Sunday, 4 January 2009
I haven’t hacked the PHPIDS for a while but David Lindsay (AKA Thornmaker) inspired me. When I say hacked I mean in a good way because finding bypasses helps improve the filters
Here is my vector:-
/Please submit the string\ to help us make the \ PHPIDS better./,y=('aler\ t'),x=this,x=x[y] x('I cant let you have all the fun thornmaker'),/abc abc\ abc abc abc\ abc\ /,/abc abc\ abc abc abc\ abc\ /
Notice the English like text in order to bypass the centrifuge detection. I use backslashes to create strings in order to bypass the regular expressions. “this” refers to the current window and the string alert is passed to the window object which creates a reference to the alert function. It’s worth noting Mario fixed it very quickly so it no longer works. If you want a go and want to come up with your own vector then check out the phpids demo page.