This is a quick script I wrote for converting to Unicode and back when using string.fromCharCode() to circumvent filters in Cross Site Scripting attacks.
[shell]Usage: -auh
Simple tool to convert from ASCII to Unicode and back for use with String.fromCharCode().
arguments:
-h, –help Show this help message and exit.
-a ASCII_STRING Enter the ASCII string for conversion contained within ” “. Any ” in the string itself must be escaped with a \ or simply use ‘ instead.
-u UNICODE_CHARS Enter the Unicode values for conversion contained within ” “. Script will take comma separated values as well as just spaced.
[/shell]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
#!/usr/bin/python2.7
import argparse
import sys
import re
def CharCode(text):
print "<script>eval(String.fromCharCode(",
for count, letter in enumerate(text): #setting up a for loop, so we can iterate through the string and get the unicode value for each char. enumerate() gets the count of the character and assigns it to count. We can then use these to add commas after each value.
Unicode_values = ord(letter) #ord is the built in function that gets the unicode value for an ascii character
sys.stdout.write(str(Unicode_values))
if count < len(text) -1: #basically saying here, if we are at any value but the last, add a comma after it.len is an inbuilt function that gets the length of a string'''
sys.stdout.write(', ')
else:
sys.stdout.write('))</script>')
sys.stdout.write('\r\n') #adding a new line at the end so it looks tidier in the bash shell
def CharDecode(unicode_chars):
ASCII_chars = ""
for code in unicode_chars.split(' '): #.split() breaks up a string based on the separator you specify (in this case a space).
if "," in code:
code = code.replace(',', '') #here we remove any commas from input
ASCII_chars += chr(int(code)) #chr is the built in function that converts from unicode to ascii
print "ASCII string is:", ASCII_chars
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Simple tool to convert from ASCII to Unicode and back for use with String.fromCharCode().', usage = '-auh') #argparse let's us take input via flags
parser.add_argument("-a", dest = "ascii_string", action = "store", help = '''Enter the ASCII string for conversion contained within " ". Any " in the string itself must be escaped with a \ or simply use ' instead.''', required = False)
parser.add_argument("-u", dest = "unicode_chars", action = "store", help = '''Enter the Unicode values for conversion contained within " ". Script will take comma separated values as well as just spaced.''', required = False)
args = parser.parse_args() #this makes args the method of the argparser class, so we can access any usersupplied variables with args.variablename'''
if not (args.ascii_string or args.unicode_chars): #checking to make sure some input is supplied
parser.error("Input is required! Usage: -a ASCII string, -u Unicode values, -h help.")
if args.ascii_string:
CharCode(args.ascii_string)
if args.unicode_chars:
CharDecode(args.unicode_chars)
|
Example usage:
[shell]# ./charcode.py -a “alert(‘hey’)”
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 104, 101, 121, 39, 41))</script>[/shell]