Hacking ch.1 (Theory and Practice)

Glossary

General theory

First of all I want to note that each chat is original and unique (except for replicated copies of one tsitshka, of course). Because absolutely universal ways of hacking there. Practically in each chat there are features that need to be taken into account, and without which, blunt templates will not work.

First of all, what do I actually understand by hacking the HTML chat? This is not a banal flood, and no attacks on the IP chat. By hacking, we mean an unauthorized change to the HTML of the chat document, or access to hidden parts of it (for example, privates), i.e. Such an impact on the chat, which was not provided and allowed for users. This applies not only to chats, but also to forums, guest books, etc. (Where all the described methods work, and even better, because these forms are protected, as a rule, worse than chats).

All of the above applies only to HTML chats. Hacking Java chats is a separate and completely different song. I hope you can distinguish one type of chat from another ).

So, we stand on the threshold of HTML chat. Let's say that we want to test it for "strength." What should I do first? First of all we connect through an anonymous proxy (I hope you know what it is). This is necessary for two reasons: firstly, we provide our anonymity (that would be the uncle's admin did not push on the ass), and secondly, if the admin does not like our experiments and he closes the chat window, we could switch Their proxy to other IP addresses and again go into the chat. The truth here is one thing: the entrance to some chat rooms is not allowed through public proxies.

Next, we need to find out what kind of weapons we have, that is, what attributes can be set by the user. As a rule, in all chats you can enter the user's nickname, as well as the user's COLOR. In addition, sometimes you can set the user's SOAP, his home page, sex, frequency of updating the chat, etc. In practice, such fields as color, nickname, soap and user's home page are of interest. They are inserted directly into the body of the document, and therefore it is through them that you can attack the chat. It should be noted that some chats need registration, and some of the attributes are set at registration, and a part is just before entering the chat (or already inside the chat). Chats with the registration, as a rule, are more steeply heaped up and better protected.

> Denote for yourself possible ways of hacking. First of all, we'll sharpen the code fragment of the form, which sets the color of our messages (by the way, the color can be set separately for the nickname and for the text of the messages. You need to check both of them, because they can be analyzed in different ways by chat). Why are we primarily interested in color? Because the color is indicated inside the tags, in their parameters, unlike, for example, the nickname, which most often appears in the body of the tags. And for hacking chat, we need to get into the parameters of the tag, so that you can change its attributes or insert your script (sometimes of course any tags can be written simply in the text of messages, until recently it was, for example, chat.rambler chat . Ru , but this option is so dumb that probably no longer exists such chats, and I do not consider it).

We are interested in what kind of information about the color is sent to the server. The least secure string type is when the color is passed in the form of its own name. For example:

This chat, as a rule, breaks down to some extent . A worse option if the color is returned in the form of a numeric code:

In such a chat, perhaps , there are filters on all symbols except digits, the # sign and the letters A, B, C, D, E and F. Then you have to forget about hacking through the color.

And finally the worst option, when the color is simply transferred as a number from the list of acceptable colors:

As a rule, such a chat through color can not be hacked (and often even impossible). This is the most secure option (by the way, I recommend the developers of chat rooms).

Next, we need to change the HTML code so that we can freely send arbitrary values ​​of attributes to the server. To do this, save the site on your disk and change the login form to chat (or register) in the following way: change the relative address of the form action parameter to the full address. We replace all tags of type hidden with type text , and select tags with input . In addition, you need to remove the restrictions on the length of the input value (if any). For example, if the original form had the form:

Then after the appropriate substitutions, we get:

Note that the document can be created dynamically via functions like document.write () , then, most likely, you will have to convert it to a static view. In addition, it often happens that after saving HTML to the disk, the chat does not want to open. This can be caused by the fact that the site was not completely saved, if it consisted of frames. In this case, you need to better understand the structure of the page and keep everything right. Another reason may be that the server keeps track of the referer field of the request header of the http, and it detects that we are not coming from its page. In this case, you need to use other methods, which we will discuss in the chapter "Hacking at the level of http".

Now we can experiment with chat. First of all, you need to find out which filters are at the input values ​​(first for color and nickname). We are primarily interested in the following symbols:

We enter them into the color field and the nickname, go into the chat room (if we are allowed to go there with such attributes, if not, we'll have to go through the characters one by one), and see what symbols were missed by the filter (writing to the chat that "hello" thread, and Having shamed in the HTML text what color and nickel symbols are present). Some chat rooms simply delete filtered characters, some replace them with other symbols, and some convert to an encoded form of the type < or ' . Such transformed symbols do not suit us, because HTML does not accept them (however, see the chapter "Some more hacking of the long-suffering chat T" for more details).

As a result, we need to have a list of characters to be skipped for each attribute of the registration form.

Next, we have the task of getting inside any tag in order to change its pramatra or insert its script there. There are two fundamentally different ways to do this: the first is that the code we need is passed through attributes that are already inside the tag (that is, between the angle brackets) - for example, through the color or address of the soap. The second is to break the structure of HTML code in such a way that the code we need is inside the tag. How to do this is determined by analyzing the specific structure of the chat code and the set of unfiltered symbols for our attributes. We will consider various variants of hacking in the following examples. In the meantime, I would like to dwell on some features of HTML, which actually allow you to produce interesting "effects."

Features of HTML

The biggest trouble (and at the same time, the strength) of HTML is that it does not have a single standard. That is, it seems to be there, but the standards are so different, and so many are intertwined in HTML, that no one thoroughly knows it (and often does not know what it is). In addition, the competition among browsers and the heterogeneity of sites leads to the fact that browsers try to support as many standards and technologies as possible. And the lack of common standards has led to the fact that web masters even on one page manage to mix in different ways in different styles: o (.However, this allows hackers to hack HTML, and gives a lot of headaches to developers.

A simple question: what are the delimiters in HTML and JavaScript? Even I can not immediately and unequivocally answer this question. Consider an example:

Here everything is clear and obvious. There is a tag that has a click event handler written in JavaScript, the text of which is enclosed in double quotes. The fact that JavaScript is used can be specified explicitly:

The delimiters of the string in these examples are double quotes. However, you can do without them. Since after onclick = only a static handler string can go, HTML allows to omit quotes (this applies to many cases where the argument can only be a string-constant). So this design also works:

And now instead of an empty message we will insert something meaningful:

Opening the demonstration link shows that this example does not work. The reason is this: the body of the handler can be not enclosed in quotation marks, but in that case the first space is considered the end of the line-processor (even if the space itself is inside the quotation marks). Therefore, the browser considers only the alert fragment ('Hello , and finding an open quotation marks an error message, why does the browser not respond to the space inside the quotes? I think the reason is that there are two languages ​​mixed here: HTML and JavaScript. The browser "saw" that there was no quotation after the sign and therefore looked for a space as the end of the handler, but the interior of the handler did not interest him at that moment, since it was not related to HTML, but to JavaScript. Accepted a space for the end of the parameter value. The following constructions work without errors:

Note an important feature: if the value of the tag parameter is in quotation marks, then the space before the next parameter can be omitted (the third line of the example). The fourth line of the example also works (in the sense that the browser does not swear, but the script certainly does not work), because the browser does not consider the contents of the JavaScript attribute color , and therefore does not swear on the open quote, although only the alert (' Hi (as the color in HTML can be an arbitrary string, in this case the browser converts the string into a certain numerical value, which is considered a color).

Whether there are other characters - delimiters of the processor without quotes (except for a blank and a symbol > ) - a question opened. I do not know such people, but I admit that they can be.

As you can see from the examples above, line delimiters can be double and single quotes. This applies equally to both HTML and JavaScript, however, it turns out there is at least one more character that is the delimiter of strings in HTML (but not in JavaScript!). This is the symbol of the reverse apostrophe ` (usually located on the same key as the letter E ). You can verify the following example:

I swear that at least 90% of webmasters do not know about it! In any case, I have not yet seen that anyone would use a reverse apostrophe. This symbol is a find for a hacker ).

It often happens that it is necessary to use quotes inside some - other. And this is difficult, especially if the chat skips only one kind of quotes. But it turns out JavaScript allows you to insert string constants inside other string constants, and at the same time using the same quotes! For example:

The example uses nested single quotation marks, but the error interpreter does not. I note that the contents of internal quotes are not arbitrary: they should not contain spaces, and at the end some symbols are not allowed, for example ; Or ) .

Now let's talk about links. First of all, it is necessary to note such detail: the development of the Internet occurred in such a way that completely different technologies were mixed in it. Access to information can occur through a large number of different protocols. Therefore, when specifying the full path of the document (URL), it is allowed to specify any of the protocols familiar to the browser. It is noteworthy that javascript is also referred to as protocols (although it is not, but apparently the developers considered that it would be too bold to allocate a separate concept for scripts, and they were listed as protocols). Therefore, wherever you can specify a URL in an HTML document, you can insert a script. And this script will run as soon as the user (or the browser itself) requests this link. For example:

Interestingly, in addition to operators, in a JavaScript reference, you can simply specify a string (or numeric) value (however, necessarily after the operators, if any). When you click on such a link, the browser first executes the ahead operators, and then opens a new document and places the value of the last line in the link:

Hacking R chat

I will give you an example of one of the first chats I hacked. This chat was very simple, and hacked what is called from the first call ).

And a little now there are chats in which it passes. Although I thought of these methods myself, but then I found them in hacker magazines.

The input form of this chat exactly corresponded to the form given in the chapter "General theory". After converting and saving the form to disk, I checked which characters in the color attribute pass. It turned out that the following symbols pass (from those that interest us-see the "General Theory" chapter):

And of course all the numbers and letters passed. The length of the line-value of color was not limited. Next, I looked where exactly the color is inserted in the message frame. Here is a fragment of this frame:

As you can see, the color is inserted without surrounding quotes. That suited me. I logged in under the nickname Shram (well, or almost under such a nickname;)) and the color red size = 20 . My post looked like this:

It was displayed in a very large font, which surprised the population of the chat ).

Thus, in spite of the fact that we can not directly insert the tags, but the permission to enter a space in the color attribute allowed us to specify unauthorized parameters of the tag. However, this was of course not enough for me. Change the font size is certainly cool, but really something useful can be done only using scripts. I could not insert the script tag directly (or rather at that time I did not yet know how to do it). But I could set the handler to some event tag. That's what color I asked for, what would remove some nerd from the chat:
#A0A000 onmouseover=parent.frames[2].forms[0].ExitChat.click() size=30. And then I sent him a long long message to privat. The color of the message I picked up in such a way that it would not differ from the background color. And the size of the font and the length of the message were so huge that the victim probably walked at least once with the mouse on the message, as a result of which my onmouseover handler pressed the "leave chat" button instead of the user ).

However, gradually there were clever people who had figured out the trick, and deliberately did not move the cursor over the chat window. My script did not always work (At first I thought that there was no way out, because I can insert the script only as an event handler, then if this event does not work, then the script does not work.) But, digging into the "annals", I found a solution (now it has already become trivial And it is widely known.) It turned out that in the style attribute you can specify the URL of the wallpaper for the tag, and where you can specify the URL, you can write down the script there, and most importantly, the background image was downloaded by itself when the HTML document was loaded! To show the alert to the chat participants, I logged in with the following color:

It should be noted an important detail: since the structure of most HTML chats is such that the page is updated regularly, the script sent in this way is executed more than once, and many, until our message disappears from the screen.

But here is how the value of the color attribute for dropping out of the chat looked:

You need to remember: the script sent in private, will see not only your "interlocutor", but you yourself, so you need to know how to protect yourself from the influence of the script. This can be done in two ways: either put yourself in ignore (and then we will not see your own messages), or in the browser settings to prohibit the display of pictures. Then the script that fires through the background image will not work.

Now I want to show some useful scripts that can be used in hacked chats:

Javascript: parent.frames [2] .document.location = 'http: //myserver.ru' - loads myserver.ru into one of the frames.

Javascript: for (;;) open () - opens an infinite number of windows (if not navigated in time, it leads to the hang of the machine and subsequent reboot).

Javascript: document.write ('<script> alert () </ script>') - replaces the current frame with a script, which is then executed. Note: if chatnets skip the symbols <and> (and this is the overwhelming number of chats) then we can not insert such a script. But there is a way out. This is an application of the unescape () function, which converts the ASCII code of a character into a character. We replace the angle brackets with the unescape () function with the corresponding codes, then our script will look like this:

(Note: While I was already a bit short with the short hyphen character, I still found cases when it appears: It appears only as a hyphen, that is, if there is a short hyphen inside the word and if this word is at the end of the line, then the word after the hyphen can Be moved to the next line, and the hyphen itself becomes visible! Thus, it is possible that the hyphen is invisible - the preemptive feature of the microsoft (which does not, however, reduce its usefulness in burglary ). The truth is not clear why does it still remain always visible in other applications?)