Network Security FullDisclosure

Re: [Full-disclosure] [WEB SECURITY] Re: noise about full-width encoding

Subject: Re: [Full-disclosure] [WEB SECURITY] Re: noise about full-width encoding bypass?
Date: Tue, 22 May 2007 05:00:37 +0200
Brian Eaton wrote:
> (Cracking up that somebody going by the handle ascii is commenting on
> character encoding issues. =)

hehe, funsec apart, Brian, I can confirm that the 3APA3A poc works as
expected. I really don't know what benefits can stem from defending asp
(or any other language).

I just installed a (genuine) vanilla Windows XP ITA plus IIS and ASP to
replicate the poc on a machine different from the previous one and it
worked too.

for convenience here's the screenshots and the video

http://www.ush.it/team/ascii/hack-iis_asp_utf/xss1.png
http://www.ush.it/team/ascii/hack-iis_asp_utf/xss2.png
http://www.ush.it/team/ascii/hack-iis_asp_utf/xss4.png
http://www.ush.it/team/ascii/hack-iis_asp_utf/xss5.png
http://www.ush.it/team/ascii/hack-iis_asp_utf/xss6.png

http://www.filefactory.com/file/c40485/ (fast one)
http://www.ush.it/team/ascii/hack-iis_asp_utf/brian_video.avi (slow)

the tested poc is the unmodified 3APA3A one

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<%=Request.QueryString("q")%>
<pre>
<h2>3APA3A poc</h2>
http://example.com/test.asp?q=%uFF1Cscript>alert("Hello")</script>
where test.asp is
<%=Request.QueryString("q")%>
launches javascript
</pre>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

my previous writing was based on a simple empirical test: I took the
above and converted it to php and jsp (eg: <?php echo $_GET['q']; ?>) and
it didn't work.

the other php poc is pretty different and reminded me of this other poc
http://shiflett.org/blog/2005/dec/google-xss-example

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<?php
 // Declare the response as UTF-7 so the browser decodes +ADw- style sequences
 header('Content-Type: text/html; charset=UTF-7');
 $string = "<script>alert('XSS');</script>";
 // Re-encode the payload as UTF-7: '<' and '>' become +ADw- and +AD4-
 $string = mb_convert_encoding($string, 'UTF-7');
 // htmlentities() sees no '<' or '>' any more, so nothing gets escaped
 echo htmlentities($string);
?>

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

eg. it uses specific functions to demonstrate a vulnerability and is
obviously different from <?php echo $_GET['q']; ?>

and to clarify, I'm not saying that this is in any way related to
http://www.gamasec.net/english/gs07-01.html as far as the use of charset
encoding issues goes

best regards,
Francesco `ascii` Ongaro
http://www.ush.it/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
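The full-width bypass quoted above (and the UTF-7 variant) both come down to one ordering mistake: the output encoder runs on a representation in which the dangerous byte is not yet `<`, and something downstream later folds it into `<`. The following Python is an added example, not code from the thread or from 3APA3A, that models that ordering with the thread's own payload. It decodes the IIS-style `%uXXXX` escape, approximates the server-side folding of U+FF1C to ASCII `<` with Unicode NFKC normalization (an assumption; the real IIS code-page behaviour is not reproduced here), and contrasts an escape-then-fold pipeline with a fold-then-escape one. `flags_fullwidth_bypass` is a hypothetical helper a reviewer or WAF author could use to spot inputs whose characters are not HTML metacharacters themselves but normalize to one.

```python
import html
import re
import unicodedata

# Constructed sample request, modelled on the 3APA3A proof of concept
# quoted in the thread: %uFF1C is the non-standard IIS %u escape for
# U+FF1C, FULLWIDTH LESS-THAN SIGN.
SAMPLE_QUERY = 'q=%uFF1Cscript>alert("Hello")</script>'

_PCT = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
HTML_META = set('<>"\'&')


def unescape_iis(value: str) -> str:
    """Decode %XX and the non-standard %uXXXX escapes the way IIS does."""
    def sub(m):
        if m.group(1):                      # %uXXXX -> one BMP code point
            return chr(int(m.group(1), 16))
        return bytes([int(m.group(2), 16)]).decode('latin-1')
    return _PCT.sub(sub, value)


def parse_query(query: str) -> dict:
    """Split 'a=1&b=2' into a dict, decoding each value with unescape_iis."""
    out = {}
    for pair in query.split('&'):
        key, _, val = pair.partition('=')
        out[unescape_iis(key)] = unescape_iis(val)
    return out


def fold_to_ascii(text: str) -> str:
    """Approximates the compatibility folding the thread attributes to the
    ASP/IIS response path (U+FF1C -> '<'). NFKC is used as a stand-in; the
    exact Windows best-fit mapping is an assumption, not reproduced."""
    return unicodedata.normalize('NFKC', text)


def render_vulnerable(value: str) -> str:
    """Escape first, fold later: html.escape sees U+FF1C, not '<', so the
    opening tag survives once the folding turns it into ASCII."""
    return fold_to_ascii(html.escape(value, quote=True))


def render_hardened(value: str) -> str:
    """Fold first, then escape: the encoder sees the final byte sequence."""
    return html.escape(fold_to_ascii(value), quote=True)


def flags_fullwidth_bypass(value: str) -> list:
    """Return the characters that are not HTML metacharacters but fold to
    one; useful as a review or logging check on untrusted input."""
    return [c for c in value
            if c not in HTML_META
            and any(f in HTML_META for f in fold_to_ascii(c))]


if __name__ == '__main__':
    q = parse_query(SAMPLE_QUERY)['q']
    print('decoded  :', repr(q))
    print('vulnerable:', render_vulnerable(q))
    print('hardened  :', render_hardened(q))
    print('suspicious:', [hex(ord(c)) for c in flags_fullwidth_bypass(q)])
```

The point to take from the two render functions is not the specific character but the invariant: whatever transformation the platform applies between your encoder and the browser (code-page folding, a charset the browser decodes differently, a second URL decode) has to happen before the encoder runs, or the encoder is guarding the wrong bytes.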
