You want help hacking Piczo? Here's a great article.

Quote Originally Posted by wolfrat from the site http://www.darkmindz.com
PICZO HACKS COLLECTION
.:GaMeBoY::HaCkEr:.
**th January 2007

This is basically a list of all the vulnerabilities and possible methods of attack I have found in the Piczo system. Piczo is a social networking site mostly used by children aged **-*7, and is very poorly coded. There are even spelling mistakes in the code! :O
Piczo currently has seven servers.

Most of the ways in which to exploit Piczo involve JavaScript injection and in-URL hacking, where the URL string is modified, and hence different data is sent to the Piczo servers.

*.A) Comment ***rd xss attacks.
This is probably the biggest threat to Piczo sites at the moment. All comment ***rds are currently vulnerable to cross-site scripting, that is, you can post your own code, and it will be executed on the user's machine when they view the site. I discovered this vulnerability just the other day, but I'm not sure if anyone else knows about it. I heard another guy called ProRatHack was also 'hacking' comment ***rds or something :s

So what can we do with xss on Piczo? Well, you could be a lame n00b and use it for making alerts and pop up boxes on the person’s site, but that wouldn’t be too cool. Here’s the code for it anyway if you want to see it:

<script type="text/javascript">alert("the text goes here");</script>

As you can see, it's pretty simple: just define the code type and do what you want. Don't forget you can string JavaScript commands together with a semi-colon.
You could also use JavaScript to make the person's comment ***rd frame redirect to another site (think shock sites), and you could also affect the parent frame, but I can't be bothered to explain that now.

Okay, that's the lame stuff out of the way. Think about who normally uses Piczo... logged-in Piczo users! And think... they will probably be logged in when they view the comment ***rd. We could redirect them to a cookie stealer and take their session IDs, sure, but there is an easier and more fun attack we can try...

*.B) Comment ***rd xss attacks – faking
We can post messages as other users, or actually make them automatically post messages when they are viewing the infected comment ***rd. First you have to understand how it works:
http://pic6.piczo.com/go/commenton***rd?cb=62*5256&cbo=*245787&commentername=Santa&text=hello

Piczo comments for comment ***rds get sent to the servers in a URL, which is very insecure. Now of course, we can change the name that is displayed, but that would be too easy and not very fun. Instead, we can make a logged-in Piczo user that visits the site get redirected to the URL that posts messages, so if you used the window.location command (window.open is not suitable here, as most people have pop-up blockers), they would appear to be posting the message, as the server is getting sent a request from their logged-in account.

So all we have to do is place one infected bit of code into the comment ***rd, and anyone that visits the site will unwittingly post hundreds if not thousands of messages, and because there is no word limit on the comments, you can bomb the Piczo servers with data by doing this, hopefully resulting in a very primitive form of DoS, basically using up all their bandwidth, or even all their physical storage capacity.

So the resulting code would look like this:
<script type="text/javascript">window.location="http://pic6.piczo.com/go/commenton***rd?cb=62584*5&cbo=**28***&commentername=Santa&text=awwww you were hacked";</script>

Of course, you would need to change the number after pic# (to define the server with the comment ***rd you want to infect), the cb code, and the cbo code. Of course, you could make the other users post the code as well, which would make the code self-replicating, and almost impossible to kill. At the moment I'm working on a better fully fledged version of this code, which will scout out other Piczo sites by scanning the friends' list on the site, and hopefully spreading through all of Piczo.

2. Piczo ratings system
Okay, you know those little boxes that people put on their sites to make you vote for them, the type where there is a row of stars and the voting is instant? These are easy to ruin. All you have to do is view source for the page on which the ratings box is, and then search (Ctrl + F) for 'ratingsForm', and it should hopefully lead you to something that looks like this:

<form id="ratingsForm*487054**" name="website_*-*0" action="http://pic4.piczo.com/go/ratemysite" method="POST">
<input type="hidden" name="rating_id" value="57752" />
<input type="hidden" name="rating_score" value="*0"/>
<input type="hidden" name="rating_method" value="component"/>
<input type="hidden" name="elapsed" value="0"/>
</form>

See what it's doing? It's sending data to the address 'http://pic4.piczo.com/go/ratemysite', and this is what the URL would look like with the data affixed:

http://pic4.piczo.com/go/ratemysite?rating_id=57752&rating_score=*0&rating_method=component&elapsed=0

How easy was that? Lol. So basically, we can change all of that we want before it gets sent to the server. We can change 'rating_score' to *, and vote for one star in the ratings box, and that URL can be used for any ratings box with a little adjustment: all that needs to be changed is that pic# server identifier at the start, and the rating_id, which defines which ratings box to vote for. Also remember to change the 'elapsed' value to something like 20 000.

Now, how to vote for this site millions of times? The data telling Piczo whether you have voted for a certain site already is stored in a cookie, silly Piczo. So just disable cookies in your browser (use the Web Developer extension for Firefox), and go to your voting URL. Then just keep re*****ing it to vote multiple times. But that would take long, so download the 'reload every' extension for Firefox and open that voting URL in about 20 tabs. Then set each tab to reload once every minute.

*. Shoutbox 'hacking'
Shoutboxes are very easy to destroy or ruin. You can delete other people’s posts very easily.

*. Find the URL of the shoutbox, as you will need to view the actual generated source code for the shoutbox. Go on the Piczo page with the shoutbox and view source for it, then search for 'go/shoutbox?sb=', which should lead you to a URL that looks like this (it's tucked away in some iframe tags):
http://pic6.piczo.com/go/shoutbox?sb=4780*80&sbo=*245787

2. Now that you have that, navigate your browser to it, and you should see only the full shoutbox on your screen. Now, view source again, scroll down and look for the messages. Each message will have a unique postView number. Copy down the numbers for the messages you want to delete, and stick them in this URL:
(first you need to replace the sb and sbo numbers with the ones from the shoutbox URL you just used, and also use the correct pic# server identifier number, same as your shoutbox URL from just now)
Put the postView number of the message in the plpid parameter of the URL string, then navigate your browser to it, and the message should get deleted:

http://pic6.piczo.com/go/editpostapproval?dba=y&shout=y&sbo=*245787&sb=4780*80&plpid=46*707**&approvalstatus=delete

*.B) Fun but a bit useless
You still have the shoutbox URL from earlier, right? The one that looked like
http://pic6.piczo.com/go/shoutbox?sb=4780*80&sbo=*245787 ?
If so, just add '&isedit=y' to the end of the address, so it looks like this:
http://pic6.piczo.com/go/shoutbox?sb=4780*80&sbo=*245787&isedit=y
Now, navigate to the new address. What do you notice? You can see the IP addresses of all the posters and also any messages that have been disapproved or hidden by the actual site owner :P

Also, you can add '&showWelcomeMessage=y' to the end of the URL to show the 'you are logged in' message.

4. Guestbook ‘hacking’
Guestbooks can be 'hacked' using the same method described for the shoutbox trick. If you can't work out how to modify the method to use it with guestbooks, you don't deserve to have a computer. You can also use the JavaScript method, that is:
deletePost(46*72066)
And replace the number with the correct one.

There are many more ways to ruin Piczo but I can't be bothered to write any more.
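The three weaknesses the quoted article relies on (stored XSS in the comment ***rd, section 1.A/1.B; a vote-dedup check kept only in a client cookie, section 2; and a state-changing GET link that deletes any shoutbox or guestbook post whose ids you know, sections 3 and 4) all come down to the server trusting what the client sends. The following is an added example, not code from the article or from Piczo: a toy Node.js model of each weak handler beside a hardened one. The store layout, ids, user names, session and CSRF token values and the request object shape are all constructed for this example; the real Piczo endpoints and parameters are only the inspiration.

```javascript
'use strict';
// Added example (not from the original post). Toy model of three weak handlers the
// article describes, each beside a hardened counterpart. All ids, names, tokens and
// the request shape {method, query, body, cookies} are constructed for this example.

// ---- 1. Stored XSS: comment text is concatenated straight into the page ----
function renderCommentVulnerable(name, text) {
  return `<div class="comment"><b>${name}</b>: ${text}</div>`;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every untrusted field is HTML-escaped before it lands in markup, so a
// posted <script> tag is shown as text rather than run in every visitor's browser.
function renderCommentSafe(name, text) {
  return `<div class="comment"><b>${escapeHtml(name)}</b>: ${escapeHtml(text)}</div>`;
}

// ---- Shared toy state (constructed data) ----
function makeStore() {
  return {
    boards: { 'sb-1': { owner: 'alice' } },
    posts: { 'post-1': { board: 'sb-1', text: 'hi', deleted: false } },
    sessions: {
      'sid-alice': { user: 'alice', csrf: 'csrf-alice' },
      'sid-bob': { user: 'bob', csrf: 'csrf-bob' },
    },
    votes: {},
  };
}

// Constant-time string compare for the CSRF token check.
function timingSafeEq(a, b) {
  const x = String(a ?? ''), y = String(b ?? '');
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x.charCodeAt(i) || 0) ^ (y.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// ---- 2. Post deletion (the editpostapproval-style link) ----
// Vulnerable: a plain GET; knowing the board id and post id is enough, so a pasted
// link, or a window.location redirect planted via the XSS above, deletes the post.
function deletePostVulnerable(store, req) {
  const post = store.posts[req.query.plpid];
  if (!post || post.board !== req.query.sb) return 404;
  if (req.query.approvalstatus === 'delete') post.deleted = true;
  return 200;
}

// Hardened: POST only, a session-bound CSRF token, and the board must belong to the
// caller. The ids in the request only select the object; they never grant access.
function deletePostSafe(store, req) {
  if (req.method !== 'POST') return 405;
  const session = store.sessions[(req.cookies || {}).sid];
  if (!session) return 401;
  if (!timingSafeEq(req.body.csrf, session.csrf)) return 403;
  const post = store.posts[req.body.plpid];
  if (!post) return 404;
  const board = store.boards[post.board];
  if (!board || board.owner !== session.user) return 403;
  if (req.body.approvalstatus === 'delete') post.deleted = true;
  return 200;
}

// ---- 3. Ratings: "already voted" tracked only in a client cookie ----
// Vulnerable: with cookies disabled the check never fires, and rating_score and
// elapsed are trusted exactly as sent. (The real app would now set voted_<id>=1;
// a client that refuses cookies simply never sends it back.)
function rateVulnerable(store, req) {
  const id = req.query.rating_id;
  if ((req.cookies || {})[`voted_${id}`]) return 409;
  (store.votes[id] = store.votes[id] || []).push(Number(req.query.rating_score));
  return 200;
}

// Hardened: one vote per account per rating_id, recorded server-side; the score is
// range-checked and the client-supplied elapsed value is ignored entirely.
function rateSafe(store, req) {
  if (req.method !== 'POST') return 405;
  const session = store.sessions[(req.cookies || {}).sid];
  if (!session) return 401;
  if (!timingSafeEq(req.body.csrf, session.csrf)) return 403;
  const id = req.body.rating_id;
  const score = Number(req.body.rating_score);
  if (!Number.isInteger(score) || score < 1 || score > 10) return 400;
  const key = `${session.user}:${id}`;
  if (store.votes[key]) return 409;
  store.votes[key] = score;
  return 200;
}
```

The pattern is the same in all three hardened handlers: the request identifies which object to act on, the session identifies who is asking, and authorisation is decided from the server's own records of ownership and prior votes. Nothing the article shows being edited in the URL bar (server number, cb/cbo, plpid, rating_score, elapsed, the voted cookie) is allowed to decide whether the action happens.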