how about a feature request and a bug all in one :)

injection:
t=this
y=('nam')
x=t.eval
x(x(y+ ('e')+new Array)+y)

Hi!

We figured it out - the admins seem to have upgraded the PHP - but w/o Unicode support for the PCRE. That why the centrifuge didn't work at all. Fix will be deployed within the next hours...

@thornmaker: I will take care about the feature request asap :)

<edit>That issue btw caused the problem... should be fixed by our admins any second - thx admins :)</edit>



Edited 2 time(s). Last edit at 10/28/2008 06:22AM by .mario.

IE only. code is:

@cc_on eval(@cc_on name)

Small but ev[ia]l - I just added a rule for conditional compilations plus test case. Thx :)

Here's a IE only one:-
http://www.businessinfo.co.uk/labs/phpids/phpids4.html

document.body.style.cssText=name

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

... with CSS expression in the name - nice ;)

Yeah what's sweet about this one is that no parenthesis are required.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Oh noez!

[x00mario.freehostia.com]

@.mario: i like the layout on the demo page a lot better now, thanks for changing! for(i=0;;)i is a small DoS injection that Firefox 3.0.4 chokes on - IE8 and Opera 9.62 both allow you to abort.

thx - fixed!

This is unfortunately what happens when I'm sick with the flu and can't sleep...

xxx='javascr',xxx+=('ipt:eva'),xxx+=('l(n'),xxx+=('ame),y')
Cen:tri:fug:eBy:pas:sTe:xt:do location=(xxx)
while(0)

Nice one! Fixed..

Get well soon! Effing flu...

almost

x='javascr',x+=('ipt:eva'),x+=('l(na'),x+=('me),y')
abc:def:ghi:jkl:mno:pqr:stu:vwx:yza:bcd:do location=(x)
while(0)

Ouch - something went wrong with uploading the new filters yesterday. Fixed! I also added a small potion of regex to detect the concat pattern. better safe than sorry :)

@thornmaker

That's awesome, I can't figure out why that should be correct js syntax though. What is the interpreter doing?

It seems to be using the ":" as or statements even though it shouldn't be possible to define a block that way at least I thought.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

the ":" is just the label syntax in javascript, and I've chained a bunch of them together. Nothing special there - several of my other bypasses have used that to get around the centrifuge, though usually i put such text at the beginning or end of the injection (in this case, the "do location" bit worked better with a label before it though, iirc).

As your twitter pointed out, labels can have non standard ascii chars, and also other unicode oddities as well: javascript:\u0061\u0300:alert(0)

Well what I found interesting was the fact that label statements seem to be able to link together as or statements. For example :-

//Raises a syntax error "c is undefined"
a:b:c

//doesn't
a:b:c:alert(1)

The docs seem to suggest only one label is allowed and there's no mention of or statements

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Yep - first one is a label for a label for something undefined - while the other is a label for a label for something known.

Yes but the code seems to be ignored for the other statements. After all they are all undefined so the parser should raise an error. Does anyone know anywhere where this is documented?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

a label is really just a prefix before the true statement and itself should not be thought of as a statement. in your a:b:c example, only the a and b are actual labels, the c is the statement which is presumably undefined.

that they can be chained together is kinda nifty



Edited 1 time(s). Last edit at 12/08/2008 10:21PM by thornmaker.

why not try to create a self enhancing script. instead of updating it manually every time!

its just a proposal but it could be nice to try and create. maybe create some sort of honny pot cature the attack and create a regex for it automaticly..
i'm really not sure how far this is possible but it would be great to see.

We kind of already have this via the centrifuge. Okay - it doesn't learn but it is capable of detection attacks without using the blacklist based filter rules.

Creating regex rules on the fly - phew. Based on which criteria the question is ;)

@thornmaker @mario

The labels do refer to the same code which is interesting.

aa:bb:for(i=0;i<10;i++) {
   alert(i);
   break aa;//works
   break bb//works
   break cc//label not found
}

@SpoofGhost

The only way that would be possible would be using AI. The computer would have to know what each attack means and would have to decide if someone was trying to create a malicious reg exp rule.

Auto blocking firewalls have the same problem because if you make a spoofed request as a malicious attack it could block a root dns server or other host.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

.mario - couldn't the centrifuge detection rules be rewritten as regex's? For various reasons (like performance) you might not want to, but as far as I can tell, the rules are functionally equivalent to regular expression rules.

I haven't tested this much, but to do this I think you would need to chain together some look ahead rules... something like... /a(?=(.*b){2,})(?=(.*c){2,})/ should match the a only if it is followed with 2 or more b's and 2 or more c's but the b's and c's can be in any order and have other text mixed in. for the IDS, you would replace a with the start anchor and replace b and c each with whatever class of characters the centrifuge is trying to pick up.

@thornmaker: Hmmm - dunno. I try to avoid lookaheads/lookbehinds. You mean to more easily place them in an external file/port them? Or for another reason?

@.mario: I'm not suggesting you should rewrite the centrifuge. I'm just curious if it is theoretically possible (the mathematician in me). The only advantage I can see in rewriting would be to have all the detection logic in the same place so the code is more portable, but this doesn't seem to be an issue really.

phpids eats backslashes:-

\a\l\e\r\t\(1)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Snap - yes. The demo did. Fixed, thx!

[url=http://demo.phpids.org/?test=foo:bar:boo:far:oof:boa:%0a(this)%5b(%20'a')%2b%20(new Array)%2b%20('lert')%20%2bnew%20Array%5d(0)]foo:bar:boo:far:oof:boa:
(this)[( 'a')+ (new Array)+ ('lert') +new Array](0)
[/url]

@thornmaker

Oooooo nice :) I might do one later after the footy ;) You inspired me

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]