Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Circumventfilter where <>" is encoded and ;\/'= is not
Posted by: HotspotTicket
Date: August 13, 2010 06:29AM

Hi all,

I have an application which on the server side encodes <>" and ;\/'= not. I already tried different character encodings without any usable results. Interesting: <% would produce a 500 which is also not really usable…

The platform is heavily customized Apache/Sling…

Hackvertor did not lead me to any good idea, but a great tool, I must admit...

Any suggestions?

Thx

Options: ReplyQuote
Re: Circumventfilter where <>" is encoded and ;\/'= is not
Posted by: Skyphire
Date: August 13, 2010 06:29PM

What does it do when you enter:

%><% Response.Write Now() %><%

Assuming the 500 error as failure to parse



Edited 1 time(s). Last edit at 08/13/2010 06:30PM by Skyphire.

Options: ReplyQuote
Re: Circumventfilter where <>" is encoded and ;\/'= is not
Posted by: HotspotTicket
Date: August 14, 2010 11:25AM

Right, "500 Request context constructor called with NULL resource."

Same...

<% seems to be the killer...

Options: ReplyQuote
Re: Circumventfilter where <>" is encoded and ;\/'= is not
Posted by: Skyphire
Date: August 14, 2010 06:14PM

Yeah was a long shot.

btw. "500 Request context constructor called with NULL resource." gives only 2 Google results. Pretty awkward.

Options: ReplyQuote
Re: Circumventfilter where <>" is encoded and ;\/'= is not
Posted by: HotspotTicket
Date: August 15, 2010 04:46AM

All that Google has originates from here. Btw. interessting to see, where these posts are also going...

I'll stay away...

Thx Sky...

Options: ReplyQuote


Sorry, only registered users may post in this forum.