 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
is there a way to bypass protection? |
 |
 Posted: Sat Apr 16, 2005 8:26 am |
 |
|
| dark_el_diablo |
| Beginner |
 |
|
| Joined: Apr 16, 2005 |
| Posts: 1 |
|
|
|
 |
|
 |
|
| is there a way to bypass protector system? for example if i want to get the md5 hash of a site |
|
|
|
|
| Posted: Sat Apr 16, 2005 9:32 am |
|
|
| shai-tan |
| Valuable expert |
 |
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Sat Apr 16, 2005 12:15 pm |
|
|
| KingOfSka |
| Advanced user |
|
|
| Joined: Mar 13, 2005 |
| Posts: 61 |
|
|
|
|
|
|
|
i'm interested too 
is there a way to bypass Sentinel , or the other 2 security mods i saw, the one blaming you, and giving you a whois on your ip , and the other "you got slapped by nukecop" lol
i've done some "experiments" hoping the query wouldn't be detected, but it was detected... |
|
|
|
|
| Posted: Sat Apr 16, 2005 1:13 pm |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
sentinel use database for many kind of attack that detected, so ?
u need to use 0day exploits 
or why dont try to break the sentinel module first ?  |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sat Apr 16, 2005 1:33 pm |
|
|
| KingOfSka |
| Advanced user |
|
|
| Joined: Mar 13, 2005 |
| Posts: 61 |
|
|
|
|
|
|
|
have you got some 0day to give me ? 
i think i'll download the sentinel module and try to understand how it works, then how to bypass it  but i think it would be hard lol
thanks a lot y3 |
|
|
|
|
| Posted: Sun Apr 17, 2005 12:52 am |
|
|
| shai-tan |
| Valuable expert |
|
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
Some of the 0day exploits don't work either. I've tried.
Sentinel is quick secure. |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Sun Apr 17, 2005 5:51 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| KingOfSka wrote: | have you got some 0day to give me ?
i think i'll download the sentinel module and try to understand how it works, then how to bypass it but i think it would be hard lol
thanks a lot y3 |
no problem, just give u some idea
it would be great for you to do a research about that |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sun Apr 17, 2005 5:57 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| shai-tan wrote: | Some of the 0day exploits don't work either. I've tried.
Sentinel is quick secure. |
"quick secure " != 100% secure
if im not wrong, there is one of waraxe advisory already make a funny of "nuke cops" by bypassing the restriction
maybe waraxe will do the same again with senitnel  |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Sun Apr 17, 2005 9:50 am |
|
|
| KingOfSka |
| Advanced user |
|
|
| Joined: Mar 13, 2005 |
| Posts: 61 |
|
|
|
|
|
|
|
tell me if i'm wrong, the mod works in this way:
first, it get the exploit list from the database, then when a user send an HTTP request, the mod checks the request to see if it contains an exploit and take actions.
now i'll try to understand how this databse works.. |
|
|
|
|
| Posted: Sun Apr 17, 2005 10:14 am |
|
|
| shai-tan |
| Valuable expert |
|
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
Your best bet is attacking the module itself. One that hasnt been up dated in a while  |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Sun Apr 17, 2005 12:27 pm |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| KingOfSka wrote: | tell me if i'm wrong, the mod works in this way:
first, it get the exploit list from the database, then when a user send an HTTP request, the mod checks the request to see if it contains an exploit and take actions.
now i'll try to understand how this databse works.. |
somethin like that
coz im not familiar with sentinel n phpnuke 
i dont even know if we modify the request what will happen ?
maybe you could give some try .. or maybe u should find sentinel vulnerabillity |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
| Posted: Sun Apr 17, 2005 4:38 pm |
|
|
| KingOfSka |
| Advanced user |
|
|
| Joined: Mar 13, 2005 |
| Posts: 61 |
|
|
|
|
|
|
|
i gave a quick look at sentinel, it seems it uses regular expression for filtering strings:
| Code: |
// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array[1];
if($blocker_row['activate'] > 0) {
if (stristr($nsnst_const['query_string'],'%20union%20') OR stristr($nsnst_const['query_string'],'*/union/*') OR stristr($nsnst_const['query_string'],' union ') OR stristr($nsnst_const['query_string_base64'],'%20union%20') OR stristr($nsnst_const['query_string_base64'],'*/union/*') OR stristr($nsnst_const['query_string_base64'],' union ')) {
block_ip($blocker_row);
}
}
|
so the base 64 way and the urlencoded one are useless..
now i'll do some test with comment, do you think the chr() way would work? |
|
|
|
|
|
|
|
|
| Posted: Sun Apr 17, 2005 6:11 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Sentinel is not Holy Grail of the phpnuke webmaster, it's not perfect. I mean, you can't just add many different "protection" systems to full of holes phpnuke engine and then hope, that maybe you can sleep well tonight, without fear to discover next morning defaced website
Wait for some time, i'm working currently with Sentinel and there will be advisory soon, i think  |
|
|
|
|
| Posted: Sun Apr 17, 2005 6:36 pm |
|
|
| KingOfSka |
| Advanced user |
|
|
| Joined: Mar 13, 2005 |
| Posts: 61 |
|
|
|
|
|
|
|
ehhehe great as usual waraxe
i'm testing but i think you'll find a way to defeat sentinel before me lol
**edit: just tested , commenting queryies won't work  |
|
|
|
|
| Posted: Sun Apr 17, 2005 7:35 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Heh
I have found method to bypass all the UNION filters. For test i used phpnuke 7.5 installation with sentinel (all the features activated) and then tried to exploit my last #41 bug. Of course, i had been stopped at first, but then i tried some camoflague methods and
So, advisory will be out soon, thats for sure. Should i contact Sentinel developers first?  |
|
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 3
Goto page 1, 2, 3Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 183
Members: 0
Total: 183
