Follow us on Twitter!
Things are more like they are now than they have ever been before. - Dwight D. Eisenhower
Wednesday, April 23, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 34
Guests Online: 27
Members Online: 7

Registered Members: 82878
Newest Member: defcon812
Latest Articles

Piczo Guestbook/Shoutbox Defacement

Arrow Image Ever wonder a safe way to post in a piczo guest book or shoutbox, or totally erase every message in one? Well this ones for you!



**NOTE**
***Some of this information may be out of date on some websites. Either way - how many ethical hacks can you do on people who use piczo - honestly?***

Alright, recent article submissions had bad feedback, but oh well. Let's start the new year with a bang. This information is for educational purposes only- in other words- don't screw around.

Now, if you run a piczo website as a free photo dumping website with a guestbook, you know how unsafe it is to post in one. You may also notice by browsing some people have bad conversations about people behind their back in the GB's. This article will show you how to delete and edit posts, and also why it is unsafe to message in them. I will help you have a safer piczo experience as well. Also, as recently informed by god you can also do this to shoutbox entries. Another thing about shoutbox entries, is you can also recieve the ip address of that poster.

Now, to do things to the post, you need two things. A Post ID and a very basic knowledge in javascript injection. VERY basic. It will be explained in here. Firstly, I will explain the guestbook.

[~::Receiving the Post ID::~]

How to edit messages/delete/post safely. Now, if you have ever posted, you notice there is only a delete button. No edit button. Thats no good is it? Well, if you run a piczo site, you may also notice your ip address is logged with every message. Now sure your saying "Use a proxy!" but if you can't find a working one, or you have already posted, this is for you. All you need to do to edit/delete a message, is to get its id. It is a long number that represents your post. To find this, simply place the cursor over top the |X| button (delete) and look at the bottom of the screen. It should say something like "javascript: delGB(12345678);" that number, is the post ID. Now I know you are wondering, "What if I want to edit someone else's post?" Well this is easily solved. If you take a look in the source and find the post, the number should be sitting right on top. To simplify finding it, hit CTRL-F and type in the first word in the post. Now. What to do with the ID.

[~::Doing things to the post::~]

Now that you have the Post ID (let's use 25010754 for an example) you may be wondering how this will help you. Well, if you notice, everything touched on the website and added by users, is done via javascript. This led me to find a simple yet effective injection. Now the full injection is

javascript:editPost(25010754)

Replacing 25010754 with your Post ID. Insert that into the URL bar and a pop-up will come up, with the old text in it. Now, what ever IP address this original post used, it will still be there. It should not be replaced with yours. Now you can edit it from here, or you can press the delete button and get rid of it. So now, you can edit any message.

[~::Shoutbox Hacking::~]

Now, shoutbox hacking is similar, although doesn't use javascript. You find the Post ID the same, or perhaps you need to highlight it and select view selected source for the mozilla people. When you have that, look at the URL bar. At the begining you should see like, pic1.blah blah blah or pic2.blah blah blah. That is the server. Now inject this into the url, as if the server was pic5 and the ID is 47641150.

http://pic5.piczo.com/go/editpostapproval?plpid=47641150

You should come to a screen asking to approve, disaprove or delete the message. Check delete and hit ok.

(Shoutbox information was given by god. Er, the USER god.)

[~::Darkside of Piczo Guestbooks::~]

This part is simple. Your IP is logged when ever you post. People have been arrested for threats, illegal conversations, etc. So now I will explain how to keep safe.

[~::Keeping safe from police and bad hackers::~]

Now, using a proxy is good enough, sometimes. But I have gone on with a proxy and received bull from it saying I couldn't post, or my proxy was null. To keep really safe, use another persons post! Thats right. Get a recent post and edit it to your liking :) Anything said will have that person arrested! ;) ;) ;) So, I hope you have fun. Remember, there are many possibilities to why someone would use this. keep an open mind.

Comments

mastergameron January 04 2007 - 18:55:45
That's pretty shoddy coding on Piczo's part but well done, great article.
Flaming_figureson January 04 2007 - 20:35:03
Thanks. I was thinking about submitting the bug and may soon in the future. It is pretty weak. And showing every proccess it is doing in plain view? Have you looked at how they protect their source code? Adding null lines Pfft Dumb Dumb Piczo People
godon January 04 2007 - 20:50:53
gr8 Grin inspired me to do a piczo shoutbox hack Pfft i'll share it on msn...
end3ron January 04 2007 - 21:45:50
didn't work for me...(shoutbox one)...otherwise great
Flaming_figureson January 05 2007 - 00:35:24
I tried the shoutbox and it worked just fine.
Flaming_figureson January 05 2007 - 00:36:23
Remember to change the pic5 to whatever your server is. That can be found in the normal URL... the first PART of the URL. Also remember to chaneg the ID
th3wh173h47on January 05 2007 - 01:17:43
Nice article, worked swell. :happy:
robertgameon January 05 2007 - 15:33:56
This is pretty cool, thanks for submitting it. I've known about this exploit for a while (i posted details of it on hackpiczonow.piczo.com a while back Pfft). I wish I could find a way to add my own html to other piczo sites though. So far I've only been able to access other people's picture trashcans, which is fun, but not very useful. I've heard of people hacking the voting system as well.Shock
robertgameon January 05 2007 - 16:00:46
I know of another trick you can use on piczo shoutboxes (it'll probably work on guestbooks as well). Find out the actual location of the shoutbox (look in the page source for 'shoutbox'Wink It'll look like: http://pic7.piczo.com/go/shoutbox?sb=4862531&sbo=2604191 And then just add this bit to the end of the url and navigate to it: &isedit=y It'll show you the ip addresses of all the messages, and messages that have been disapproved by the site owner.
system_meltdownon January 05 2007 - 19:55:40
Nice, quite an old trick though
Flaming_figureson January 05 2007 - 19:58:01
Pretty cool... I might add it. I just want to add (but am too lazy currently to edit the article) that when you do the guestbook thing, in the pop-up that comes up that you edit in, in the bottom in blue is the posters ip address.
What_A_Legendon January 06 2007 - 17:01:05
i submitted this bug to HBH befor in an article but it got declined. I also released a video of it on youtube
Intocksifyon January 06 2007 - 22:14:02
guestbox hack isn't working for me - says Error while updating *sigh* oh well Great article! Pretty crappy programming on Piczos part, tho Pfft
_xTc_on January 07 2007 - 13:43:08
i agree with meltdown , i learned about this a year ago
Flaming_figureson January 07 2007 - 23:51:33
I knew about this before but never thought to submit it. I also didn't see it on any other website so I just thought, meh. Why not. Also- I don't know what is wrong Intocksify. Works fine for me.
ZeckOwneron January 08 2007 - 06:02:03
hmm...how come all the shoutboxes and guestbooks are disabled?
holydog1on January 09 2007 - 00:02:05
is it normal i can't edit someone's post? it's not the poster's ip down the box, but mine. and when i click on publish, it says, an error has encountered...
mcmakon January 10 2007 - 17:28:04
And don't get the Gb thing.. How should the URL look like after you've added javascript:editPost(11111111) ?
mcmakon January 10 2007 - 17:29:35
Ahhh.. Nevermind Pfft Got it Wink Thanks, nice trick =)
mcmakon January 10 2007 - 17:34:30
But, i still get this Error message when i try to edit the guestbook doh.. It works nice to delete it, but not to edit it =( Why?
mcmakon January 10 2007 - 17:41:21
Got the same problem as holydog1 to Sad((
kalach89on February 23 2007 - 23:56:28
yea same one error while editing it ....
Flaming_figureson May 08 2007 - 21:51:45
Ya, I have started receiving that error. They must have very slowly caught on. I know your ip appears in the box and for me it was their IP that gets posted. RobertGame and I have talked about some more tricks and he released an article with some more information on how to do other stuff.
R3M0T3 H4CK3Ron February 17 2008 - 02:06:11
almost 3 years ago i found some of those exploits for piczo and sent them patches, obviously they still haven't done anything about them. honestly their coders are so incompetent its almost criminal.
Flaming_figureson March 31 2008 - 21:47:10
Ya, I sent in a fix and they did nothing a while ago, unless this is why the errors are coming in. Really, when you have flaws, and someone offers you an answer, take it damnit!
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.