Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Executing PHP Code from MSSQL table

From: Danux <danuxx () gmail com>
Date: Wed, 17 Oct 2007 12:43:37 -0500
Yeah, i understand how eval works, but i am not able to change the way
the page was programmed, so, maybe a can put something like -- <?
eval("phpinfo();") ?> -- inside the table field but after that, the
page will read: <img src= <? eval("phpinfo") ?> > but as String,
always as String.

If the php page would have been programmed with a hard coded "eval" like:

<img src= <? eval( getImagefromDB() ) > then after reading my code
inserted into the database, it would works!!!

So, the only thing a can do, is something about XSS as Jim Halfpenny said.

Thanks anyway!!!!



On 10/17/07, Matthew Lee Hinman <matthew.hinman () gmail com> wrote:

Check out using the 'eval' operator in PHP, here's the doc page:

http://us2.php.net/eval

 From the page:
"eval - Evaluate a string as PHP code"

This should be able to do what you want.

- Lee


* Jim Halfpenny <jimsmailinglists () gmail com> [2007-10-16 07:52:21 +0100]:


Hi,
The problem with this approach is that the content is most likely
loaded in by the PHP preprocessor, and it will not usually go back and
parse any code inserted. Consider this pseudocode:

print ("print(\"World\")")

The preprocessor will print the string print("World") but it will not
execute the text string as if it were code. The same is true if the
text string is retrieved from a database and not a literal.

print("<img src=\"" . getImageNameFromDB() . "\">")

What you have is an opportunity for cross-site scripting, not PHP code
injection.

Regards,
Jim

On 10/16/07, Danux <danuxx () gmail com> wrote:

Hi, after testing a PHP-MSSQL app, i am able to insert and update
tables but i can't execute store_procedures, so, i was wondering if
its possible to update a table putting something like: "phpinfo()" or
(passthru("ipconfig")) in order to execute while loading the page?

I mean:

inside the html page the images are taken from database so... in a
black box perspective a think is something like: <img src=$img> and i
know where is the table which reads this image name, then i can update
the table and instead of read something like $img = picture.gif, reads
some thing like "phpinfo();". but as you know this is only a string,
even though if i update the table with: eval("phpinfo();") its also a
string .... so it dont get executed!!

So, i would like you help me, what can i do if i am able to insert,
create and update tables but unable to run store procedures, or bulk
or bcp!!!!!

Thanks!!!

--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------






-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: