
Saturday, 4 April 2020

What is PasteJacking, how does it work, and how do you prevent it?



So today we will learn about a special exploit technique named Paste-Jacking, which can take control of the clipboard and run any kind of malicious code in a terminal or Windows command prompt on your system or computer, and we will see how it works and how to prevent it.


Paste-Jacking


Paste-jacking is a method that malicious websites use to gain control of the clipboard on your computer and replace its content with malicious content without your knowledge. Clipboard hijacking is an exploit in which a person's clipboard content is replaced by malicious data, such as a link to a malicious website, malicious code or commands.


So, I have decided that we will do the paste-jacking exploit via JavaScript. You can also do it through the Metasploit Framework, but a lot of the Metasploit modules for it have been fixed, which is why we will use JavaScript.


Why is Pastejacking dangerous?


Suppose you copy content from a certain web page and paste it into Microsoft Word. When you press Ctrl + C or Ctrl + V, the website "assigns" some commands to your clipboard that create and execute macros.

More dangerous is when you paste the content directly into a console like PowerShell or Command Prompt. Mac users have a security option if they use iTerm.

iTerm is a terminal emulator that lets Mac users replace the default console. When using iTerm, it asks users whether they really want to paste content that contains a 'newline' character. Users can choose Yes or No, depending on what they are doing.

The newline character is really just half of the Enter key. The Enter key is usually drawn as a bent left arrow, and pressing it is a combination of the newline character (move to the next line) and the return character.

When you press the Enter key, whatever command is on the console line is executed. Whether you are asked for confirmation first depends on the console.

The Command Prompt window will not ask for confirmation for most commands; it only asks for confirmation when you use the DEL command or the FORMAT command. For commands like RENAME, etc., the Command Prompt will not ask for confirmation.

In any case, if the site replaces the commands on the clipboard with an Enter key appended (\n\r, where \n is newline and \r is return), the console or any application can run the commands directly. If these commands are dangerous, they can 'destroy' your computer and network.


How To Make a Paste-Jacking tool via JavaScript


We are building a website here whose server will be hosted on our localhost system (127.0.0.1); it is a PHP website that uses HTML, CSS and JavaScript.


website code provided here :-  code 








And we will save this file with the name pastejacking.php







After this we will open the terminal in the same directory in which we saved the file and start the PHP server.




Type " php -S 127.0.0.1:80 pastejacking.php " in the terminal (without the quotes) and hit Enter.





Then copy the URL http://127.0.0.1:80





How Does It Work?

Copy the URL and paste it into the browser :- it looks like this ...



Then copy a command from the page, like apt-get update, apt list --upgradable or apt-get upgrade,

and paste it into the terminal, any editor or anywhere else.

After copying and pasting the command, you will see that a lot of extra text with a URL has been copied along with the command.





So here we have shown you the way paste-jacking works via JavaScript; you can apply your own technique and ideas with a lot of other malicious code, and you can also do it via Metasploit.


How To Prevent It?

If you're using Mac OS X, you can use the iTerm emulator to keep your device in a safe state. iTerm will prompt and notify you in case of pastejacking.

Windows users must check what websites have put on the clipboard on their computer. To do this, first paste the content into Notepad. Notepad only allows users to paste the clipboard as plain text, so you can see everything on the clipboard. If you see only what you copied, you can paste that content anywhere you want. This means you have to take one more step, but in return you avoid being pastejacked. Note that using Word to check the clipboard can be dangerous because that program uses macros.

And of course, if you paste the copied content into Notepad and cannot see any format, font or style, this means the content you pasted is in plain text format.

With images, it is best to right-click on the image you want to download or copy and then select Save As; it is safer than copying.
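The same check that iTerm does for the newline character, and that the Notepad trick does by hand on Windows, can be scripted for a Linux or macOS terminal. The script below is an added example and is not part of this post or its video; it assumes the clipboard is read with xclip (Linux) or pbpaste (macOS), and the sample inputs at the bottom are constructed, not real clipboard contents. It refuses any text that contains a newline, carriage return, tab, escape character or non-ASCII byte, and dumps the bytes with od -c so the hidden \n\r from the section above becomes visible.

```shell
#!/bin/sh
# safe_paste.sh - inspect clipboard text before it reaches an interactive shell.
# Usage (assumed clipboard tools):
#   xclip -selection clipboard -o | sh safe_paste.sh     # Linux
#   pbpaste | sh safe_paste.sh                            # macOS

# Return 0 when the text is a single line of printable ASCII, 1 otherwise.
# In the C locale [:print:] is only printable ASCII, so newline and carriage
# return (the hidden Enter that pastejacking relies on), tab, ESC (terminal
# escape sequences) and multi-byte characters such as zero-width spaces are
# all deleted by tr and counted by wc.
clipboard_is_safe() {
    hidden=$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:]' | wc -c | tr -d ' ')
    [ "$hidden" -eq 0 ]
}

# Print every byte of the text so hidden characters become visible as \n, \r, \t, 033 ...
show_hidden() {
    printf '%s' "$1" | od -c
}

# Read the clipboard text from stdin and only forward it when it is clean.
# The trailing "x" sentinel keeps trailing newlines, which $(...) would
# otherwise strip - and a trailing newline is exactly what we must catch.
safe_paste() {
    text=$(cat; printf x)
    text=${text%x}
    if clipboard_is_safe "$text"; then
        printf '%s' "$text"
        return 0
    fi
    echo 'REFUSED: clipboard contains hidden characters:' >&2
    show_hidden "$text" >&2
    return 1
}

# Demo on constructed inputs: a clean command, then the same command with a
# hidden second line and Enter appended, the way a pastejacking page would.
if printf 'apt-get update' | safe_paste; then echo; fi
if printf 'apt-get update\necho injected #\n' | safe_paste; then echo; fi
```

Run it in place of a raw paste: the clean command is printed unchanged, while the tampered one is rejected and its od -c dump shows the \n that would have executed it. Only single-line commands pass; if you legitimately copy a multi-line script, review the dump first and paste it into an editor rather than a shell.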



I hope you liked this post; if so, don't forget to share it.
Thank you so much :-)

Disclaimer

This was written for educational purposes and pentesting only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



- Hacking Truth by Kumar Atul Jaiswal


Video Tutorial :-








Myself, Kumar Atul Jaiswal, alias HackerboY. Kumar Atul Jaiswal is a name among millions who struggled, failed and surged ahead in search of how to become a hacker (passionate about hacking just like a professional entrepreneur); just like any middle class guy, he too had a bunch of unclear dreams and a blurred version of his goals in life 😊.
