Message-ID: <20120605173935.GB19645@openwall.com>
Date: Tue, 5 Jun 2012 21:39:35 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: HTML encoding, PHP magic_quotes_gpc encoding (was: Using Twitter to build password cracking wordlist)

On Tue, Jun 05, 2012 at 10:10:53AM -0600, Stephen John Smoogen wrote:
> On a different dictionary hacking thing, I ran into last night... but
> is probably well known except to me :).

This is definitely known to some people, but is often overlooked during actual cracking runs even by those who are aware of it.

> I found that sites that use only webapps to interact with passwords
> will sometimes "encode" all the possible dangerous characters to HTML
> code before sending it to the crypt function. So where your dictionary
> might have '123456#' the $1$ string is actually '123456#'
>
> The bulk of them seem to be
> " --> "
> # --> #
> & --> &
> ' --> '
> ( --> (
> ) --> )
>
> with various numbers of 0's added in depending on how UTF the app is feeling :).

I think HTML entities such as & are also sometimes used.

This means that when/if we implement this in JtR, we need one-to-many translation.

Another curious conversion that we could support is matching PHP's magic_quotes_gpc.

Alexander
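The defect described in the thread, from the web application's side, as an added example that is not part of the mailing-list message: the app escapes the password as if it were HTML output (or has magic_quotes_gpc on) before hashing it, so the stored hash is over a mangled string. The verify function shows how a fixed app has to accept the old mangled forms once so that it can re-hash existing users against the raw password. PBKDF2-HMAC from the standard library stands in for crypt() here (an assumption; the thread talks about $1$ hashes), and `php_magic_quotes` is a hypothetical emulation of PHP's escaping, not PHP's own code.

```python
import hashlib
import hmac
import html


def hash_password(password: str, salt: bytes, rounds: int = 10_000) -> bytes:
    # Stand-in for the application's password hash (assumption: PBKDF2 instead of crypt()).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def php_magic_quotes(s: str) -> str:
    # Hypothetical emulation of magic_quotes_gpc: backslash before ' " \ and NUL.
    return "".join(("\\" + ch) if ch in "'\"\\\0" else ch for ch in s)


def buggy_store(password: str, salt: bytes) -> bytes:
    # The bug: the password is HTML-escaped (& " ' < > become entities) before hashing.
    # Note html.escape() does not touch '#', '(' or ')'; the thread reports apps
    # that escape more characters than this, so real mangling can be wider.
    return hash_password(html.escape(password, quote=True), salt)


def fixed_store(password: str, salt: bytes) -> bytes:
    # Corrected: hash exactly what the user typed.
    return hash_password(password, salt)


def verify_with_migration(password: str, salt: bytes, stored: bytes):
    """Return which form of the password matched: "raw", "html", "magic_quotes", or None.

    After the fix, records written by the buggy code still hold hashes of the mangled
    form. Trying the raw form first and the known mangled forms next lets those users
    log in; a match on a mangled form is the signal to re-hash with fixed_store().
    """
    candidates = {
        "raw": password,
        "html": html.escape(password, quote=True),
        "magic_quotes": php_magic_quotes(password),
    }
    for name, cand in candidates.items():
        if hmac.compare_digest(hash_password(cand, salt), stored):
            return name
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value
    old = buggy_store("123456#'", salt)
    print(verify_with_migration("123456#'", salt, old))  # html -> needs re-hash
    print(verify_with_migration("123456#'", salt, fixed_store("123456#'", salt)))  # raw
```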