[LUAU] How Does this Work?
Eric Hattemer
hattenator at imapmail.org
Thu Apr 29 21:20:03 PDT 2004
For a more technical explanation, you can refer to rfc1738 among
others, if that kind of thing excites you:
http://www.faqs.org/rfcs/rfc1738.html . I can't explain that particular
URL. The URL RFC explains that there are several special characters
including @, :, & that aren't considered normal text. Also, %HEXHEX
represents the character of that numerical value.
@ is a simple, yet somewhat obvious method. When a site asks for a
password, you can either wait for it to ask, or you can type
http://user:password@site.com. You can leave the password out if you
want. If the site doesn't actually require a user/password, it will
ignore it. So you can use anything you want in the username.
www.microsoft.com@www.google.com will take you to google, and microsoft
has no effect.
Domain names don't have to be used. http://216.239.57.104 will take you
to www.google.com just as well. However, even non-technical people know
what an IP is, so that's too obvious in some cases. IPs can be written
in other forms with hex or octal and in some cases the .'s can be omitted.
The & sign depends on the browser. Old versions of IE and other
browsers used to read an & as "ignore everything before this", so
www.microsoft.com/stuff/stuff/stuff&www.ijusthackedyou.com wouldn't get
you to microsoft. The & is much less obvious than the @, but doesn't
seem to work anymore, or at least not on mozilla.
HTTP usernames and passwords don't really work with '/' marks. So
www.microsoft.com/support@eric.com would fail or get you to an error
page within microsoft.
%HEXHEX makes any character, printable or not. %00 is NULL or \0. NULL
is used to terminate a string in most programming languages. If you
fill char[40] with "abc\0def" and leave the other 33 chars as the
default, the 'string' in that array is "abc". If you print
www.microsoft.com/stuff/%00@www.hacks.com, it shows up as
www.microsoft.com/stuff in some cases. Otherwise you can print entire
URLs in %xx%yy%zz format.
You can easily abuse javascript for some purposes. A lot of URLs are
of the form <a>this link</a> but some are of the form
<a>www.stuff.com</a>. Although the second is the same as the first, and
that text could be anything, people are convinced that if the link
contains a url, it must point to that url. Javascript pseudo code
something like: onMouseOver: statusBar.print(url)
will print the url in the status bar when you point the mouse at it.
This emulates the normal behavior when you point to a link in most web
browsers.
There are other tricks, but I don't know all of them offhand.
-Eric Hattemer
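
Added example, not part of the message above: a small link inspector that uses the standard URL parser (as in browsers and Node.js) to report the host a link really resolves to and which of the tricks described above it contains. The function name, the finding labels and the hex/dword sample forms of 216.239.57.104 are assumptions made for this illustration.

```javascript
// Added example, not from the original message. Nothing is fetched.
const DOTTED_QUAD = /^\d{1,3}(\.\d{1,3}){3}$/;

function inspectLink(input) {
  // The message writes URLs without a scheme; assume http:// so they parse.
  const raw = /^[a-z][a-z0-9+.-]*:\/\//i.test(input) ? input : "http://" + input;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { host: null, findings: ["unparseable"] };
  }
  // Authority as typed: everything between "//" and the first "/", "?" or "#".
  const typed = raw.match(/^[^:]+:\/\/([^\/?#]*)/)[1];
  const typedHost = typed.slice(typed.lastIndexOf("@") + 1).replace(/:\d*$/, "");
  const findings = [];

  // Text before "@" in the authority is a username, not the destination.
  if (url.username || url.password) findings.push("userinfo-before-@");
  // The parser normalises hex, octal and dotless IPv4 forms to dotted decimal.
  if (DOTTED_QUAD.test(url.hostname)) {
    findings.push(typedHost === url.hostname ? "ip-literal" : "encoded-ip");
  }
  // %xx escapes in the host hide the name from a reader, not from the parser.
  if (/%[0-9a-f]{2}/i.test(typedHost)) findings.push("percent-encoded-host");
  // %00 and other control characters can truncate what a naive display shows.
  if (/%([01][0-9a-f]|7f)/i.test(raw)) findings.push("encoded-control-char");
  // An "@" after the first "/" is path text; the host before it still applies.
  if (url.pathname.includes("@")) findings.push("@-in-path");

  return { host: url.hostname, findings };
}

// Constructed samples reusing the hostnames from the message.
const SAMPLES = [
  "www.microsoft.com@www.google.com",
  "http://216.239.57.104",
  "http://0xd8.0xef.0x39.0x68/",   // hex form of the same address
  "http://3639556456/",            // same address with the dots omitted
  "www.microsoft.com/support@eric.com",
  "www.microsoft.com/stuff/%00@www.hacks.com",
  "www.microsoft.com/stuff/stuff/stuff&www.ijusthackedyou.com",
];
for (const s of SAMPLES) {
  const r = inspectLink(s);
  console.log(`${s}\n  -> host=${r.host} findings=[${r.findings.join(", ")}]`);
}
```

A mail filter or link-preview step can show `host` next to the link text and treat any non-empty `findings` list as a reason to display the full destination.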