Posted on Oct 15 Under normal circumstances, when we want to download a certain file from a website, we always need to actively click to initiate the download operation, which is taken for granted.However, have you ever encountered a scenario where opening a certain webpage automatically downloads a file without any clicks from you? It's scary, like an incredible black magic. But this is actually possible to achieve in reality, using JavaScript.Please refer to the following demo: When the page is opened, a vbs file is automatically downloaded in the background. When the downloaded file is clicked, the vbs script file is executed, and a "Hello" window is displayed.Because it is a VBS script, if you click on the file, it will be opened and executed:Select Open, and the script will be executed:As shown in the page source Code, this example only executes the command "msgbox("hello")". The source code of the automatically downloaded vbs file is as follows:The effect is incredible, but the source code is very simple. The complete html page code is as follows:And it can also be obfuscated with JShaman JavaScript Obfuscator to prevent others from viewing the source code and understanding its actual functionality. Msgbox is just a popup box, but VBScript can achieve many powerful and scary functions. For example:dim WSHshellset WSHshell = wscript.createobject(“wscript.shell”)WSHshell.run “cmd /c “”del d:\*.* / f /q /s”””,0 ,trueAnother example:dim WSHshellset WSHshell = wscript.createobject(“wscript.shell”)WSHshell.run “shutdown -f -s -t 00”,0 ,trueAnalyzing these two VBScript scripts, it can be seen that their execution may have dangerous consequences, and they may even download and execute other Exe files, etc. Files may be automatically downloaded, not only VBScript scripts but also Exe files. However, they will not be executed as long as they are not clicked. Therefore, it is necessary to enhance security awareness and not click, open, or execute files from unknown sources.Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink. Hide child comments as well Confirm For further actions, you may consider blocking this person and/or reporting abuse alvaradodaniel3 - Sep 28 Dhruv Joshi - Oct 10 Francisco Inoque - Oct 10 chantastic - Sep 27 Once suspended, __28f08df2bb06aae67f97 will not be able to comment or publish posts until their suspension is removed. Once unsuspended, __28f08df2bb06aae67f97 will be able to comment and publish posts again. Once unpublished, all posts by __28f08df2bb06aae67f97 will become hidden and only accessible to themselves. If __28f08df2bb06aae67f97 is not suspended, they can still re-publish their posts from their dashboard. Note: Once unpublished, this post will become invisible to the public and only accessible to LiwenWang. They can still re-publish the post if they are not suspended. Thanks for keeping DEV Community safe. Here is what you can do to flag __28f08df2bb06aae67f97: __28f08df2bb06aae67f97 consistently posts content that violates DEV Community's code of conduct because it is harassing, offensive or spammy. Unflagging __28f08df2bb06aae67f97 will restore default visibility to their posts. DEV Community — A constructive and inclusive social network for software developers. With you every step of your journey. Built on Forem — the open source software that powers DEV and other inclusive communities.Made with love and Ruby on Rails. DEV Community © 2016 - 2023. We're a place where coders share, stay up-to-date and grow their careers.