Penetration Testing mailing list archives
Re: Executing PHP Code from MSSQL table
From: Matthew Lee Hinman <matthew.hinman () gmail com>
Date: Tue, 16 Oct 2007 23:52:53 -0600
Check out using the 'eval' operator in PHP, here's the doc page: http://us2.php.net/eval From the page: "eval - Evaluate a string as PHP code" This should be able to do what you want. - Lee * Jim Halfpenny <jimsmailinglists () gmail com> [2007-10-16 07:52:21 +0100]:
Hi, The problem with this approach is that the content is most likely loaded in by the PHP preprocessor, and it will not usually go back and parse any code inserted. Consider this pseudocode: print ("print(\"World\")") The preprocessor will print the string print("World") but it will not execute the text string as if it were code. The same is true if the text string is retrieved from a database and not a literal. print("<img src=\"" . getImageNameFromDB() . "\">") What you have is an opportunity for cross-site scripting, not PHP code injection. Regards, Jim On 10/16/07, Danux <danuxx () gmail com> wrote:Hi, after testing a PHP-MSSQL app, i am able to insert and update tables but i can't execute store_procedures, so, i was wondering if its possible to update a table putting something like: "phpinfo()" or (passthru("ipconfig")) in order to execute while loading the page? I mean: inside the html page the images are taken from database so... in a black box perspective a think is something like: <img src=$img> and i know where is the table which reads this image name, then i can update the table and instead of read something like $img = picture.gif, reads some thing like "phpinfo();". but as you know this is only a string, even though if i update the table with: eval("phpinfo();") its also a string .... so it dont get executed!! So, i would like you help me, what can i do if i am able to insert, create and update tables but unable to run store procedures, or bulk or bcp!!!!! Thanks!!! -- Danux, CISSP Chief Information Security Officer Macula Security Consulting Group www.macula-group.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Attachment:
_bin
Description:
Current thread:
- Executing PHP Code from MSSQL table Danux (Oct 15)
- Re: Executing PHP Code from MSSQL table Jim Halfpenny (Oct 16)
- Re: Executing PHP Code from MSSQL table Matthew Lee Hinman (Oct 18)
- Re: Executing PHP Code from MSSQL table Danux (Oct 18)
- Re: Executing PHP Code from MSSQL table Matthew Lee Hinman (Oct 18)
- Re: Executing PHP Code from MSSQL table Alexander Klimov (Oct 18)
- Re: Executing PHP Code from MSSQL table Robin Wood (Oct 19)
- Re: Executing PHP Code from MSSQL table Danux (Oct 19)
- Re: Executing PHP Code from MSSQL table Jim Halfpenny (Oct 16)