Crazy javascript

Thursday, 15 January 2009

I’ve known for a while that the replace function can call native functions in Firefox and IE. It works something like this:-

‘alert(1)’.replace(/.+/,eval)

So the regexp searches for the alert string and passes the result to the eval function which it receives as an argument. But does it stop there? Well no actually. There’s more. Then we can use unicode escapes to encode the string further like so:-

'\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029'.replace(/\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029/,\u0065\u0076\u0061\u006c)

Remember javascript and regexp both accept unicode strings, this is interesting because we can double encode the vector like the above. The string contains javascript unicode escapes double encoded and the regular expression contains that string encoded. So that’s gotta be it right? C’mon it’s my blog, I wouldn’t just leave it there…

\u0052\u0065\u0067\u0045\u0078\u0070('\u005c\u0075\u0030\u0030\u0036\u0031\u005c\u0075\u0030\u0030\u0036\u0063\u005c\u0075\u0030\u0030\u0036\u0035\u005c\u0075\u0030\u0030\u0037\u0032\u005c\u0075\u0030\u0030\u0037\u0034\u0028\u0031\u0029')[-1].\u0072\u0065\u0070\u006c\u0061\u0063\u0065(\u0052\u0065\u0067\u0045\u0078\u0070('\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0033\u0031\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0036\u0033\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0036\u005c\u0075\u0030\u0030\u0033\u0035\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0037\u005c\u0075\u0030\u0030\u0033\u0032\u005c\u0075\u0030\u0030\u0035\u0063\u005c\u0075\u0030\u0030\u0037\u0035\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0030\u005c\u0075\u0030\u0030\u0033\u0037\u005c\u0075\u0030\u0030\u0033\u0034\u005c\u0075\u0030\u0030\u0032\u0038\u005c\u0075\u0030\u0030\u0033\u0031\u005c\u0075\u0030\u0030\u0032\u0039'),\u0065\u0076\u0061\u006c)

The above uses RegExp and eval both of which are unicode escapes. Because the RegExp constructor is used we can pass a string that becomes decoded by javascript but we can then encode again as unicode regular expressions. [-1] signifies the text from the regular expression constructor we use this to replace.

Having trouble decoding? Well Hackvertor can help:-
http://tinyurl.com/hackvertor

The entry 'Crazy javascript' was posted on January 15th, 2009 at 8:58 am and last modified on January 15th, 2009 at 9:00 am, and is filed under javascript, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

2 Responses to “Crazy javascript”

  1. tonypee writes:
    No. 1 — January 19th, 2009 at 1:36 am

    my head hurts…

  2. Fred writes:
    No. 2 — February 1st, 2009 at 3:15 pm

    It works for safari too.

«
»