Re: SQLi with backslash

[Robin Wood <robin () digininja org>]

On 24 June 2011 15:29, JD <jdruin () gmail com> wrote:
> You count still try to insert a XSS and see if some other person is serverd
> that XSS. Surely someone (maybe an admin or power user) can see those logs.
> Also, whenever you can perform SQLi but you cannot actually see any visible
> output, blind SQLi is a fallback position.

Yes but as I said, in the time I've got on the test it isn't really a
practical attack. I've already dropped plenty of XSS into the table so
some may trigger at some point.

> In this case you have an insert statement rather than a select, so I think
> using a blind sub-query might work. Since you cannot see any output, perhaps
> you could use timing. The "sleep()" function in MySQL works well for this.
> As one of the insert parameters, you could insert a "case" statement.
>
> For example, lets say we wait to extract the user name that the web server
> uses to log into the database.
>
> We can try to get the 1st letter using timing like this. This select would
> be one of your paramters into the insert. Hopefully this makes sense.
>
> My syntax is probably horrible becasue I am guessing, but something like:
>
> SELECT CASE WHEN substring(CURRENT_USER(), 1,1) = 'a' THEN sleep(5)
> ELSE sleep(0) END;
> http://dev.mysql.com/doc/refman/5.0/en/control-flow-functions.html
> http://dev.mysql.com/doc/refman/5.0/en/information-functions.html#function_current-user

I agree with this but can't find a way to actually get it to run a
query with the SELECT in it. I can't escape the initial query to get
the injection to run.

Robin

> On Wed, Jun 22, 2011 at 10:03 AM, Robin Wood <robin () digininja org> wrote:
> > Hi
> > I've got a scenario where both single and double quotes are being
> > stripped but no other escaping appears to be being performed. The
> > database is MySQL with php on top.
> >
> > The query that I've found SQL injection on is in the form
> >
> > insert into log values ('a', 'b');
> >
> > where I can inject in to the second parameter.
> >
> > If I inject a backslash then I get
> >
> > insert into log values ('a', 'b\');
> >
> > which gives an invalid SQL statement and is how the injection was
> > found. Can anyone come up with a way to exploit this? If I put
> > anything before the slash isn't really worth anything and if I put
> > anything after then the statement becomes valid and the slash escapes
> > whatever character is after it.
> >
> > I thought about using the slash to encode something but couldn't get it to
> > work.
> >
> > The table is write only for me, I can't see any of its entries echo'ed
> > back to the site anywhere so I can't go for stored XSS or anything
> > like that (maybe possible but not in the time available for the test).
> >
> > Apart from breaking the statement I can't see a way to exploit this,
> > can anyone else?
> >
> > Robin
> >
> >
> >
> > This list is sponsored by Cenzic
> > --------------------------------------
> > Let Us Hack You. Before Hackers Do!
> > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > Request Yours Now!
> > http://www.cenzic.com/2009HClaunch_Securityfocus
> > --------------------------------------
>
>
>
> --
> Thanks,
>
> JD



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------