PHPIDS bypass

I haven’t hacked the PHPIDS for a while but David Lindsay (AKA Thornmaker) inspired me. When I say hacked I mean in a good way because finding bypasses helps improve the filters :)

Here is my vector:-

/Please submit the string\
to help us make the \
PHPIDS better./,y=('aler\
t'),x=this,x=x[y]
x('I cant let you have all the fun thornmaker'),/abc abc\
abc abc abc\
abc\
/,/abc abc\
abc abc abc\
abc\
/

Notice the English like text in order to bypass the centrifuge detection. I use backslashes to create strings in order to bypass the regular expressions. “this” refers to the current window and the string alert is passed to the window object which creates a reference to the alert function. It’s worth noting Mario fixed it very quickly so it no longer works. If you want a go and want to come up with your own vector then check out the phpids demo page.

3 Responses to “PHPIDS bypass”

  1. thornmaker writes:

    backslashes with multilines… nice! I was actually just thinking about that the other night, but in a different context – never occured to me to try it in a bypass :)

  2. Gareth Heyes writes:

    I was also thinking cdata could be another way of doing it :)

  3. Gareth Heyes writes:

    CData doesn’t spilt strings nicely :( or reg exps. Just tested it now. There must be another way though