunch of legitimate websites could just put up a small page to filter content through..

    if i were a myspace user i would probably use one of my other hosts, to host a little file
    that looks sorta like this

        <?php
        // allowlist of exact URLs; only a listed URL is fetched and passed through
        $whitelist = explode(',', 'http://...');
        if (in_array($_REQUEST['url'], $whitelist, true)) { readfile($_REQUEST['url']); }
        ?>

    however i have no experience with myspace, or any other social networking ... it makes me shiver
    furthermore my php syntax is very rusty but if you are willing to try i'm sure it's clear enough to understand my point

    or perhaps just send out a 302 message with the correct address. (if that's possible cross site) then there is no xss

    sounds to me it's inherently impossible to manage a blacklist at websites like myspace... it should probably whitelist or nothing ..

    oh and btw i learned the hard way that that ip has an NSFW front page ;)
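    The contrast the thread keeps circling back to (a substring blacklist that the first post defeats with a percent-encoded hostname and a redirect wrapper, versus the allowlist approach UnknownUser sketches) as an added example, not code from either poster. The redirector host, the allowlisted host and the sample URLs are constructed for this example, modelled on the URL quoted in the first post.

```python
from urllib.parse import urlsplit, unquote, parse_qs

# Strings the thread infers myspace's filter looked for.
BLOCKLIST = ("myflashfetish.com", "tinyurl.com")
# Constructed placeholder allowlist of hosts the profile may embed from.
ALLOWED_HOSTS = {"player.example"}
# Constructed redirect-wrapper URL, shaped like the one in the first post.
REDIRECT_URL = ("http://redirector.example/cgi-bin/c.cgi?url="
                "h%74tp://www.my%66lashfetish.com/myflashfetish-mp3-player.swf"
                "%3Fmyid=1394802%26f=1")


def naive_blocklist_filter(url: str) -> bool:
    """Substring blacklist: accept the URL unless a blocked string appears
    verbatim. Encoding a single character of the host defeats it."""
    low = url.lower()
    return not any(bad in low for bad in BLOCKLIST)


def reachable_hosts(url: str, max_depth: int = 3) -> set[str]:
    """Host of the URL plus hosts of any URL carried in its query string
    (redirect wrappers like c.cgi?url=...), followed a few levels deep.
    parse_qs percent-decodes parameter values; the host is decoded too,
    so my%66lashfetish.com is seen as myflashfetish.com."""
    hosts: set[str] = set()
    pending = [url]
    for _ in range(max_depth):
        next_level = []
        for u in pending:
            parts = urlsplit(u)
            if parts.hostname:
                hosts.add(unquote(parts.hostname).lower().rstrip("."))
            for values in parse_qs(parts.query).values():
                for v in values:
                    if v.lower().startswith(("http://", "https://")):
                        next_level.append(v)
        if not next_level:
            break
        pending = next_level
    return hosts


def allowlist_filter(url: str) -> bool:
    """Accept only if every host the URL can reach is allowlisted. A shortener
    or redirector host that is not listed is rejected without resolving it."""
    hosts = reachable_hosts(url)
    return bool(hosts) and hosts <= ALLOWED_HOSTS


if __name__ == "__main__":
    print("blacklist lets the wrapped URL through:", naive_blocklist_filter(REDIRECT_URL))
    print("allowlist sees hosts:", reachable_hosts(REDIRECT_URL))
```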
  • 02/02/2007 09:47
    aceldama's Avatar aceldama 4340
    good one rhican. i guess i should've warned you about that ip. LOL in my defense, that was (at the time) the first site i could find that had a working redirect service. i'm sure there are many SFW ones out there to play with though. but to comment on tbs's theory, yes, they only seem to have a blacklist of certain words like
  • 02/02/2007 09:47
    UnknownUser's Avatar UnknownUser 2,7290
    wouldn't be the first time webmasters don't listen ...

    like when a friend wanted to buy stuff from melanibooks.gr
    (and thus would have trusted her credit card details to the website)
    which in my opinion justifies adding a few ' to the website's url to
    see if it's half decent ...

    while there is stuff like

    http://www.melanibooks.gr/showproduct.asp?catid=359%20and%201=1

    in their defence i must say they have an IDS with session sniping ..

    http://www.melanibooks.gr/showproduct.asp?catid=359%20and%201=1 union select 1

    but then again they must have cheaped out on the software or on the sysadmins
    because you can fool it by doing this

    http://www.melanibooks.gr/showproduct.asp?catid=359%20and%201=1 union/*anything this is an sql comment*/ select 1

    btw is session sniping with http traffic not inherently senseless...

    i emailed them months ago... nothing

    only thing that changed after months is that you couldn't login anymore with
    username: ' or '1
    password: ' or '1

    yes ok it's a bit off-topic but i have been meaning to disclose this just because it pisses me off how unsafe
    some charlatans are with your details online ...
  • 02/02/2007 09:47
    quangntenemy's Avatar quangntenemy 7120
    Well just pwn them and their eyes will be wide open ;D
  • 02/02/2007 09:47
    UnknownUser's Avatar UnknownUser 2,7290
    i'm not a pwn'ing kinda guy

    the worst defacement i ever did was add a "." character for about a minute
    just to make sure that i wasn't in a honeypot
  • 02/02/2007 09:47
    HynFaerie's Avatar HynFaerie 1740
    just like rhican said, you'd be surprised at how many sys admins don't listen. However I realised that in some cases they just don't have any knowledgeable admins... MerchCO-online is one... and they lost a few credit card numbers/paypal numbers because of a simple [' or '1] straight to the admin account... *fixed now i believe though... 'bout bloody time* . Paypal has a nice fraud check thing, and they do listen to holes, which they fix really quickly =)

    rhican, it's been a while hasn't it?
  • 02/02/2007 09:47
    UnknownUser's Avatar UnknownUser 2,7290
    I don't really understand your question.

    however this link might be slightly relevant (although it looks a bit dodgy)
    http://momby.livejournal.com/
  • 02/02/2007 09:47
    quangntenemy's Avatar quangntenemy 7120
    Looks like a honeypot to me
  • 02/02/2007 09:47
    aceldama's Avatar aceldama 4340
    i didn't know exactly where to put this, so i decided on adding to this thread instead of creating a new one. essentially it's loosely related to the whole myspace theme.

    social networking sites have always been something interesting to "get into without getting into" for me. so recently i've just been poking around and (no, i didn't hack into myspace but) found some sites that i assume are run by hackers for the purpose of viewing private profiles if you're willing to blindly part with your cash. these sites can be found here and are both run by (what i assume to be) the same people (as will become apparent that they didn't change their code framework):

     -- hxxp://eskobarcartel.com/NEWHACK23.swf
     -- hxxp://www.myspacegtx.com/main.swf

    now the interesting thing is in the source code of these swf files. apparently they don't really care about any way or form of sensitive directory disclosure (apart from the assumption that people can't get into an swf file). in the first one the source code looks like this:

        ...
        tries = 3;
        redirect_url = "yes";
        sealed_txt = "Status Sealed, contact your local admin";
        wrong_txt = "Wrong password or Username, please try again";
        xml_path = "xml/users.xml";
        ...

    note the xml_path variable which yields:

        ...
        <user>
          fucck
          <pass>notsomuch111</pass>
          <url>http://www.myspace.com/tixv3</url>
        </user>
        <user>
          lbaby
          <pass>muser01</pass>
          <url>http://www.myspace.com/tixv3</url>
        </user>
        <user>
          matty
          <pass>wallyhead</pass>
          <url>http://www.myspace.com/tixv3</url>
        </user>
        ...

    the second actually uses the exact same directory, though it wasn't saved in the main file. you can find that in the section_5.swf file which was linked from main.swf, yet everything was again completely unencrypted and incidentally uses the exact same code to fetch it.

    now if you were lazy you could just have checked the headers that were exchanged. there you'll find that both the swf files called users.xml directly using a get request. using firefox's live headers extension it would've looked like this:

        ...
        GET /xml/users.xml HTTP/1.1
        Host: www.myspacegtx.com
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
        ...

    now before you get all excited, though this gets you to log in, unfortunately it doesn't get you anywhere except the page that tells you that - had you paid for it - you've probably just wasted about $14 of your hard earned cash...

    ...moral of the story?
     1) don't pay for dodgy services
     2) even if you assume that the average joe can't get into your swf files, don't assume no one else can.
