WebApp Sec mailing list archives
Re: SQLi with backslash
From: Robin Wood <robin () digininja org>
Date: Fri, 24 Jun 2011 15:51:54 +0100
On 24 June 2011 15:29, JD <jdruin () gmail com> wrote:
You count still try to insert a XSS and see if some other person is serverd that XSS. Surely someone (maybe an admin or power user) can see those logs. Also, whenever you can perform SQLi but you cannot actually see any visible output, blind SQLi is a fallback position.
Yes but as I said, in the time I've got on the test it isn't really a practical attack. I've already dropped plenty of XSS into the table so some may trigger at some point.
In this case you have an insert statement rather than a select, so I think using a blind sub-query might work. Since you cannot see any output, perhaps you could use timing. The "sleep()" function in MySQL works well for this. As one of the insert parameters, you could insert a "case" statement. For example, lets say we wait to extract the user name that the web server uses to log into the database. We can try to get the 1st letter using timing like this. This select would be one of your paramters into the insert. Hopefully this makes sense. My syntax is probably horrible becasue I am guessing, but something like: SELECT CASE WHEN substring(CURRENT_USER(), 1,1) = 'a' THEN sleep(5) ELSE sleep(0) END; http://dev.mysql.com/doc/refman/5.0/en/control-flow-functions.html http://dev.mysql.com/doc/refman/5.0/en/information-functions.html#function_current-user
I agree with this but can't find a way to actually get it to run a query with the SELECT in it. I can't escape the initial query to get the injection to run. Robin
On Wed, Jun 22, 2011 at 10:03 AM, Robin Wood <robin () digininja org> wrote:Hi I've got a scenario where both single and double quotes are being stripped but no other escaping appears to be being performed. The database is MySQL with php on top. The query that I've found SQL injection on is in the form insert into log values ('a', 'b'); where I can inject in to the second parameter. If I inject a backslash then I get insert into log values ('a', 'b\'); which gives an invalid SQL statement and is how the injection was found. Can anyone come up with a way to exploit this? If I put anything before the slash isn't really worth anything and if I put anything after then the statement becomes valid and the slash escapes whatever character is after it. I thought about using the slash to encode something but couldn't get it to work. The table is write only for me, I can't see any of its entries echo'ed back to the site anywhere so I can't go for stored XSS or anything like that (maybe possible but not in the time available for the test). Apart from breaking the statement I can't see a way to exploit this, can anyone else? Robin This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus ---------------------------------------- Thanks, JD
This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
Current thread:
- SQLi with backslash Robin Wood (Jun 23)
- Re: SQLi with backslash Voulnet (Jun 26)
- Re: SQLi with backslash Robin Wood (Jun 27)
- Message not available
- RE: SQLi with backslash Onken, Skyler (Jun 28)
- Re: SQLi with backslash Robin Wood (Jun 27)
- Re: SQLi with backslash Voulnet (Jun 26)
- Message not available
- Re: SQLi with backslash Robin Wood (Jun 26)
- <Possible follow-ups>
- Re: SQLi with backslash Robin Wood (Jun 26)