Content / guestbook spamming : how to information
What is content spamming? Well, if you run a guestbook, blog, shoutbox etc... you have no doubt seen the messages from anonymous users which usually display some url's to various websites. The spammer (usually) doesnt actually visit your site to leave these messages. How do they do this...well I will show you a real world example with working exploit code.
Lets get spamming...OK, Lets find a guestbook to spam, for the sake of this paper I have set one up here: DL's guestbook version 2: content spam test. Now this guestbook has some basic security checks to avoid abuse by spammers such as referer checking and random number checks. The idea here is that the user must call the guestbook.php script from the digi-dl.com domain (therefore they must use MY form) and each time the page is loaded a random number is generated for the user to enter in order to post a message. So how do we spam this...I have some example code below: (Note these scripts only run in Linux, must have wget installed)
1) This content spamming script will generate a form with necessary values needed to spam the board..but the guestbook IS set to do referer checking so this script wont be able to spam the board...try it for yourself. The generated page will be opened in Mozilla...if this does not suit your system then change the code.
2) This content spamming script will bypass the referer checking and spam the guestbook with pre set values.
3) This content spamming script will bypass the referer checking and spam the guestbook with random messages.
4) This content spamming script will bypass the referer checking and spam the guestbook with random messages every 5 seconds! Yikes. In the messages you will note that I attempted things like entering
www.spamking.com. This would display www.spamking.com if entered directly into the guestbook (not via shell/wget)...this trick is often used to insert XSS injection code. Scripts often look for the < and > type of script tags or for strings such as "www" or ".com". It will ban these types of entries but they often times dont check everything.
Why is this so easy to pull off??? Well, first of all the random number appears in plain text within the code of the HTML doc. So all we really have to do is download the code (wget) and pull out the number, then we use that number in our request. There are ways to *almost* prevent this by using images to display the random numbers/text etc...The exploit scripts will not work against the current guestbook. If you want to write a script to exploit the version 3 guestbook then you can find a demo here: Guestbook version 3: content spam test. If you are able to successfully spam the board i would like to see the code used...really a simple perl script that can parse out the number will still do the job ;) I have plans to change this once again so the actual number is NEVER in plain text form except for what is visable via browser.