Hey guys!
I just got this working today.. so wanna see what other people can come up with!
Objective:
You have this vulnerable code:
    function process(input){
        function parseJson(str){
            var san=str.replace(/\\["\\\/b-u]/g,"@")
                .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,"]")
                .replace(/[,{]\s*[a-zA-Z$_]+[a-zA-Z$_0-9]*\s*:/g, '')
                .replace(/(?:^|:|,)(?:\s*[\[(])+/g,"");
            if(/^[\]\(\),:{}\s]*$/.test(san)){
                return eval('('+str+')');
            } else {
                throw 'n00b: '+san;
            }
        };
        var res = parseJson(input);
        if(typeof res.type == "string"){
            return true;
        }
    }
execute arbitrary code (js).
I'll give my solution in a week or so.
(note, this is a slightly modified version of shindig's JSON parser which allows parentheses and unquoted json properties, what could go wrong?).
Good Luck!
--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
Edited 1 time(s). Last edit at 10/11/2011 09:57PM by sirdarckcat.
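A defender's view of the code in the post, as an added example that is not part of the original post or of Shindig: it reuses the post's validation regexes without the eval step, compares them against strict `JSON.parse`, and shows a hardened `process`. The names `laxAccepts`, `processStrict`, `filterOnlyInputs` and `SAMPLES` are hypothetical, and the sample inputs are constructed and benign.

```javascript
// Validation chain copied from the post's parseJson; the eval step is left out.
function laxAccepts(str) {
  const san = str
    .replace(/\\["\\\/b-u]/g, "@")
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    .replace(/[,{]\s*[a-zA-Z$_]+[a-zA-Z$_0-9]*\s*:/g, "")
    .replace(/(?:^|:|,)(?:\s*[\[(])+/g, "");
  return /^[\]\(\),:{}\s]*$/.test(san);
}

// Hardened counterpart of process(): strict parser, no eval, null-safe check.
function processStrict(input) {
  let res;
  try {
    res = JSON.parse(input);
  } catch (e) {
    return false; // not JSON at all
  }
  return res !== null && typeof res === "object" && !Array.isArray(res) &&
    typeof res.type === "string";
}

// Differential check: inputs the regex filter would pass on to eval
// although a strict JSON parser rejects them.
function filterOnlyInputs(samples) {
  return samples.filter((s) => {
    let strict = true;
    try { JSON.parse(s); } catch (e) { strict = false; }
    return laxAccepts(s) && !strict;
  });
}

// Constructed, benign sample inputs (assumption: not taken from the post).
const SAMPLES = [
  '{"type":"a"}',   // valid JSON
  '({type:"a"})',   // parentheses and unquoted property name
  '{type:"a"}',     // unquoted property name
  '("a")',          // parenthesised string
  '{"type":foo}',   // bare identifier as a value
];

console.log(filterOnlyInputs(SAMPLES));
```

Every entry the differential check returns is text that is not JSON but would still reach `eval` in the original code, which is the gap the strict parser closes.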