Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
How to get the client to perform a request?
Posted by: hkm
Date: June 28, 2009 12:53PM

Hello, I was wondering how many ways are there to get the client to perform a GET/POST request.

By visiting a webpage:

-HTML tags with attributes src and *src

<img src=http://lala.com/>
<embed src=//site.com>
<bgsound src="//slackers">
-Meta refresh

<meta http-equiv="refresh" content="0;URL=http://www.site.com/"/>
-CSS's url()

-Other HTML tags calling for images

<body background="">
-HTTP Redirects

Location: //newsite.com
Refresh: 0;URL=//newsite.com

-Params in Objects

<OBJECT classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E33" ID=dsoComposer HEIGHT=0 WIDTH=0><PARAM NAME="Server" VALUE="http://"><PARAM NAME="Connect" VALUE="dsn=music;uid=guest;pwd="></OBJECT>
-java applet

<APPLET CODE="com.ms.xml.dso.XMLDSO.class" ID="xmldso" WIDTH="0" HEIGHT="0" MAYSCRIPT="true"><PARAM NAME="URL" VALUE="http://"></APPLET>

new Image().src="//other.com"
-Inside embedded content

<embed src="redir.swf">
//flash, silverlight, java, acrobat, quicktime, etc..

Innocuous filetypes that support requests:
* .url Shortcut to webpage
* .swf Shockwave flash application
* .wmf Windows Meta File
* .mov Quicktime Movie
* .mpg Microsoft Portable Graphics (MPEG)
* .pdf Acrobat PDF reader

Dangerous extensions:
* .hta HTML Application
* .inf Info file (autorun.inf)
* .bat BATCH file
* .exe Executable file
* .com COM 16-bit executable file

Edited 4 time(s). Last edit at 06/29/2009 08:45PM by sirdarckcat.
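The vectors listed in the post above, as an added example that is not part of the original thread: a small Node.js scanner that walks an HTML document and reports every construct from that list which makes the browser fire a request on its own (src/*src-style attributes, body background, meta refresh, CSS url(), URL-valued object/applet params, and script assignments to .src). The sample document is constructed for this example and the hostnames in it (other.example, css.example) are placeholders. It is regex based rather than a full HTML parser, so treat it as a review aid for spotting request sinks, not as a sanitizer.

```javascript
// Added example: enumerate request-triggering constructs in an HTML document.
// Not from the original post; regex scanning, not a full HTML parser.

// Attributes whose value the browser fetches with no user interaction.
// (code/archive cover <applet>; data covers <object>; poster covers <video>.)
const FETCH_ATTR = /\b(src|lowsrc|dynsrc|background|data|poster|code|archive)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

function unquote(v) {
  return v.replace(/^(['"])([\s\S]*)\1$/, '$2').trim();
}

function extractRequestTriggers(html) {
  const hits = [];
  const tagRe = /<([a-z][\w-]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];

    // 1. src, *src, background, data, poster, code, archive on any element
    const attrRe = new RegExp(FETCH_ATTR.source, 'gi');
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const url = unquote(a[2]);
      if (url) hits.push({ vector: 'attribute', element: tag, attr: a[1].toLowerCase(), url });
    }

    // 2. <meta http-equiv="refresh" content="0;URL=...">
    if (tag === 'meta' && /http-equiv\s*=\s*["']?refresh/i.test(attrs)) {
      const c = /content\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i.exec(attrs);
      const u = c && /url\s*=\s*(.+)$/i.exec(unquote(c[1]));
      if (u) hits.push({ vector: 'meta-refresh', element: tag, attr: 'content', url: unquote(u[1]) });
    }

    // 3. <param value="http://..."> inside <object>/<applet>; only URL-looking values
    if (tag === 'param') {
      const v = /\bvalue\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i.exec(attrs);
      if (v && /^(https?:|\/\/)/i.test(unquote(v[1]))) {
        hits.push({ vector: 'param', element: tag, attr: 'value', url: unquote(v[1]) });
      }
    }
  }

  // 4. CSS url() anywhere: style attributes and <style> blocks
  const cssRe = /url\(\s*(["']?)([^"')]+)\1\s*\)/gi;
  while ((m = cssRe.exec(html)) !== null) {
    hits.push({ vector: 'css-url', element: 'style', attr: 'url()', url: m[2].trim() });
  }

  // 5. script-driven: new Image().src = "..." (any .src assignment of a literal)
  const jsRe = /\.src\s*=\s*(["'])([^"']+)\1/g;
  while ((m = jsRe.exec(html)) !== null) {
    hits.push({ vector: 'script', element: 'script', attr: '.src', url: m[2] });
  }
  return hits;
}

// Count hits per vector, handy for a quick triage summary.
function summarize(hits) {
  return hits.reduce((acc, h) => { acc[h.vector] = (acc[h.vector] || 0) + 1; return acc; }, {});
}

// Constructed sample page mixing the vectors from the post (placeholder hosts).
const SAMPLE_HTML = `
<html><head>
<meta http-equiv="refresh" content="0;URL=http://www.site.com/">
<style>body { background: url("http://css.example/bg.png"); }</style>
</head>
<body background="bg.gif">
<img src=http://lala.com/>
<embed src="redir.swf">
<bgsound src="//slackers">
<div data-id="1" style="background-image:url(/img/x.png)"></div>
<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E33" height=0 width=0>
  <param name="Server" value="http://other.example/">
  <param name="Connect" value="dsn=music;uid=guest;pwd=">
</object>
<script>new Image().src="//other.com";</script>
</body></html>`;

const found = extractRequestTriggers(SAMPLE_HTML);
console.log(JSON.stringify(summarize(found)));
for (const h of found) console.log(`${h.vector.padEnd(12)} <${h.element} ${h.attr}> ${h.url}`);
```

Every hit is a URL the page will request without any click, so in a review this is the list to check for CSRF-style targets and for protocol-relative `//host` forms that follow the page's own scheme. Note that the `data-id` attribute and the non-URL `Connect` param are deliberately not reported: `data-*` is not the `<object data>` attribute, and param values only count when they look like a URL.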

Re: How to get the client to perform a request?
Posted by: sirdarckcat
Date: June 29, 2009 08:47PM

It's very difficult, every 5 seconds a new way comes to my mind.. haha

http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: How to get the client to perform a request?
Posted by: Anonymous User
Date: June 30, 2009 02:33AM

You can modify opensearch plugin update URIs and set the interval to 1 - then you have a CSRF pinging once an hour :)

Plus you can change the DTD spec URL - each time someone validates your site the request is being fired - but of course by the validation server... unless you use a firefox extension for validating.

As sdc stated - there are gazillion++ ways to make the client fire requests.

Re: How to get the client to perform a request?
Posted by: PaPPy
Date: June 30, 2009 06:47AM

I typically create a folder called photo.jpg
then place my attack inside the index file
so it's accessible from http://evilsite.com/photo.jpg

and then use a hidden IFRAME in there

