How To: Embed data inside a URL

20 12 2006

I was poking around the web today and I found this post:

Hackszine.com: RFC 2397 – Embed image data inside a URL

Which basically states that there is a URL that starts with “data:”

data:image/jpeg;base64,base_64_encoded_jpeg_goes_here

Seems easy enough. The example givin is if you want to encode a jpeg into a URL. Now wordpress is really persnikety about the code you can post and “data: URI” is one of the bits that it won’t let you post.  It also fucks up all the base64 encoding so I really can’t post any data: URI’s here.

The article had one link that would encode a ‘data: URI’ for you but that was all 404, so I found a better one:

The data: URI Kitchen

It will encode a file (image or whatever) or HTML into a ‘data: URI’ URL. That is how I made the black parade gif link above. Now lets say you want to send someone an excel file but don’t want all those pesky antivirus filters or deal with uploading the file somewhere.

You can embed Linrider2 into and excel spread sheet.  Now imagine you want to hack someone with the SWF vulnerability. You can put javascript into an SWF file that will execute malicious code.
Now lets see how far down the rabbit hole this little hack will go.  Can you can use applications or exe files. What does the ietf have to say:

data:[mediatype]/[;base64],[data]

The is an Internet media type specification (with optional parameters.)

The appearance of “;base64” means that the data
is encoded as base64. Without “;base64”, the data (as a sequence of
octets) is represented using ASCII encoding for octets inside the
range of safe URL characters and using the standard %xx hex encoding
of URLs for octets outside that range. If is omitted, it
defaults to text/plain;charset=US-ASCII. As a shorthand,
“text/plain” can be omitted but the charset parameter supplied.

Some applications may use the “data” URL scheme in order to provide
setup parameters for other kinds of networking applications. For
example, one might create a media type
application/vnd-xxx-query

whose content consists of a query string and a database identifier
for the “xxx” vendor’s databases. A URL of the form:
data:application/vnd-xxx-query,select_vcount,fcol_from_fieldtable/local
could then be used in a local application to launch the “helper” for
application/vnd-xxx-query and give it the immediate data included.

I have tried some small SWF files on their own to no avail, but you can send EXE or executable files. It just downloads the exe directly.

There now wasn’t that fun?!? I will keep on working on some hacks for this that are a little less obivous. In the meanwhile, go an be naughty.


Actions

Information

One response

15 06 2012
Ronaldinho

I do believe all the ideas you’ve presented in your post. They’re very convincing and will certainly work. Still, the posts are too short for starters. May just you please lengthen them a little from next time? Thank you for the post.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: