phpids bypass #120

Open
ilk3r opened this Issue Dec 19, 2016 · 9 comments


@ilk3r
ilk3r commented Dec 19, 2016

Hi all.

I have come across an issue with phpids. I have been able to disable the service via SQLi.
All that seems to be required is injecting into the security field, e.g.
Cookie: security=low''; PHPSESSID=g3du7t21hr27ss3o853la8h602
This disables the phpids service even when the security level is set to impossible.

@ilk3r
ilk3r commented Dec 19, 2016

That's correct, once the injection is passed the security level is set to low.

@ilk3r
ilk3r commented Dec 19, 2016

You can put in anything, e.g. Cookie: security=low apple;

@ilk3r
ilk3r commented Dec 19, 2016

Because if the level is set to medium, high or impossible with phpids enabled, you can disable the IDS and set the level to low.

@digininja
Contributor

Found it, in here:

./dvwa/includes/dvwaPage.inc.php

If the security level passed in is not one of the allowed values then the IDS value is set to whatever the default is, which is false by default.

So if you pass "lowx" as the security level the IDS is disabled.

```php
// Valid security levels
$security_levels = array('low', 'medium', 'high', 'impossible');
if( !isset( $_COOKIE[ 'security' ] ) || !in_array( $_COOKIE[ 'security' ], $security_levels ) ) {
    // Set security cookie to impossible if no cookie exists
    if( in_array( $_DVWA[ 'default_security_level' ], $security_levels) ) {
        dvwaSecurityLevelSet( $_DVWA[ 'default_security_level' ] );
    }
    else {
        dvwaSecurityLevelSet( 'impossible' );
    }

    if( $_DVWA[ 'default_phpids_level' ] == 'enabled' )
        dvwaPhpIdsEnabledSet( true );
    else
        dvwaPhpIdsEnabledSet( false );
}
```

Should probably set enabled and disabled in the session rather than set or not set; then, if the session value doesn't exist, it can be set to the default, but if it is set it can be left alone.
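The logic flaw described above and the session-based fix suggested, as an added PHP illustration that is not DVWA's own code. It reduces the cookie check to pure functions over plain arrays (standing in for $_COOKIE and $_SESSION) so it runs from the CLI; the function names resolveOriginal and resolveHardened are hypothetical, and the config array is constructed to mirror the $_DVWA keys quoted in the snippet.

```php
<?php
// Added illustration (not DVWA's code): the cookie/session logic from
// dvwaPage.inc.php modelled as pure functions over plain arrays so it can be
// run without a web server. $session stands in for $_SESSION (by reference),
// $cookie stands in for $_COOKIE.

const SECURITY_LEVELS = ['low', 'medium', 'high', 'impossible'];

// Constructed config: keys mirror the $_DVWA keys in the quoted snippet.
// IDS is off unless explicitly enabled, which is the default being discussed.
$config = [
    'default_security_level' => 'impossible',
    'default_phpids_level'   => 'disabled',
];

// Original behaviour (hypothetical name): a cookie value outside the
// whitelist resets BOTH the security level and the IDS flag to the configured
// defaults, even when the session already had IDS switched on.
function resolveOriginal(array $cookie, array &$session, array $config): void
{
    if (!isset($cookie['security']) || !in_array($cookie['security'], SECURITY_LEVELS, true)) {
        $session['security'] = in_array($config['default_security_level'], SECURITY_LEVELS, true)
            ? $config['default_security_level']
            : 'impossible';
        $session['phpids'] = ($config['default_phpids_level'] === 'enabled');
    }
}

// Hardened variant following the suggestion in the thread (hypothetical
// name): the IDS flag is initialised from the default only when the session
// has no value for it; a malformed security cookie only affects the security
// level and never touches the IDS state.
function resolveHardened(array $cookie, array &$session, array $config): void
{
    if (!array_key_exists('phpids', $session)) {
        $session['phpids'] = ($config['default_phpids_level'] === 'enabled');
    }
    if (!isset($cookie['security']) || !in_array($cookie['security'], SECURITY_LEVELS, true)) {
        $session['security'] = in_array($config['default_security_level'], SECURITY_LEVELS, true)
            ? $config['default_security_level']
            : 'impossible';
    }
}

// Constructed scenario: the user has IDS on and level impossible in the
// session, then a request arrives carrying the malformed cookie from the
// report. Compare what each variant leaves in the session.
$tamperedCookie = ['security' => "low''"];

$sessionA = ['security' => 'impossible', 'phpids' => true];
resolveOriginal($tamperedCookie, $sessionA, $config);
printf("original: level=%s ids=%s\n", $sessionA['security'], var_export($sessionA['phpids'], true));

$sessionB = ['security' => 'impossible', 'phpids' => true];
resolveHardened($tamperedCookie, $sessionB, $config);
printf("hardened: level=%s ids=%s\n", $sessionB['security'], var_export($sessionB['phpids'], true));
```

Run it with `php` on the command line: the original variant drops the IDS flag to the configured default on the malformed cookie, while the hardened variant keeps the value already stored in the session and only re-derives the security level. The design point is that the two settings have different trust sources: the security level is legitimately driven by the cookie, whereas the IDS flag belongs to the session and should only be seeded, never reset, by cookie validation.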
