Found it the other day.
Told XiRaX about it earlier today, and as of about... 5 minutes ago, patched.
But, for those of you in underground silver who saw my documenting of XSS properties in gaiaonline, this should give you some insight.
It worked out very well. In this video I only did two demonstrations: one was the HTML of Gaia's cashshop history viewer (AKA email exploit) and the other was just the d8silo index.
Amazing how quick Gaia is at patching. Probably a good thing too, this could have raised some hell.
- 25 Sep. 2011 07:58pm #1
Since it's patched now, here is some live XSS on gaiaonline.
Last edited by Aleena; 25 Sep. 2011 at 08:02pm.
Gaiaonline Exploit Log:
http://d8silo.b1.jcink.com/index.php?act=Pages&pid=12
The day I re-wrote gaias homepage:
http://rankmyhack.com/userview.php?user=Nirvash
- 25 Sep. 2011 08:00pm #2
Smooth move, Aleena.
Last edited by The Unintelligible; 25 Sep. 2011 at 08:02pm.
- 25 Sep. 2011 08:02pm #3
Everything we touch on Gaia gets patched. We should have taken action while we had the chance.
- 25 Sep. 2011 08:02pm #4
- 25 Sep. 2011 10:30pm #5
- 25 Sep. 2011 10:38pm #6
- 25 Sep. 2011 10:42pm #7
...? I don't think he was insulting me o.0
Though if he was *shrugs* Whatever he needs to feel good about himself.
It's not like I don't have a handful of other exploits still functional.
Here are some of my toys found and patched in the last two months
--------------------------------------
Banning users from flashgames using moddog
Admin panel access
Email / cash purchase history lookup
Send false ban requests in moddog
Cashshop editor
Create secondary password
Crypto bypass method for secondary password
Enabling / Disabling admin panel functions for public use
Enabling / Disabling test server public use.
Editing / Creating pages in gaiaonline
Editing event pages
And today, XSS through the event editing page
Hell, there are still exploits not patched.
(Only posting one which I posted publicly last week, others stay UG)
http://gaiaonline.com/admin/flash/vj_utils.swf
And don't worry, I will toss out some more stuff in UG in the near future, just trying to decide what would be a good one to start with that wouldn't adversely affect the others.
- 25 Sep. 2011 11:01pm #8
- 25 Sep. 2011 11:10pm #9
- 25 Sep. 2011 11:39pm #10
Oh, but it does mean something when you directly stated that I'm a new member. Which was false, might I add. Something ironic to throw on top of that is the fact that I've been here longer than you, which gives you no sense of entitlement whatsoever to tell me what you told me.
- 25 Sep. 2011 11:50pm #11
- 26 Sep. 2011 01:12am #12
Kids, don't make me lock another thread.
- 26 Sep. 2011 01:16am #13
- 26 Sep. 2011 02:00am #14
Yee. We don't want a 1337 thread like this being locked, now do we?
But just so you know, Skrill, your opinion(s) will and always will be absolutely meaningless. Just putting that out there so you know that what you said/say isn't worth getting this thread locked over.
- 26 Sep. 2011 02:03am #15
I lol'd.
yup this is really me gamersoul AVA
- 26 Sep. 2011 02:37am #16
- 26 Sep. 2011 03:52am #17
Just stop this shit, holy fuck.
- 26 Sep. 2011 12:10pm #18