YAHOO! VULNERABILITIES + TIPS AND TRICKS

1. Webmessenger China

- The eternal CSRF

http://cn.webmessenger.yahoo.com - an application that looks perfectly normal for Yahoo!. It is not quite so. The Chinese version of webmessenger is nowhere near the same as the version at http://webmessenger.yahoo.com.

So what is the problem?

Log in with one user on http://cn.webmessenger.yahoo.com.
Log in with another user on the normal Yahoo! messenger client. Make sure the user you are logged in with on the messenger client is in the friends list of the user logged in on webmessenger.
On the messenger client set yourself online and put the following code in your status:
Code:
Surprise. The code is executed in the browser in which you are logged in with the other user.
Impact: given that this is CSRF, an attacker can steal your login session or inject malicious code without you being able to tell that anything of the sort is happening.



2. My Chatroom trick

Did you know you can use Yahoo!'s services to create your own messaging service?
Go to http://cn.messenger.yahoo.com/webmsgr/code.php. After logging in you are given some HTML code that contains a link. What can you do with that link? Simple. Take this link for example:
http://cn.webmessenger.yahoo.com/index.php?t=1&to=eWlkPXJvb3QuZmxvb2Q-&sig=63761f8f753f4857bf8a275e46d7b3175cba5585

If you are logged in you will start a normal conversation with the user who created that link, but if you were not logged in beforehand and you open that link you will be given a random name with which you can send messages to that user without running into any problem.
Try it and you will see.



3. Webmessenger.yahoo.com

Browser DOS

I tried to apply the vulnerability found in the Chinese webmessenger here too, but the results were different. Although it accepts certain statuses containing HTML tags, the application at webmessenger.yahoo.com does not support tags such as . The result of attempts of this kind will be the same no matter which browser you use: a flash9.ocx error that closes the browser. It is quite simply the best booter for the web version of the famous Yahoo! messenger.
Note: The version in Yahoo! mail beta is not vulnerable.



4. Change password trick - interesting but useless

I will briefly explain the following possible problem. You know that to get to the password change page you first have to re-enter your password? Those who steal cookies in bulk probably know this very well. Well, to get to that page you only need to open the following link https://edit.yahoo.com/config/change_pw?.src=ym (after you have already logged in to mail). As I said, it is interesting but useless as long as you do not know the current password.



5. Trick - Messenger list (not the address book)

Log in to your account. Open the following link:
http://i.cn.yahoo.com/invites/picker.html?imp=yim

You will see your messenger list on that page. It is also useful when you have logged in using only a cookie.


6. Trick - link to an avatar

To see a user's avatar use the following link (INTRODUCETIUSERULAICI stands for "enter the user here"):
http://img.msg.yahoo.com/avatar.php?yids=INTRODUCETIUSERULAICI&format=png

To see the avatar a user created on http://avatars.yahoo.com use the following link:
http://lookup.avatars.yahoo.com/wimages?yid=INTRODUCETIUSERULAICI&size=medium&type=jpg


7. CSRF - how to activate mail beta using an image tag (trick).

Send someone who uses Yahoo! mail Classic an HTML attachment with the following content:


After they view your message their mail will automatically switch to the beta version.

CSRF - How to deactivate mail beta using an image tag

Send someone who uses Yahoo! mail beta an HTML attachment with the following content:



After they view your message their mail will automatically switch to the Classic version.

Warning: with mail beta the images may have to be shown manually, because mail beta has the block images option.


8. Useful links for cookie thieves:

How many times has it happened that you got into someone's mail, they had mail beta enabled, and you ended up on the victim's messenger id without meaning to? What is the best way to avoid dealing with the messenger already present in the mail beta version while at the same time leaving no trace when you manually change the mail version? Because the victim can open the mail at any time and notice that its version has changed. Well, there is the "switch to classic mail just one time" solution. The solution is very simple and depends on... a url. When you put the cookie into the browser, be careful not to log in straight away on mail.yahoo.com. Use the link:

http://us.mg1.mail.yahoo.com/ym/login?ymv=0

This opens classic mail without permanently changing the original settings the account owner left. Simple, no?

For your general knowledge also take a look at
http://us.mg1.mail.yahoo.com/dc/system_requirements?browser=unsupported


9. Trick - how to log in using a simple link

I don't know what use this could be to you, but here are 2 login links:

http://n16.login.scd.yahoo.com/config?login=USERNAME&passwd=PASSWORD
http://edit.india.yahoo.com/config/login?.patner=sbc&passwd=PASSWORD&login=USERNAME&.save=0


10. Yahoo! Wiki - phishing with Yahoo!'s help

Did you know Yahoo! Wiki exists? Probably not. Here is what it was created for:
http://developer.yahoo.net/hackday-wiki/index.cgi?action=revisions&page_name=HomePage&revision_id=22


And here is how else it can be used:
http://developer.yahoo.net/hackday-wiki/index.cgi?NemessisRSTZONE

The notion of url spoofing is very well known to most. But sometimes you do not even need anything like that. You can create your own page on that wiki and put in any content. You can insult someone or ask the readers of that page for their usernames and passwords. The beauty of it is that you can personalise the link used for phishing. For example the page:

http://developer.yahoo.net/hackday-wiki/index.cgi?NemessisRSTZONE will be created the moment I open it. I will hit edit and put in my content (for example I'm a legit Yahoo service. Just send me your password at hacker@yahoo.com)
Nowadays, how many people would believe a phishing message hosted on a Yahoo page? I suppose a great many. Such an oversight should not exist, least of all on the part of one of the most attacked companies in the world.


11. Mysterious are the ways of sessions
Surprise! Did you know there is a 24-hour limit after which the cookie expires? Well, it is not quite so. Slick found a method to extend its life to much longer than that. Many felt a false sense of security thinking that if they became XSS victims they would be rid of the problem in 24 hours. Now everything has changed. The method is and will remain private.
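Sections 1 and 7 above both rely on a state-changing action being triggered by a request the user never intended to send: a status message rendered in another user's browser, or an image tag inside an HTML attachment that fetches a settings URL while the reader's session cookie rides along. The example below is added here and is not code from the original post or from Yahoo!. It is a minimal server-side model of the check that stops the image-tag variant: a settings endpoint that refuses anything but a POST and requires an anti-CSRF token bound to the session. The endpoint name (`switch_mail_version`), the `sid` cookie, the `csrf_token` and `version` form fields and the in-memory session store are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store for the example: session id -> session data.
# A real service keeps this server-side, keyed by the value in the session cookie.
@dataclass
class Session:
    user: str
    mail_version: str = "classic"
    # One unguessable token per session; the legitimate settings form embeds it in a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

SESSIONS: dict[str, Session] = {}

def login(user: str) -> str:
    """Create a session and return its id, i.e. the value the browser would store in the cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user)
    return sid

def switch_mail_version(method: str, cookies: dict, form: dict) -> tuple[int, str]:
    """Hypothetical handler for a 'switch between Classic and beta mail' endpoint.

    Returns (HTTP status, message). The order of the checks is the point:
      401  no valid session cookie at all
      405  not a POST: an <img src=...> in a mail, or a link in a status message, can only issue GET
      403  POST without the session's token: a cross-site form post carries the cookie but not the token
      400  POST with a version the service does not know
      200  the change is applied
    """
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state changes require POST"
    token = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte from timing.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    version = form.get("version", "")
    if version not in ("classic", "beta"):
        return 400, "unknown mail version"
    session.mail_version = version
    return 200, f"mail version set to {version}"

def image_tag_request(sid: str, version: str) -> tuple[int, str]:
    """What a browser sends when it renders <img src='.../switch?version=beta'> for a logged-in
    reader: a GET carrying the session cookie and nothing else."""
    return switch_mail_version("GET", {"sid": sid}, {"version": version})

if __name__ == "__main__":
    sid = login("victim")
    print(image_tag_request(sid, "beta"))                                   # 405, version stays classic
    print(switch_mail_version("POST", {"sid": sid}, {"version": "beta"}))  # 403, no token
    print(switch_mail_version("POST", {"sid": sid},
                              {"version": "beta", "csrf_token": SESSIONS[sid].csrf_token}))  # 200
```

The method check alone defeats the image-tag trick, since an image fetch is always a GET; the token check is what covers the remaining case of a hidden cross-site form that auto-submits a POST, because the attacker's page can make the browser send the cookie but cannot read the token out of the victim's session.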

FULL DETAILED BASIC SQL INJECTION

An SQL injection is basically a code injection that exploits an area vulnerable to SQL injection. The injected code exploits the database to get information such as emails, usernames, passwords, etc.
In this tutorial we'll be looking for the Admin Panel's credentials. Keep in mind I said Admin Panel, not control panel. While performing an SQL injection you may not always find what you're looking for. Some sites have secured the important information so that it will not be compromised so easily.

DarkComet 3.2 FWB

Hello everyone, this is my first tutorial. I'll explain how to use DarkComet 3.2 FWB.

STEP 1:
First, go to the official website of Darkcomet, here. And click on "Download", like on this picture.


STEP 2:
After clicking "Download", choose the version of DarkComet that you want on the following image, I choose DarkComet FWB 3.2.


STEP 3:
Check all before downloading.


STEP 4:
After starting DarkComet you must accept the "Terms and condition".


STEP 5:
Now, set DarkComet aside for a moment. You need to register at No-IP by clicking here.
After completing your registration form, you must go on "Manage Hosts".


STEP 6:
Now click on "Add a Host".


STEP 7:
After clicking "Add a Host" you must choose a "Hostname".


STEP 8:
Now you'll need to download "No-IP Dynamic Update Client v3.0.4", but first choose your "Operating System".


STEP 9:
Now that you've chosen your "Operating System" you can download.


STEP 10:
Now, you'll need to install No-IP.


STEP 11:
Now, choose the install location and click on "Next >".


STEP 12:
Now, choose start menu folder, and click on Install.


STEP 13:
Now you will configure No-Ip, start it and enter your E-mail address & password entered on No-IP.org.


STEP 14:
Now you must select your host, check your host and click on Save.


STEP 15:
It's OK, you can start up DarkComet 3.2 FWB. Now you must add a server socket.


STEP 16:
Now you edit your server; you will choose the "Server module (634,50 KB)".
After clicking on "Server module (634,50 KB)" a window called "Server Editor - Installer version <3.0.2>" will appear.



STEP 17:
Now you start to edit the server.


STEP 18:
Now, you must enter your No-IP and test it; if the message is green, it's OK.
After, you can click on "Build module".



STEP 19:
Now, you can create the server, save it, and open it.


STEP 20:
By opening your server, if it worked, a message at the bottom right of your screen will appear.



Here is the final result.

This is a test; therefore, by following this tutorial you created a single server. I'll let you customize it to your liking.
I spent a long time on this, so if you could vote for the topic and give me a reputation point if I'm worth it, it would be cool!
I hope this helps.

Thanks in advance,

Common Methods To Hack A Website

Gone are the days when website hacking was a sophisticated art. Today anybody can get onto the Internet and start hacking your website. All that is needed is a search on Google with keywords like "how to hack website", "hack into a website", "hacking a website" etc. The following article is not an effort to teach you website hacking; it has more to do with raising awareness of some common website hacking methods.

The Simple SQL Injection Hack

SQL Injection involves entering SQL code into web forms, eg. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.
When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.

In its simplest form, this is how the SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.
Suppose we enter the following string in a User name field:

' OR 1=1

The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:

SELECT * FROM users WHERE username = 'USRTEXT'
AND password = 'PASSTEXT'

...where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.
So entering ' OR 1=1 -- as your username could result in the following actually being run:

SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = ''

Two things you need to know about this:
['] closes the [user-name] text field.
[--] is the SQL convention for commenting code, and everything after the comment is ignored. So the actual routine now becomes:

SELECT * FROM users WHERE username = '' OR 1=1

1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreak havoc.
Let's hope you got the gist of that, and move briskly on.
Brilliant! I'm gonna go hack me a Bank!
Slow down, cowboy. This half-cooked method won't beat the systems they have in place up at Citibank, evidently.


But the process does serve to illustrate just what SQL Injection is all about — injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via Injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web for login strings which can gain access to weak systems. Here are a couple more common strings which are used to dupe SQL validation routines:
username field examples:
admin'--
') or ('a'='a
") or ("a"="a
hi" or "a"="a
... and so on.
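The login bypass above, and the cookie-poisoning variant described further down this page, are the same defect seen from two inputs: user-controlled text is concatenated into the SQL string, so a quote ends the literal and -- comments out the password check. The example below is added here and is not code from the original article. It builds a constructed SQLite table, runs the article's login strings against the concatenating routine and against a parameterised one, and also shows the "feed the form odd characters and watch for a server error" check from the defensive measures at the end of the article. The table layout, the account `alice` and the helper names are assumptions made for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample database: one account, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    """The pattern the article describes: user text pasted straight into the SQL string."""
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised query: the values never become part of the SQL text, so quotes
    and -- inside them are only characters to compare the stored columns against."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

def raises_sql_error(conn, login_fn, username: str, password: str) -> bool:
    """True if the login routine fails with a database error for this input.
    A server-generated error leaking out of a login form is the tell the article's
    defensive measures list points at."""
    try:
        login_fn(conn, username, password)
        return False
    except sqlite3.Error:
        return True

# Login strings taken from the article; a lone quote is the error probe.
PAYLOADS = ["' OR 1=1 --", "alice'--", "'"]

def compare(conn) -> dict:
    """Map each payload to (concatenated result, parameterised result); 'error' if the query breaks."""
    results = {}
    for payload in PAYLOADS:
        row = []
        for fn in (login_vulnerable, login_safe):
            row.append("error" if raises_sql_error(conn, fn, payload, "x") else fn(conn, payload, "x"))
        results[payload] = tuple(row)
    return results

if __name__ == "__main__":
    for payload, (concatenated, parameterised) in compare(make_db()).items():
        print(f"{payload!r:16} concatenated={concatenated!s:6} parameterised={parameterised}")
```

Running it prints that both bypass strings log in through the concatenating routine and fail through the parameterised one, and that the lone quote produces a database error only in the concatenating routine; a login form that answers a stray quote with a stack trace is exactly what the last section of this article tells you to test for.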

Cross site scripting ( XSS ):

Cross-site scripting or XSS is a threat to a website's security. It is the most common and popular way of hacking a website to gain access to information from a user on a website. There are hackers with malicious objectives who utilize this to attack certain websites on the Internet. But mostly good hackers do this to find security holes in websites and help them find solutions. Cross-site scripting is a security loophole on a website that is hard to detect and stop, making the site vulnerable to attacks from malicious hackers. This security threat leaves the site and its users open to identity theft, financial theft and data theft. It would be advantageous for website owners to understand how cross-site scripting works and how it can affect them and their users, so they could put the necessary security systems in place to block cross-site scripting on their website.

Learn more about it . LINK : http://www.hackforum....php?tid=347923 , great thread , made by Ghost Hacker

Denial of service ( DDoS attack ):

-What is a Denial Of Service Attack?

A denial of service attack (DoS) is an attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading its resources, so that no one can access it. This is not actually hacking a website, but it is used to take down a website.
If an attacker is unable to gain access to a machine, the attacker will most probably just crash the machine to accomplish a denial of service attack. This is one of the most used methods for website hacking.

-Types of denial of service attacks

There are several general categories of DoS attacks. Popularly, the attacks are divided into three classes:

bandwidth attacks
protocol attacks
logic attacks

-What is Distributed Denial of Service Attack?

To hack a website, an attacker launches the attack using several machines. In this case the attacker breaks into several machines, or coordinates with several zombies, to launch an attack against a target or network at the same time.
This makes it difficult to detect, because the attacks originate from several IP addresses.
If a single IP address is attacking a company, it can block that address at its firewall. If there are 30000, this is extremely difficult.
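The firewall point above is the whole difference between a single-source flood and a distributed one: the first shows up as one address with an absurd request count, the second as a normal-looking count per address and an absurd total. The example below is added here and is not code from the original article. It parses constructed access-log lines, counts requests per source, and classifies a window of traffic into the two cases the article describes, returning a block list only when per-IP blocking can actually help. The log format (common access-log prefix), the thresholds, the addresses and the timestamp are all constructed for the example; the distributed case uses 300 sources rather than the article's 30000 so that it runs instantly.

```python
import re
from collections import Counter

# Common access-log prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_line(line: str):
    """Return (ip, request line, status) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("req"), int(m.group("status"))

def count_sources(lines) -> Counter:
    """Requests per source IP over the supplied window of log lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts

def classify(counts: Counter, per_ip_limit: int = 50, total_limit: int = 1000):
    """Decide what kind of flood, if any, the window shows, and which IPs a firewall rule could block.

    single-source: one or a few IPs above per_ip_limit; blocking them at the firewall works.
    distributed:   total volume above total_limit but no single IP above per_ip_limit;
                   per-IP blocking does not help, so the returned block list is empty.
    normal:        neither threshold crossed.
    """
    hot = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
    if hot:
        return "single-source", hot
    if sum(counts.values()) > total_limit:
        return "distributed", []
    return "normal", []

def make_log(ips, requests_per_ip: int):
    """Constructed log lines for the example (documentation and private address ranges)."""
    return [f'{ip} - - [06/Aug/2009:10:00:{i % 60:02d} +0000] "GET / HTTP/1.1" 200'
            for ip in ips for i in range(requests_per_ip)]

FLOOD_ONE = make_log(["203.0.113.5"], 500)                                    # one noisy client
FLOOD_MANY = make_log([f"10.0.{i // 256}.{i % 256}" for i in range(300)], 5)  # 300 clients x 5 requests
QUIET = make_log([f"198.51.100.{i}" for i in range(1, 11)], 3)                # 10 clients x 3 requests

if __name__ == "__main__":
    for name, log in (("one IP", FLOOD_ONE), ("300 IPs", FLOOD_MANY), ("quiet", QUIET)):
        print(f"{name:8} {classify(count_sources(log))}")
```

The distributed case returns an empty block list on purpose: with every source under the per-IP limit there is nothing a per-address firewall rule can key on, which is why that case is handled upstream (rate limiting by request pattern, provider-side filtering) rather than by the address list that works for the single-source case.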

-Damages made By Denial of service attack:

Over the past years denial of service attacks have caused a huge amount of damage, and many have been victims of this attack.
It's real: on February 6th, 2000, the Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, eBay (EBAY), Amazon.com (AMZN), and CNN (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off.

This attack also recently hit Twitter on 6th August 2009; a lot of people had trouble logging on to Twitter. It was brought down by a denial of service attack: they tied up the server so no one could log on to it. Websites like Facebook, eBay etc. have also been victims of this attack.

Cookie Poisoning:

Well, for starters I can begin by saying that cookie poisoning is a lot like SQL injection.

Both have 'OR'1'='1 or maybe '1'='1'

But in cookie poisoning you begin with alerting your cookies:

javascript:alert(document.cookie)

Then you will perhaps see "username=JohnDoe" and "password=iloveJaneDoe"

In this case the cookie poisoning could be:

javascript:void(document.cookie="username='OR'1'='1"); void(document.cookie="password='OR'1'='1");

There are also many versions of this kind... like for example

'

'1'='1'

'OR'1'='1

'OR'1'='1'OR'

and so on...

You may have to try 13 things before you get it completely right...

Password Cracking
Hashed strings can often be deciphered through 'brute forcing'. Bad news, eh? Yes, and particularly if your encrypted passwords/usernames are floating around in an unprotected file somewhere, and some Google hacker comes across it.
You might think that just because your password now looks something like XWE42GH64223JHTF6533H in one of those files, it means that it can't be cracked? Wrong. Tools are freely available which will decipher a certain proportion of hashed and similarly encoded passwords.

-Brute Force Attack


Brute force attack is the most widely known password cracking method. This attack simply tries every possible character combination as a password. To recover a one-character password it is enough to try 26 combinations ('a' to 'z'). It is guaranteed that you will find the password...

...but when? How long will it take? A two-character password will require 26*26=676 combinations. The number of possible combinations (and therefore the required time) grows rapidly as the length of the password increases, and this method quickly becomes useless. Are you ready to wait two months while your 9-character password is cracked? What about one hundred years for an 11-character password? Besides the maximal length you should also specify the character set, i.e. the list of characters that will be included in the combinations. The longer the character set is, the longer the required period of time is. Here is the problem: usually you have no idea what characters are present in the password. On the one hand, you should specify all possible characters. On the other hand, this can slow things down very much. Unfortunately, there is no common way to determine what character set to use. It is more a question of luck and intuition. The only thing I can recommend is to begin by trying short passwords using the full character set. Then you can increase the length of the password while simultaneously decreasing the character set, to keep the required time acceptable.

If the password is case sensitive (this is the most common situation), there is another problem with the case.

There are three options:
1) You can assume that the password was typed in lower case (this is most likely). In this case the required time will stay the same, but if the password contains upper case letters it will not be recovered.

2) You can try all combinations. The password is guaranteed to be found, but the process slows down significantly. A 7-character lower case password requires about 4 hours to be recovered, but if you would like to try all combinations of upper case and lower case letters, it will require 23 days.

3) The third method is a trade-off. Only the most probable combinations are taken into consideration, for example "password", "PASSWORD" and "Password". Complicated combinations like "pAssWOrD" are not. In this particular case the process slows down to one third of the original speed, but there is still a possibility of failure.
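The figures in this section all come from one formula, keyspace = charset_size ^ length, and the three case-handling options are three different keyspaces. The example below is added here and is not code from the original article. It computes the keyspace and worst-case time for a given charset, length and guess rate, derives the guess rate implied by the article's "7 lower-case characters in 4 hours", re-derives the mixed-case cost from it, counts the article's "probable" case variants against the full set, and includes a toy exhaustive search over a three-letter alphabet so the counting can be checked by hand. The function names and the guess-rate assumption are mine; the 4-hour figure is the article's.

```python
from itertools import product
import string

def keyspace(charset_size: int, length: int) -> int:
    """Candidates of exactly `length` characters drawn from a charset of `charset_size` symbols."""
    return charset_size ** length

def cumulative_keyspace(charset_size: int, max_length: int) -> int:
    """Candidates of every length from 1 up to max_length, which is what a brute forcer walks through."""
    return sum(charset_size ** n for n in range(1, max_length + 1))

def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of the given length at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second

def implied_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guess rate that a quoted cracking time corresponds to (rate = keyspace / time)."""
    return keyspace(charset_size, length) / seconds

def probable_case_variants(word: str) -> list:
    """The article's trade-off option: only the lower, upper and capitalised forms of a candidate."""
    return [word.lower(), word.upper(), word.capitalize()]

def full_case_variants(word: str) -> int:
    """Number of case combinations if every letter may independently be upper or lower."""
    return 2 ** sum(1 for c in word if c.isalpha())

def guesses_needed(target: str, charset: str = string.ascii_lowercase) -> int:
    """Toy exhaustive search: how many candidates, in length-then-lexicographic order, are tried
    before `target` is reached. Meant only for short targets over small alphabets."""
    tried = 0
    for length in range(1, len(target) + 1):
        for candidate in product(charset, repeat=length):
            tried += 1
            if "".join(candidate) == target:
                return tried
    raise ValueError("target contains characters outside the charset")

if __name__ == "__main__":
    print("1 lower-case char:", keyspace(26, 1), " 2 chars:", keyspace(26, 2))
    rate = implied_rate(26, 7, 4 * 3600)  # rate at which 26^7 takes the article's 4 hours
    print(f"implied rate: {rate:,.0f} guesses/s")
    print(f"7 chars, upper+lower, at that rate: {seconds_to_exhaust(52, 7, rate) / 86400:.1f} days")
    print("52^7 / 26^7 =", keyspace(52, 7) // keyspace(26, 7))
    print(probable_case_variants("password"), "vs", full_case_variants("password"), "full variants")
    print("guesses to reach 'ba' over alphabet 'abc':", guesses_needed("ba", "abc"))
```

Doubling the alphabet from 26 to 52 multiplies a 7-character keyspace by 2^7 = 128, so the article's 4 hours becomes about 21 days at the same rate, close to the 23 it quotes; the trade-off option instead multiplies the lower-case keyspace by 3 rather than 128, which is where "one third of the original speed" comes from. For the defender the same arithmetic says what a length or charset requirement buys: each extra character multiplies the attacker's worst case by the charset size.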

A Few Defensive Measures

* If you utilize a web content management system, subscribe to the development blog. Update to new versions as soon as possible.
* Update all 3rd party modules as a matter of course — any modules incorporating web forms or enabling member file uploads are a potential threat. Module vulnerabilities can offer access to your full database.
* Harden your Web CMS or publishing platform. For example, if you use WordPress, use this guide as a reference.
* If you have an admin login page for your custom built CMS, why not call it 'Flowers.php' or something, instead of “AdminLogin.php” etc.?
* Enter some confusing data into your login fields, like the sample injection strings shown above and anything else which you think might confuse the server. If you get an unusual error message disclosing server-generated code, this may betray a vulnerability.
* Do a few Google hacks on your name and your website. Just in case…
* When in doubt, pull the yellow cable out! It won't do you any good, but hey, it rhymes.