
View Full Version : (MSIE) A rather old trick for web servers is now played on MSIE.



Liu Die Yu
26/12/02, 22:56
(MSIE) A rather old trick for web servers is now played on MSIE.
("that's all" is the end of the file if you are in a hurry)

[tested] MSIE v6 (CN version)
Patch: Q312461, Q328970 (MS02-066)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000}


[demo]
at
http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
or
clik.to/liudieyu ==> viaSWFurl-MyPage section.
or
[code.url start]
http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?
"><SCRIPT>alert(document.cookie)</SCRIPT>
[code.url end]



[exp]
MSIE generates a page to load a multimedia file instead of loading it
directly.
The automatically generated page for loading an SWF file (the extension of a
Flash file) contains the URL of the SWF file -- without any encoding.

So the oldest XSS trick works on MSIE.

that's all.

[how]
(real show)

first, realize that MS programmers are lazy (= "too busy") and they prefer to
look wise, so you can doubt that they generate a page to load a multimedia
file.
then, check it: I played a small trick: typing
javascript:alert(document.body.innerHTML)
in the address field when the content of MSIE is a JPG file.
soon after confirmation, try the trick and you'll find it doesn't work on
a JPG file because the URL is encoded properly. (that programmer must have
been fired for his defence)
now you may lose self-confidence -- MS is not that foolish.
but thinking about the "document.open" hole (not "flaw") will encourage you.
(the essential point!)
then after several tries, you have this document.

(very few steps)

[more?]
this trick may work on other browsers, but I can't test it at present.

[BTW]
(0) Merry Christmas!
(1) Greetings to "the Pull"
(2) there are many demoz at http://www.safecenter.net (thanks to "Dror
Shalev" for making them)
(3) I'm busy with exams, hope you can understand and forgive my delay (the
school is really crazy). I'll have a 30-day holiday. I think it's enough
to make a site showing tricks I know, why they work, how to exploit them,
and how people got the ideas. it's crosszone.org (not ready yet)
(4) LOTUS: I am slow.

[contact]
clik.to/liudieyu ==> "How to contact Liu Die Yu" section
(any postcard? :-) )
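The mechanism the post describes, shown as an added example that is not part of Liu Die Yu's post and not MSIE's real code: a constructed loader template that drops the multimedia URL into a `src` attribute. The vulnerable builder interpolates the URL raw (the SWF case in the post); the two hardened builders show the two fixes the post contrasts, HTML-attribute encoding of the value and percent-encoding of the URL (what the post says happens for JPG). The host `example.invalid`, the template markup and the helper names are all assumptions made for the example.

```javascript
// Added example: why an unencoded URL inside a generated loader page is
// an XSS sink, and two ways of closing it. The template is a constructed
// stand-in for whatever MSIE generated; only the mechanism is the point.

// HTML-attribute encoding: every character that can close a quoted
// attribute, close the tag or start an entity becomes an entity.
function escapeHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed loader template (assumed markup). The URL lands inside a
// double-quoted src attribute, which is exactly what the post's payload
// breaks out of with "> before appending a <SCRIPT> element.
function renderLoader(srcValue) {
  return '<html><body><embed src="' + srcValue +
         '" type="application/x-shockwave-flash"></embed></body></html>';
}

// Vulnerable: the URL is interpolated without any encoding (the SWF case).
function buildLoaderPageVulnerable(swfUrl) {
  return renderLoader(swfUrl);
}

// Hardened (1): encode for the HTML attribute context the value sits in.
function buildLoaderPageAttrEncoded(swfUrl) {
  return renderLoader(escapeHtmlAttribute(swfUrl));
}

// Hardened (2): percent-encode the URL before it reaches the template,
// the behaviour the post observed for JPG files. encodeURI keeps the URL
// usable (":", "/", "?" survive) but turns ", < and > into %22, %3C, %3E.
function buildLoaderPageUrlEncoded(swfUrl) {
  return renderLoader(encodeURI(swfUrl));
}

// Defensive check for a test or CI gate: the template never emits a
// <script> element, so any one found in the output came from the input.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// The payload shape from the post, on a constructed host.
const PAYLOAD_URL =
  'http://example.invalid/flash.swf?"><SCRIPT>alert(document.cookie)</SCRIPT>';

// Summary a reader can run stand-alone: which builders leak a script element.
function auditBuilders(url) {
  return {
    vulnerable: containsInjectedScript(buildLoaderPageVulnerable(url)),
    attrEncoded: containsInjectedScript(buildLoaderPageAttrEncoded(url)),
    urlEncoded: containsInjectedScript(buildLoaderPageUrlEncoded(url)),
  };
}

console.log(auditBuilders(PAYLOAD_URL));
```

Either fix alone is enough for this sink, but they answer different questions: attribute encoding protects the template no matter what the value is, while percent-encoding only helps because the value happens to be a URL. A generator that emits attacker-controlled values into more than one context (attribute, text node, script) needs the context-specific encoder at each point of insertion.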