Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Read content of an iframe !
Posted by: Ryonan
Date: October 18, 2009 06:55AM

Yes, i know you guy talked about this in some older thread, i did try but it doesn't work. Here is my case :
i use XSS to change a text into a frame ( by innerHTML ), and then try to read the content of that frame. but it's seem hopeless.
what i try :
alert(parent.document.frames['new_frame'].body.innerHTML);
thanks for your help!

Options: ReplyQuote
Re: Read content of an iframe !
Posted by: ademix
Date: October 18, 2009 10:43AM

See contentDocument element of HTMLIFrameElement on some javascript documentation.

http://www.ademix.net/

Options: ReplyQuote
Re: Read content of an iframe !
Posted by: Ryonan
Date: October 20, 2009 04:23AM

hahaha, that's incredible ....
i dont know if some1 need this but if you change the inner HTML of any object on the victim's site into a frame, you will need a little time to wait for the frame's loading. and then you can read the content of that frame.
And here is the simple script :
################################################
setTimeout('alert(document.frames["hello"].document.body.innerHTML)',5000);
################################################
in my case, i use this to load the user list page from XSS page and then grab the user name, insert them into message list and the worm will send infected message to them.
and i'm feeding my worm now.
thanks you guys.

Options: ReplyQuote
Re: Read content of an iframe !
Posted by: sirdarckcat
Date: October 21, 2009 10:09AM

<iframe onload="
<iframe onreadystatechange="

ondomcontentloaded

IE has something with the scroll..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Options: ReplyQuote
Re: Read content of an iframe !
Posted by: GaSmo
Date: October 22, 2009 09:12AM

sry, i don't get it.

for example, i work with an cms, found a xss hole in one site of the backend - but want to get information from another site - this will work as long as both sites
are on same domain?

admin.php?function=pictures&name=XSS <- xssable site
admin.php?function=database <- site with informations i need, for example:
<input type="text" name="user" value="admin123">

XSS Code would be:
<frame name="xssframe" src="admin.php?function=database">
<script>
(pseudocode :|)
getFramebyName("xssframe")getElementByName("user")
</script>

?

Options: ReplyQuote
Re: Read content of an iframe !
Posted by: Ryonan
Date: October 22, 2009 10:09PM

as long as you have the frame in the XSS page, you can read its contents.

Options: ReplyQuote
Re: Read content of an iframe !
Posted by: Anonymous User
Date: October 23, 2009 04:51AM

http://de.wikipedia.org/wiki/Same_Origin_Policy

Options: ReplyQuote


Sorry, only registered users may post in this forum.