HellBound Hackers | Computer General | Web hacking

Escaping BB tags
Posted on 04-05-07 00:08
Right on, so I haven't found out a way yet... anyone wanna point me in the right direction?

I know it's been done here... I'm just curious about the concept of escaping BB tags.


RE: Escaping BB tags
Posted on 04-05-07 00:34
When I did it I found that CMSes like older versions of PHP-Fusion checked the first part of the BB tag, such as [color, and then closed the tag with the last part, ]. Essentially it was possible to put XSS in between the tags: [Color <XSS here>]words here[/color]. I am fairly certain these methods are patched on most open source CMSes; however, if you find a custom CMS it may be possible, especially if they just copied and pasted their source from a tutorial website (as a majority of tutorial sites care more for the functionality of their demonstration than security).


RE: Escaping BB tags
Posted on 04-05-07 16:16
We'd really need to know the exact implementation before being able to do anything.
For instance, I'd created my own implementation of BBCode.
Hosted here: http://www.whiteacid.org/misc/bbcode.php
Source here: http://www.whiteacid.org/misc/bbcode.phps
and here: http://www.whiteacid.org/misc/bbcodes.xml

For a long time it looked really secure, until a flaw was found in the [ url ] (simple and complex) regexes. In the XML file you can see what they are now, here's what they used to be:
Code:
<regex>#\[url=([a-z]://)([^\r\n\"\[<]+?)\](.+?)\[/url\]#si</regex>

That's the complex one, you should be able to work out what the simple one was.

SystemOfAHack then told me that [ url=nojavascript...//%0D%0Aalert(document.cookie);]click this.[/url ] would create an injection (I added spaces to prevent it from being parsed). Would that exact injection work in other implementations? Unlikely; it really depends on the regex they use.
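A hardened handler for the two cases raised in this thread, the [color ...] argument and the [url=...] scheme, as an added Python example (not the whiteacid.org bbcode.php source linked above, which is PHP): tag arguments are validated against allowlists before they reach the HTML, and the URL is percent-decoded once so an encoded CR/LF cannot slip past the check the way it did with the old regex. The sample inputs in the test are constructed to mirror the payload shapes described in the posts.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Added example, not the project's code: render [color=...] and [url=...]
# by validating each tag argument instead of trusting the regex to keep
# the attribute well-formed.
ALLOWED_SCHEMES = {"http", "https"}
# Closed set of colour tokens: a named colour or a #hex value, nothing else,
# so no markup can ride in through the argument ("[color <payload>]").
COLOR_RE = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")
NETLOC_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")
URL_TAG = re.compile(r"\[url=([^\]]+)\](.+?)\[/url\]", re.IGNORECASE | re.DOTALL)
COLOR_TAG = re.compile(r"\[color=([^\]]+)\](.+?)\[/color\]", re.IGNORECASE | re.DOTALL)


def safe_url(raw: str):
    """Return raw if it is a plain http(s) URL with no control chars, else None."""
    decoded = unquote(raw)  # one decode pass so %0D%0A cannot hide CR/LF
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return None
    parts = urlsplit(decoded)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not NETLOC_RE.match(parts.netloc):
        return None
    return raw


def render(bbcode: str) -> str:
    """Escape everything first, then turn only validated tags into HTML."""
    out = html.escape(bbcode, quote=True)

    def url_sub(m):
        target = safe_url(html.unescape(m.group(1)))
        if target is None:
            return m.group(2)  # drop the tag, keep its visible text
        return f'<a href="{html.escape(target, quote=True)}">{m.group(2)}</a>'

    def color_sub(m):
        value = html.unescape(m.group(1))
        if not COLOR_RE.match(value):
            return m.group(2)
        return f'<span style="color:{value}">{m.group(2)}</span>'

    out = URL_TAG.sub(url_sub, out)
    return COLOR_TAG.sub(color_sub, out)
```

Because the text is HTML-escaped before tags are matched, a tag whose argument fails validation degrades to harmless escaped text rather than to markup.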