Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Challenge: executing code with only JSON chars
Posted by: sirdarckcat
Date: October 11, 2011 09:56PM

Hey guys!

I just got this working today.. so wanna see what other people can come up with!


You have this vulnerable code:

function process(input){
function parseJson(str){ var san=str.replace(/\\["\\\/b-u]/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,"]").replace(/[,{]\s*[a-zA-Z$_]+[a-zA-Z$_0-9]*\s*:/g, '').replace(/(?:^|:|,)(?:\s*[\[(])+/g,""); if(/^[\]\(\),:{}\s]*$/.test(san)){ return eval('('+str+')'); } else { throw 'n00b: '+san; } };
var res = parseJson(input);
if(typeof res.type == "string"){
   return true;

execute arbitrary code (js).

I'll give my solution in a week or so.

(note, this is a slightly modified version of shindig's JSON parser which allows parenthesis and unquoted json properties, what could go wrong?).

Good Luck!

http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Edited 1 time(s). Last edit at 10/11/2011 09:57PM by sirdarckcat.

Options: ReplyQuote

Sorry, only registered users may post in this forum.