zoukankan      html  css  js  c++  java
  • 【XSS技巧拓展】————21、Location Based Payloads – Part I

    In researching a way to evade a filter which detects and blocks the XSS attempt in the presence of parentheses in a payload, I came to interesting solutions of this problem that will be shared in this post and its subsequent parts.

    It’s worth to note that any encoding of the prohibited characters would not evade the filter.

    To accomplish that I started to use the javascript document location property, which make possible the following raw payload, still not ready for evasion:

    <svg/οnlοad=location=‘javascript:alert(1)’>

    (due to WP security issues regarding the “javascript:alert(1)”, to test this we need to copy & paste it here, *re-typing the quotes*)

    This is easily flagged by any decent filter. So we have another trick, which hides the signature part (“javascript:” and “alert(1)”) in the hash part of the URL because it’s never sent to server:

    <svg/οnlοad=location=location.hash.substr(1)>#javascript:alert(1)

    (due to WP security issues regarding the “javascript:alert(1)”, to test this we need to copy & paste it here)

    Result => javascript:alert(1)

    The “location.hash.substr(1)” returns everything after the hash sign, which responds for the “location.hash.substr(0)”. The “location.hash” returns a string which is splitted by the “substr” method, hence the 0 and 1 parts.

    But we are still using parentheses. So let’s work on it. In order to do that we will first bring the flagged strings back, but splitting them to avoid detection:

    <svg/οnlοad=location=‘javas’%2B‘cript:’%2B
    ‘ale’%2B‘rt’%2Blocation.hash.substr(1)>#(1)

    Try it!

    Result => javas + cript: + ale + rt + (1)

    The %2B is the encoded plus (+) sign, because in its literal form it’s changed to a regular space by browser before submitting. So what we are doing here is adding 2 pieces of the “javascript:” string to another 2 pieces of “alert” string plus the content of the URL after the hash using the “location.hash.substr(1)”.

    In order to avoid the quotes, we can use the “/string/.source” trick as follows:

    <svg/οnlοad=location=/javas/.source%2B/cript:/.source%2B
    /ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)

    Try it!

    Result => javas + script: + ale + rt + (1)

    Nice. But we are still using parentheses.

    So we need another trick: changing it a little bit, parentheses are avoided completely:

    <svg/οnlοad=location=/javas/.source%2B/cript:/.source%2B/ale/.source
    %2B/rt/.source%2Blocation.hash[1]%2B1%2Blocation.hash[2]>#()

    Try it!

    Result => javas + cript: + ale + rt + ( + 1 + )

    As “location.hash” returns a string and because in javascript language every string is an array, we make use of “location.hash[1]” and “location.hash[2]” to point to the positions 1 and 2, respectively, of the “location.hash” array.

    Cool, we could stop here, right? Not if you are not allowed to use “[” and “]” as well.

    So I had to face another problem. And that made me research a whole new set of payloads which will be explored in the next posts of the “Location Based Payloads”.

    #hack2learn

    总会有不期而遇的温暖. 和生生不息的希望。
  • 相关阅读:
    ubuntu上一些好的操作方式 习惯 文件备份
    ubuntu ufw 防火墙的设置
    ubuntu 的SSH 服务
    对一个数组的处理。
    ubuntu 的 crontab 计划任务
    django1.6 apache 项目部署.
    只此荒废的一个半个月。
    myeclipse python插件安装和环境配置(Windows7下)
    ubunt 12.04 64位 english 服务器版安装
    ubuntu sudo自动切换root 无需输入密码
  • 原文地址:https://www.cnblogs.com/devi1/p/13486397.html
Copyright © 2011-2022 走看看