hi Big George,

Microsoft has worked long and hard in an attempt to
prevent just the sort of thing you are attempting to do.

You might be successful if you can find a way of
disabling or eliminating all the security restrictions
that ms has put in place to avoid a server from messing
with client files -- but maybe not event then.

If you _DO_ find a way to upload files from a client,
(that is, without the client initiating the transfer)
then most likely ms will want to hire you as a security
consultant (for a large consulting fee), just so that
they can close the hole that you discover.

Yes, yes, I know that new "back doors" are found and
posted every day on the "hacker" sites, but ms (and
Mozilla too for that matter) are reading those same
hacker sites, and attempting to close the holes as
fast as they are found...

cheers, jw

That code won't run because the WScript object is not available to the
browser. It is possible, however, to create both a File System Object
and a Shell without it. Just drop the WScript prefix:

set oFSO=CreateObject("Scripting.FileSystemObject")
set oShell=CreateObject("WScript.Shell")

If browser security is sufficiently loose, you can read/write/execute to
your heart's desire. You don't want to do this for your general Internet
zone!

Doesn't take much to make a JavaScript implementation of simple LZW compression work in JScript. Javascript client side compression and decompression is possible, http://www.whak.ca/packer/JavaScript.htm is a tool that creates offline decompression packages packed in HTML (self extracting and executing), the tool does the compression client side too, no server intervention and bypasses security stuff if all done in HTML instead of ASP.

My LZ77 JavaScript converted to JScript (better than LZW):


import System;import System.IO;var args:String[] = System.Environment.GetCommandLineArgs();var filename:String=args[1];var filesave:String=filename+".LZMA.js";var fso=new ActiveXObject("Scripting.FileSystemObject");var ForReading=1;var f1=fso.OpenTextFile(filename, ForReading);var datas:String=www_WHAK_com(f1.ReadAll());f1.close();var fh = fso.CreateTextFile(filesave,true);fh.Write(datas);fh.Close();
function myIndexOf(a,b){var c,d,e=a.length,f=b.length;for(c=0;e>c;c++){for(d=0;f>d&&a[c+d]==b[d];d++);if(d==f)return c}return-1}

function www_WHAK_com(a){var c,_,e,f;var d,b="eval",c={_:"WHAK+com/PaCker=BDEFGIJLMNOQRSTUVXYZbdfghijlnpqstuvwxyz0123456789",_f:String.fromCharCode,pak:function(r){if(null==r)return"";var e,t,o,a,h,f,n,l="",A=0;for(r=c.compress(r);A<2*r.length;)0==A%2?(e=r.charCodeAt(A/2)>>8,t=255&r.charCodeAt(A/2),o=A/2+1<r.length?r.charCodeAt(A/2+1)>>8:0/0):(e=255&r.charCodeAt((A-1)/2),(A+1)/2<r.length?(t=r.charCodeAt((A+1)/2)>>8,o=255&r.charCodeAt((A+1)/2)):t=o=0/0),A+=3,a=e>>2,h=(3&e)<<4|t>>4,f=(15&t)<<2|o>>6,n=63&o,isNaN(t)?f=n=64:isNaN(o)&&(n=64),l=l+c._.charAt(a)+c._.charAt(h)+c._.charAt(f)+c._.charAt(n);return l},com:function(r){if(null==r)return"";var e,t,o,a,h,f,n="",l=0,A=0,p=c._f;for(r=r.replace(/[^A-Za-z0-9\+\/\=]/g,"");A<r.length;)t=c.myIndexOf(_,r.charAt(A++)),o=c.myIndexOf(_,r.charAt(A++)),h=c.myIndexOf(_,r.charAt(A++)),f=c.myIndexOf(_,r.charAt(A++)),t=t<<2|o>>4,o=(15&o)<<4|h>>2,a=(3&h)<<6|f,0==l%2?(e=t<<8,64!=h&&(n+=p(e|o)),64!=f&&(e=a<<8)):(n+=p(e|t),64!=h&&(e=o<<8),64!=f&&(n+=p(e|a))),l+=3;return c.decompress(n)},compress:function(r){if(null==r)return"";for(var e,t,o={},a={},h="",f="",n="",l=2,A=3,p=2,d="",i=0,s=0,u=c._f,C=0;C<r.length;C+=1)if(h=r.charAt(C),Object.prototype.hasOwnProperty.call(o,h)||(o[h]=A++,a[h]=!0),f=n+h,Object.prototype.hasOwnProperty.call(o,f))n=f;else{if(Object.prototype.hasOwnProperty.call(a,n)){if(256>n.charCodeAt(0)){for(e=0;p>e;e++)i<<=1,15==s?(s=0,d+=u(i),i=0):s++;for(t=n.charCodeAt(0),e=0;8>e;e++)i=i<<1|1&t,15==s?(s=0,d+=u(i),i=0):s++,t>>=1}else{for(t=1,e=0;p>e;e++)i=i<<1|t,15==s?(s=0,d+=u(i),i=0):s++,t=0;for(t=n.charCodeAt(0),e=0;16>e;e++)i=i<<1|1&t,15==s?(s=0,d+=u(i),i=0):s++,t>>=1}l--,0==l&&(l=Math.pow(2,p),p++),delete a[n]}else for(t=o[n],e=0;p>e;e++)i=i<<1|1&t,15==s?(s=0,d+=u(i),i=0):s++,t>>=1;l--,0==l&&(l=Math.pow(2,p),p++),o[f]=A++,n=h+""}if(""!==n){if(Object.prototype.hasOwnProperty.call(a,n)){if(256>n.charCodeAt(0)){for(e=0;p>e;e++)i<<=1,15==s?(s=0,d+=u(i),i=0):s++;for(t=n.charCodeAt(0),e=0;8>e;e++)i=i<<1|1&t,15==s?(s=0,d+=u(i),i=0):s++,t>>=1}else{for(t=1,e=0;p>e;e++)i=i<<1|t,15==s?(s=0,d+=u(i),i=0):s++,t=0;for(t=n.charCodeAt(0),e=0;16>e;e++)i=i<<1|1&t,15==s?(s=0,d+=u(i),i=0):s++,t>>=1}l--,0==l&&(l=Math.pow(2,p),p++),delete a[n]}else for(t=o[n],e=0;p>e;e++)i=i<<1|1&t,15==s?(s=0,d+=u(i),i=0):s++,t>>=1;l--,0==l&&(Math.pow(2,p),p++)}for(t=2,e=0;p>e;e++)i=i<<1|1&t,15==s?(s=0,d+=u(i),i=0):s++,t>>=1;for(;;){if(i<<=1,15==s){d+=u(i);break}s++}return d},decompress:function(r){if(null==r)return"";if(""==r)return null;var e,t,o,a,h,f,n=[],l=4,A=4,p=3,d=t="",i=c._f,s=r.charCodeAt(0),u=32768,C=1;for(e=0;3>e;e+=1)n[e]=e;for(t=0,a=Math.pow(2,2),h=1;h!=a;)o=s&u,u>>=1,0==u&&(u=32768,s=r.charCodeAt(C++)),t|=(o>0?1:0)*h,h<<=1;switch(t){case 0:for(t=0,a=Math.pow(2,8),h=1;h!=a;)o=s&u,u>>=1,0==u&&(u=32768,s=r.charCodeAt(C++)),t|=(o>0?1:0)*h,h<<=1;f=i(t);break;case 1:for(t=0,a=Math.pow(2,16),h=1;h!=a;)o=s&u,u>>=1,0==u&&(u=32768,s=r.charCodeAt(C++)),t|=(o>0?1:0)*h,h<<=1;f=i(t);break;case 2:return""}for(e=d=n[3]=f;;){if(C>r.length)return"";for(t=0,a=Math.pow(2,p),h=1;h!=a;)o=s&u,u>>=1,0==u&&(u=32768,s=r.charCodeAt(C++)),t|=(o>0?1:0)*h,h<<=1;switch(f=t){case 0:for(t=0,a=Math.pow(2,8),h=1;h!=a;)o=s&u,u>>=1,0==u&&(u=32768,s=r.charCodeAt(C++)),t|=(o>0?1:0)*h,h<<=1;n[A++]=i(t),f=A-1,l--;break;case 1:for(t=0,a=Math.pow(2,16),h=1;h!=a;)o=s&u,u>>=1,0==u&&(u=32768,s=r.charCodeAt(C++)),t|=(o>0?1:0)*h,h<<=1;n[A++]=i(t),f=A-1,l--;break;case 2:return d}if(0==l&&(l=Math.pow(2,p),p++),n[f])t=n[f];else{if(f!==A)return null;t=e+e.charAt(0)}d+=t,n[A++]=e+t.charAt(0),l--,e=t,0==l&&(l=Math.pow(2,p),p++)}}};return a=c.pak(a),d='var W,H,A,K=\'var WHAK={_:"WHAK+com/PaCker=BDEFGIJLMNOQRSTUVXYZbdfghijlnpqstuvwxyz0123456789",_f:String.fromCharCode,***@var a,e,t,o,h,c,f="",n=0,i=0,d=WHAK._f;for(r=r.replace(/[^A-Za-z0-9+/=]/g,"");i<r.length;)e\\nt\\nh\\nc\\ne=e<<2|t>>4,t=(15&t)<<4|h>>2,o=(3&h)<<6|c,0==n%2?(a=e<<8,64!=h&&(f+=d(a|t)),64!=c&&(a=o<<8)):(f+=d(a|e),64!=h&&(a=t<<8),64!=c&&(f+=d(a|o))),n+=3;\\b WHAK.d(f)},***@if(""==r)\\b null;for(var a,e,t,o,h,c=[],f=4,n=4,i=3,d="",u="",A=WHAK._f,l=r.charCodeAt(0),w=32768,p=1,u=0;3>u;u+=1)c[u]=u;\\r2$switch(d){case 0:\\r8$h=A(d)\\f1:\\r16$h=A(d)\\f2:\\b""}for(a=u=c[3]=h;;){if(p>r.length)\\b"";\\ri$switch(h=d){case 0:\\r8~1:\\r16~2:\\b u}if(`,c[h])d=c[h];else{if(h!==n)\\b null;d=a+a.charAt(0)}u+=d,c[n++]=a+d.charAt(0),f--,a=d,`}}};$),o=1;o!=t;)e=l&w,w>>=1,0==w&&(w=32768,l=r.charCodeAt(p++)),d|=(e>0?1:0)*o,o<<=1;\\rfor(d=0,t=Math.pow(2,\\n=WHAK._.indexOf(r.charAt(i++)),\\breturn\\f;break;case @:function(r){if(null==r)\\b"";`0==f&&(f=Math.pow(2,i),i++)~$c[n++]=A(d),h=n-1,f--\\f\';for(A in H="~`@\\f\\b\\n\\r$")with(K.split(H[A]))K=join(pop());eval(K);'+b+"(WHAK.com('"+a+"'));",d}