Web Application Security
SQLi with backslash Jun 22 2011 02:03PM
Robin Wood (robin digininja org) (1 replies)
Re: SQLi with backslash Jun 24 2011 05:17PM
Voulnet (voulnet gmail com) (1 replies)
They are probably using that mysql_real_escape_string php function,
which escapes these characters. There are many ways to bypass it, and
you can find it all over the web.

Some examples:

use char(39) <-- ASCII decimal value of ' is 39
or use the hex value. For example SELECT (0x27) <-- 27 is the hex value of '.

For example if you want to load a file, you would call
load_file('myfile'), using hex encoding you take 'myfile' with the
single quotes included and convert it to hex, then write it as
load_file(0x27..........27) with the rest of the hex values of the
filename characters filled in between.

On Wed, Jun 22, 2011 at 5:03 PM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
> Hi
> I've got a scenario where both single and double quotes are being
> stripped but no other escaping appears to be being performed. The
> database is MySQL with php on top.
>
> The query that I've found SQL injection on is in the form
>
> insert into log values ('a', 'b');
>
> where I can inject in to the second parameter.
>
> If I inject a backslash then I get
>
> insert into log values ('a', 'b\');
>
> which gives an invalid SQL statement and is how the injection was
> found. Can anyone come up with a way to exploit this? If I put
> anything before the slash it isn't really worth anything, and if I put
> anything after then the statement becomes valid and the slash escapes
> whatever character is after it.
>
> I thought about using the slash to encode something but couldn't get it to work.
>
> The table is write only for me, I can't see any of its entries echoed
> back to the site anywhere so I can't go for stored XSS or anything
> like that (maybe possible but not in the time available for the test).
>
> Apart from breaking the statement I can't see a way to exploit this,
> can anyone else?
>
> Robin

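The two posts above describe one filter (strip single and double quotes, leave everything else) and two of its consequences: Robin's lone backslash swallows the closing quote and leaves the INSERT unterminated, and Voulnet's point that the filter is not what protects a query in the first place. The following Python is an added example, not code from the thread or from either poster: it models that filter, walks the resulting statement with a scanner that follows MySQL's default backslash-escape lexing, contrasts it with an escaping routine that covers the same characters as mysql_real_escape_string(), and finishes with the parameterised INSERT that makes both unnecessary. All function names are mine; sqlite3 stands in for MySQL so it runs offline.

```python
# Added example (not from the thread): why quote stripping is not a SQL defence.
# strip_quotes() is the filter Robin describes; mysql_escape() reimplements the
# character set mysql_real_escape_string() escapes (it is not the PHP function);
# scan_literals() mimics MySQL's lexer with backslash escapes on (the default,
# turned off only by sql_mode NO_BACKSLASH_ESCAPES); store_with_params() is the fix.
import sqlite3


def strip_quotes(value: str) -> str:
    """The filter in the thread: delete ' and " and nothing else."""
    return value.replace("'", "").replace('"', "")


def mysql_escape(value: str) -> str:
    """Escape the characters mysql_real_escape_string() handles.

    Doubling the backslash is the important part: once it is escaped, user
    input can no longer swallow the closing quote of the literal it sits in.
    """
    table = {
        "\\": "\\\\", "'": "\\'", '"': '\\"',
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in value)


def build_insert(a: str, b: str, sanitize) -> str:
    """String-concatenated INSERT of the shape quoted in the thread."""
    return f"insert into log values ('{sanitize(a)}', '{sanitize(b)}');"


def scan_literals(sql: str):
    """Walk the single-quoted literals of a statement as MySQL's lexer would.

    Returns (decoded_literals, unterminated). unterminated=True means the
    lexer reached end of input inside a literal: a syntax error, which is
    exactly the "invalid SQL statement" Robin observed.
    """
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        buf, j, closed = [], i + 1, False
        while j < n:
            c = sql[j]
            if c == "\\":                      # backslash escapes the next char
                if j + 1 < n:
                    buf.append(sql[j + 1])
                j += 2
            elif c == "'" and j + 1 < n and sql[j + 1] == "'":
                buf.append("'")                # '' inside a literal is a quote
                j += 2
            elif c == "'":
                closed = True
                break
            else:
                buf.append(c)
                j += 1
        if not closed:
            return literals, True
        literals.append("".join(buf))
        i = j + 1
    return literals, False


def store_with_params(a: str, b: str) -> str:
    """Bind the values as parameters: nothing is escaped, nothing is stripped.

    sqlite3 is used so this runs offline; with MySQL the same shape is
    cursor.execute("... values (%s, %s)", (a, b)) in MySQLdb/PyMySQL, or a
    prepared statement through PDO in PHP.
    """
    con = sqlite3.connect(":memory:")
    con.execute("create table log (a text, b text)")
    con.execute("insert into log values (?, ?)", (a, b))
    return con.execute("select b from log").fetchone()[0]


if __name__ == "__main__":
    payload = "b\\"  # constructed input: Robin's probe, a single trailing backslash
    for name, fn in (("strip_quotes", strip_quotes), ("mysql_escape", mysql_escape)):
        sql = build_insert("a", payload, fn)
        lits, broken = scan_literals(sql)
        print(f"{name:13} {sql:40} unterminated={broken} literals={lits}")
    print("parameterised:", repr(store_with_params("a", payload)))
```

Running it shows the stripped version producing `('a', 'b\');` with the second literal never closed, the escaped version storing a literal backslash, and the parameterised version storing the probe byte-for-byte. Note that quote stripping also does nothing for an injection point that is not inside a quoted literal, which is what Voulnet's char(39) and 0x27 examples rely on; binding parameters covers both situations.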
Re: SQLi with backslash Jun 25 2011 10:36AM
Robin Wood (robin digininja org) (1 replies)
Re: SQLi with backslash Jun 25 2011 04:51PM
Voulnet (voulnet gmail com) (1 replies)
RE: SQLi with backslash Jun 27 2011 03:38PM
Onken, Skyler (onk08001 byui edu)
Copyright 2010, SecurityFocus