advanced injection filter evasion

Some time ago I ran a web scan against an application using the Acunetix Vulnerability Scanner.

The scanner reported an HTTP response splitting vulnerability, triggered with the following percent-encoded characters:

%e5%98%8d%E5%98%8a

A graphical example is given below:



I needed to use the following pages to understand how the encoding worked.
https://en.wikipedia.org/wiki/UTF-8
http://www.binaryhexconverter.com/hex-to-binary-converter
http://www.binaryhexconverter.com/binary-to-hex-converter

Basically, given a character you want to represent in 3 bytes, let's say 0A, you need to take the following steps:

convert the character to an arbitrary 2-byte representation whose low byte is 0A, let's say 2c0a, and transform it to binary

0010 1100 0000 1010

now, using the Wikipedia table:

Bits of     First       Last        Bytes in  Byte 1    Byte 2    Byte 3    Byte 4    Byte 5    Byte 6
code point  code point  code point  sequence
 7          U+0000      U+007F      1         0xxxxxxx
11          U+0080      U+07FF      2         110xxxxx  10xxxxxx
16          U+0800      U+FFFF      3         1110xxxx  10xxxxxx  10xxxxxx
21          U+10000     U+1FFFFF    4         11110xxx  10xxxxxx  10xxxxxx  10xxxxxx
26          U+200000    U+3FFFFFF   5         111110xx  10xxxxxx  10xxxxxx  10xxxxxx  10xxxxxx
31          U+4000000   U+7FFFFFFF  6         1111110x  10xxxxxx  10xxxxxx  10xxxxxx  10xxxxxx  10xxxxxx

transform your 2-byte character using the 16-bit (3-byte) row:

11100010 10110000 10001010

Convert it to HEX, using the online converter

that will become E2B08A

add a percent sign in front of each byte:
%E2%B0%8A

Your new line encoded in 3 bytes is ready to be used!

If you used 000A instead of some other XY0A pair, the server would have recognised that you were trying to cheat it (000A padded into 3 bytes is an overlong encoding, which a compliant decoder rejects), so the encoding would not have worked.


--------------


Another approach is to change 0A to a 2-byte encoding, but I did not see it working.

For instance
0000 1010

needs to be padded to 11 bits. Let's use zeros:

000 0000 1010

now, by following the table, this becomes

11000000 10001010

which in HEX becomes

C08A


Remember that everything depends on how the server interprets the encoded characters.
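As an added example (not part of the original post), here is a Python check that a server or filter could apply to header input, covering both encodings described above: a strict UTF-8 decoder that rejects overlong sequences such as C08A, and a check for code points like U+2C0A or U+560D/U+560A whose low byte turns into CR or LF if the server later truncates each code point to a single byte. The function names decode_strict and header_value_is_safe are hypothetical; the sample values are the ones from the post.

```python
from urllib.parse import unquote_to_bytes

# Smallest code point each sequence length may legally encode (RFC 3629);
# anything smaller is an overlong encoding and must be rejected.
MIN_FOR_LEN = {1: 0x0, 2: 0x80, 3: 0x800, 4: 0x10000}


def decode_strict(raw: bytes) -> list:
    """Decode UTF-8 by hand; raise ValueError on overlong or malformed input."""
    cps, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            n, cp = 1, b
        elif 0xC0 <= b < 0xE0:
            n, cp = 2, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 3, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            n, cp = 4, b & 0x07
        else:
            raise ValueError(f"invalid lead byte {b:#04x} at offset {i}")
        if i + n > len(raw):
            raise ValueError("truncated multi-byte sequence")
        for c in raw[i + 1:i + n]:
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte {c:#04x}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < MIN_FOR_LEN[n]:
            # %C0%8A from the post lands here: U+000A squeezed into 2 bytes.
            raise ValueError(f"overlong encoding of U+{cp:04X} in {n} bytes")
        cps.append(cp)
        i += n
    return cps


def header_value_is_safe(percent_encoded: str) -> tuple:
    """Reject input that a header-writing layer could turn into CR or LF."""
    try:
        cps = decode_strict(unquote_to_bytes(percent_encoded))
    except ValueError as err:
        return False, str(err)
    # A server that writes each code point as a single byte keeps only the
    # low byte, so U+560D U+560A (the scanner's payload) becomes 0x0D 0x0A.
    low_bytes = bytes(cp & 0xFF for cp in cps)
    if b"\r" in low_bytes or b"\n" in low_bytes:
        return False, "low byte of a code point is CR or LF"
    return True, "ok"
```

Python's own `bytes.decode("utf-8")` also refuses the overlong form, but it happily accepts U+2C0A, so the low-byte check is the part a filter must add itself.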