
Attacks using external.menuArguments

24 Aug 2006
external.menuArguments is a very useful property, but it can also be used as a tool that helps an attacker quickly get information about your page and application.

New way to get all web page information

The idea: the core of this trick is that Internet Explorer has a little back door that lets you get all the information on a web page and change its content. The trick starts in the registry, at the key

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\

 

Under this key you can add a new item to the Internet Explorer context menu. For example, if you add this key

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\~~~~~~Get All Page Info~~~~

the new item appears in the Internet Explorer right-click menu.

 

The second part of the trick is described at the following link:

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/properties/menuarguments.asp

 

The menuArguments property gives you the ability to write VBScript and JavaScript that runs on the client. You have to know that menuArguments is part of the external object:

http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/external.asp

 

If you put all that together, you can write a script that is called from the menu and does whatever you want with the page. Here is an example that reads all cookie information, all form information and all elements in the forms, then saves it in a text file, C:\Information.txt

 

<script language=vbscript>
on error resume next
    ' external.menuArguments is the window of the page on which the menu was opened
    set EventElement = external.menuArguments.document
    FilesFolder = "C:\MyHacks\GrappedFiles"
    set t = createobject("SCRIPTING.FILESYSTEMOBJECT")
    if not t.FolderExists(FilesFolder) then t.CreateFolder(FilesFolder)
    ' One output file per page: title plus date and time, cleaned for use as a file name
    strFileName = FilesFolder & "\" & CleanString(EventElement.title & "___" & date & "_" & Time) & ".txt"
    set l = t.OpenTextFile(strFileName, 8, true) ' 8 = append, true = create if missing

    ' Page-level information: URL, title and cookies
    l.Write "/////////////////////////////// New Hacky ///////////////////////////////" & vbCrLf
    l.Write "Url is = " & EventElement.url & vbCrLf
    l.Write "Page Title is = " & EventElement.title & vbCrLf
    l.Write EventElement.cookie & vbCrLf & vbCrLf & vbCrLf

    ' Every form on the page, then every element inside each form
    for i = 0 to EventElement.forms.length - 1
        l.Write "_-_-_-_-_-_-_-_-_-_-_-_-_ Form infomration _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_" & vbCrLf
        l.Write " Form Name = " & EventElement.forms.item(i).Name & vbCrLf
        l.Write " Form Action = " & EventElement.forms.item(i).action & vbCrLf
        l.Write " Form Method = " & EventElement.forms.item(i).method & vbCrLf
        l.Write " Elements Count = " & EventElement.forms.item(i).elements.length & vbCrLf
        for ele = 0 to EventElement.forms.item(i).elements.length - 1
            l.Write "------------------------- Element infomration ------------------------------" & vbCrLf
            l.Write " Information for element number " & ele + 1 & vbCrLf
            l.Write " Elements Name = " & EventElement.forms.item(i).elements.item(ele).name & vbCrLf
            l.Write " Elements Value = " & EventElement.forms.item(i).elements.item(ele).value & vbCrLf
        next
    next

    l.Write vbCrLf & vbCrLf & vbCrLf
    l.Write "Thanks to GOD to give me power to learn and teach."
    l.Write "Pray for me to learn more to be able to learn you" & vbCrLf
    l.Write "الحمد لله , الهم أرزقنى علما نافع و رزقا واسع و شفاء من كل داء"
    l.Write vbCrLf & vbCrLf & vbCrLf
    l.close

Function CleanString(strTarget) ' this function will clear the unacceptable characters for file name
    strTarget = Replace(strTarget, """", "-")
    strTarget = Replace(strTarget, "'", "-")
    strTarget = Replace(strTarget, "\", "-")
    strTarget = Replace(strTarget, "/", "-")
    strTarget = Replace(strTarget, "|", "-")
    strTarget = Replace(strTarget, ">", "-")
    strTarget = Replace(strTarget, "<", "-")
    strTarget = Replace(strTarget, "*", "-")
    strTarget = Replace(strTarget, ":", "-")
    strTarget = Replace(strTarget, "?", "-")
    CleanString = strTarget
End Function

' Tell the user, in the context of the page, where the data was written
external.menuArguments.window.alert("All data are in the file " & vbcrlf & vbcrlf & strFileName)
</script>

 

As you can see, this is a simple VBScript file that depends 100% on external.menuArguments. It collects the data you want, then saves it to a TXT file.

 

In the upcoming part of this series I will give some tips on how to change the main document and do whatever you want with it, which helps a lot in some attacks, and I will explain how to protect web pages against these attacks. Before closing, here are the steps to install this script and test it.

 

Step 1: Copy the file HackingScript.htm to any folder and note the file path.

Step 2: Open "regedit" from Run and navigate to the key

 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\

Step 3: Add a new key with the name "~~~~~~~~~Get All Page information~~~~~~~~".

Step 4: Change the key's default value to the path of HackingScript.htm from the first step.

Step 5: Open Internet Explorer, right-click on a page and click the new menu item.

Step 6: You will find the file C:\Information.txt containing all the information of the page.
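
To check a machine for menu entries installed the way the steps above describe, the following PowerShell lists every MenuExt item for the current user together with its target script, file hash and modification time. It is an added example, not part of the original article or its download; the function name Get-MenuExtEntry, the NeedsReview heuristic and the list of file extensions are assumptions made for illustration.

```powershell
# Added example (not from the article): list IE context-menu extensions for the
# current user. Subkey name = menu caption; default value = the script IE loads
# with external.menuArguments set to the window of the page that was right-clicked.
$MenuExtPath = 'HKCU:\Software\Microsoft\Internet Explorer\MenuExt'

function Get-MenuExtEntry {
    param([string]$Path = $MenuExtPath)

    if (-not (Test-Path -LiteralPath $Path)) { return }   # no extensions registered

    foreach ($key in Get-ChildItem -LiteralPath $Path) {
        $target = [string]$key.GetValue('')               # '' reads the default value
        $file = $null; $hash = $null; $modified = $null

        # Anything that is not a res:// or http(s):// URL is treated as a local file.
        if ($target -and $target -notmatch '^(res|https?)://') {
            $file = [Environment]::ExpandEnvironmentVariables(($target -replace '^file:/+', ''))
            if (Test-Path -LiteralPath $file -PathType Leaf) {
                $hash     = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                $modified = (Get-Item -LiteralPath $file).LastWriteTime
            }
        }

        [pscustomobject]@{
            Caption      = $key.PSChildName
            Target       = $target
            Contexts     = $key.GetValue('Contexts')      # optional bitmask, may be empty
            LocalFile    = $file
            SHA256       = $hash
            LastModified = $modified
            # Loose script/HTML files are the case the article describes: review them.
            NeedsReview  = [bool]($file -match '\.(html?|js|vbs|hta)$')
        }
    }
}

Get-MenuExtEntry | Sort-Object NeedsReview -Descending | Format-List
```

Entries flagged NeedsReview are not necessarily malicious; compare the caption, path and hash against the add-ons you expect to be installed.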

 

I hope you like the article. Wait for the next part, which will cover how to use this technique in attacks such as "Page Simulation" and "Session Hijacking". In the next part I will also explain how to protect your application against these attacks. Have a nice article ;)

 

Thanks for your time

 

 

Two files are attached to the article:

HackingScript.rar: contains the HTML file and the registry file, which contain everything in the article

HackingScript.exe: an SFX file which can be installed directly to C:\ and adds the menu to IE

 

There is one thing I want to mention. Some people ask what is going to happen if they use this script: "it will get MY DATA". I just want to say that this script is able to modify things that can't be done without this trick. Try to use your imagination and guess what you can do with that. I will write more on this topic, because it will be really harmful :) I will explain later how to protect your web site from such things.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.