Wednesday, 19 September 2007
Most of these techniques were used whilst hacking/playing with the PHPIDS and I got addicted to finding new ways of doing things. I’ve followed a question and answer format for this post as I think it is easier to follow rather than one big post of techniques.
What can you do if you can’t use eval()?
x=eval; x();// calls eval
Geko based browsers also allow you to call the eval function like this:-
So you can do stuff like, use your imagination:-
How do I get round using certain characters/words?
Hex decimal encoding can also be used like the following:-
alertString = 'a\x6cert(1)';
You can also use eval to convert the character for you, for example the following produces the letter ‘a':-
charNumber = 141; stringQuote = "'"; backslash = "\\"; alert(eval(stringQuote + backslash + charNumber + stringQuote));
How do you call anonymous functions?
The code above creates a new anonymous function and passes the string ‘alert(1)’ which is embedded into the newly created function, it then calls executes the function. You can also combine the techniques mentioned, like using different characters encodings to pass the string information , you also don’t need to specify ‘new’ e.g.
What can you use as variable names?
How can you create a string?
Strings are defined using String(), ” and “” etc. What you might not have known though is that regular expressions can also be used to create a string, like the following examples:-
newString = /XSS/.source; newString = /XSS/ + ''; newString = newString + newString + newString;
I really need this character but it’s not allowed, how do I get it?
Think around the problem, rather than try to access the character directly get the information from another source. Like for example say you wanted the colon character and you tried urlencodings and various character encodings, you can use the URL property to gain this information. Example:-
I like the document.URL technique, what else is possible using similar techniques?
Surprisingly often you don’t even need to call the document object to access some functions, so URL is available within the context of the HTML element:-
In Internet Explorer you can even set the URL property to cause XSS like this:-
Test XML string; alert(textXML.text());