mirror of
https://github.com/ditatompel/insights.git
synced 2025-01-08 03:12:06 +07:00
102 lines
3.5 KiB
Markdown
102 lines
3.5 KiB
Markdown
---
|
|
title: "Lessons from MyBB FB Connect Plugin XSS Attack"
|
|
description: This article aims to share knowledge on how to counter-attack against attackers, specifically those using third-party Facebook applications.
|
|
summary: This article aims to share knowledge on how to counter-attack against attackers, specifically those using third-party Facebook applications.
|
|
date: 2011-12-01T23:53:39+07:00
|
|
lastmod:
|
|
draft: false
|
|
noindex: false
|
|
featured: false
|
|
pinned: false
|
|
categories:
|
|
- Security
|
|
- Privacy
|
|
- TIL
|
|
tags:
|
|
- MyBB
|
|
- XSS
|
|
- Facebook
|
|
images:
|
|
authors:
|
|
- ditatompel
|
|
---
|
|
|
|
A few days ago, I was surprised to see that my website's logs were filled with security testing attempts originating from an IP address in Indonesia. One of these attempts was a successful XSS attack targeting the MyBB plugin within one of my online forums.
|
|
|
|
> _**NOTICE**: In this article, I will not use the actual Facebook attacker's ID and this guide is only for sharing knowledge._
|
|
|
|
As mentioned by **@badwolves1986** at `http://devilzc0de.org/forum/thread-11110.html`, there was a **XSS bug** in the **plugin fbconnect** for **MyBB**.
|
|
|
|
When I discovered the bug, I didn't manage to _'patch'_ the bugs. I only managed to add _"additional permissions"_ to the plugin, which allowed me to update Facebook account status used for registration. Note the image below:
|
|
|
|
|
|
|
|
From there, we can get the attacker's data. Let's look at the database:
|
|
|
|
```bash
|
|
SELECT uid, username, fbuid FROM [usertable] WHERE uid = '[uidattacker]'
|
|
```
|
|
|
|
Please note that the `fbuid` field will automatically exist if you install **FB Connect Plugin** for **MyBB**.
|
|
|
|
From the query above, we get the **Facebook Attacker's User ID**.
|
|
|
|
|
|
|
|
What can we do next? Let's recap again...
|
|
|
|
1. We already have Facebook attacker's user ID.
|
|
2. We already have permission to update status and access data for that user ID, even when offline!
|
|
|
|
That's right, **Facebook API**!
|
|
|
|
We can utilize **PHP Facebook SDK** from [https://github.com/facebook/php-sdk](https://github.com/facebook/php-sdk).
|
|
|
|
After downloading and uploading it to the web server, let's create a simple script to update the attacker's profile status.
|
|
|
|
|
|
|
|
Here is an example of the code:
|
|
|
|
```php
|
|
<?php
|
|
require 'location-pf-facebook-sdk.php';
|
|
/**
|
|
* Facebook
|
|
*/
|
|
$app_id = "[your-app-id]";
|
|
$app_secret = "[your-app-secret]";
|
|
|
|
//build content
|
|
$fbinfo = 'Your message';
|
|
$facebook = new Facebook(array(
|
|
'appId' => $app_id,
|
|
'secret' => $app_secret
|
|
));
|
|
$response = $facebook->api(array(
|
|
'method' => 'stream.publish',
|
|
'uid' => '[attacker-user-id-from-the-database]',
|
|
'message' => $fbinfo
|
|
));
|
|
echo $fbinfo;
|
|
?>
|
|
```
|
|
|
|
After that, upload it to your site and execute the script. Then, you will have successfully updated the Facebook attacker's account status.
|
|
|
|
|
|
|
|
From here, we learn a few things:
|
|
|
|
1. _Covering tracks_ are necessary when performing attacks on a website.
|
|
2. Do not use your real identity during illegal penetration testing.
|
|
|
|
What if I've already given an app permission to access my data?
|
|
|
|
Log in to `http://www.facebook.com/settings/?tab=privacy`, then select **"Edit Settings"** under the **Apps and Websites** menu.
|
|
|
|
In the **"Apps you use"** menu, you can revoke or remove unnecessary apps.
|
|
|
|
For those who want to remain _anonymous_, be cautious with Facebook, as it truly collects our data.
|
|
|
|
> _Don't forget, always use 'extra protection' when performing illegal activities.._
|