
Bypassing striphtmlchars()


ghost's Avatar
0 0

Basically I was wondering if anyone knows how to properly bypass this. I know that if I encode the html tag (<script>) into:

Decimal NCRs:*script
Hexadecimal NCRs:<script>

And probably more like UTF-7/8 or something, but when I try stuff like (Decimal NCRs - "><script>alert(1)</script>):

"scriptalert(1)/script

On the site it allows it to be added but the alert isn't there (it will say something like: No results found for "><script>alert(1)</script>)

So if anyone could help me out that would be great.

Edit: Decimal NCRs: = <script> encoded in Decimal NCRs: same with Hexadecimal NCRs: where it says (Decimal NCRs - "><script>alert(1)</script>): it means "><script>alert(1)</script> encoded in Decimal NCRs, that's where it says "scriptalert(1)/script (to avoid XSS on the forum)

Sorry for being such a twat/moron/imbecile/retard/spaz I wasn't thinking :( I hang my head in shame

P.S. a place to convert them: http://rishida.net/scripts/uniview/conversion.php

Once again sorry

Thanks SaMTHG:)
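The behaviour described in the post above (the encoded string is echoed back as text and no alert fires), as an added example that is not part of the original thread: numeric character references in element content decode to text, never to markup, and escaping on output neutralises the raw form as well. The `results_page` function is a hypothetical stand-in for the site's search page, Python's `HTMLParser` is used as a rough model of a browser tokenizer, and the filter itself is not shown on the page and is not modelled here.

```python
import html
from html.parser import HTMLParser

class Tokens(HTMLParser):
    """Rough stand-in for a browser's HTML tokenizer: collects real tags and text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &#NN; inside text, as browsers do
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def decimal_ncr(s):
    """Encode only < and > as decimal numeric character references."""
    return "".join(f"&#{ord(c)};" if c in "<>" else c for c in s)

def results_page(query, escape_output):
    """Hypothetical search page that reflects the query into element content."""
    shown = html.escape(query) if escape_output else query
    return f"<p>No results found for {shown}</p>"

def inspect(page):
    """Return (number of real <script> elements, text the user would see)."""
    t = Tokens()
    t.feed(page)
    t.close()
    return t.tags.count("script"), "".join(t.text)

QUERY = '"><script>alert(1)</script>'  # the test string quoted in the post

if __name__ == "__main__":
    for label, q, esc in [
        ("raw input, no output escaping", QUERY, False),
        ("NCR input, no output escaping", decimal_ncr(QUERY), False),
        ("raw input, html.escape on output", QUERY, True),
        ("NCR input, html.escape on output", decimal_ncr(QUERY), True),
    ]:
        n, text = inspect(results_page(q, esc))
        print(f"{label:34} script elements={n} text={text!r}")
```

Only the first case produces a real script element; the fix for it is the output escaping shown in the third and fourth cases, not input filtering.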


spyware's Avatar
Banned
0 0

Can't understand a thing you're trying to say. Also; smileys.


ghost's Avatar
0 0

Sorry I didn't think. HBH filters decoded the encoded script.


Night_Stalker's Avatar
Member
0 0

SaMTHG wrote: Basically I was wondering if anyone knows how to properly bypass this. I know that if I encode the html tag (<script>) into: Decimal NCRs:*script Hexadecimal NCRs:<script> And probably more like UTF-7/8 or something but when I try stuff like (Decimal NCRs - "><script>alert(1)</script>): "scriptalert(1)/script On the site it allows it to be added but the alert isn't there (it will say something like: No results found for "><script>alert(1)</script>) So if anyone could help me out that would be great. Thanks SaMTHG:)

Only incompetent fools put smilies inside their scripts, and end their posts with their name even though it is included in their sig…

EDIT: Wait, I was thinking you were yous3lf, I was going to come to congratulate you on another worthless post, but then realized you aren't him… But the smiles do make it look like a foolish, incompetent homosexual posted it…


ghost's Avatar
0 0

Night_Stalker wrote: Only incompetent fools put smilies inside their scripts, and end their posts with their name even though it is included in their sig…

EDIT: Wait, I was thinking you were yous3lf, I was going to come to congratulate you on another worthless post, but then realized you aren't him… But the smiles do make it look like a foolish, incompetent homosexual posted it…

Okay, okay, a simple "disable your smilies when you post code" would've sufficed. It's not like you have any grounds to judge anyone else here, anyways.