Hacking Bonziworld Tutorial

2024-09-18 01:01:16

Greetings everyone, I'm Agent Red, the creator of Jeff the Killer virus. In this video I will explain how the virus works and how I made it by walking you through my process and highlighting the important discoveries that led to its creation.

The first step when looking for vulnerabilities in a website is to look at its source. The file we have opened in front of us is the main script from Bonziworld.

The first thing we notice is that the website stores its settings in a cookie as a base64-encoded JSON string.

If we find a vulnerability that lets us achieve XSS through that cookie, our virus will run as soon as an infected user opens the website.

Further inspection didn't turn up such a vulnerability, but all hope is not lost yet. There are three fields in the settings object that we can still abuse:

- theme
- autojoin
- autorun

The theme setting loads an arbitrary CSS file when an infected user joins the chatroom. This gives us the ability to change the visual appearance of the website however we choose.

The autojoin setting can be used to make a user join the chatroom upon opening the website.

The autorun setting is intended to be used by administrators to automatically authenticate upon joining using the "godmode" command. However, due to the design of the functionality, there is nothing preventing us from using it for other purposes.

Specifically, we can use the /heil command to send an arbitrary message upon an infected user joining the chatroom. We can use this to send a malicious link that will infect other unsuspecting users.

All that is left to do now is construct a malicious link that will change the users' setting cookie. This will likely require XSS injection from URL parameters. The website only has the main page and it doesn't use any URL parameters.

However, if we send an image and inspect the element, we notice that the website uses proxy.bonziworld.org to proxy media that has been sent in the chatroom.

This proxy doesn't check the MIME type, meaning that we can proxy arbitrary HTML files and execute scripts from them on a subdomain of bonziworld.org. From there we can set the value of the cookie.

The final code looks like this: upon clicking the malicious link, the opened page redirects to a proxied HTML file. This file then sets the malicious cookie on bonziworld.org. Finally, the proxied HTML file redirects to another URL so that the address the user sees in their address bar looks less suspicious.
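As an added, defender-side example (not Bonziworld's code, and not Agent Red's), the following Node.js snippet shows how the two weak points in this chain would be closed on the server: the settings cookie is validated against a fixed shape, so theme can no longer name an arbitrary stylesheet and autorun is honoured only for an already-authenticated admin session, and the media proxy relays only image content types with nosniff set. The field names come from the post; the allow-lists, the /godmode command syntax and the isAdmin flag are assumptions.

```javascript
// Added, defender-side example: not Bonziworld's code. Field names (theme,
// autojoin, autorun) come from the post; the allow-lists, the "/godmode"
// command syntax and the isAdmin flag are assumptions.

const THEME_ALLOWLIST = new Set(["default", "dark"]);            // assumed ids
const AUTORUN_ALLOWED_PREFIX = "/godmode";                       // assumed syntax
const PROXY_ALLOWED_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);

// Decode the base64 JSON settings cookie and keep only fields we understand.
// Returns { ok, settings, reasons } so the caller can log rejected cookies.
function parseSettingsCookie(cookieValue, isAdmin = false) {
  let raw;
  try {
    raw = JSON.parse(Buffer.from(String(cookieValue), "base64").toString("utf8"));
  } catch {
    return { ok: false, settings: null, reasons: ["cookie is not base64 JSON"] };
  }
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    return { ok: false, settings: null, reasons: ["settings is not an object"] };
  }
  const reasons = [];
  const settings = { theme: "default", autojoin: false, autorun: "" };
  // A theme is an identifier from an allow-list, never a URL to a stylesheet.
  if (raw.theme !== undefined) {
    if (THEME_ALLOWLIST.has(raw.theme)) settings.theme = raw.theme;
    else reasons.push("theme not in allow-list");
  }
  if (raw.autojoin !== undefined) {
    if (raw.autojoin === true || raw.autojoin === false) settings.autojoin = raw.autojoin;
    else reasons.push("autojoin must be boolean");
  }
  // autorun is an admin convenience: honour it only for a session that is
  // already authenticated as admin, and only for the one command it exists for.
  if (raw.autorun !== undefined && raw.autorun !== "") {
    const cmd = String(raw.autorun);
    if (isAdmin && cmd.startsWith(AUTORUN_ALLOWED_PREFIX)) settings.autorun = cmd;
    else reasons.push("autorun rejected: not admin or not the godmode command");
  }
  return { ok: reasons.length === 0, settings, reasons };
}

// Decide whether the media proxy may relay an upstream response. Only image
// types pass, and the relayed headers carry nosniff plus a sandboxing CSP so
// a browser never executes a proxied body as a page on the site's origin.
function proxyResponseHeaders(upstreamContentType) {
  const type = String(upstreamContentType || "").split(";")[0].trim().toLowerCase();
  if (!PROXY_ALLOWED_TYPES.has(type)) return null; // refuse to relay
  return { "Content-Type": type, "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "sandbox" };
}
```

With this in place the cookie written by a proxied page is simply ignored, and the proxy never serves HTML in the first place, so neither half of the chain survives.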

Courtesy of Agent Red