Web Application Security
Re: SQLi with backslash Jun 24 2011 02:51PM
Robin Wood (robin digininja org)
On 24 June 2011 15:29, JD <jdruin (at) gmail (dot) com [email concealed]> wrote:
> You could still try to insert an XSS and see if some other person is served
> that XSS. Surely someone (maybe an admin or power user) can see those logs.
> Also, whenever you can perform SQLi but you cannot actually see any visible
> output, blind SQLi is a fallback position.

Yes but as I said, in the time I've got on the test it isn't really a
practical attack. I've already dropped plenty of XSS into the table so
some may trigger at some point.

> In this case you have an insert statement rather than a select, so I think
> using a blind sub-query might work. Since you cannot see any output, perhaps
> you could use timing. The "sleep()" function in MySQL works well for this.
> As one of the insert parameters, you could insert a "case" statement.
>
> For example, let's say we want to extract the user name that the web server
> uses to log into the database.
>
> We can try to get the 1st letter using timing like this. This select would
> be one of your parameters into the insert. Hopefully this makes sense.
>
> My syntax is probably horrible because I am guessing, but something like:
>
> SELECT CASE WHEN substring(CURRENT_USER(), 1,1) = 'a' THEN sleep(5)
> ELSE sleep(0) END;
> http://dev.mysql.com/doc/refman/5.0/en/control-flow-functions.html
> http://dev.mysql.com/doc/refman/5.0/en/information-functions.html#function_current-user
>

I agree with this but can't find a way to actually get it to run a
query with the SELECT in it. I can't escape the initial query to get
the injection to run.

Robin

>
> On Wed, Jun 22, 2011 at 10:03 AM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>
>> Hi
>> I've got a scenario where both single and double quotes are being
>> stripped but no other escaping appears to be being performed. The
>> database is MySQL with PHP on top.
>>
>> The query that I've found SQL injection on is in the form
>>
>> insert into log values ('a', 'b');
>>
>> where I can inject into the second parameter.
>>
>> If I inject a backslash then I get
>>
>> insert into log values ('a', 'b\');
>>
>> which gives an invalid SQL statement and is how the injection was
>> found. Can anyone come up with a way to exploit this? If I put
>> anything before the slash it isn't really worth anything, and if I put
>> anything after then the statement becomes valid and the slash escapes
>> whatever character is after it.
>>
>> I thought about using the slash to encode something but couldn't get it to
>> work.
>>
>> The table is write only for me, I can't see any of its entries echoed
>> back to the site anywhere so I can't go for stored XSS or anything
>> like that (maybe possible but not in the time available for the test).
>>
>> Apart from breaking the statement I can't see a way to exploit this,
>> can anyone else?
>>
>> Robin
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>
>
>
> --
> Thanks,
>
> JD

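As an added example (not code from the thread or from the application Robin tested), this is the logging pattern described above written two ways: the flawed version that only strips quotes, beside a parameterised version. The table layout, the `mysqli` handle and the function names are assumptions; the thread only shows `insert into log values ('a', 'b')`.

```php
<?php
// Added example: models the write-only log INSERT from the thread.
// Assumed: a table "log" with two string columns and an open mysqli handle.

// Flawed: deleting quotes is treated as "escaping". It is not. Every other
// character, including a backslash, is concatenated straight into the
// string literal, so a message ending in "\" yields ('a', 'b\') and a
// syntax error, which is exactly how the injection point was noticed.
function log_event_flawed(mysqli $db, string $source, string $message): bool
{
    $clean = str_replace(["'", '"'], '', $message);
    $sql   = "INSERT INTO log VALUES ('" . $source . "', '" . $clean . "')";
    return $db->query($sql) !== false;
}

// Fixed: a prepared statement ships the values separately from the SQL
// text, so quotes, backslashes and control-flow expressions such as
// CASE ... sleep() are stored as data and never parsed as syntax.
function log_event_safe(mysqli $db, string $source, string $message): bool
{
    $stmt = $db->prepare('INSERT INTO log VALUES (?, ?)');
    if ($stmt === false) {
        return false;           // statement could not be prepared; log, do not retry with concatenation
    }
    $stmt->bind_param('ss', $source, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Fallback when a prepared statement is not an option: real_escape_string
// escapes backslashes and quotes according to the connection charset, so the
// trailing-backslash case becomes a valid literal ('b\\') instead of an error.
function log_event_escaped(mysqli $db, string $source, string $message): bool
{
    $sql = sprintf(
        "INSERT INTO log VALUES ('%s', '%s')",
        $db->real_escape_string($source),
        $db->real_escape_string($message)
    );
    return $db->query($sql) !== false;
}
```

A quick defensive check for an application like this is to feed each of these functions a message that ends in a single backslash and one that contains a quote: the flawed version errors on the first and silently alters the second, the other two store both verbatim.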

Copyright 2010, SecurityFocus