02-03-2011, 06:14 AM
(Source: a Japanese-only page)
Ex1) Yahoo Mail (2005.11)
Ex2) Hotmail (2006.8)
- Internet Explorer can use UNICODE or Double Byte to write "expression( )" or "url()"
---
Ex) Double Byte
Ex) Unicode
You can use Character to write expression or url.
Hatena Diary (2005.12)
Hotmail/Windows Live Mail (2006.11)
SquirrelMail (2006.12)
- Internet Explorer disregards all Null characters in HTML.
- Internet Explorer treats 0x0B or 0x0C as SPACE in HTML.
- Mozilla Firefox 1.5.0.4 and prior versions disregard the BOM (U+FEFF; ZERO WIDTH NO-BREAK SPACE).
- MFSA 2006-42: Web site XSS using BOM on UTF-8 pages
- Outlook Express also disregards the first bit of 7-bit characters such as US-ASCII or ISO-2022-JP.
- By using ZERO WIDTH or Control characters, a part of a file name can be made to look like the same file name.
- Invisible Characters.
- U+200B ( ZERO WIDTH SPACE )
- U+200C ( ZERO WIDTH NON-JOINER )
- U+200D ( ZERO WIDTH JOINER )
- U+FEFF ( ZERO WIDTH NO-BREAK SPACE )
- U+202A ( LEFT-TO-RIGHT EMBEDDING )
- Unicode has a backslash (U+005C) and a Yen mark (U+00A5).
- The Yen mark (U+00A5) can be used in a file name.
- The Yen mark (U+00A5) converts to Shift-JIS as a backslash (0x5C).
- Therefore, in an application that does not treat the file name as Unicode, Directory Traversal might happen.
Ex) A DoS might occur if an application recursively enumerates files and there is a folder named like "..\".
Ex)
- Namazu 2.0.15 (for Windows) and prior
- Hyper Estraier Version 1.0.2 (for Windows) and prior
- Becky! Ver.2.22 and prior
- Registry entries can use UNICODE, so ZERO WIDTH characters can be used to camouflage them, the same as the file name HACK #7.
- Unicode has a "bidirectional algorithm" function that shows characters from right to left instead of left to right.
With U+202E (RIGHT-TO-LEFT OVERRIDE; RLO) in a file name, the characters after the RLO are shown from right to left.
- Ex) RLO with file name
Real file name: this-(U+202E)txt.exe
File name shown: this-exe.txt
- Summary
- Permitted characters are a managed white list.
- Character strings are inspected after normalization.
- Don't change them after normalization.
- Don't be cheated by Unicode look-alikes.
- The difference in behaviour between a browser and a MUA (if possible).
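As an added example (my code, not from the original post), a small Python checker for the file-name tricks listed above: it flags the invisible and bidi control characters, approximates the RLO display spoof, checks the Yen/Shift-JIS backslash conversion, and applies the white-list rule from the summary. Function names and sample file names are my own constructions.

```python
import unicodedata

# Invisible / bidi characters named in the post (constructed list for this example)
LISTED = {"\u200b", "\u200c", "\u200d", "\ufeff", "\u202a", "\u202e"}

def suspicious_chars(name):
    """Return (offset, 'U+XXXX', unicode name) for every invisible, format,
    control or unassigned character in a file name (or registry key)."""
    hits = []
    for i, ch in enumerate(name):
        if ch in LISTED or unicodedata.category(ch) in ("Cf", "Cc", "Co", "Cn"):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits

def displayed_name(name):
    """Approximate what a bidi-aware viewer shows: everything after
    U+202E (RIGHT-TO-LEFT OVERRIDE) is drawn right-to-left, i.e. reversed."""
    if "\u202e" not in name:
        return name
    head, tail = name.split("\u202e", 1)
    return head + tail[::-1]

def extension_mismatch(name):
    """True when the extension the OS acts on differs from the one the user sees."""
    real = name.rsplit(".", 1)[-1].lower()
    shown = displayed_name(name).rsplit(".", 1)[-1].lower()
    return real != shown

def yen_becomes_backslash(name):
    """True when converting the name to Shift-JIS turns U+00A5 (YEN SIGN) into
    0x5C, the Windows path separator, which is how '..\\' traversal appears."""
    if "\\" in name or "\u00a5" not in name:
        return False
    return b"\\" in name.encode("shift_jis", errors="replace")

def is_allowed(name, extra="-_. "):
    """White-list check from the post's summary: only ASCII letters, digits and
    a small set of punctuation are permitted; everything else is rejected."""
    return name != "" and all(ch.isascii() and (ch.isalnum() or ch in extra) for ch in name)

if __name__ == "__main__":
    # Constructed sample names: RLO spoof, Yen traversal, and a clean name
    for n in ["this-\u202etxt.exe", "..\u00a5secret", "rep\u200bort.txt", "report.txt"]:
        print(repr(n), "->", displayed_name(n), suspicious_chars(n),
              extension_mismatch(n), yen_becomes_backslash(n), is_allowed(n))
```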
Great stuff. :smile:
Just to let people know, the exe-spoofing will not work in (at least) Windows 7, when you have hide known extensions enabled.