Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
How to get the client to perform a request?
Posted by: hkm
Date: June 28, 2009 12:53PM

Hello, I was wondering how many ways there are to get the client to perform a GET/POST request.

By visiting a webpage:

-HTML tags with attributes src and *src
<img src=http://lala.com/>
<embed src=//site.com>
<bgsound src="//slackers">

-Meta refresh
<meta http-equiv="refresh" content="0;URL=http://www.site.com/"/>

-CSS's url()
elem{content:url(http://www.asdf.com/);background:url(http://www.asdf.com/);}

-Other HTML tags calling for images
<body background="">

-HTTP Redirects
Location: //newsite.com
Refresh: 0;URL=//newsite.com

-Objects
<OBJECT DATA="http://" HEIGHT=0 WIDTH=0>

-Params in Objects
<OBJECT classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E33" ID=dsoComposer HEIGHT=0 WIDTH=0><PARAM NAME="Server" VALUE="http://"><PARAM NAME="Connect" VALUE="dsn=music;uid=guest;pwd="></OBJECT>

-Java applet
<APPLET CODE="com.ms.xml.dso.XMLDSO.class" ID="xmldso" WIDTH="0" HEIGHT="0" MAYSCRIPT="true"><PARAM NAME="URL" VALUE="http://"></APPLET>

-JavaScript
location="//cool.com";
new Image().src="//other.com"

-Inside embedded content
<embed src="redir.swf">
//flash, silverlight, java, acrobat, quicktime, etc..

Innocuous filetypes that support requests:
* .url Shortcut to webpage
* .swf Shockwave flash application
* .wmf Windows Meta File
* .htm HTML/HTM/XHTM/XML
* .mov Quicktime Movie
* .mpg Microsoft Portable Graphics (MPEG)
* .pdf Acrobat PDF reader

Dangerous extensions:
* .hta HTML Application
* .inf Info file (autorun.inf)
* .bat BATCH file
* .exe Executable file
* .com COM 16-bit executable file



Edited 4 time(s). Last edit at 06/29/2009 08:45PM by sirdarckcat.

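Added example, not part of the original thread: a defender-side audit that parses user-supplied or sanitized HTML and lists every URL that the markup vectors in the post above (src-style attributes, background, object data, param values, meta refresh, CSS url()) would make a browser request on load. The class and function names and the sample input are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)

class AutoRequestAudit(HTMLParser):
    """Collect (vector, url) pairs for markup a browser fetches or follows on load."""
    def __init__(self):
        super().__init__()
        self.found, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self._in_style = tag == "style"
        for name, value in a.items():
            # "src and *src" (dynsrc, lowsrc); over-reports data-src, acceptable for an audit
            if value and (name.endswith("src") or name == "background"
                          or (tag == "object" and name == "data")):
                self.found.append((f"{tag}[{name}]", value))
            elif name == "style":
                self.found += [(f"{tag}[style] url()", u) for u in CSS_URL.findall(value)]
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.found += [("meta refresh", u) for u in META_URL.findall(a.get("content", ""))]
        if tag == "param" and re.match(r"(https?:)?//", a.get("value", ""), re.I):
            self.found.append((f"param[{a.get('name', '')}]", a["value"]))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside a <style> element
            self.found += [("style url()", u) for u in CSS_URL.findall(data)]

def audit(html):
    parser = AutoRequestAudit()
    parser.feed(html)
    parser.close()
    return parser.found

# Constructed sample input using reserved .test domains; not taken from the thread.
SAMPLE = """
<style>div{background:url(http://css.example.test/a.png)}</style>
<meta http-equiv="refresh" content="0;URL=http://meta.example.test/">
<img src="http://img.example.test/x.gif">
<body background="//bg.example.test/b.gif">
<object data="http://obj.example.test/o"><param name="URL" value="http://param.example.test/"></object>
<p style="background:url('//inline.example.test/i.png')">hello</p>
<a href="http://link.example.test/">needs a click, so it is not reported</a>
"""

if __name__ == "__main__":
    for vector, url in audit(SAMPLE):
        print(f"{vector:22} {url}")
```

HTTP Location/Refresh headers, script-initiated requests and requests made from inside embedded plugin content are outside what a markup scan can see, so anything this audit reports is a lower bound.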
Re: How to get the client to perform a request?
Posted by: sirdarckcat
Date: June 29, 2009 08:47PM

It's very difficult, every 5 seconds a new way comes to my mind.. haha

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: How to get the client to perform a request?
Posted by: Anonymous User
Date: June 30, 2009 02:33AM

You can modify OpenSearch plugin update URIs and set the interval to 1 - then you have a CSRF pinging once an hour :)

Plus you can change the DTD spec URL - each time someone validates your site the request is being fired - but of course by the validation server... unless you use a Firefox extension for validating.

As sdc stated - there are gazillion++ ways to make the client fire requests.

Re: How to get the client to perform a request?
Posted by: PaPPy
Date: June 30, 2009 06:47AM

I typically create a folder called photo.jpg
then place my attack inside the index file
so it's accessible from http://evilsite.com/photo.jpg

and then use a hidden IFRAME in there

http://www.xssed.com/archive/author=PaPPy/
