Web Application Security
SQLi with backslash Jun 22 2011 02:03PM
Robin Wood (robin digininja org) (1 replies)
Re: SQLi with backslash Jun 24 2011 05:17PM
Voulnet (voulnet gmail com) (1 replies)
Re: SQLi with backslash Jun 25 2011 10:36AM
Robin Wood (robin digininja org) (1 replies)
On 24 June 2011 18:17, Voulnet <voulnet (at) gmail (dot) com [email concealed]> wrote:
> They are probably using that mysql_real_escape_string php function,
> which escapes these characters. There are many ways to bypass it, and
> you can find it all over the web.
>
> Some examples:
>
> use char(39) <-- ASCII decimal value of ' is 39
> or use the hex value. For example SELECT (0x27) <-- 27 is the hex value of '.
>
> For example if you want to load a file, you would call
> load_file('myfile'), using hex encoding you take 'myfile' with the
> single quotes included and convert it to hex, then write it as
> load_file(0x27..........27) with the rest of the hex values of the
> filename characters filled in between.
>

No, all they are doing is stripping ' and ", they dump the statements
to screen in the error message.

And using 0x27 will just end up with the string 0x27 being inserted as
it is inside the single quoted string. That might help if I could
escape the quotes but that is the bit I can't do.

Robin

>
> On Wed, Jun 22, 2011 at 5:03 PM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>> Hi
>> I've got a scenario where both single and double quotes are being
>> stripped but no other escaping appears to be being performed. The
>> database is MySQL with php on top.
>>
>> The query that I've found SQL injection on is in the form
>>
>> insert into log values ('a', 'b');
>>
>> where I can inject in to the second parameter.
>>
>> If I inject a backslash then I get
>>
>> insert into log values ('a', 'b\');
>>
>> which gives an invalid SQL statement and is how the injection was
>> found. Can anyone come up with a way to exploit this? If I put
>> anything before the slash isn't really worth anything and if I put
>> anything after then the statement becomes valid and the slash escapes
>> whatever character is after it.
>>
>> I thought about using the slash to encode something but couldn't get it to work.
>>
>> The table is write only for me, I can't see any of its entries echo'ed
>> back to the site anywhere so I can't go for stored XSS or anything
>> like that (maybe possible but not in the time available for the test).
>>
>> Apart from breaking the statement I can't see a way to exploit this,
>> can anyone else?
>>
>> Robin
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>>
>

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]
Re: SQLi with backslash Jun 25 2011 04:51PM
Voulnet (voulnet gmail com) (1 replies)
RE: SQLi with backslash Jun 27 2011 03:38PM
Onken, Skyler (onk08001 byui edu)


 

Privacy Statement
Copyright 2010, SecurityFocus