# Unicode Injection

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Introduction

Kulingana na jinsi back-end/front-end inavyofanya kazi wakati in **pata wahusika wa unicode wa ajabu**, mshambuliaji anaweza **kupita ulinzi na kuingiza wahusika wa kiholela** ambao wanaweza kutumika **kudhulumu udhaifu wa kuingiza** kama XSS au SQLi.

## Unicode Normalization

Unicode normalization inatokea wakati **wahusika wa unicode wanapohaririwa kuwa wahusika wa ascii**.

Moja ya hali ya kawaida ya aina hii ya udhaifu inatokea wakati mfumo unafanya **mabadiliko** kwa namna fulani kwenye **ingizo** la mtumiaji **baada ya kulikagua**. Kwa mfano, katika lugha zingine, simu rahisi ya kufanya **ingizo kuwa kubwa au dogo** inaweza kuhariri ingizo lililotolewa na **unicode itabadilishwa kuwa ASCII** ikizalisha wahusika wapya.\
Kwa maelezo zaidi angalia:

{% content-ref url="unicode-normalization.md" %}
[unicode-normalization.md](unicode-normalization.md)
{% endcontent-ref %}

## `\u` to `%`

Wahusika wa unicode mara nyingi huwakilishwa na **`\u` prefix**. Kwa mfano, wahusika `㱋` ni `\u3c4b`([angalia hapa](https://unicode-explorer.com/c/3c4B)). Ikiwa back-end **inabadilisha** prefix **`\u` kuwa `%`**, string inayotokana itakuwa `%3c4b`, ambayo imefutwa URL ni: **`<4b`**. Na, kama unavyoona, wahusika **`<` wanaingizwa**.\
Unaweza kutumia mbinu hii ku **ingiza aina yoyote ya wahusika** ikiwa back-end ina udhaifu.\
Angalia [https://unicode-explorer.com/](https://unicode-explorer.com/) kupata wahusika unahitaji.

Udhaifu huu kwa kweli unatokana na udhaifu ambao mtafiti alipata, kwa maelezo zaidi angalia [https://www.youtube.com/watch?v=aUsAHb0E7Cg](https://www.youtube.com/watch?v=aUsAHb0E7Cg)

## Emoji Injection

Back-ends fulani hufanya kazi kwa njia ya ajabu wanap **pokea emojis**. Hivyo ndivyo ilivyotokea katika [**hii ripoti**](https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209) ambapo mtafiti alifanikiwa kupata XSS kwa payload kama: `💋img src=x onerror=alert(document.domain)//💛`

Katika kesi hii, kosa lilikuwa kwamba server baada ya kuondoa wahusika wabaya **ilibadilisha string ya UTF-8 kutoka Windows-1252 hadi UTF-8** (kimsingi uandishi wa ingizo na kubadilisha kutoka uandishi vilikuwa tofauti). Kisha hii haisababishi < sahihi bali unicode ya ajabu: `‹`\
``Hivyo walichukua matokeo haya na **kugeuza tena sasa kutoka UTF-8 hadi ASCII**. Hii **ilihariri** `‹` kuwa `<` hii ndiyo jinsi exploit ilivyoweza kufanya kazi kwenye mfumo huo.\
Hii ndiyo ilivyotokea:
```php
<?php

$str = isset($_GET["str"]) ? htmlspecialchars($_GET["str"]) : "";

$str = iconv("Windows-1252", "UTF-8", $str);
$str = iconv("UTF-8", "ASCII//TRANSLIT", $str);

echo "String: " . $str;
```
Emoji orodha:

* [https://github.com/iorch/jakaton\_feminicidios/blob/master/data/emojis.csv](https://github.com/iorch/jakaton\_feminicidios/blob/master/data/emojis.csv)
* [https://unicode.org/emoji/charts-14.0/full-emoji-list.html](https://unicode.org/emoji/charts-14.0/full-emoji-list.html)

{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}