RE: malicious encoding - mysql php

["Rob Shein" <shoten () starpower net>]

It looks to me like they're either filtering out the apostrophe (this can be
done using the preg() function in PHP quite easily) or converting it to
something else (less likely).  I don't think you'll be able to get around
it, but have you tried any other characters (double quote) to see what
happens then?

> -----Original Message-----
> From: biftarin () hotmail com [mailto:biftarin () hotmail com] 
> Sent: Thursday, September 02, 2004 3:44 PM
> To: pen-test () securityfocus com
> Subject: malicious encoding - mysql php
>
>
>
>
> Hi all,
>
> I'm currently auditing a forum running on Redhat Enterprise, 
> Apache 1.3.27, PHP 4.3.7 and mySQL 3.23.58 .
>
> The problem I need to solve is how to bypass this filter that 
> blocks apostrophes.
>
> $input = str_replace("'", "'", $input)
>
> (in case the board decodes the 2nd argument, it is ampersand 
> hash 39)  
>
> I have tried UTF-8 encoding ( %c0%a7 ) and the apostrophe 
> appears in the mysql log file. 
>
> e.g  The query in the logfile looks like this.
>
> SELECT * FROM sessions WHERE key='invalidkey' AND member_id = '1'
>
> This doesn't return a row. Yet when I copy and paste this 
> query and execute it through the mysql client it returns a 
> row as expected.
>
> It looks as though the %c0%a7 isn't being filtered out by PHP 
> but it's not being viewed as an apostrophe by mySQL even 
> though it appears as an apostrophe in the mySQL log file.
>
> If someone could help me understand this discrepancy or offer 
> an alternative way to bypass the filter I'd really appreciate it.
>
> Thanks in advance.
>
> --------------------------------------------------------------
> ----------------
> Ethical Hacking at the InfoSec Institute. All of our class 
> sizes are guaranteed to be 12 students or less to facilitate 
> one-on-one interaction with one of our expert instructors. 
> Check out our Advanced Hacking course, learn to write 
> exploits and attack security infrastructure. Attend a course 
> taught by an expert instructor with years of in-the-field pen 
> testing experience in our state of the art hacking lab. 
> Master the skills of an Ethical Hacker to better assess the 
> security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
---



------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------