Loading jscript into img tag
spyware wrote: Actually, there is a way.
http://spysballoon.ath.cx/hack
Open error_image.html
What is http://spysballoon.ath.cx/hack/loader.php for?
BlaX wrote: What is http://spysballoon.ath.cx/hack/loader.php for?
I didn't want to bother writing RegEx so I used a loader. You can execute code without it if you use RegEx and add a <script> tag to the page.
system_meltdown wrote: … unless you can use JavaScript's createElement method via the img tag also.
You can. IE6 (and possibly IE7) dislikes it when you do anything DOM-related inside the body of the doc, but no one with any sense uses that browser anymore.
Most importantly, though, you could just skip the whole iframe bit and just use DOM functions to add a script tag with the src of the external script.
Couldn't you just point to a local js function that imports an external one?
something like:
<script type="text/javascript">
    // Append a <script> element pointing at an external file, using DOM calls only
    function importScript(url){
        var tag = document.createElement("script");
        tag.type = "text/javascript";
        tag.src = url;
        document.body.appendChild(tag);
    }
    window.onload = function(){
        // imports go here
        importScript("foo.js"); // example
    };
</script>
Also, correct me if I'm wrong, but if there's an XSS you can use the script tag to create variables, thus if you inject:
<script type="text/javascript">
    var doc = document.open("text/html", "replace");
    var txt = "<html><body><script src='source here'></script></body></html>";
    doc.write(txt);
    doc.close();
</script>
Edit: Sorry, scratch that, that closes the first script tag... but perhaps there's a way to get around that? Anyway it was just an idea.
elmiguel wrote: Couldn't you just point to a local js function that imports an external one?
something like: <snip>
Obviously, loading a local js file containing a helper function would be great. Then, of course, there wouldn't be a need for an external script… especially not in the onerror event of an image.
… but this is clearly an XSS question, so no local access.
SaMTHG wrote: I'm wrong but if there's an XSS you can use the script tag to create variables, thus if you inject:
<snip>
Edit: Sorry, scratch that, that closes the first script tag... but perhaps there's a way to get around that?
document.write is really a dinosaur nowadays. I can't think of a single reason why anyone should be using it.
The (better) alternative is using DOM functions or, at the very least, hacking something together with document.getElementById / getElementsByName / getElementsByTagName and some lazy innerHTML implementation. In the case of inserting the script tag, you pretty much have to stick to DOM functions. The loader a couple posts up illustrates the concept pretty well.
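Since the whole thread turns on untrusted markup reaching the page with an event handler or a script element intact, here is the defender's side of it: a small allowlist filter for HTML fragments that drops script/style/iframe/object elements together with their content, strips every inline handler (onerror, onload and friends), and rejects javascript: and other non-http(s) URLs in src/href. This is an added teaching example, not code from the thread or from any library; the tag and attribute allowlists are my own choices, and the regex tokenizer is deliberately simple (a production site should use a parser-based sanitizer and a Content-Security-Policy that forbids inline script). It also handles the malformed `<script src='...'</script>` case from earlier in the thread by discarding the unterminated element rather than letting it through.

```javascript
// Added example (not from the thread): allowlist filter for untrusted HTML fragments.
// Assumptions: the allowlists below are illustrative; adjust them per application.

const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "img", "ul", "ol", "li"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt", "width", "height"] };
// Elements whose entire content must be dropped, not just the tag itself.
const DROP_CONTENT = new Set(["script", "style", "iframe", "object"]);

// One tag: optional "/", name, raw attribute text, optional self-closing "/".
const TAG_RE = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*(\/?)\s*>/g;
// One attribute: name and an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  // Only angle brackets need neutralising here; existing entities are left alone.
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function safeUrl(value) {
  // Strip control characters and whitespace that browsers ignore ("java\tscript:"),
  // then allow only relative URLs and a short list of schemes.
  const v = value.replace(/[\x00-\x20]/g, "").toLowerCase();
  const scheme = v.match(/^([a-z][a-z0-9+.-]*):/);
  if (!scheme) return true; // relative URL
  return ["http", "https", "mailto"].includes(scheme[1]);
}

function filterAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  const kept = [];
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (name.startsWith("on")) continue;       // every inline event handler goes
    if (!allowed.includes(name)) continue;     // anything not explicitly allowed goes
    if ((name === "href" || name === "src") && !safeUrl(value)) continue;
    kept.push(`${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return kept.length ? " " + kept.join(" ") : "";
}

function sanitizeHtml(input) {
  let out = "";
  let last = 0;
  let skipping = null; // name of a DROP_CONTENT element whose body is being discarded
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(input)) !== null) {
    const [whole, closing, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();
    if (!skipping) out += escapeText(input.slice(last, m.index)); // text between tags
    last = m.index + whole.length;
    if (skipping) {
      if (closing && name === skipping) skipping = null;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) {
      if (!closing && !selfClose && DROP_CONTENT.has(name)) skipping = name;
      continue; // disallowed tag is dropped either way
    }
    out += closing
      ? `</${name}>`
      : `<${name}${filterAttrs(name, rawAttrs)}${selfClose ? " /" : ""}>`;
  }
  // Trailing text is kept only if we are not inside an unterminated dropped element.
  if (!skipping) out += escapeText(input.slice(last));
  return out;
}

module.exports = { sanitizeHtml, safeUrl, filterAttrs };
```

Note that a tag with no closing `>` (such as an `<img` whose handler attribute was cut off by a length limit) never matches the tag pattern and is emitted as escaped text, which is the safe failure mode. Pair this with a CSP such as `script-src 'self'` so that even a handler that slips past the filter has nowhere to run.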