<object>...: Toggle Flash 09.07.04 (ccw! !nn) [jd sd] (d.2 l.2)
Apr. 14, 2010, 04:34 PM (This post was last modified: Apr. 15, 2010 02:06 PM by JJoe.)
Post: #1
The Match
Quote:
($TST(script=1*)(*</script)+{1,*}(^*<script)$SET(script=)
|$TST(script=*)($TST(\1=\")$SET(1=\\x22)|$TST(\1=\')$SET(1=\\x27))
|(^$TST(script=*))(^$TST(\1=*))$SET(1=")
|)$SET(3=$TST(script=[1s]*)JS)
($TST(displayM=none)$SET(5=inline)|$SET(5=none))
($TST(tAnc=1*|j)$SET(tAnc=)$SET(6=</a>)|$TST(script=*)$SET(6=<a></a>)|)
($TST(volat=*.log:2*)$ADDLST(Log-Main,[$DTM(d T)]\tWEB Flash\t\0 \3 \t\u)|)

I have seen an odd 404. Changing \\x to \x has fixed it but....

Later

Edit: Removed Test filter and some code.
Apr. 15, 2010, 05:05 AM
Post: #2
RE: <object>...: Toggle Flash 09.07.04 (ccw! !nn) [jd sd] (d.2 l.2)
(Apr. 14, 2010 04:34 PM)JJoe Wrote:  ...I have seen an odd 404. Changing \\x to \x has fixed it but....

But what? Smile!

I don't understand the filter and javascript but I do see 22 is the hex value for " and 27 for '. Maybe \xnn works in javascript to represent the character with the hex value nn?

On the other hand, \x has a special meaning in the replacement text which refers to the URL command prefix. I guess that's why the filter adds a backslash to suppress the special meaning of the following \.
Apr. 15, 2010, 02:02 PM
Post: #3
RE: <object>...: Toggle Flash 09.07.04 (ccw! !nn) [jd sd] (d.2 l.2)
(Apr. 15, 2010 05:05 AM)whenever Wrote:  But what? Smile!

Mostly what you said and I was out of time.

The 404 addresses have http://local.ptron/killed.gif added to them.
I thought the extra \ might be a typo and the filter might be off but I think not now.

Ah, it may be a browser bug for Firefox.
(Apr. 15, 2010 05:05 AM)whenever Wrote:  Maybe \xnn works in javascript to represent the character with the hex value nn?
Maybe not for Firefox 3.6.2.
Firefox 3.6.2 and
http://www.cbssports.com/nba/scoreboard
for the curious.

I will have to chase it later...
Thanks
Apr. 15, 2010, 08:46 PM
Post: #4
RE: <object>...: Toggle Flash 09.07.04 (ccw! !nn) [jd sd] (d.2 l.2)
(Apr. 15, 2010 02:02 PM)JJoe Wrote:  I will have to chase it later...

It doesn't always happen but when it does http://local.ptron/.pinfo/urls/ shows:

Code:
Closed    672    404    text/html    17856    http://www.cbssports.com/nba/%5Cx22http://local.ptron/killed.gif%5Cx22
Closed    671    200    text/html    0    http://www.cbssports.com/nba/+image_server+

http://www.cbssports.com/nba/+image_server+ is also a mistake, I think.

With Firefox only, so far.
May. 24, 2010, 09:18 PM (This post was last modified: May. 24, 2010 09:19 PM by sidki3003.)
Post: #5
RE: <object>...: Toggle Flash 09.07.04 (ccw! !nn) [jd sd] (d.2 l.2)
Yes, it has to be a double backslash. The respective line in the original filter is:
Code:
|$TST(script=*)($TST(\1=\")$SET(1=\\x22)|$TST(\1=\')$SET(1=\\x27))
Wonder what went wrong here...

And yep, \x22 and \x27 are supposed to stand for double quote and single quote, respectively. Hex representation has shown to be more robust on injection than the escaped notation.
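A worked illustration of the two points settled in this thread: that `\x22` and `\x27` are JavaScript hex escapes for the double and single quote, and that the hex form is more robust than backslash-escaped quotes when the filter's own text is dropped into a page. This is an added example, not code from the sidki filter set or from anyone in the thread; the `toJsStringLiteral` and `attributeIsIntact` helpers and the sample URL are constructed for the demonstration.

```javascript
// Added example: encode text for placement inside a JavaScript string literal
// using \xNN escapes, the way the filter substitutes \x22 for " and \x27 for '.

// Characters that must never appear raw inside an injected JS string literal:
// quotes would end the literal, a backslash would start an escape, < or >
// could close a surrounding <script> element or attribute, CR/LF end the literal.
const MUST_ESCAPE = /["'\\<>\r\n]/g;

// One character -> two-digit hex escape, e.g. '"' -> '\x22'.
function hexEscape(ch) {
  return '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0');
}

// Returns the *contents* of a JS string literal (quotes not included).
function toJsStringLiteral(text) {
  return text.replace(MUST_ESCAPE, hexEscape);
}

// Independent decoder for \xNN escapes, so the round trip can be checked
// without handing the encoded text to eval().
function decodeJsHexEscapes(literal) {
  return literal.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// The alternative the thread calls "the escaped notation": prefix quotes and
// backslashes with a backslash. Valid JavaScript, but the quote character
// itself is still present in the output.
function quoteEscapeStyle(text) {
  return text.replace(/["'\\]/g, c => '\\' + c);
}

// A double-quoted HTML attribute (onclick="...") is terminated by the first
// raw double quote, so the attribute only survives if none is present.
function attributeIsIntact(attrValue) {
  return !attrValue.includes('"');
}

// Constructed sample: a URL carrying both quote characters.
const sample = 'http://example.invalid/a"b\'c';

console.log(toJsStringLiteral(sample));
// http://example.invalid/a\x22b\x27c  (no raw quotes left)
console.log(attributeIsIntact(toJsStringLiteral(sample)));  // true
console.log(attributeIsIntact(quoteEscapeStyle(sample)));   // false: \" still holds a "
console.log(decodeJsHexEscapes(toJsStringLiteral(sample)) === sample);  // true
```

The filter writes the escape as `\\x22` in its replacement text because, as noted above, a single `\x` there is Proxomitron's URL-prefix command; the doubled backslash is what makes the literal `\x22` reach the page, and the 404s in this thread are what a raw `\x22` in a URL looks like when that doubling is lost.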