Security Basics mailing list archives
Re: magic_quotes
From: Christoph 'knurd' Jeschke <christoph.jeschke () gmail com>
Date: Tue, 28 Jun 2005 00:14:36 +0200
mickael kael wrote:
> (this is just code for testing)
> code: $sql = "SELECT nom FROM log where id='$id'";
> url: test.php?id=999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/*
> result: SELECT nom FROM log where id='999%27 UNION ALL SELECT nom FROM log where id=1/*'
Right. This only works if $id is additionally urldecode()d. Then %27 will be replaced with '. This vuln appeared in ... Phorum last year, IIRC.
> But it doesn't work, I think; MySQL does not interpret %27.
Right.
> I read in the thread that it is possible to bypass magic_quotes, but I don't find any solution. So if someone says it is possible, it would be interesting to have a PoC.
See <http://www.gulftech.org/?node=research&article_id=00073-05052005>. Another weakness occurs if an application relies _only_ on magic_quotes [1]. Because if the hoster changes his php.ini or PHP is bogus, the last and only line of defence is gone.
> Thanks in advance,
You're welcome.

[1] Once upon a time, I examined a popular German forum system (pforum) and found a lot of these "relies". The worst case came: $victim installed pforum on his webspace, but $hoster set magic_quotes_* to off. $victim was fucked. OK, $victim was more fucked by the several SQL injections and XSS cookie stealing, but fucked.
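
The double-decoding case discussed in this message, as an added example that is not code from the thread: it builds the query from the post with and without the extra urldecode(), then shows a bound parameter that does not depend on php.ini. Assumptions: addslashes() stands in for magic_quotes_gpc (removed in PHP 5.4), and the in-memory SQLite table and its row are constructed (needs pdo_sqlite).

```php
<?php
// Constructed input: the query string from the post, exactly as the client sends it.
$raw = 'id=999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/*';

// Step 1: PHP decodes the query string once while filling $_GET.
// %2527 becomes %27, so the value still holds no quote character.
parse_str($raw, $get);

// Step 2: magic_quotes_gpc escapes quotes in the decoded value.
// addslashes() emulates it here; it finds nothing to escape.
$id = addslashes($get['id']);

// Case A: the value is used as-is. The database receives a literal "%27".
$sqlA = "SELECT nom FROM log where id='$id'";

// Case B: the application calls urldecode() again AFTER the escaping step.
// %27 now becomes a quote with no backslash in front of it.
$decoded = urldecode($id);
$sqlB = "SELECT nom FROM log where id='$decoded'";

echo "A: $sqlA\n";
echo "B: $sqlB\n";
echo "quote reached the query unescaped in B: ",
     (strpos($decoded, "'") !== false ? 'yes' : 'no'), "\n";

// Hardened form: the value is bound as a parameter, so whether the hoster
// has magic_quotes_* on or off no longer matters.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE log (id TEXT, nom TEXT)");
$pdo->exec("INSERT INTO log VALUES ('1', 'alice')");   // constructed row

$stmt = $pdo->prepare('SELECT nom FROM log WHERE id = ?');
$stmt->execute([$decoded]);   // the doubly decoded string is compared as data only
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "rows returned with bound parameter: ", count($rows), "\n";
```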