===================================================================================
Dominant Creature BBG/RPG browser game XSS vulnerabilities
===================================================================================
# Exploit Title: Dominant Creature BBG/RPG browser game XSS vulnerabilities
# Author: M.Jock3R
# Script support: http://www.bbgdev.com/
# Script Download: http://sourceforge.net/projects/dcreature/
# Dork: core engine by Dominant Creature
# Category:: webapps
# Tested on: windows XP Sp2 FR
===================================================================================
Examples:
---------
1) http://creatures.site88.net/
2) http://dixieandtheninjas.net/goofing/DC/
3) http://tux.isa-geek.org/rpg/dm/login.php
Vuln file: msg.php
Vuln code:
---------
$m = new Msg;
if (isset($_GET["p"]) && isset($_GET["write"])) {
$m->Write();
}
else {
$m->Inbox();
}
}
Exploit:
---------
-You must first login :(
You can enter this account .. For test :)
http://raw.bplaced.net/games/dominantcreature/
username: m.jock3r
password: 01230123
Go to :
Duel opponents ==> Search for opponents : choose any user and enter Write message
In message box write :
<script>alert(document.cookie)</script>
Click Send message.
-Enjoy playing with XSS :)
===================================================================================
Greets To :
adelsbm / attiadona / the-code.tk
Email : madrido.jocker@gmail.com
THANKS TO ALL ALGERIANS HACK3RS
===================================================================================
