Tuesday, September 18, 2012

PowerShell non alpha numeric


To finish my trip through the world of non-alphanumeric code, I tried to write a non-alphanumeric Python or Batch script, but I wasn't able to.

So I switched to PowerShell, and I have to say it was too easy.
Here's the short script that executes an ls (just copy and paste it into an open PowerShell):


The short explanation:

$___++;++$___; # Like in bash, this creates a variable holding the number 1, then increments it to 2
_; # an unknown command, which produces an error
$__="$?"; # $? holds whether the previous command succeeded, as True or False; here it is cast to the string "False"
&($__[$___++]+$__[$___++]) # & is like eval: it executes a string as a command. We pick the l and the s out of "False" (indices 2 and 3), and here's the ls

I didn't look at how to build other commands, but I think it would be possible.

Have a nice day

Thursday, September 6, 2012

Non Alpha Numeric Shellscript


After finishing the non-alphanumeric PHP code, I thought of doing the same with shell scripts. In the beginning I wasn't sure if it was possible, but now I can say: it is :)

So let's jump into it. To begin with, I built an ls command:

. .;

1. /????\+?????

This is a regular expression, which I use to search / for the lost+found directory. The command prints every directory matching the expression to standard output.

2.  __=$_

This assigns the output of the last command to the variable __. The full definition of $_ can be found here.

3. . .;

Actually this command throws an error; I just used it to get a return value.

4.  ___=$?;

This saves the return value of . . in ___, which is 1. It will be used as the number of characters we want to take.

5. ____=___;

Maybe you think this is wrong, because it should actually be ____=$___; but that would be boring. So we just save the string ___.

6.  ____=$[++____];

This command stores 2 in ____. But wait, ____ only contains a string. That is true, but this command does a double variable expansion: inside arithmetic expansion bash evaluates a variable's value as an arithmetic expression itself, so ____ expands to ___, which in turn expands to 1, and ++ makes it 2.

7.  ____=$[++____]

Stores 3 in ____.

8.  ${__:___:___}${__:____:___} 

I think it's easier with the values filled in:

${__:1:1}${__:3:1}

The first block takes 1 character starting at position 1 of __ (the /lost+found path), which is an l.
The second block takes 1 character starting at position 3, which is an s.

And that's how it works.

Non Alpha Numeric PHP Code


After reading the nice tutorial by Gareth Heyes, I tried doing his challenge and reducing the charset. Here's what I wrote:

$_++; // 1
$_=$_.[]; // "1Array": concatenating an array casts it to the string "Array"
$__++; // 1
$___=$_[$__]; // index 1 of the string "1Array" is "A"
$____=$_[++$__]; // index 2 of the string "1Array" is "r"
$_____=$____; // assign "r" to a new variable
$_____++; // increment to "s"
$______=$___; // new variable, starts at "A"
$______++;$______++;$______++;$______++; // increment to "E"
$__________=$___; // = "A"
$__________++;$__________++;$__________++;$__________++;++$__________;++$__________;++$__________;$____________=++$__________; // "I"
++$__________;++$__________;++$__________;++$__________;$_____________=++$__________;++$__________;++$__________; // $_____________ = "N", $__________ ends at "P"
$_=$___.$_____.$_____.$______.$____.++$_____; // concatenate the strings to form "AssErt" (PHP function names are case-insensitive)

// Creating the chr function (a separate attempt, so the variables start unset again)
$__++; // 1
$__=$__.[]; // "1Array"
echo $__;
$_______________++; // 1
$___=$__[$_______________++]; // "A"
$_____=$__[$_______________]; // "r"

$___++;$___++; // "C"

// Create numbers
$_______________________++;$_______________________++; // 2
$________________________++;$________________________++;$________________________++; // 3
$_________________________=$________________________; // 3
$_________________________+=$_______________________; // 5
$__________________________=$_________________________+$_________________________; // 10

// whitespace
// ; = 59


It looks more difficult than it is, because I used the chr function for every character, which is not necessary.
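A defender-side check I am adding here (not the author's code): a Python heuristic that flags source snippets written the way the PowerShell, shell and PHP posts above describe, i.e. almost no letters or digits combined with variable names made only of underscores. The sample snippets, thresholds and names (`score_snippet`, `flagged`) are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed samples: the first three mirror the non-alphanumeric snippets
# discussed in the posts above; the last two are ordinary code for comparison.
SAMPLES = {
    "powershell_obf": '$___++;++$___;_;$__="$?";&($__[$___++]+$__[$___++])',
    "bash_obf": "/????\\+?????;__=$_;. .;___=$?;____=___;____=$[++____];"
                "____=$[++____];${__:___:___}${__:____:___}",
    "php_obf": "$_++;$_=$_.[];$__++;$___=$_[$__];$____=$_[++$__];$_____=$____;$_____++;",
    "powershell_plain": "$files = Get-ChildItem -Path C:\\Temp; foreach ($f in $files) { Write-Output $f.Name }",
    "bash_plain": 'for f in /var/log/*.log; do wc -l "$f"; done',
}

# An identifier made only of underscores (two or more), e.g. $___ or ____=...
UNDERSCORE_IDENT = re.compile(r"(?<![A-Za-z0-9_])_{2,}(?![A-Za-z0-9_])")
INCREMENT = re.compile(r"\+\+|--")


@dataclass
class Score:
    alnum_ratio: float      # share of non-whitespace characters that are letters/digits
    underscore_idents: int  # count of underscore-only identifiers
    increments: int         # count of ++ / -- operators (used to "count up" to letters)
    suspicious: bool


def score_snippet(src: str, min_alnum_ratio: float = 0.35, min_idents: int = 2) -> Score:
    """Heuristic score for non-alphanumeric obfuscation in one code snippet."""
    visible = [c for c in src if not c.isspace()]
    alnum = sum(c.isalnum() for c in visible)
    ratio = alnum / len(visible) if visible else 1.0
    idents = len(UNDERSCORE_IDENT.findall(src))
    incs = len(INCREMENT.findall(src))
    # Require both signals: a dense regex has few letters, and a bare __ placeholder
    # is legitimate on its own, but together they are characteristic of this style.
    suspicious = ratio < min_alnum_ratio and idents >= min_idents
    return Score(round(ratio, 2), idents, incs, suspicious)


def flagged(samples: dict) -> list:
    """Names of the samples the heuristic flags, sorted."""
    return sorted(name for name, src in samples.items() if score_snippet(src).suspicious)


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, score_snippet(src))
```

The two thresholds are starting points for tuning against your own code base; the increment count is reported as an extra signal but not used in the verdict.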

Universal XSS in Opera


After Opera patched this nice bug, I will summarize how it was triggered.

You had to put 65535 characters before a 3- or 4-byte Unicode character. Additionally, the charset of the document had to be UTF-8, which it is most of the time.
In this combination, Opera dropped the Unicode character.

An example:

<65530 characters><img %unicode sign%=" onerror=alert(1)//" src="x">

This showed an alert in Opera, because it ended up like this:
<img =" onerror=alert(1)//" src="x">