PHPIDS bypass
Sunday, 4 January 2009
I haven’t hacked the PHPIDS for a while but David Lindsay (AKA Thornmaker) inspired me. When I say hacked I mean in a good way because finding bypasses helps improve the filters π
Here is my vector:-
/Please submit the string\
to help us make the \
PHPIDS better./,y=('aler\
t'),x=this,x=x[y]
x('I cant let you have all the fun thornmaker'),/abc abc\
abc abc abc\
abc\
/,/abc abc\
abc abc abc\
abc\
/
Notice the English like text in order to bypass the centrifuge detection. I use backslashes to create strings in order to bypass the regular expressions. “this” refers to the current window and the string alert is passed to the window object which creates a reference to the alert function. It’s worth noting Mario fixed it very quickly so it no longer works. If you want a go and want to come up with your own vector then check out the phpids demo page.
No. 1 — January 5th, 2009 at 3:23 am
backslashes with multilines… nice! I was actually just thinking about that the other night, but in a different context – never occured to me to try it in a bypass π
No. 2 — January 5th, 2009 at 9:43 am
I was also thinking cdata could be another way of doing it π
No. 3 — January 5th, 2009 at 10:19 am
CData doesn’t spilt strings nicely π or reg exps. Just tested it now. There must be another way though