hacktricks/pentesting-web/unicode-injection/README.md

# Kuingiza Unicode

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

## Utangulizi

Kulingana na jinsi mfumo wa nyuma/mbele unavyotenda wakati unapokea **herufi za unicode zisizo za kawaida**, mshambuliaji anaweza kuweza **kuepuka ulinzi na kuingiza herufi za kiholela** ambazo zinaweza kutumika kudukua udhaifu wa kuingiza kama vile XSS au SQLi.

## Ulinganishaji wa Unicode

Ulinganishaji wa unicode hufanyika wakati **herufi za unicode zinalinganishwa na herufi za ASCII**.

Hali moja ya kawaida ya udhaifu wa aina hii hutokea wakati mfumo unapobadilisha **kuingiza** cha mtumiaji **baada ya kukagua**. Kwa mfano, katika lugha fulani, wito rahisi wa kufanya **kuingiza kuwa herufi kubwa au ndogo** kunaweza kulinganisha kuingiza kilichotolewa na **unicode itabadilishwa kuwa ASCII** na kuunda herufi mpya.\
Kwa maelezo zaidi angalia:

{% content-ref url="unicode-normalization.md" %}
[unicode-normalization.md](unicode-normalization.md)
{% endcontent-ref %}

## `\u` hadi `%`

Kawaida, herufi za unicode huwakilishwa na **kiambishi cha `\u`**. Kwa mfano, herufi `㱋` ni `\u3c4b`([angalia hapa](https://unicode-explorer.com/c/3c4B)). Ikiwa mfumo wa nyuma **unabadilisha** kiambishi cha `\u` kuwa `%`, herufi inayopatikana itakuwa `%3c4b`, ambayo inaondolewa URL: **`<4b`**. Na, kama unavyoona, **herufi `<` imeingizwa**.\
Unaweza kutumia mbinu hii kuingiza aina yoyote ya herufi ikiwa mfumo wa nyuma una udhaifu.\
Angalia [https://unicode-explorer.com/](https://unicode-explorer.com/) ili kupata herufi unazohitaji.

Udhaifu huu kimsingi unatokana na udhaifu ambao mtafiti aligundua, kwa maelezo zaidi angalia [https://www.youtube.com/watch?v=aUsAHb0E7Cg](https://www.youtube.com/watch?v=aUsAHb0E7Cg)

## Kuingiza Emoji

Mifumo ya nyuma mara nyingi inatenda kwa njia isiyotarajiwa wakati inapokea **emoji**. Hiyo ndiyo iliyotokea katika [**makala hii**](https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209) ambapo mtafiti alifanikiwa kudukua XSS na mzigo kama huu: `💋img src=x onerror=alert(document.domain)//💛`

Katika kesi hii, kosa lilikuwa kwamba seva baada ya kuondoa herufi mbaya **iligeuza herufi ya UTF-8 kutoka Windows-1252 kuwa UTF-8** (kimsingi kuingiza na ubadilishaji wa kuingiza ulikuwa tofauti). Kisha hii haikutoa < sahihi tu herufi ya unicode isiyotarajiwa: `‹`\
``Kwa hivyo walichukua matokeo haya na **kubadilisha tena sasa kutoka UTF-8 hadi ASCII**. Hii ilifanya `‹` kuwa `<` ndio jinsi udanganyifu ulivyoweza kufanya kazi kwenye mfumo huo.\
Hii ndio iliyotokea:
```php
<?php

$str = isset($_GET["str"]) ? htmlspecialchars($_GET["str"]) : "";

$str = iconv("Windows-1252", "UTF-8", $str);
$str = iconv("UTF-8", "ASCII//TRANSLIT", $str);

echo "String: " . $str;
```
Orodha ya Emoji:

* [https://github.com/iorch/jakaton\_feminicidios/blob/master/data/emojis.csv](https://github.com/iorch/jakaton\_feminicidios/blob/master/data/emojis.csv)
* [https://unicode.org/emoji/charts-14.0/full-emoji-list.html](https://unicode.org/emoji/charts-14.0/full-emoji-list.html)

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								# Kuingiza Unicode
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
 								<details>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Njia nyingine za kusaidia HackTricks:
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
 								* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
 								* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
 								* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
 								* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
 								</details>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Utangulizi
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kulingana na jinsi mfumo wa nyuma/mbele unavyotenda wakati unapokea **herufi za unicode zisizo za kawaida**, mshambuliaji anaweza kuweza **kuepuka ulinzi na kuingiza herufi za kiholela** ambazo zinaweza kutumika kudukua udhaifu wa kuingiza kama vile XSS au SQLi.
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Ulinganishaji wa Unicode
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Ulinganishaji wa unicode hufanyika wakati **herufi za unicode zinalinganishwa na herufi za ASCII**.
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Hali moja ya kawaida ya udhaifu wa aina hii hutokea wakati mfumo unapobadilisha **kuingiza** cha mtumiaji **baada ya kukagua**. Kwa mfano, katika lugha fulani, wito rahisi wa kufanya **kuingiza kuwa herufi kubwa au ndogo** kunaweza kulinganisha kuingiza kilichotolewa na **unicode itabadilishwa kuwa ASCII** na kuunda herufi mpya.\
 								Kwa maelezo zaidi angalia:
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
 								{% content-ref url="unicode-normalization.md" %}
 								[unicode-normalization.md](unicode-normalization.md)
 								{% endcontent-ref %}
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## `\u` hadi `%`
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Kawaida, herufi za unicode huwakilishwa na **kiambishi cha `\u`**. Kwa mfano, herufi `㱋` ni `\u3c4b`([angalia hapa](https://unicode-explorer.com/c/3c4B)). Ikiwa mfumo wa nyuma **unabadilisha** kiambishi cha `\u` kuwa `%`, herufi inayopatikana itakuwa `%3c4b`, ambayo inaondolewa URL: **`<4b`**. Na, kama unavyoona, **herufi `<` imeingizwa**.\
 								Unaweza kutumia mbinu hii kuingiza aina yoyote ya herufi ikiwa mfumo wa nyuma una udhaifu.\
 								Angalia [https://unicode-explorer.com/](https://unicode-explorer.com/) ili kupata herufi unazohitaji.
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Udhaifu huu kimsingi unatokana na udhaifu ambao mtafiti aligundua, kwa maelezo zaidi angalia [https://www.youtube.com/watch?v=aUsAHb0E7Cg](https://www.youtube.com/watch?v=aUsAHb0E7Cg)
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								## Kuingiza Emoji
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Mifumo ya nyuma mara nyingi inatenda kwa njia isiyotarajiwa wakati inapokea **emoji**. Hiyo ndiyo iliyotokea katika [**makala hii**](https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209) ambapo mtafiti alifanikiwa kudukua XSS na mzigo kama huu: `💋img src=x onerror=alert(document.domain)//💛`
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Katika kesi hii, kosa lilikuwa kwamba seva baada ya kuondoa herufi mbaya **iligeuza herufi ya UTF-8 kutoka Windows-1252 kuwa UTF-8** (kimsingi kuingiza na ubadilishaji wa kuingiza ulikuwa tofauti). Kisha hii haikutoa < sahihi tu herufi ya unicode isiyotarajiwa: `‹`\
 								``Kwa hivyo walichukua matokeo haya na **kubadilisha tena sasa kutoka UTF-8 hadi ASCII**. Hii ilifanya `‹` kuwa `<` ndio jinsi udanganyifu ulivyoweza kufanya kazi kwenye mfumo huo.\
 								Hii ndio iliyotokea:
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
+								```php
 								<?php
 								$str = isset($_GET["str"]) ? htmlspecialchars($_GET["str"]) : "";
 								$str = iconv("Windows-1252", "UTF-8", $str);
 								$str = iconv("UTF-8", "ASCII//TRANSLIT", $str);
 								echo "String: " . $str;
 								```
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Orodha ya Emoji:
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
 								* [https://github.com/iorch/jakaton\_feminicidios/blob/master/data/emojis.csv](https://github.com/iorch/jakaton\_feminicidios/blob/master/data/emojis.csv)
 								* [https://unicode.org/emoji/charts-14.0/full-emoji-list.html](https://unicode.org/emoji/charts-14.0/full-emoji-list.html)
 								<details>
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								Njia nyingine za kusaidia HackTricks:
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
-												Translated to Swahili

											
										
										
											2024-02-11 02:13:58 +00:00
+								* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
 								* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
 								* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
 								* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
 								* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
-												GitBook: [#3446] unicode injection

											
										
										
											2022-09-02 10:02:33 +00:00
 								</details>