WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SQLi with backslash

From: Robin Wood <robin () digininja org>
Date: Sun, 26 Jun 2011 09:33:14 +0100
On 26 June 2011 06:02, Voulnet <voulnet () gmail com> wrote:

Yeah, I understood from you that the web app removes only the single
and double quotes.

So what kind of query would be executed on MySQL? is it:
1- insert into log values ('a','b');
or
2- insert into log values (a,b); <-- I doubt it is this way, because a
and b should be strings.

so if you only add a backslash, which as I understand doesn't get
stripped, wouldn't the query executed on MySQL be:
 insert into log values ('a\','b'); <-- which should do the backslash trick?

If that doesn't happen, then you've got a really annoying web app to
test, haha. Tell them all the O'Rielly's in the world hate them.


It is the second one of your pair but I can only inject into the
second parameter, it is logging a username when attempting to login
and I've no control over the first parameter.

I think we are going to come to the conclusion that I expected, their
coding is bad but they've got away with it.

Robin



On Sun, Jun 26, 2011 at 1:46 AM, Robin Wood <robin () digininja org> wrote:

On 25 June 2011 23:40, Voulnet <voulnet () gmail com> wrote:

Have you tried a backslash to let MySQL auto escape a single quote for you?


All single and double quotes are being stripped by the application
before getting to the SQL query.

Nice try though.

Robin


Example:

insert into log values('a\', ' );drop table log --');

If I am correct, the first parameter would be 'a\', ' <-- this would
be because with the backslash, MySQL would escape the next single
quote, and consider the starting single quote of the 2nd parameter as
the closing quote of the 1st parameter, then what you input as the 2nd
parameter would be executed, so you terminate the insert correctly and
execute your SQLi string.

I am not sure if it would work, but I'm sure you can play around with
that concept and get it to to work. You might have some lack finding
column truncation issues, too.

---------------------------------------------------------
Voulnet: Your local geek
Stalk me on twitter @Voulnet


On Sat, Jun 25, 2011 at 10:33 PM, Robin Wood <robin () digininja org> wrote:

On 25 June 2011 17:51, Voulnet <voulnet () gmail com> wrote:

Okay then, have you tried an alternate encoding? MySQL can act funny
when asian characters are used. For reference you can see this:

http://stackoverflow.com/questions/1220182/does-mysql-real-escape-string-fully-protect-against-sql-injection

Because, if I understand correctly, there would a discrepancy between
what PHP sees (thinking it is a normal multibyte character and passing
it on, and what MySQL sees if set incorrectly which would result in it
parsing the asian character as something + single quote.


Just tried and it didn't work, was worth a try.


By the way, have you tried the char(39) or hex encoding and verified
it didn't work?


Yes, it won't work as the char(39) is inside the quotes so is just
taken as a string:

insert into log values ('a', 'xx char(39) ...');

To use it I would have to have broken out of the quotes first.

Robin



On Sat, Jun 25, 2011 at 1:36 PM, Robin Wood <robin () digininja org> wrote:

On 24 June 2011 18:17, Voulnet <voulnet () gmail com> wrote:

They are probably using that mysql_real_escape_string php function,
which escapes these characters. There are many ways to bypass it, and
you can find it all over the web.

Some examples:

use char(39) <-- ASCII decimal value of ' is 39
or use the hex value. For example SELECT (0x27) <-- 27 is the hex value of '.

For example if you want to load a file, you would call
load_file('myfile'), using hex encoding you take 'myfile' with the
single quotes included and convert it to hex, then write it as
load_file(0x27..........27) with the rest of the hex values of the
filename characters filled in between.



No, all they are doing is stripping ' and ", they dump the statements
to screen in the error message.

And using 0x27 will just end up with the string 0x27 being inserted as
it is inside the single quoted string. That might help if I could
escape the quotes but that is the bit I can't do.

Robin



On Wed, Jun 22, 2011 at 5:03 PM, Robin Wood <robin () digininja org> wrote:

Hi
I've got a scenario where both single and double quotes are being
stripped but no other escaping appears to be being performed. The
database is MySQL with php on top.

The query that I've found SQL injection on is in the form

insert into log values ('a', 'b');

where I can inject in to the second parameter.

If I inject a backslash then I get

insert into log values ('a', 'b\');

which gives an invalid SQL statement and is how the injection was
found. Can anyone come up with a way to exploit this? If I put
anything before the slash isn't really worth anything and if I put
anything after then the statement becomes valid and the slash escapes
whatever character is after it.

I thought about using the slash to encode something but couldn't get it to work.

The table is write only for me, I can't see any of its entries echo'ed
back to the site anywhere so I can't go for stored XSS or anything
like that (maybe possible but not in the time available for the test).

Apart from breaking the statement I can't see a way to exploit this,
can anyone else?

Robin



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------




















This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: