Web Application Security
Re: SQLi with backslash Jun 26 2011 08:33AM
Robin Wood (robin digininja org) (1 reply)
Re: SQLi with backslash Jun 26 2011 05:29PM
Voulnet (voulnet gmail com)
So it goes into MySQL completely single-quote free, and just writing
); SQLi HERE -- doesn't work? That's kinda weird. Is it because MySQL
is not supporting stacked queries? If that is so then there is a way
around that, you can check Advanced MySQL Exploitation, a paper
released in BlackHat a few years ago, it might be of interest.

Other than that, I think I am out of ideas and your client might have
gotten away with it.

On Sun, Jun 26, 2011 at 11:33 AM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
> On 26 June 2011 06:02, Voulnet <voulnet (at) gmail (dot) com [email concealed]> wrote:
>> Yeah, I understood from you that the web app removes only the single
>> and double quotes.
>>
>> So what kind of query would be executed on MySQL? is it:
>> 1- insert into log values ('a','b');
>> or
>> 2- insert into log values (a,b); <-- I doubt it is this way, because a
>> and b should be strings.
>>
>> so if you only add a backslash, which as I understand doesn't get
>> stripped, wouldn't the query executed on MySQL be:
>>  insert into log values ('a\','b'); <-- which should do the backslash trick?
>>
>> If that doesn't happen, then you've got a really annoying web app to
>> test, haha. Tell them all the O'Reilly's in the world hate them.
>
> It is the second one of your pair but I can only inject into the
> second parameter, it is logging a username when attempting to login
> and I've no control over the first parameter.
>
> I think we are going to come to the conclusion that I expected, their
> coding is bad but they've got away with it.
>
> Robin
>
>>
>> On Sun, Jun 26, 2011 at 1:46 AM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>> On 25 June 2011 23:40, Voulnet <voulnet (at) gmail (dot) com [email concealed]> wrote:
>>>> Have you tried a backslash to let MySQL auto escape a single quote for you?
>>>
>>> All single and double quotes are being stripped by the application
>>> before getting to the SQL query.
>>>
>>> Nice try though.
>>>
>>> Robin
>>>
>>>> Example:
>>>>
>>>> insert into log values('a\', ' );drop table log --');
>>>>
>>>> If I am correct, the first parameter would be 'a\', ' <-- this would
>>>> be because with the backslash, MySQL would escape the next single
>>>> quote, and consider the starting single quote of the 2nd parameter as
>>>> the closing quote of the 1st parameter, then what you input as the 2nd
>>>> parameter would be executed, so you terminate the insert correctly and
>>>> execute your SQLi string.
>>>>
>>>> I am not sure if it would work, but I'm sure you can play around with
>>>> that concept and get it to work. You might have some luck finding
>>>> column truncation issues, too.
>>>>
>>>> ---------------------------------------------------------
>>>> Voulnet: Your local geek
>>>> Stalk me on twitter @Voulnet
>>>>
>>>>
>>>> On Sat, Jun 25, 2011 at 10:33 PM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>>>> On 25 June 2011 17:51, Voulnet <voulnet (at) gmail (dot) com [email concealed]> wrote:
>>>>>> Okay then, have you tried an alternate encoding? MySQL can act funny
>>>>>> when asian characters are used. For reference you can see this:
>>>>>>
>>>>>> http://stackoverflow.com/questions/1220182/does-mysql-real-escape-string-fully-protect-against-sql-injection
>>>>>>
>>>>>> Because, if I understand correctly, there would be a discrepancy between
>>>>>> what PHP sees (thinking it is a normal multibyte character and passing
>>>>>> it on) and what MySQL sees if set incorrectly, which would result in it
>>>>>> parsing the asian character as something + single quote.
>>>>>
>>>>> Just tried and it didn't work, was worth a try.
>>>>>
>>>>>> By the way, have you tried the char(39) or hex encoding and verified
>>>>>> it didn't work?
>>>>>
>>>>> Yes, it won't work as the char(39) is inside the quotes so is just
>>>>> taken as a string:
>>>>>
>>>>> insert into log values ('a', 'xx char(39) ...');
>>>>>
>>>>> To use it I would have to have broken out of the quotes first.
>>>>>
>>>>> Robin
>>>>>
>>>>>>
>>>>>> On Sat, Jun 25, 2011 at 1:36 PM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>>>>>> On 24 June 2011 18:17, Voulnet <voulnet (at) gmail (dot) com [email concealed]> wrote:
>>>>>>>> They are probably using that mysql_real_escape_string php function,
>>>>>>>> which escapes these characters. There are many ways to bypass it, and
>>>>>>>> you can find it all over the web.
>>>>>>>>
>>>>>>>> Some examples:
>>>>>>>>
>>>>>>>> use char(39) <-- ASCII decimal value of ' is 39
>>>>>>>> or use the hex value. For example SELECT (0x27) <-- 27 is the hex value of '.
>>>>>>>>
>>>>>>>> For example if you want to load a file, you would call
>>>>>>>> load_file('myfile'), using hex encoding you take 'myfile' with the
>>>>>>>> single quotes included and convert it to hex, then write it as
>>>>>>>> load_file(0x27..........27) with the rest of the hex values of the
>>>>>>>> filename characters filled in between.
>>>>>>>>
>>>>>>>
>>>>>>> No, all they are doing is stripping ' and ", they dump the statements
>>>>>>> to screen in the error message.
>>>>>>>
>>>>>>> And using 0x27 will just end up with the string 0x27 being inserted as
>>>>>>> it is inside the single quoted string. That might help if I could
>>>>>>> escape the quotes but that is the bit I can't do.
>>>>>>>
>>>>>>> Robin
>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Jun 22, 2011 at 5:03 PM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
>>>>>>>>> Hi
>>>>>>>>> I've got a scenario where both single and double quotes are being
>>>>>>>>> stripped but no other escaping appears to be being performed. The
>>>>>>>>> database is MySQL with php on top.
>>>>>>>>>
>>>>>>>>> The query that I've found SQL injection on is in the form
>>>>>>>>>
>>>>>>>>> insert into log values ('a', 'b');
>>>>>>>>>
>>>>>>>>> where I can inject in to the second parameter.
>>>>>>>>>
>>>>>>>>> If I inject a backslash then I get
>>>>>>>>>
>>>>>>>>> insert into log values ('a', 'b\');
>>>>>>>>>
>>>>>>>>> which gives an invalid SQL statement and is how the injection was
>>>>>>>>> found. Can anyone come up with a way to exploit this? If I put
>>>>>>>>> anything before the slash it isn't really worth anything, and if I put
>>>>>>>>> anything after then the statement becomes valid and the slash escapes
>>>>>>>>> whatever character is after it.
>>>>>>>>>
>>>>>>>>> I thought about using the slash to encode something but couldn't get it to work.
>>>>>>>>>
>>>>>>>>> The table is write-only for me, I can't see any of its entries echoed
>>>>>>>>> back to the site anywhere so I can't go for stored XSS or anything
>>>>>>>>> like that (maybe possible but not in the time available for the test).
>>>>>>>>>
>>>>>>>>> Apart from breaking the statement I can't see a way to exploit this,
>>>>>>>>> can anyone else?
>>>>>>>>>
>>>>>>>>> Robin
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This list is sponsored by Cenzic
>>>>>>>>> --------------------------------------
>>>>>>>>> Let Us Hack You. Before Hackers Do!
>>>>>>>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>>>>>>>>> Request Yours Now!
>>>>>>>>> http://www.cenzic.com/2009HClaunch_Securityfocus
>>>>>>>>> --------------------------------------
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

