eaglelegend Posted May 15, 2008
https://forums.phpfreaks.com/topic/105835-xss-is-this-correct/

Hey, I have just, well, guessed at getting the XSS code from the site I got it from. I assume this is right? Much help is appreciated, and it's urgent!

original register code

<?php
$username = $_POST['username'];
$password = $_POST['password'];
$password_confirm = $_POST['password_confirm'];
$email = $_POST['email'];

register code after

<?php
function RemoveXSS($username) {
    // remove all non-printable characters. TAB(09), LF(0a) and CR(0d) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
    // (the posted copy had stray commas inside the class and stopped at \x19; \x1a-\x1f are non-printable too)
    $username = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $username);

    // straight replacements, the user should never need these since they're normal characters
    // this prevents like <IMG SRC=&#X40;avascript:alert('XSS')>
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars
        // &#x0040 @ search for the hex values
        $username = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $username); // with a ;
        // &#00064 @ search for the decimal values
        $username = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $username); // with a ;
    }

    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script',
        'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy',
        'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload',
        'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect',
        'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate',
        'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror',
        'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown',
        'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter',
        'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend',
        'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend',
        'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect',
        'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $username_before = $username;
        for ($i = 0; $i < sizeof($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // allow encoded or literal TAB/LF/CR between the letters of the keyword
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}[9ad];?)';   // hex 9, a, d = TAB, LF, CR (the posted copy had [9ab], which missed CR)
                    $pattern .= '|';
                    $pattern .= '(&#0{0,8}(9|10|13);?)';   // decimal 9, 10, 13 (the posted copy had [9|10|13], a character class that never matched 10 or 13)
                    $pattern .= '|';
                    $pattern .= '[\t\n\r]';                 // the literal whitespace the first pass deliberately kept
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
            $username = preg_replace($pattern, $replacement, $username); // filter out the hex tags
        }
        // compare after the whole pass, not after each keyword, so a replacement made by a
        // later keyword still triggers another round
        if ($username_before == $username) {
            // no replacements were made, so exit the loop
            $found = false;
        }
    }
    return $username;
}

// the posted copy had a dangling "= $_POST['username'];" after the closing brace, which is a parse error;
// the function has to be called on the POST value
$username = RemoveXSS($_POST['username']);

original XSS code from a site:

function RemoveXSS($val) {
    // remove all non-printable characters. TAB(09), LF(0a) and CR(0d) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
    // (the posted copy had stray commas inside the class and stopped at \x19; \x1a-\x1f are non-printable too)
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // straight replacements, the user should never need these since they're normal characters
    // this prevents like <IMG SRC=&#X40;avascript:alert('XSS')>
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars
        // &#x0040 @ search for the hex values
        $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
        // &#00064 @ search for the decimal values
        $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
    }

    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script',
        'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy',
        'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload',
        'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect',
        'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate',
        'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror',
        'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown',
        'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter',
        'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend',
        'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend',
        'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect',
        'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // allow encoded or literal TAB/LF/CR between the letters of the keyword
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}[9ad];?)';   // hex 9, a, d = TAB, LF, CR (the posted copy had [9ab], which missed CR)
                    $pattern .= '|';
                    $pattern .= '(&#0{0,8}(9|10|13);?)';   // decimal 9, 10, 13 (the posted copy had [9|10|13], a character class that never matched 10 or 13)
                    $pattern .= '|';
                    $pattern .= '[\t\n\r]';                 // the literal whitespace the first pass deliberately kept
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
        }
        // compare after the whole pass, not after each keyword, so a replacement made by a
        // later keyword still triggers another round
        if ($val_before == $val) {
            // no replacements were made, so exit the loop
            $found = false;
        }
    }
    return $val;
}
BlueSkyIS Posted May 15, 2008
What problem are you having?
eaglelegend Posted May 15, 2008 (Author)
Logging out, heh. The code they gave me on the other page has given me trouble logging out, so I can't test this. Besides, heh, I'm no good at hacking, see, so I won't be able to test it. Anyway, is that right? Because I practically had to guess what I had to do.
eaglelegend Posted May 15, 2008 (Author)
??? well...
BlueSkyIS Posted May 15, 2008
I'm trying to understand your English. You have no way of testing this code and you want someone to test it for you? ???
eaglelegend Posted May 15, 2008 (Author)
I'm not asking for anyone to test it. I mean, is that how it is supposed to work/function?
BlueSkyIS Posted May 15, 2008
Ah, sorry. I don't know XSS from a hole in the ground. Maybe someone else here does.
Guardian-Mage Posted May 15, 2008
Please don't make useless posts, BlueSkyIS. Honestly, how did your post help anyone? Eaglelegend, one step would be looking up each function used on php.net; then you should try making a similar function from scratch. It will be better than copying someone else's work. I can never understand someone else's script as well as my own.
gizmola Posted May 15, 2008
Ok, so basically you are concerned about XSS exploits of your site? You might want to read a bit about what they are. Typically XSS is just some html/javascript that someone can embed into a page you render. This happens a lot in forums and places where people can post blocks of input. That routine does seem to prevent XSS exploitation, although I only scanned it quickly. You are probably a lot better off reading the documentation of the routine, or corresponding with the original author in regards to any questions you might have.
eaglelegend Posted May 15, 2008 (Author)
I would, heh. The problem is, it doesn't tell me how to do it in any way; it doesn't, like, say step one do this, then this, etc. It just dives straight in with the code >_<
gizmola Posted May 15, 2008
Yes, but you can go line by line, using the reference manual, and try to understand their techniques. Mostly what they are doing is looking for certain characters and stripping them out or converting them to something banal. As html needs to use things like script blocks etc., they are converting those to things that can't be executed. It uses a variety of techniques actually (the script) but as I stated, I'm not planning to delve in and make an academic study of it. As for the use of it -- it's certainly possible to use it without understanding fully what it does, although I've always found that exploring what you don't understand is a great way to learn.
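The routine gizmola describes above is a denylist: it decodes entity-encoded characters and then breaks up a fixed list of tag and handler names. The two controls that actually close the hole for the register code in the first post, shown here as an added example that is not part of the thread and not part of the RemoveXSS routine, are allowlist validation of the username on input and HTML encoding with htmlspecialchars at output. The username policy (3 to 20 characters from letters, digits and underscore), the function names and the sample payloads are assumptions made up for this example. The last payload uses the HTML5 ontoggle handler, which does not appear in the $ra2 list of the posted routine, so a denylist of that shape would pass it through unchanged; encoding at the point of output neutralises it regardless of what any input filter did.

```php
<?php
// Added example (not from the thread): validate on input, encode on output.
// Assumed username policy: 3-20 characters from [A-Za-z0-9_].
declare(strict_types=1);

// Allowlist validation for the username field. Because '<', '>', '&', '#'
// and quotes are outside the allowed set, entity tricks such as &#x6a;avascript
// are rejected outright and no list of tag or handler names is needed.
// The D modifier stops '$' from matching before a trailing newline, so
// "alice\n" is rejected rather than accepted with the newline attached.
function validateUsername(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/D', $raw) === 1 ? $raw : null;
}

// Encoding for HTML text and quoted attribute values. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''
// and silently dropping the whole value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The pattern in the original register code: a raw POST value placed in markup.
function renderUnsafe(string $username): string
{
    return '<p>Welcome, ' . $username . '</p>';
}

// Hardened form: the same markup with the value encoded at the point of output.
function renderSafe(string $username): string
{
    return '<p>Welcome, ' . h($username) . '</p>';
}

// Registration handler applying both controls. It takes the POST array as a
// parameter so it can be exercised from the command line without a web server.
// A request of the form username[]=x makes $post['username'] an array, so
// anything that is not a string is rejected before validation.
function handleRegister(array $post): array
{
    $raw = $post['username'] ?? null;
    $username = is_string($raw) ? validateUsername($raw) : null;
    if ($username === null) {
        return ['ok' => false, 'html' => '<p>Username must be 3 to 20 letters, digits or underscores.</p>'];
    }
    return ['ok' => true, 'html' => renderSafe($username)];
}

// Constructed sample inputs for the demonstration.
$payloads = [
    'alice_01',
    '<script>alert(1)</script>',
    "<img src=x onerror=alert('xss')>",
    '<details open ontoggle=alert(1)>',   // ontoggle is not in the posted $ra2 list
];

foreach ($payloads as $p) {
    $result = handleRegister(['username' => $p]);
    printf("input    : %s\n", $p);
    printf("register : %s\n", $result['ok'] ? 'accepted' : 'rejected');
    printf("unsafe   : %s\n", renderUnsafe($p));
    printf("safe     : %s\n\n", renderSafe($p));
}
```

Run it with php on the command line; only alice_01 is accepted by the allowlist, and every payload comes out of renderSafe as inert text, with the raw renderUnsafe line beside it showing what the original register code would have emitted. Keep RemoveXSS as defence in depth if you like, but the encoding call at output is the control that holds when the list of handler names is out of date.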