Security Basics mailing list archives

Re: magic_quotes


From: Christoph 'knurd' Jeschke <christoph.jeschke () gmail com>
Date: Tue, 28 Jun 2005 00:14:36 +0200

mickael kael wrote:

> (this is just some code for testing)
> code : $sql = "SELECT nom FROM log where id='$id'";
> url :
> test.php?id=999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/*
> result : SELECT nom FROM log where id='999%27 UNION ALL SELECT nom FROM log where id=1/*'

Right. This only works if $id is additionally urldecode()d. Then %27
will be replaced with '. This vuln appeared in ... Phorum last year, IIRC.

> But it doesn't work, I think; MySQL doesn't interpret %27.

Right.

> I read in the thread that it is possible to bypass magic_quotes, but I
> don't find any solution. So if someone says it is possible, it would be
> interesting to have a PoC.

See <http://www.gulftech.org/?node=research&article_id=00073-05052005>.

Another weakness occurs if an application relies _only_ on magic_quotes
[1]: if the hoster changes his php.ini or php is bogus, the last and only
line of defence is gone.

> Thanks in advance,

You're welcome.

[1] Once, I examined a popular German forum system (pforum) and found a
lot of these "relies". Worst case came: $victim installed pforum at his
webspace, but $hoster set magic_quotes_* to off. $victim was fucked. OK,
$victim was more fucked by the several SQL injections and XSS cookie
stealing, but fucked.
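Added example, not part of the thread: a Python/SQLite simulation of the pipeline discussed above (server URL decode, magic_quotes_gpc escaping, an extra urldecode() in the application, string-concatenated query) next to a bound-parameter version that does not depend on escaping at all. It assumes a constructed two-row `log` table and uses SQLite in place of MySQL; the executed cases contain no backslash-escaped quotes, since SQLite does not treat backslash as an escape character.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample table standing in for the thread's `log` table.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE log (id INTEGER, nom TEXT)")
    con.executemany("INSERT INTO log VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con

def magic_quotes_gpc(value: str) -> str:
    """Emulate PHP's magic_quotes_gpc (addslashes): backslash-escape \\ ' " and NUL."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0"))

def build_query(url_param: str, app_urldecodes: bool) -> str:
    """Reproduce the thread's vulnerable code: $sql = "SELECT nom FROM log where id='$id'".
    The web server decodes the URL once before magic_quotes runs, so %2527 arrives as
    %27, which holds no quote and is left alone. Only if the application then calls
    urldecode() itself does %27 become a live quote inside the SQL string."""
    id_value = magic_quotes_gpc(unquote(url_param))   # server decode, then magic_quotes
    if app_urldecodes:
        id_value = unquote(id_value)                  # the extra decode that re-opens the hole
    return f"SELECT nom FROM log where id='{id_value}'"

# The request from the thread, as it appears in the URL.
PAYLOAD = "999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/*"

def run_concatenated(url_param: str, app_urldecodes: bool) -> list:
    """Execute the string-built query exactly as the vulnerable code would."""
    return [r[0] for r in make_db().execute(build_query(url_param, app_urldecodes))]

def run_parameterized(url_param: str) -> list:
    """The fix: bind the value instead of escaping it, so decoding order cannot matter."""
    id_value = unquote(unquote(url_param))  # even a twice-decoded value is only data here
    return [r[0] for r in make_db().execute("SELECT nom FROM log WHERE id=?", (id_value,))]

if __name__ == "__main__":
    print(build_query(PAYLOAD, app_urldecodes=False))
    print(run_concatenated(PAYLOAD, app_urldecodes=False))  # []  %27 is not a quote to the DB
    print(build_query(PAYLOAD, app_urldecodes=True))
    print(run_concatenated(PAYLOAD, app_urldecodes=True))   # ['alice']  the UNION ran
    print(run_parameterized(PAYLOAD))                        # []  bound value stays data
```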

