一个不错的IE漏洞查找（HTML源码）

雪风

1. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
   
2. <!-- saved from url=(0060)http://metasploit.com/users/hdm/tools/domhanoi/domhanoi.html -->
   
3. <HTML><HEAD><TITLE>DOM-Hanoi v0.2</TITLE>
   
4. <META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
   
5. <SCRIPT>
   
6. /*
   
7. ---===[ DOM-Hanoi v0.2
   
8. 
   
9. H D Moore :: hdm[at]metasploit.com
   
10. Aviv Raff :: avivra[at]gmail.com
    
11. 
    
12. (c) 2006 All rights reserved.
    
13. 
    
14. ]===---
    
15. */
    
16. var ctrls = new Array(
    
17. "a",
    
18. "abbr",
    
19. "acronym",
    
20. "address",
    
21. //"applet",
    
22. "area",
    
23. "b",
    
24. "base",
    
25. "basefont",
    
26. "bdo",
    
27. "bgsound",
    
28. "big",
    
29. "blink",
    
30. "blockquote",
    
31. "br",
    
32. "button",
    
33. "caption",
    
34. "center",
    
35. "cite",
    
36. "code",
    
37. "col",
    
38. "colgroup",
    
39. "comment",
    
40. // "custom", use XMLNS ?
    
41. "dd",
    
42. "del",
    
43. "dfn",
    
44. "dir",
    
45. "div",
    
46. "dl",
    
47. "dt",
    
48. "em",
    
49. "embed",
    
50. "fieldset",
    
51. "font",
    
52. "form",
    
53. "frame",
    
54. "frameset",
    
55. "head",
    
56. "h1",
    
57. "h2",
    
58. "h3",
    
59. "h4",
    
60. "h5",
    
61. "h6",
    
62. "hr",
    
63. "html",
    
64. "i",
    
65. "iframe",
    
66. "img",
    
67. 
    
68. "input",
    
69. /* "input type='button'",
    
70. "input type='checkbox'",
    
71. "input type='hidden'",
    
72. "input type='image'",
    
73. "input type='password'",
    
74. "input type='radio'",
    
75. "input type='reset'",
    
76. "input type='submit'",
    
77. "input type='text'",
    
78. */
    
79. "ins",
    
80. "isindex",
    
81. "kbd",
    
82. "label",
    
83. "legend",
    
84. "li",
    
85. "link",
    
86. "listing",
    
87. "map",
    
88. "marquee",
    
89. "menu",
    
90. "meta",
    
91. "nobr",
    
92. "noframes",
    
93. "noscript",
    
94. "object",
    
95. "ol",
    
96. "optgroup",
    
97. "option",
    
98. "p",
    
99. "param",
    
100. "plainText",
     
101. "pre",
     
102. "q",
     
103. "rt",
     
104. "ruby",
     
105. "s",
     
106. "samp",
     
107. "script",
     
108. "select",
     
109. "small",
     
110. "span",
     
111. "strike",
     
112. "strong",
     
113. "style",
     
114. "sub",
     
115. "sup",
     
116. "table",
     
117. "tbody",
     
118. "td",
     
119. "textarea",
     
120. "tfoot",
     
121. "th",
     
122. "thead",
     
123. "title",
     
124. "tr",
     
125. "tt",
     
126. "u",
     
127. "ul",
     
128. "var",
     
129. "wbr",
     
130. "xml",
     
131. "xmp"
     
132. )
     
133. 
     
134. var maxLevel=0;
     
135. var removeElement=false;
     
136. 
     
137. function appendAllTags(obj, level, top) {
     
138. for (var i in ctrls) {
     
139. try {
     
140. var t=document.createElement(ctrls);
     
141. var newTop=top+" - "+ctrls;
     
142. updateStatus("Adding "+newTop);
     
143. if (level<maxLevel) {
     
144. //window.setTimeout(function () { appendAllTags(t, level+1, newTop);obj.appendChild(t);if (removeElement) obj.removeChild(t);}, 15);
     
145. appendAllTags(t, level+1, newTop);
     
146. }
     
147. obj.appendChild(t);
     
148. if (removeElement) {
     
149. obj.removeChild(t);
     
150. }
     
151. }
     
152. catch (e) { }
     
153. }
     
154. }
     
155. 
     
156. function go() {
     
157. var cbxRC=document.getElementById("cbxRC");
     
158. removeElement=cbxRC.checked;
     
159. var maxLevelCont=document.getElementById("maxLevel");
     
160. maxLevel=parseInt(maxLevelCont.value);
     
161. var dcont=document.getElementById("dcont");
     
162. //window.setTimeout(function () { appendAllTags(dcont, 0, ""); }, 15);
     
163. appendAllTags(dcont, 0, "");
     
164. }
     
165. 
     
166. function updateStatus(status) {
     
167. var dStatus=document.getElementById("dStatus");
     
168. dStatus.innerText="Status: "+status;
     
169. window.status=status;
     
170. }
     
171. </SCRIPT>
     
172. 
     
173. <META content="MSHTML 6.00.2800.1555" name=GENERATOR></HEAD>
     
174. <BODY>
     
175. <H3>Welcome to <A
     
176. href="http://metasploit.com/users/hdm/tools/domhanoi/">DOM-Hanoi</A>.</H3>
     
177. <DIV>DOM-Hanoi is a community-developed utility for verifying browser integrity,
     
178. written by H D Moore and Aviv Raff.<BR>DOM-Hanoi will look for common DHTML
     
179. implementation flaws by adding/removing DOM elements, in a similar way to the
     
180. known <A href="http://en.wikipedia.org/wiki/Tower_of_Hanoi" target=_blank>Tower
     
181. of Hanoi</A> game.<BR>This utility may cause the browser to "freeze" for a long
     
182. period of time, this is OK, and interrupting the process will prevent all the
     
183. tests from completing. Some browsers will raise a warning if a script is taking
     
184. too long to execute - you will need to click "No, do not abort" or the
     
185. equivalent to allow all tests to complete. <BR></DIV><BR>Maximum recursion
     
186. level: <INPUT id=maxLevel value=3><BR><INPUT id=cbxRC type=checkbox
     
187. CHECKED><LABEL for=cbxRC>Remove element after append</LABEL><BR><BR><INPUT onclick=go() type=button value="Start Testing"><BR>
     
188. <DIV id=dStatus></DIV>
     
189. <DIV id=dcont style="VISIBILITY: hidden"></DIV></BODY></HTML>
     

复制代码

ansinjay

······好久没看见雪风哥发贴了，难得呀，我在论坛找雪风大哥以前的教程，好多都是以前博客去下载的，但那个博客似乎不存在了，所以我求雪风哥以前发布过的教程，比如修改鸽子那个14课，我在论坛里面找了好久才找到了6课，是只出了6课还是什么原因我不清楚，还有就是那个修改鸽子为专用上线教程，我不想自己的DAT被别人拿去乱用，你的那个博客我去了，但好像已经不存在，打不开了，哪么多经典的教程就那样付之东流了，好可惜，所以在这里，我求雪风大哥以前发布过的所有教程，只要是你出的，不管什么，我都要，希望雪风大哥给个下载地址谢谢，黑狼和雪风我是永远支持的@！！！！！我的邮箱：kofzjf@tom.com

ayatanhk

是保存一个页面，然后在空间上运行的吗？

frman

感觉不错来看下