Hackvertor explained

I’ve been busy…real busy on Hackvertor 🙂 so I thought it might be a good idea to explain the ideas behind it. Please note Hackvertor is currently only tested under Firefox. I may support other browsers in future.

What is it?

It’s many things: a conversion utility, browser hacking platform, targeted fuzzing tool, XSS filter testing tool, and the list goes on. I developed it because I wanted to incorporate my style of web site testing: instead of using scripts I’ve had scattered all over the place, I wanted one platform to perform all my testing.

How do you use it?

The system works with sets of categorised tags which magically perform conversions and character replacement. The idea is that you feed it content and tell it to replace parts of that content with output that is difficult to produce without chaining several conversion routines or manually coding the JavaScript. Take the following for example: {hex}{dec}test{/dec}{/hex}. Those are the tags Hackvertor requires to perform HTML decimal encoding on “test” followed by hexadecimal entity encoding of the result. You place the required text in the input window, select it and then click the required tags. Once that’s complete you simply click convert to perform the operation.

Why use it?

There are so many combinations of characters, XSS combinations and encodings that filtering them out using PHP or other server side languages can prove an impossible task. Perhaps you want to create some random character fuzzing, null entity checking or simply want a random password generator.

The features

Nested tags are now processed from the innermost tag outwards, which enables correct encoding and conversion of multiple nested tags. Multiple lines are also now supported. Here is the current list of tags supported (these can change):-

Encode

base64: Encodes the string as a base64 encoded string.
bin: Converts a number to binary
dec: Converts to decimal html entities
hex: Converts to hexadecimal html entities
hex2rgb: Converts an HTML colour to rgb
uni: Creates a unicode string
oct: Converts the string to octal
enc: Performs url encoding on the string
realenc: Performs a more comprehensive url encoding, which allows “abc” characters to be encoded, for example.
htmlent: Converts to standard html entities

Decode

d_base64: Decodes the string from base64
d_bin: Converts binary to decimal
d_dec: Decodes decimal html entities into a string
d_hex: Decodes hexadecimal html entities into a string
d_uni: Converts a unicode string into text
d_oct: Converts an octal string into text
d_enc: Unescapes a urlencoded string
d_realenc: A pointer to d_enc; performs the same operation
d_htmlent: Decodes html entities

Filter evasion

javachar: Converts a string into a LiveConnect supported java string
concat: Creates a string concatenation of whatever you supply, useful for evading filters which don’t allow javascript: for example
eval: This creates an eval function call without directly specifying eval; it accepts the string inside the tags as input. Useful for constructing obscured eval operations.
tag: Creates a random javascript execution point using a html tag
charcode2str: Converts a standard character code into a string
str2charcode: Does the opposite of the above

Convert

2hex: Converts a number to standard hex
2oct: Converts a number to standard octal

Quotes

squote: Encloses single quotes around your payload
dquote: Encloses double quotes
bticks: Encloses back ticks, added for fuzzing purposes

Fuzzing

randchars: Creates a random selection of unicode characters. You can specify the amount using the following: {randchars}10{/randchars}, which will produce 10 random characters
randnum: Random numbers; the same method as above can be used to set the amount
randletters: Random letters
randletternums: Random letters and numbers
nullents: Produces a random null entity

Hashing

md4: Creates an md4 hash of the string
md5: Creates an md5 hash of the string
sha1: Creates a sha1 hash of the string

Case

ucfirst: Makes the first character uppercase
upper: Makes all characters uppercase
lower: Makes all characters lowercase
mixed: Randomly chooses upper or lower case
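The nested-tag mechanism described above ({hex}{dec}test{/dec}{/hex} resolved from the innermost pair outwards, with multi-line input), as an added example that is not Hackvertor’s own code: a small JavaScript converter implementing a subset of the tags listed. The tag names are taken from the list; their implementations, the INNERMOST regular expression and the convert function are assumptions made for illustration. It also handles the case of the same tag nested twice, because the closing tag is matched by a backreference to the opening one.

```javascript
// Added example (not Hackvertor's own code): a {tag}...{/tag} converter that
// resolves nested tags innermost-first, so {hex}{dec}test{/dec}{/hex}
// decimal-encodes "test" and then hex-entity-encodes the result.
// Tag names follow the post's list; the implementations are assumptions.
const tags = {
  dec: s => [...s].map(c => `&#${c.codePointAt(0)};`).join(''),
  hex: s => [...s].map(c => `&#x${c.codePointAt(0).toString(16)};`).join(''),
  d_dec: s => s.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n))),
  d_hex: s => s.replace(/&#x([0-9a-f]+);/gi, (_, n) => String.fromCodePoint(parseInt(n, 16))),
  enc: s => encodeURIComponent(s),
  d_enc: s => decodeURIComponent(s),
  htmlent: s => s.replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c])),
  upper: s => s.toUpperCase(),
  lower: s => s.toLowerCase(),
  ucfirst: s => s.charAt(0).toUpperCase() + s.slice(1),
  squote: s => `'${s}'`,
  dquote: s => `"${s}"`,
  '2hex': s => Number(s).toString(16),
  '2oct': s => Number(s).toString(8),
  bin: s => Number(s).toString(2),
};

// Matches one tag pair whose body contains no further tag markers, which is
// always an innermost pair. Braces are escaped so the engine never reads them
// as a quantifier; the \1 backreference requires the closing tag to name the
// same tag as the opening one; the 's' flag lets the body span several lines.
const INNERMOST = /\{([a-z0-9_]+)\}((?:(?!\{\/?[a-z0-9_]+\}).)*)\{\/\1\}/s;

// Repeatedly replace the first innermost pair with the tag's output until no
// tag pairs remain. maxPasses guards against a tag whose output is itself
// tag syntax and would otherwise loop forever.
function convert(input, maxPasses = 1000) {
  let out = input;
  for (let pass = 0; pass < maxPasses; pass++) {
    const m = INNERMOST.exec(out);
    if (!m) return out;
    const [whole, name, body] = m;
    const fn = tags[name];
    if (!fn) throw new Error(`unknown tag: ${name}`);
    out = out.slice(0, m.index) + fn(body) + out.slice(m.index + whole.length);
  }
  throw new Error('too many passes: a tag keeps producing tag syntax');
}

// Round trip of the post's example through the matching decode tags:
// convert('{d_dec}{d_hex}{hex}{dec}test{/dec}{/hex}{/d_hex}{/d_dec}') returns "test"
```

Because every pass rewrites only an innermost pair, the order of evaluation is fixed by nesting depth rather than by tag name, which is what makes a chain such as dec-then-hex-then-enc predictable. Unknown tags raise rather than being silently passed through, so a typo in a tag name is reported instead of producing an unconverted payload.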

10 Responses to “Hackvertor explained”

  1. Gareth Heyes writes:

    Damn found a slight bug with nested tags, you can’t specify the same tag twice within multiple sets. Separate sets work fine though.

  2. Ronald writes:

    Wow! 😀 awesome Gareth!

    Small question though: I can’t seem to get the Hackvertor to work in Opera, but I get that quite often, any ideas?

  3. Gareth Heyes writes:

    Thanks Ronald 🙂

    Yeah it seems there’s a small bug in the regular expression on Opera, for some reason Opera doesn’t like it. I’ll fix it as soon as I find out what’s causing it.

  4. Gareth Heyes writes:

    I’ve narrowed down the Opera problems
    1. Opera doesn’t seem to like you reading the document object. I can workaround this but the document won’t be traversable under Opera.

    2. It doesn’t like my Regular expressions 🙁
    var output = '{hex}test{/hex}';
    var regexpString = '{(hex)}([^]*?){\/(hex)}';
    // Doesn't like the { in the exp
    var re = new RegExp(regexpString);
    var matches = '';
    var r = re.exec(output);
    alert(r);

    Any JS reg exp experts in the house willing to suggest something? I’ve tried escaping the “{” and using a character class instead but still no joy.

  5. Gareth Heyes writes:

    Fixed it! Whoo hoo 😀

    Done a rewrite of the regular expressions and changed the tag placeholders to make it work in Opera. The document object is now ignored if you’re on Opera.

  6. Ronald writes:

    Cool!

    What are the changes? Modified or dropped stuff?

  7. Gareth Heyes writes:

    Not dropped anything, just changed the default tags. Opera will now ignore the document object but the others will traverse it correctly 😀

  8. Gareth Heyes writes:

    Added a real time conversion feature now 🙂

    Video here:-
    http://www.megafileupload.com/en/file/22266/hackvertor-demo3-mov.html

  9. thorin writes:

    Wow megafileupload really needs to hire a UI designer.

    The countdown on the Download button totally doesn’t show up or draw attention enough. I reloaded the page like 3 or 4 times before I realized that it wasn’t an embedded object and saw the countdown.

  10. Gareth Heyes writes:

    Yeah sorry about that Thorin, I’d host the video myself but I don’t want to risk excessive bandwidth charges.

    On another note I’ve started to add XSS tags to Hackvertor 😀 I’ve decided to incorporate all my security testing including XSS, SQL injection and remote file includes etc. If anyone wants to suggest any vectors that I miss then please do.