Bugtraq mailing list archives

Re: Re: [KAPDA::#16] - SMF SQL Injection

From: "Steven M. Christey" <coley () mitre org>
Date: Sat, 10 Dec 2005 14:36:09 -0500 (EST)

substr(strtolower($_REQUEST['start']), 0, 1)

So, the string is set to lower case, and then only the FIRST letter is
used within the query. How can anyone exploit the database with a one
character insertion? Of course this is within single quotes as well,
so it cannot even be a command.



This sounds like yet another example of a researcher diagnostic error,
which I warned about a couple months ago:

  A common researcher diagnosis error: misreading error messages
  http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-10/0040.html

I would bet that the software generated an error based on this portion
of the SQL/PHP code:

  WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" .
  substr(strtolower($_REQUEST['start']), 0, 1) . "'

The original demonstration value of "start" is:

  '[SQL]

and since the first character is "'", PHP would generate something
like:

  WHERE LOWER(SUBSTRING(realName, 1, 1)) < '''

which would then generate a syntax error, which could then be
mis-diagnosed as SQL injection.

I bet that many so-called "SQL injection" issues are of this form of
"limited SQL syntax manipulation."  It is still an error message
information leak, which some people don't think it security relevant.
But clearly it is much less severe than SQL injection.

- Steve

Current thread:

[KAPDA::#16] - SMF SQL Injection alireza hassani (Dec 09)
- <Possible follow-ups>
- Re: [KAPDA::#16] - SMF SQL Injection grudge (Dec 10)
  - Re: [KAPDA::#16] - SMF SQL Injection ascii (Dec 12)
- Re: Re: [KAPDA::#16] - SMF SQL Injection retrogod (Dec 12)
- Re: Re: [KAPDA::#16] - SMF SQL Injection polnby (Dec 12)
- Re: Re: [KAPDA::#16] - SMF SQL Injection Steven M. Christey (Dec 12)
- Re: Re: Re: [KAPDA::#16] - SMF SQL Injection grudge (Dec 14)