Cheating with obfuscation

Sometimes I find strange lines in my web server's log, like this one:

"GET site.php?id=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%32%33%29%3B%3C%2F%73%63%72%69%70%74%3E HTTP/1.1"

What's that? No, it's not the Matrix; it looks like someone tried to hide something behind URL encoding, where every character is written as a percent sign followed by its hex value.
Let's write two lines using urldecode() to check this string.

<?php
// The percent-encoded value taken from the log line above
$s = "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%32%33%29%3B%3C%2F%73%63%72%69%70%74%3E";

// urldecode() reverses the encoding; htmlspecialchars() escapes the result so it is
// displayed instead of executed when this script's output is viewed in a browser
echo htmlspecialchars(urldecode($s));
?>

As we can see, the human-readable output of the script above is this string (a simple XSS probe; it only does harm if site.php echoes the id parameter back into the page without escaping it):

<script>alert(23);</script>
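The same check, applied to whole log lines instead of one pasted value, as an added example that is not part of the original post. The log lines are constructed for the example; the request format and the XSS patterns are assumptions. It goes a little beyond the single case above: it decodes repeatedly, so a double-encoded payload (%253C, which decodes to %3C and only then to <) is caught as well, and it splits the query string before decoding so an encoded & inside a value cannot hide a parameter.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the original post): the request from the
# post, a double-encoded variant, a benign request and an event-handler payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /site.php?id=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%32%33%29%3B%3C%2F%73%63%72%69%70%74%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2013:13:55:40 +0000] "GET /site.php?id=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2013:13:56:01 +0000] "GET /site.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2013:13:56:09 +0000] "GET /site.php?id=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512',
]

# Combined-log request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Illustrative XSS heuristics only (assumed patterns); a real scanner would use a fuller rule set.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def full_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing, so %253C (double-encoded '<') is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_request(line):
    """Return (decoded_path, {param: decoded_value}) for one log line, or None if no request is found."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    params = {}
    # Split on '&' and '=' before decoding so an encoded '%26' inside a value cannot split it.
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[full_decode(key)] = full_decode(value)
    return full_decode(path), params


def find_suspicious(lines):
    """Return a list of (path, parameter, decoded value) for every parameter matching the heuristics."""
    hits = []
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        path, params = parsed
        for key, value in params.items():
            if SUSPICIOUS_RE.search(value):
                hits.append((path, key, value))
    return hits


if __name__ == "__main__":
    for path, key, value in find_suspicious(SAMPLE_LOG):
        print(f"{path} {key}={value!r}")
```

Run against the constructed lines it reports three hits (the original probe, the double-encoded one and the onerror payload) and leaves id=42 alone. The decode loop is capped at three rounds on purpose: a request that is still changing after that is itself worth flagging rather than decoding forever.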

From time to time I also find obfuscated IP addresses.
All three of these strange-looking lines (dword, hex and octal notation) are the same address, 64.233.187.99, and are URLs to google.com. Don't believe me? Then try them in your browser.

http://1089059683
http://0x40.0xe9.0xbb.0x63
http://0100.0351.0273.0143
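A normalizer that turns any of these spellings back into dotted decimal, so they can be matched against a blocklist or simply read, as an added example that is not part of the original post. It follows the classic inet_aton() rules, which browsers following the WHATWG URL standard apply as well: a component starting with 0x is hex, one starting with 0 is octal, anything else is decimal, and the last component fills however many bytes are left, so 1-, 2- and 3-part forms and mixed-radix forms are covered beyond the three on the page. The example URLs other than the three above are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed examples (not from the original post): the three forms above plus
# mixed-radix and short (3-part) spellings that inet_aton() also accepts.
OBFUSCATED_URLS = [
    "http://1089059683",              # dword
    "http://0x40.0xe9.0xbb.0x63",     # hex
    "http://0100.0351.0273.0143",     # octal
    "http://64.0xe9.0273.99",         # mixed radix
    "http://64.233.47971",            # 3 parts: last part fills 2 bytes
]

_HEX_DIGITS = re.compile(r"[0-9a-fA-F]+")


def parse_ipv4_part(part):
    """Parse one dotted component the way inet_aton() and WHATWG URL parsing do:
    a '0x' prefix means hex, a leading '0' means octal, anything else is decimal."""
    if part[:2].lower() == "0x":
        digits, base = part[2:], 16
    elif len(part) > 1 and part[0] == "0":
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    # int() tolerates '_', whitespace and signs; reject anything but bare digits first.
    if not digits or not _HEX_DIGITS.fullmatch(digits):
        raise ValueError(f"not a numeric IPv4 component: {part!r}")
    return int(digits, base)  # raises ValueError for e.g. '8' in an octal component


def normalize_ipv4(host):
    """Return the dotted-decimal form of a numeric IPv4 host written in any legacy spelling."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"wrong number of components: {host!r}")
    values = [parse_ipv4_part(p) for p in parts]
    # Every part except the last is exactly one byte; the last part fills the remaining bytes.
    if any(v > 0xFF for v in values[:-1]):
        raise ValueError(f"component out of range: {host!r}")
    last_width = 5 - len(values)          # 4 bytes for a lone dword, down to 1 for four parts
    if values[-1] >= 1 << (8 * last_width):
        raise ValueError(f"last component out of range: {host!r}")
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_width)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(url):
    """Hostname of url with numeric IPv4 spellings normalized; non-numeric hostnames are returned as-is."""
    host = urlsplit(url).hostname or ""
    try:
        return normalize_ipv4(host)
    except ValueError:
        return host


if __name__ == "__main__":
    for u in OBFUSCATED_URLS:
        print(f"{u:32} -> {canonical_host(u)}")
```

Feed it the three URLs from the post and each comes back as 64.233.187.99. The range checks matter: 256.1.1.1 or a five-part host is rejected rather than silently wrapped, and 08.1.1.1 is rejected because 8 is not an octal digit, which is also how inet_aton() treats it.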
