I had a bet with a friend of mine David Lindsey <http://p42.us/> aka Thornmaker. Basically we said the first one to get a XSS vector on phpids <http://php-ids.org/> buys a beer at Bluehat :)I haven’t had much time to do this because I’ve been pretty busy but over the last few days in my spare time I’ve been slowly constructing a vector. David you owe me a beer :D
What is interesting about phpids is that it includes a centrifuge detection
system which compares past vectors and known good inputs which enables them
to detect future attacks that slip past their regular expressions. The
system has greatly improved since the early days and I actually had a ton of
XSS vectors which got past their expressions but not centrifuge.
So in my crazy world of XSS how can you bypass a protection like this? Well
in Firefox there’s a E4X statement which I posted previously that doesn’t
look like javascript syntax. e.g. :-
default xml namespace = statement
Using this method I managed to construct my vector which used this to bypass
centrifuge but I had a problem, how to first get a payload and how to call
that payload. Why is that a problem? Because phpids checks common injections
like eval, alert etc.
I decided to try various different tricks using “this” which refers to the
current window in javascript when executing from a script tag in Firefox.
The methods I used worked well but the centrifuge detection was triggered
when using “+” to concatenate strings.
Simple calls to ‘abc’.concat(’def’) were blocked quite easily so I
needed another method. Using a && trick to bypass some of their regular
expressions it was possible to call a global function by assigning it to a
variable:-
default xml namespace=toolbar,b=1&&this.atob
So the default xml namespace bypasses centrifuge and the variable b is
assigned to the atob function in Firefox. This is because in javascript the
right side of the statement is returned not 1 when using && in this context.
I could get the string eval by converting base64 and convert the string to a
function using the techniques described.
All I needed now was the payload and that was obtained using the 1&& method
but this time using window.name:-
default xml namespace=toolbar,y=1&&name
I had all the raw ingredients now to finish my vector which produced the
final vector that looks like a work of art to me :)
default xml namespace=toolbar,b=1&&this.atob
default xml namespace=toolbar,e2=b('ZXZhbA')
default xml namespace=toolbar,e=this[toolbar,e2]
default xml namespace=toolbar,y=1&&name
default xml namespace=toolbar
default xml namespace=e(y)
[Ph4nt0m] <http://www.ph4nt0m.org/>
[Ph4nt0m Security Team]
<http://blog.ph4nt0m.org/> [EMAIL PROTECTED]
Email: [EMAIL PROTECTED]
PingMe:
<http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=hanqin_wu
hq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>
=== V3ry G00d, V3ry Str0ng ===
=== Ultim4te H4cking ===
=== XPLOITZ ! ===
=== #_# ===
#If you brave,there is nothing you cannot achieve.#
--~--~---------~--~----~------------~-------~--~----~
要向邮件组发送邮件,请发到 [email protected]
要退订此邮件,请发邮件至 [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
<<inline: image001.gif>>
<<inline: image002.gif>>
<<inline: image003.gif>>
