Hackvertor explained
Tuesday, 6 November 2007
I’ve been busy…real busy on Hackvertor so I thought it might be a good idea to explain the ideas behind it. Please note Hackvertor is currently only tested under Firefox. I may support other browsers in future.
What is it?
It’s many things: a conversion utility, browser hacking platform, targeted fuzzing tool, XSS filter testing tool and the list goes on. I developed it because I wanted to incorporate my style of web site testing and instead of using scripts I’ve had all over the place I wanted one platform to perform all my testing.
How do you use it?
The system works with sets of categorised tags which perform conversions and character replacement. The idea is you feed it content and tell it to replace parts of the content with stuff that is difficult to produce without running several conversion routines or manually coding the JavaScript. Take the following for example: {hex}{dec}test{/dec}{/hex}. That example shows the tags required in Hackvertor to perform HTML decimal entity encoding on “test” followed by hexadecimal entity encoding of the result. You place the required text in the input window, select it and then click the required tags. Once that’s complete you simply click convert to perform the operation.
Why use it?
There are so many combinations of characters, XSS combinations and encodings that filtering those out using PHP or other server-side languages can prove an impossible task. Perhaps you want to create some random character fuzzing, null entity checking or simply want a random password generator.
The features
Nested tags are now performed from the innermost tag outwards, which enables correct encoding and conversion of multiple tags. Multiple lines are also now supported. Here is the current list of tags supported (these can change):-
Encode
base64: Encodes the string as a base64 encoded string.
bin: Converts a number to binary
dec: Converts to decimal HTML entities
hex: Converts to hexadecimal HTML entities
hex2rgb: Converts an HTML colour to rgb
uni: Creates a unicode string
oct: Converts the string to octal
enc: Performs URL encoding on the string
realenc: Performs a more comprehensive URL encoding, which allows “abc” characters to be encoded, for example.
htmlent: Converts to standard HTML entities
Decode
d_base64: Decodes the string from base64
d_bin: Converts binary to decimal
d_dec: Decodes decimal HTML entities into a string
d_hex: Decodes hexadecimal HTML entities into a string
d_uni: Converts a unicode string into text
d_oct: Converts an octal string into text
d_enc: Unescapes a URL-encoded string
d_realenc: A pointer to d_enc; performs the same operation
d_htmlent: Decodes HTML entities
Filter evasion
javachar: Converts a string into a LiveConnect supported Java string
concat: Creates a string concatenation of whatever you supply; useful for evading filters which don’t allow “javascript:”, for example
eval: Creates an eval function call without directly specifying eval; it accepts the string inside the tags as input. Useful for constructing obscured eval operations.
tag: Creates a random JavaScript execution point using an HTML tag
charcode2str: Converts a standard character code into a string
str2charcode: Does the opposite of the above (converts a string into character codes)
Convert
2hex: Converts a number to standard hex
2oct: Converts a number to standard octal
Quotes
squote: Encloses your payload in single quotes
dquote: Encloses your payload in double quotes
bticks: Encloses your payload in back ticks, added for fuzzing purposes
Fuzzing
randchars: Creates a random selection of unicode characters. You can specify the amount using the following: {randchars}10{/randchars}, which will produce 10 random characters
randnum: Random numbers; the same method as above can be used to specify the amount
randletters: Random letters
randletternums: Random letters and numbers
nullents: Produces a random null entity
Hashing
md4: Creates an MD4 hash of the string
md5: Creates an MD5 hash of the string
sha1: Creates a SHA-1 hash of the string
Case
ucfirst: Makes the first character uppercase
upper: Makes all characters uppercase
lower: Makes all characters lowercase
mixed: Randomly chooses upper or lower case for each character
No. 1 — November 6th, 2007 at 9:43 pm
Damn found a slight bug with nested tags, you can’t specify the same tag twice within multiple sets. Separate sets work fine though.
No. 2 — November 7th, 2007 at 12:05 am
Wow! Awesome Gareth!
Small question though: I can’t seem to get the Hackvertor to work in Opera, but I get that quite often, any ideas?
No. 3 — November 7th, 2007 at 8:30 am
Thanks Ronald
Yeah it seems there’s a small bug in the regular expression on Opera, for some reason Opera doesn’t like it. I’ll fix it as soon as I find out what’s causing it.
No. 4 — November 7th, 2007 at 11:53 am
I’ve narrowed down the Opera problems
1. Opera doesn’t seem to like you reading the document object. I can workaround this but the document won’t be traversable under Opera.
2. It doesn’t like my regular expressions
// The tag pattern as originally written; the { in the expression is what Opera rejects
var output = '{hex}test{/hex}';
var regexpString = '{(hex)}([^]*?){\/(hex)}';
var re = new RegExp(regexpString);
var matches = '';
var r = re.exec(output);
alert(r);
Any JS reg exp experts in the house willing to suggest something? I’ve tried escaping the “{” and using a character class instead but still no joy.
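As an added example (my own code, not Hackvertor’s source), here is a minimal nested-tag converter that models the innermost-first evaluation the post describes, using a regex of the kind discussed in comment No. 4 but with the braces escaped and `[\s\S]` in place of `[^]`, so it does not depend on engine-specific syntax. The tag handlers are reimplementations of a few of the listed tags, written for this example.

```javascript
// Added example: a small nested-tag engine in the style of Hackvertor's {tag}...{/tag} syntax.
// The handlers below are this example's own reimplementations of some listed tags.
const converters = {
  dec: s => Array.from(s, c => "&#" + c.codePointAt(0) + ";").join(""),
  hex: s => Array.from(s, c => "&#x" + c.codePointAt(0).toString(16) + ";").join(""),
  enc: s => encodeURIComponent(s),
  base64: s => Buffer.from(s, "utf8").toString("base64"),
  d_base64: s => Buffer.from(s, "base64").toString("utf8"),
  d_dec: s => s.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n))),
  d_hex: s => s.replace(/&#x([0-9a-f]+);/gi, (_, n) => String.fromCodePoint(parseInt(n, 16))),
  upper: s => s.toUpperCase(),
  lower: s => s.toLowerCase(),
  squote: s => "'" + s + "'",
};

// Matches one innermost {tag}body{/tag} pair. Braces are escaped (\{) and the
// body is built from [\s\S] so newlines are allowed without using [^]; the
// negative lookahead forbids another opening tag inside the body, which is
// what guarantees inner tags are resolved before the tags around them.
// \1 requires the closing tag name to match the opening one.
const INNERMOST = /\{([a-z0-9_]+)\}((?:(?!\{[a-z0-9_]+\})[\s\S])*?)\{\/\1\}/;

// Repeatedly replace the innermost tag pair with its converted body until no
// complete tag pair remains; text without tags is returned unchanged.
function convert(input) {
  let out = input;
  let m;
  while ((m = INNERMOST.exec(out)) !== null) {
    const [whole, tag, body] = m;
    const fn = converters[tag];
    if (!fn) throw new Error("unknown tag: " + tag);
    out = out.slice(0, m.index) + fn(body) + out.slice(m.index + whole.length);
  }
  return out;
}

// {hex}{dec}A{/dec}{/hex}: dec runs first, then hex encodes the entities it produced.
console.log(convert("{hex}{dec}A{/dec}{/hex}"));
```

Because the lookahead only excludes opening tags, the same tag nested directly inside itself ({hex}{hex}a{/hex}{/hex}) also resolves innermost-first.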
No. 5 — November 7th, 2007 at 2:46 pm
Fixed it! Whoo hoo
Done a rewrite of the regular expressions and changed the tag placeholders to make it work in Opera. The document object is now ignored if you’re on Opera.
No. 6 — November 7th, 2007 at 2:51 pm
Cool!
What are the changes? Modified or dropped stuff?
No. 7 — November 7th, 2007 at 3:00 pm
Not dropped anything, just changed the default tags. Opera will now ignore the document object but the others will traverse it correctly.
No. 8 — November 7th, 2007 at 4:58 pm
Added a real time conversion feature now.
Video here:-
http://www.megafileupload.com/en/file/22266/hackvertor-demo3-mov.html
No. 9 — November 8th, 2007 at 2:18 pm
Wow megafileupload really needs to hire a UI designer.
The countdown on the Download button totally doesn’t show up or draw attention enough. I reloaded the page like 3 or 4 times before I realized that it wasn’t an embedded object and saw the countdown.
No. 10 — November 8th, 2007 at 2:26 pm
Yeah sorry about that Thorin, I’d host the video myself but I don’t want to risk excessive bandwidth charges.
On another note I’ve started to add XSS tags to Hackvertor. I’ve decided to incorporate all my security testing including XSS, SQL injection and remote file includes etc.; if anyone wants to suggest any vectors that I miss then please do.