Tuesday, September 18, 2012

PowerShell non-alphanumeric


PowerShell


To finish my trip through the world of non-alphanumeric code I tried to make a non-alphanumeric Python or non-alphanumeric Batch script, but I wasn't able to do so.

So I switched to PowerShell and I have to say, it was too easy.
Here's the short script to execute an ls (just copy and paste it into an open PowerShell session):

$___++;++$___;
_;
$__="$?";
&($__[$___++]+$__[$___++])


The short explanation:


$___++;++$___; # As in bash, the first ++ creates the variable with the value 1 and the second raises it to 2
_; # Run a command that does not exist, so that it fails
$__="$?"; # $? holds the success status of the previous command as $true or $false; interpolating it into a string yields "False"
&($__[$___++]+$__[$___++]) # & is the call operator: it runs the command whose name is the string (it does not evaluate arbitrary code like Invoke-Expression). Indexes 2 and 3 of "False" are "l" and "s", so this runs ls


I didn't look into how to build other commands, but I think it would be possible.

Have a nice day




Thursday, September 6, 2012

Non-Alphanumeric Shell Script

Shellscript


After finishing the non-alphanumeric PHP code I thought of doing the same with shell scripts. In the beginning I wasn't sure if it's possible, but now I am able to say: It is :)

So let's jump into it. To begin with, I built an ls command:

/????\+?????
__=$_;
. .;
___=$?;
____=___;
____=$[++____];
____=$[++____];
${__:___:___}${__:____:___}



1. /????\+?????

This is a glob pattern, not a regular expression: the shell expands it against the root directory, and on a typical Linux system the only name that fits ????+????? is lost+found, so the word becomes /lost+found. The shell then tries to run /lost+found as a command, which fails because it is a directory, but the expanded word is now the last argument of the previous command, which is exactly what the next step needs.

2.  __=$_

This assigns to the variable __ the value of the special parameter $_, which holds the last argument of the previous command after expansion, here /lost+found (it is not the command's output). The full definition is in the bash manual under Special Parameters.


3. . .;

Sourcing the directory . fails with an error; the command is only there to produce a known exit status.

4.  ___=$?;

This saves the exit status of . . in ___, which is 1. It will be used as the number of characters to take from the string.


5.  ____=___;

Maybe you think this is wrong, because it should be ____=$___. But that would be boring, so we just store the string ___ in ____.

6.  ____=$[++____];

This command stores 2 in ____. But wait, ____ only contains a string. That is true, but the command does a double variable expansion: ____ resolves to ___, which expands to 1. (I didn't look it up why it does that.) The reason is a documented rule of bash arithmetic: a variable's value is itself evaluated as an arithmetic expression when the variable is referenced, so a value that happens to be another variable's name is looked up recursively; ++ then increments the result and assigns 2 back to ____. Note that $[ ] is the deprecated old spelling of $(( )); both work in bash.


7.  ____=$[++____]

Stores 3 in ____.

8.  ${__:___:___}${__:____:___}

The offset and length of a substring expansion are arithmetic expressions too, so the variable names resolve the same way. With the values filled in, this is:

${__:1:1}${__:3:1} with __ set to /lost+found

The first block takes from position 1 exactly 1 character, which is an l.
The second block takes from position 3 exactly 1 character, which is an s.
Together they form ls, which the shell then executes.

And that's how it works.
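As an added example that is not part of the original post, the plain-bash generator below applies the same three tricks from steps 1 to 8 (harvest a path through $_, count with ++ on variables whose values are other variables' names, slice with ${var:offset:length}) to any word whose letters occur in the harvested path, and then runs the result. It also demonstrates the rule behind step 6, since every counter starts out holding the name ___ and arithmetic expansion resolves it to 1. It assumes a scratch directory that contains a lost+found entry and globs it relatively as ./????\+????? rather than the post's absolute /????\+?????, so it works on systems without /lost+found; the helper names and the scratch-directory setup are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. It generates non-alphanumeric
# bash for a target word with the post's technique, then runs it.
# Assumption: the generated snippet runs in a directory that contains 'lost+found',
# so the relative glob ./????\+????? expands to ./lost+found (offsets: '.'=0,
# '/'=1, 'l'=2, 'o'=3, 's'=4, 't'=5, '+'=6, 'f'=7, 'o'=8, 'u'=9, 'n'=10, 'd'=11).

# Offset of the first occurrence of the single character $2 in string $1; fails if absent.
index_of() {
  local s=$1 c=$2 i
  for (( i = 0; i < ${#s}; i++ )); do
    if [ "${s:i:1}" = "$c" ]; then
      printf '%d' "$i"
      return 0
    fi
  done
  return 1
}

# Print a non-alphanumeric bash snippet that executes the word $1.
# Each character gets its own counter variable (a unique run of underscores).
# The counter starts out holding the *name* ___, which bash arithmetic resolves
# to that variable's value 1, and is then incremented up to the wanted offset.
# $(( )) is the modern spelling of the post's $[ ].
nonalnum_bash_for() {
  local word=$1 harvest='./lost+found'
  local out call counter c idx i j
  out='./????\+?????'$'\n'   # glob -> ./lost+found; exec fails, but $_ keeps the word
  out+='__=$_'$'\n'          # __ = "./lost+found"
  out+='. .'$'\n'            # sourcing a directory fails with status 1 ...
  out+='___=$?'$'\n'         # ... which serves as the slice length
  counter='____'
  call=''
  for (( i = 0; i < ${#word}; i++ )); do
    c=${word:i:1}
    idx=$(index_of "$harvest" "$c") || return 1
    [ "$idx" -ge 1 ] || return 1            # offset 0 is unreachable by ++ from 1
    out+="$counter=___"$'\n'
    for (( j = 1; j < idx; j++ )); do
      out+="$counter=\$((++$counter))"$'\n'  # value "___" -> 1 on first use, then ++
    done
    call+="\${__:$counter:___}"
    counter+='_'                             # next character gets a longer name
  done
  printf '%s%s\n' "$out" "$call"
}

# Succeeds when $1 contains no letters or digits.
is_nonalnum() {
  case $1 in
    *[[:alnum:]]*) return 1 ;;
  esac
  return 0
}

# Run a snippet in a fresh scratch directory holding an empty lost+found entry
# and print whatever it wrote to stdout (stderr noise from the failing exec is dropped).
run_in_scratch() {
  local snippet=$1 dir result
  dir=$(mktemp -d) || return 1
  mkdir "$dir/lost+found"
  result=$(cd "$dir" && bash -c "$snippet" 2>/dev/null)
  rm -rf "$dir"
  printf '%s' "$result"
}

snippet=$(nonalnum_bash_for ls)
printf '%s\n--- runs as ---\n%s\n' "$snippet" "$(run_in_scratch "$snippet")"
```

Because the snippet's letters are all harvested from ./lost+found, the same generator also handles words such as sudo or du, while a word containing a letter that is not in the path (for instance an x) is rejected rather than silently mangled.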

Non-Alphanumeric PHP Code

PHP

After reading the nice tutorial by Gareth Heyes, I tried his challenge of reducing the charset. Here's what I wrote:

<?php
// Needs PHP 5.4+ for the [] array literal. assert() with a string argument
// evaluates it as PHP code; that form was deprecated in PHP 7.2 and removed in PHP 8.
$_++; // null++ gives 1
$_=$_.[]; // 1 . array gives "1Array" (with an array-to-string notice)
$__++; // 1
$___=$_[$__]; // index 1 of "1Array" is "A"
$__++; // 2
$____=$_[$__]; // index 2 of "1Array" is "r"
$_____=$____; // copy "r" to a new variable ...
$_____++; // ... and increment it to "s"
$______=$___; // copy "A" ...
$______++;$______++;$______++;$______++; // ... and increment it to "E" (function names are case-insensitive)
$__________=$___; // copy "A" once more and walk it up the alphabet:
$__________++;$__________++;$__________++;$__________++;++$__________;++$__________;++$__________;$____________=++$__________; // "I" saved (not used below)
++$__________;++$__________;++$__________;++$__________;$_____________=++$__________;++$__________;++$__________; // "N" saved, the walker ends at "P" (not used below)
$_=$___.$_____.$_____.$______.$____.++$_____; // "A"."s"."s"."E"."r"."t" = "AssErt"

// Building the name of the chr function
$__++; // $__ was 2, so this gives 3; the digit itself does not matter
$__=$__.[]; // "3Array"
echo $__; // prints "3Array" (debug output)
$_______________++; // 1
$___=$__[$_______________++]; // index 1 of "3Array" is "A"; the index becomes 2
$_____=$__[$_______________]; // index 2 of "3Array" is "r"

$___++;$___++; // "A" to "C"
$____=$___;
$____++;$____++;$____++;$____++;$____++; // "C" to "H"
$__=$___.$____.$_____; // "CHr"

// Building numbers
$_______________________++;$_______________________++; //2
$________________________++;$________________________++;$________________________++; //3
$_________________________=$________________________; //3
$_________________________+=$_______________________; //5
$__________________________=$_________________________+$_________________________; //10
$____________________________________=$__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$__________________________; //80

// The character codes: P=80, R=82, I=73, N=78, T=84, space=32, 1, +=43, 1, ;=59.
// Each code is a sum of the numbers above fed through CHr, so this is
// AssErt("PRINT 1+1;"), which evaluates print 1+1; and outputs 2.
// (The original used 10+10 = 20 for the space; chr(20) is a control character,
// not whitespace. It only worked because PHP 5's lexer skipped the unexpected
// character with a compile warning; PHP 7 rejects it, so 32 is used here.)
$_(
 $__($____________________________________) // 80  P
 .$__($____________________________________+$_______________________) // 82  R
 .$__($__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$________________________) // 73  I
 .$__($__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$_________________________+$________________________) // 78  N
 .$__($____________________________________+$_______________________+$_______________________) // 84  T
 .$__($__________________________+$__________________________+$__________________________+$_______________________) // 32  space
 .$______________________________________________________ // 1
 .$__($__________________________+$__________________________+$__________________________+$__________________________+$________________________) // 43  +
 .$______________________________________________________ // 1
 .$__($__________________________+$__________________________+$__________________________+$__________________________+$__________________________+$_________________________+$_______________________+$_______________________) // 59  ;
);


It looks more complicated than it is, because I used the chr function for every character, which is not necessary.


Universal XSS in Opera


Opera

After Opera patched this nice bug, I will summarize how it was triggered.


You had to place 65535 characters before a Unicode character that UTF-8 encodes in 3 or 4 bytes. Additionally, the charset of the document had to be UTF-8, which it is most of the time.
In this constellation Opera dropped the Unicode character from the document.

An example:

<65530 characters><img %unicode sign%=" onerror=alert(1)//" src="x">

(the five characters of "<img " bring the Unicode character to position 65535.) In other browsers the Unicode character is a harmless attribute name whose value is " onerror=alert(1)//". In Opera it disappeared, so the tag ended up like this:
<img =" onerror=alert(1)//" src="x">

A tokenizer following the HTML5 algorithm treats the leading =" as a junk attribute name that ends at the space, which leaves onerror=alert(1)//" as an unquoted attribute value. The image at x fails to load, onerror fires, and the alert is shown.