Posts tagged 'javascript': 2

  1. 2009.06.10 URL Encoding by CEOinIRVINE
  2. 2009.06.09 Hacking with Javascript 2005.FEB. by CEOinIRVINE

URL Encoding

Hacking 2009. 6. 10. 14:47

HTML URL Encoding Reference


URL encoding converts characters into a format that can be safely transmitted over the Internet.

URL - Uniform Resource Locator

Web browsers request pages from web servers by using a URL.

The URL is the address of a web page like: http://www.w3schools.com.

URL Encoding

URLs can only be sent over the Internet using the ASCII character-set.

Since URLs often contain characters outside the ASCII set, the URL has to be converted. URL encoding converts the URL into a valid ASCII format.

URL encoding replaces unsafe ASCII characters with "%" followed by two hexadecimal digits corresponding to the character values in the ISO-8859-1 character-set.

URLs cannot contain spaces. URL encoding normally replaces a space with a + sign.


URL Encoding Functions

In JavaScript, PHP, and ASP there are functions that can be used to URL encode a string.

In JavaScript you can use the encodeURI() function. PHP has the rawurlencode() function and ASP has the Server.URLEncode() function.

Note: The JavaScript function encodes space as %20.
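The difference between the two JavaScript encoders matters when untrusted input is placed into a URL. The following is an added example, not code from the original page or from W3Schools; it assumes the usual convention that the receiving side splits the query string on "&" and "=".

```javascript
// Added example (not from the original page): choosing the right encoder when
// untrusted input is placed into a URL, and decoding it back.

// encodeURI() treats its argument as a complete URL and leaves the delimiters
// ; , / ? : @ & = + $ # untouched, so it cannot safely wrap a single parameter
// value. encodeURIComponent() escapes those delimiters as well (& -> %26, = -> %3D).
function buildQuery(params) {
  return Object.entries(params)
    .map(([name, value]) =>
      encodeURIComponent(name) + "=" + encodeURIComponent(String(value)))
    .join("&");
}

// application/x-www-form-urlencoded bodies use "+" for a space; the JavaScript
// functions emit %20, so convert afterwards when that form is required.
function formEncode(params) {
  return buildQuery(params).replace(/%20/g, "+");
}

// Decode a query string into an object. "+" is turned back into a space before
// percent-decoding. A malformed escape such as "%E0%A4%A" makes
// decodeURIComponent throw URIError, and the whole input is then rejected (null).
function parseQuery(qs) {
  const out = Object.create(null);   // no prototype, so a "__proto__" key is harmless
  for (const pair of qs.split("&")) {
    if (pair === "") continue;
    const i = pair.indexOf("=");
    const rawName = i < 0 ? pair : pair.slice(0, i);
    const rawValue = i < 0 ? "" : pair.slice(i + 1);
    try {
      out[decodeURIComponent(rawName.replace(/\+/g, " "))] =
        decodeURIComponent(rawValue.replace(/\+/g, " "));
    } catch (e) {
      if (e instanceof URIError) return null;   // reject malformed percent-encoding
      throw e;
    }
  }
  return out;
}

// Constructed input: a search term that happens to contain query delimiters.
const term = "x=1&admin=true";
const naive = "q=" + encodeURI(term);   // "q=x=1&admin=true": the server sees two parameters
const safe = buildQuery({ q: term });   // "q=x%3D1%26admin%3Dtrue": one parameter, as intended
```

Run under Node.js. The point of the `naive` line is that encodeURI() keeps the characters that give a query string its structure, so a value containing "&" silently becomes an extra parameter on the server; encodeURIComponent() is the one to use for each name and value separately.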

URL Encoding Reference

ASCII Character   URL-encoding
space %20
! %21
" %22
# %23
$ %24
% %25
& %26
' %27
( %28
) %29
* %2A
+ %2B
, %2C
- %2D
. %2E
/ %2F
0 %30
1 %31
2 %32
3 %33
4 %34
5 %35
6 %36
7 %37
8 %38
9 %39
: %3A
; %3B
< %3C
= %3D
> %3E
? %3F
@ %40
A %41
B %42
C %43
D %44
E %45
F %46
G %47
H %48
I %49
J %4A
K %4B
L %4C
M %4D
N %4E
O %4F
P %50
Q %51
R %52
S %53
T %54
U %55
V %56
W %57
X %58
Y %59
Z %5A
[ %5B
\ %5C
] %5D
^ %5E
_ %5F
` %60
a %61
b %62
c %63
d %64
e %65
f %66
g %67
h %68
i %69
j %6A
k %6B
l %6C
m %6D
n %6E
o %6F
p %70
q %71
r %72
s %73
t %74
u %75
v %76
w %77
x %78
y %79
z %7A
{ %7B
| %7C
} %7D
~ %7E
ƒ %83
ˆ %88
Š %8A
Ž %8E
˜ %98
š %9A
œ %9C
ž %9E
Ÿ %9F
¡ %A1
¢ %A2
£ %A3
¥ %A5
¦ %A6
§ %A7
¨ %A8
© %A9
ª %AA
« %AB
¬ %AC
(soft hyphen) %AD
® %AE
¯ %AF
° %B0
± %B1
² %B2
³ %B3
´ %B4
µ %B5
· %B7
¸ %B8
¹ %B9
º %BA
» %BB
¼ %BC
½ %BD
¾ %BE
¿ %BF
À %C0
Á %C1
Ã %C3
Ä %C4
Å %C5
Æ %C6
Ç %C7
È %C8
É %C9
Ð %D0
Ñ %D1
Ò %D2
Ó %D3
Ô %D4
Õ %D5
Ö %D6
Ø %D8
Ù %D9
ß %DF
à %E0
á %E1
â %E2
ã %E3
ä %E4
å %E5
æ %E6
ç %E7
è %E8
é %E9
ê %EA
ë %EB
ì %EC
í %ED
î %EE
ï %EF
ð %F0
ñ %F1
ò %F2
ó %F3
ô %F4
õ %F5
ö %F6
÷ %F7
ø %F8
ù %F9
ú %FA
û %FB
ü %FC
ý %FD
þ %FE
ÿ %FF

URL Encoding Reference

The ASCII device control characters %00-%1f were originally designed to control hardware devices. Control characters have nothing to do inside a URL.

ASCII Character   Description   URL-encoding
NUL null character %00
SOH start of header %01
STX start of text %02
ETX end of text %03
EOT end of transmission %04
ENQ enquiry %05
ACK acknowledge %06
BEL bell (ring) %07
BS backspace %08
HT horizontal tab %09
LF line feed %0A
VT vertical tab %0B
FF form feed %0C
CR carriage return %0D
SO shift out %0E
SI shift in %0F
DLE data link escape %10
DC1 device control 1 %11
DC2 device control 2 %12
DC3 device control 3 %13
DC4 device control 4 %14
NAK negative acknowledge %15
SYN synchronize %16
ETB end transmission block %17
CAN cancel %18
EM end of medium %19
SUB substitute %1A
ESC escape %1B
FS file separator %1C
GS group separator %1D
RS record separator %1E
US unit separator %1F

Posted by CEOinIRVINE
To: bugtraq@securityfocus.com
Date: Wed, 09 Feb 2005 13:43:23 +0000


This tutorial is an overview of how javascript can be used to bypass
simple/advanced html forms and how it can be used to override cookie/session


1. Bypassing Required Fields

        Surely you have met a webpage that requires you to fill all fields in a
form in order to submit it. It is possible to bypass these types of
restrictions on any webpage. If you take a look at the webpage's source and
follow it down to the form's code, you will notice the onsubmit form
attribute. Hopefully by this time you have experienced the power of
javascript and you know that javascript has control over every single
element in a webpage, including forms. We can use javascript to our advantage
in every page we view for we can modify, delete, or add any element to the
webpage. In this case we wish to clear the form's onsubmit attribute in
order for the form to be submitted successfully.

        The onsubmit attribute generally points to a function that checks the form
to have the correct format. A function that does this may look something
like this:

                function formSubmit(x) {
                        if(x.email.value=="") return false;
                        return true;
                }


                <form name="spamform" method=post action="process.php" onsubmit="return

        I will not go into great detail about how the formSubmit function works.
You should know that if the (textfield/optionfield/option/..) field is left
blank, the form will not be submitted to process.php. Now comes the moment
of truth, how do we modify the form so that onsubmit returns true every time?
The way we can access the form with javascript and do this is:

                document.forms[x].onsubmit="return true;";


                document.spamform.onsubmit="return true;";

        Both of these 'queries' will allow you to submit the form free of
restrictions. The secret is how to execute this. I do this using my
browser's Location bar. All you have to do is enter this text into the
location bar and press enter:

                javascript:document.spamform.onsubmit="return true;";

        The above statement will not work because the 'query' will return a value;
javascript doesn't know what to do with it, so it dumps the returned value on
the screen. We need a way to use this value and keep it from passing on to
javascript. I know the exact way to do this, with alert()!

                javascript:alert(document.spamform.onsubmit="return true;");

        You will see an alert box with "return true;" instead of dumping this value
out to the web browser. Once you have executed this query you will be able to
enter whatever value into whatever field in spamform.

2. Changing Fields' Values

        If you have managed to change a form's onsubmit attribute to let you do
whatever the *** you want, what are the limits? Of course now you know that
you can modify the onsubmit attribute of a form from the location bar, same
goes for any attributes of any object in the page. This is how you can do

                javascript:alert(document.spamform.fieldname.value="Dr_aMado was here!");


                javascript:alert(document.forms[x].fieldname.value="Dr_aMado was here!");

        But of course, you already knew that. Didn't you? You can change the
values of pretty much anything inside a form, including radios, checkboxes,
selects, hidden values, buttons, anything!


1. Using Forms to Your Advantage

        You probably already know about sql injection, my goal is to explain how
vulnerable forms can be if not handled correctly. When targeting a system,
most times you will start off with 0 code to exploit. The only thing you
have is a constructed webpage to break to pieces and successfully find
vulnerabilities to use to your advantage.


        A very logical way of acquiring system information from a website's database
is by causing errors in the sql queries. These errors can be created
through search forms, dynamic links, or session cookies. Most sql injection
papers explain how dynamic links and text boxes can be used to execute sql
queries but in my opinion, this vulnerability is more common in other input
types (select boxes, hidden fields, checkboxes and radio buttons, and

        Mixing data types generally crashes a webpage if it's not well coded. Take
for example a link to "memberinfo.php?o_id=1". If your goal is to crash that
page it would be a good idea to stick in a " or a ' in the o_id variable.
If you're lucky you will get a debug message containing the crippled sql
query. After you have all the information you need and you know what you're
going after you're ready to hack the hell out of every page that you have
access to.


        The first form you think of is the profile page. Most profile pages ignore
a user's intellectuals and don't mask out, for example, select boxes. A way
of exploiting this vulnerability is by injecting a sql query in the value
property of the field.

WHERE user_id=1#");

        If we assume that the server side sql query looks something like this:

                "UPDATE user_data SET
WHERE user_id=$user_id";

                Then the final query will look somewhat like this:

                "UPDATE user_data SET
                user_id=1 #' WHERE user_id=7382";

                # is a sql comment operator.

2. Bypassing Session Cookies


        Most of the time session handling is done with the use of cookies. The
cookies tell the webpage who you are and what you have access to and what
you don't have access to. If the page does not handle session cookies
correctly a hacker might be able to change their identity to that of
another user's. Cookies are stored in "window.document.cookie". With
javascript we are able to erase, edit, or create cookies for any website. This
task is more complicated than regular types of attacks. I will not go into
great detail about how it's done.

                To View the Cookie:

                To Change Cookie Data:

? c.indexOf(";") :
name:",""),prompt("replace this value:",""),prompt("with::","")));

                So if you are logged in as "John Doe" in www.ima13370h4x0r.net and your
session cookie reads:


        The cookie is actually serialized but you should be able to recognize
"75959" as your user_id. Some of the time you will find a website that
stores data (like user_id) in cookies but does not typecast the data. This
is a serious hole in the site's code because any user is able to change
their user_id to any other user or administrator user_id.

        Changing the cookie value is easy once you have declared the window.c
function. First change s:5:"75959" to s:x:"ADMINID" where x is the length of
the new value. So if you want to change 75959 to 1. You must change
s:5:"75959" to s:1:"1" :-) Sometimes you will need to change 75959 to "13 or
1=1" in order to bypass any WHERE statements any sql session queries used to
keep you logged in the website.

        In-line javascript statements can be added to your browser's favorites for
easier access to your own functions.
        It is possible to declare your own functions for use in extended hacks.
Declare the function as a method of window. "alert(window.newfunction =
function (){...})"

am hictor
thnk you rodhedor

Posted by CEOinIRVINE