HellBound Hackers | Computer General | Web hacking
Guest
Posted on 28-06-06 23:14
There's this certain site I love, but I'm in a little trouble with the webmaster now... I found this script at the bottom of the page:

Code
<script><!--
 var jv=1.0;
//--></script>
<script language=Javascript1.1><!--
 jv=1.1;
//--></script>
<script language=Javascript1.2><!--
 jv=1.2;
//--></script>
<script language=Javascript1.3><!--
 jv=1.3;
//--></script>
<script language=Javascript1.4><!--
 jv=1.4;
//--></script>
<script><!--
 function SiteStats_7134(){
  var t=new Date();
  var o='o='+t.getTimezoneOffset()+';';
  t=t.getTime();
  var isNN4=(document.layers)?true:false;
  var isCSS=(document.all)?true:false;
  var t='t='+t+';';
  var b='b='+(isCSS?(document.body.clientWidth+'x'+document.body.clientHeight):isNN4?(innerWidth+'x'+innerHeight):'')+';';
  var s='s='+(isCSS||isNN4?(screen.width+'x'+screen.height):'')+';';
  var c='c='+(isCSS||isNN4?screen.colorDepth :'')+';';
  var j='j='+jv+';'
  var p='p='+escape(location.href)+';';
  var r='r='+escape(document.referrer)+';';
  var u='http://www.thatwebsite.com/cgi-bin/sitestats.gif?'+t+b+s+c+j+o+p+r;
  document.write('<img src='+u+' width=1 height=1 style="position:absolute">');
  var f='var e=new Date();e=e.getTime();var I=new Image(1,1);I.src="'+u+'e="+e+";";';
  window.onunload=new Function(f);
  setTimeout('alive_7134("'+u+'")',0x249F0);
 }
 function alive_7134(u){
  var e=new Date();var I=new Image(1,1); I.src=u+'alive=1;t='+e.getTime(); setTimeout('alive_7134("'+u+'")',0x249F0);
 }
 SiteStats_7134();
//--></script><noscript><img src=http://www.thatwebsite.com/cgi-bin/sitestats.gif?p=http%3A%2F%2Fwww.thatwebsite.com%2Ffolder%2Fpage.htm;r=http%3A%2F%2Fwww.thatwebsite.com%2Ffolder%2F; width=1 height=1></noscript>




What it seemed to do is log the page I'm viewing, and probably also my IP. So, for fun, I tried to add a message to the logs in the form of a URL by going to http://www.thatwebsite.com/cgi-bin/sitestats.gif?p=INSERT%20MY%20MESSAGE%20HERE

Now, the webmaster reports that he can no longer view the IP addresses of individual users on his site from his site stats page. Could this truly have been a direct result of my injection? Because I now notice I forgot to add a value for the variable r... But any piece of code that can fall apart by an injection with one missing value, or maybe mention of a non-existent page, shouldn't be used anyways, correct?

EDIT: Never mind. One way or another, the webmaster resolved it.

Edited by on 29-06-06 00:30
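
A server-side check for the beacon format in the script quoted above, as an added example that is not part of the original post or the site's own code: it parses the semicolon-delimited `k=v;` query string and refuses to log a record whose `p` is not a page on the site or whose `r` is absent. The field names and the placeholder host come from the post; the patterns, the required-field rules and the function names are assumptions.

```javascript
// Added example. Field names come from the script in the post; every rule
// below (patterns, required fields, function names) is an assumption.
const SITE_HOST = 'www.thatwebsite.com'; // placeholder host used in the post
const PATTERNS = {
  t: /^\d{1,15}$/, e: /^\d{1,15}$/, o: /^-?\d{1,4}$/, c: /^\d{0,2}$/,
  j: /^1(\.\d)?$/, b: /^(\d{1,5}x\d{1,5})?$/, s: /^(\d{1,5}x\d{1,5})?$/,
};

// Split "k=v;k=v;" into a prototype-less object; first occurrence of a key wins.
function parseBeacon(query) {
  const fields = Object.create(null);
  for (const part of query.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // empty segment or missing key
    const key = part.slice(0, eq);
    if (key in fields) continue;
    try { fields[key] = decodeURIComponent(part.slice(eq + 1)); }
    catch (err) { fields[key] = null; } // undecodable escape sequence
  }
  return fields;
}

// True for an absolute http(s) URL, optionally restricted to one host.
function isHttpUrl(value, host) {
  try {
    const u = new URL(value);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
    return host === undefined || u.hostname === host;
  } catch (err) { return false; }
}

// Decide whether a beacon request may be written to the stats log.
function validateBeacon(query) {
  const f = parseBeacon(query);
  if (typeof f.p !== 'string' || !isHttpUrl(f.p, SITE_HOST))
    return { ok: false, reason: 'p is not a page on this site' };
  if (typeof f.r !== 'string' || (f.r !== '' && !isHttpUrl(f.r)))
    return { ok: false, reason: 'r is missing or not a URL' };
  for (const key of Object.keys(PATTERNS))
    if (key in f && (f[key] === null || !PATTERNS[key].test(f[key])))
      return { ok: false, reason: key + ' is malformed' };
  return { ok: true, record: f };
}
```

Values that pass still need HTML-escaping when the stats page renders them, since `p` and `r` remain visitor-controlled strings.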