WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Magic Quotes

From: "DokFLeed" <dokfleed () dokfleed net>
Date: Fri, 6 Oct 2006 15:00:04 +0400
I am researching in bypassing Magic Quotes enforced by PHP
Suppose you have a script
grabuserinfo.php?id=NUMERICVALUE
which runs a SELECT statement, to be able to pass a ' through the GET successfully 
I tried
id=CHAR(39,49,49,39)
which is
id='11'
but it breaks after CHAR 32 SPACE character and wouldn't execute whatever comes next 
for example to dump user info into a txt file
id=11 INTO OUTFILE 'D:/www/zin.txt'
would be
id=CHAR(49,49,32,73,78,84,79,32,79,85,84,70,73,76,69,32,39,68,58,47,199,199,199,47,122,105,110,46,116,120,116,39);
BREAKS

OR

if a site is using URLDECODE();
%2527 translates to %27, which gets past magic quotes. This is translated to ' by urldecode.
but none of these actually works, I wonder if there is a proven way to bypass the quotes
I also got that through a search "0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (?) followed by 0x27 ('), 
and 0xbf5c is 0xbf (?) followed by 0x5c (\).
0xbf27, and addslashes() modifies this to become 0xbf5c27" but I dont think it works, addslashes()/stripslashes() act differently than illustrated. 


any ideas!
if there is noway around Magic Quotes, then why is every developer against it ? Dok 

-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire has new programs available for pen testers and consultants to use AppScan in client engagements. AppScan is the leading Web application assessment tool. Want to see it for yourself? Take a look today! 

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: