1. As things stand, XSS is a cross-site scripting attack, and the problems generally appear on the client side when there is interaction with a server. What if there is no server interaction at all?
2. Many people assume that HTML files are completely safe. Is that true?
What is HTML injection:
Wherever there is interaction, a vulnerability can occur, no matter how that interaction takes place. HTML files do not have the kind of interaction you might think of, but JavaScript is still used inside them to produce the dynamic effects you need. That leaves some points of interaction: the location parameter in the address bar, user-triggered click events and dynamic DOM interactions can all influence JavaScript execution, and so give rise to vulnerabilities.
Why HTML injection:
Windows ships with a large number of HTML files. If these files can be injected into, the local HTML file can be used to execute JavaScript in the local domain, whose privileges are very high.
How to find HTML injection:
Look for interaction: interaction means the input points mentioned above. The most common is the address bar, that is, location in JavaScript, so search the HTML file for location and you may find what you need.
Look for dangerous operations: dangerous operations in HTML include document.write, eval and assignments to the innerHTML property, all of which can lead to injection, along with any other operation that may result in script execution.
An example is as follows:
If IIS is installed, it is easy to find code like the following under C:\Windows\Help\iisHelp\common:
The following is a reference excerpt:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html dir=ltr>
<head>
<style>
a:link    {font:9pt/11pt; color:FF0000}
a:visited {font:9pt/11pt; color:#4e4e4e}
</style>
<meta name="ROBOTS" content="NOINDEX">
<title>Webpage not displayed</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</head>
<script>
function Homepage(){
<!--
// in real bits, urls get returned to our script like this:
// res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm

// for testing use DocURL = "res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm"
DocURL = document.URL;

// this is where the http or https will be, as found by searching for :// but skipping the res://
protocolIndex = DocURL.indexOf("://", 4);

// this finds the ending slash for the domain server
serverIndex = DocURL.indexOf("/", protocolIndex + 3);

// for the href, we need a valid URL to the domain. We search for the # symbol to find the beginning
// of the true URL, and add 1 to skip it - this is the BeginURL value. We use serverIndex as the end marker.
// urlresult = DocURL.substring(protocolIndex - 4, serverIndex);
BeginURL = DocURL.indexOf("#", 1) + 1;
urlresult = DocURL.substring(BeginURL, serverIndex);

// for display, we need to skip after http://, and go to the next slash
displayresult = DocURL.substring(protocolIndex + 3, serverIndex);
InsertElementAnchor(urlresult, displayresult);
}

function HtmlEncode(text)
{
    return text.replace(/&/g, '&amp;').replace(/'/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function TagAttrib(name, value)
{
    return ' ' + name + '="' + HtmlEncode(value) + '"';
}

function PrintTag(tagName, needCloseTag, attrib, inner){
    document.write('<' + tagName + attrib + '>' + HtmlEncode(inner));
    if (needCloseTag) document.write('</' + tagName + '>');
}

function URI(href)
{
    IEVer = window.navigator.appVersion;
    IEVer = IEVer.substr(IEVer.indexOf('MSIE') + 5, 3);
    return (IEVer.charAt(1) == '.' && IEVer >= '5.5') ?
        encodeURI(href) :
        escape(href).replace(/%3A/g, ':').replace(/%3B/g, ';');
}

function InsertElementAnchor(href, text)
{
    PrintTag('A', true, TagAttrib('HREF', URI(href)), text);
}
//-->
</script>
<body bgcolor="FFFFFF">
<table width="410" cellpadding="3" cellspacing="5">
<tr>
<td align="left" valign="middle" width="360">
<h1 style="COLOR:000000; FONT: 12pt/15pt "><!--Problem-->Unable to display webpage</h1></td>
</tr>
<tr>
<td width="400" colspan="2">
<font style="COLOR:000000; FONT: 9pt/11pt ">The webpage you are trying to access has a problem and cannot be displayed.</font></td>
</tr>
<tr>
<td width="400" colspan="2">
<font style="COLOR:000000; FONT: 9pt/11pt ">
<hr color="#C0C0C0" noshade>
<p>Try the following:</p>
<ul>
<li>Open the
<script>
<!--
if (!((window.navigator.userAgent.indexOf("MSIE") > 0) && (window.navigator.appVersion.charAt(0) == "2")))
{
    Homepage();
}
//-->
</script>
home page, and then look for links to the information you want.</li>
<li>Click <a href="javascript:location.reload()">Refresh</a> or try again later.<br>
</li>
</ul>
<h2 style="font:9pt/11pt;color:000000">HTTP Error 414 - Request-URI Too Long<br>Internet Information Services<hr color="#C0C0C0" noshade>
<p>Technical Information (for support personnel)</p>
<ul>
<p>
<li>Background<br>
<p>The request URI is too long and the server rejects the request. This happens only in the following situations:</p>
<p>The client mistakenly converts a POST request into a GET request with long query information.</p>
<p>The client encounters a redirection problem (for example, the prefix of the redirection URL points to its own suffix).</p>
<p>The server is under attack from a client attempting to find security vulnerabilities in servers that use a fixed-length buffer to read or manipulate request URIs.</p>
</li>
<li>Details:<br><a href="http://www.microsoft.com/ContentRedirect.asp?Prd=iis&BMI=&pver=5.0&pid=&ID=414&cat=web&OS=&over=&hrd=&Opt1=&Opt2=&Opt3=" target="_blank">Microsoft Support</a>
</li>
</ul>
</font></td>
</tr>
</table>
</body>
</html>
Note DocURL = document.URL: the URL is also the address bar parameter, and it takes part in a whole series of operations. Following this parameter, we see that it ends up in document.write. It passes through HtmlEncode first, but that still does not matter, because we can use javascript:[code] to execute whatever code we need:
file://C:/WINDOWS/Help/iisHelp/common/400.htm#javascript:alert(loveshell)/
A link is generated, and the code runs when it is clicked; but note that, before that, IE will prompt that code is about to be executed......
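The sink described above, re-expressed as stand-alone functions so it can be exercised outside a browser, next to a hardened variant that validates the scheme before building the link. This is an added example, not code from the original post or from the Microsoft help file: the index arithmetic of Homepage() is kept as-is, the URI() browser-version branch is left out, the sample document.URL values are constructed, and the assumption that old IE reports a local file's document.URL with backslashes (so that the trailing slash in the payload acts as the serverIndex end marker) is mine.

```javascript
// Added example, not from the original post or the Microsoft help file.
// Re-implements the Homepage()/HtmlEncode sink as pure functions so it can be
// exercised outside a browser, beside a hardened variant that checks the scheme.

function htmlEncode(text) {
  return text.replace(/&/g, "&amp;").replace(/'/g, "&quot;")
             .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Same index arithmetic as the page's Homepage(): the target is whatever
// follows '#', cut at the first '/' after the scheme separator.
function extractTarget(docUrl) {
  const protocolIndex = docUrl.indexOf("://", 4);
  const serverIndex = docUrl.indexOf("/", protocolIndex + 3);
  const beginUrl = docUrl.indexOf("#", 1) + 1;
  return docUrl.substring(beginUrl, serverIndex);
}

// Original behaviour: entity-encode the value and drop it into HREF. Encoding
// &, ', < and > does nothing to a javascript: URL, which contains none of them.
function buildAnchorUnsafe(docUrl) {
  const href = extractTarget(docUrl);
  return '<A HREF="' + htmlEncode(href) + '">' + htmlEncode(href) + "</A>";
}

// Hardened: the value must parse as an absolute http(s) URL, otherwise no link
// is emitted at all. This scheme check is what HtmlEncode cannot provide.
function buildAnchorSafe(docUrl) {
  const href = extractTarget(docUrl);
  let parsed;
  try { parsed = new URL(href); } catch (e) { return null; }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return '<A HREF="' + htmlEncode(href) + '">' + htmlEncode(href) + "</A>";
}

// Constructed sample inputs (not taken from the page). The second assumes old
// IE reports a local file's document.URL with backslashes, so the only '/' is
// the trailing one appended to the fragment, which becomes serverIndex.
const BENIGN_URL = "res://shdocvw.dll/http_404.htm#http://www.microsoft.com/bar.htm";
const INJECTED_URL = "file://C:\\WINDOWS\\Help\\iisHelp\\common\\400.htm#javascript:alert(1)/";

console.log(buildAnchorUnsafe(BENIGN_URL));   // link to http://www.microsoft.com
console.log(buildAnchorUnsafe(INJECTED_URL)); // HREF="javascript:alert(1)": encoding did not help
console.log(buildAnchorSafe(INJECTED_URL));   // null: rejected by the scheme check
```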
Speculating further:
Windows contains a large number of HTML files, including the HTML inside chm files and the HTML resources inside dll files, so this kind of vulnerability can still be found if you dig for it. In old versions of IE, iframe and a tags could be used to reference local files; new versions of IE forbid this. But IE forbidding it is one thing; what about other programs, such as RealOne, or other protocols, such as hcp?
Last edited by Dream