|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 86
Members: 0
Total: 86
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
SQL Injection - Getting around addslashes() |
|
Posted: Thu Aug 26, 2010 8:14 pm |
|
|
shadowplayer |
Beginner |
|
|
Joined: Aug 26, 2010 |
Posts: 2 |
|
|
|
|
|
|
|
Hi guys =)
I'm stuck with this injection, please help me with some ideas.
The query is (watch quotes):
Code: | SELECT users.* FROM users WHERE true AND users.email = '{$email}' |
Setting email to %00 (null) consumes the last single-quote in the query.
Problem:
Single-quotes (only single ones) are escaped by addslashes() (maybe magic_quotes). I've tried with multibyte chars like this:
Not working either... I'm getting escaped quotes.
Any ideas? |
|
|
|
|
|
Re: SQL Injection - Getting around addslashes() |
|
Posted: Fri Aug 27, 2010 3:42 pm |
|
|
shadowplayer |
Beginner |
|
|
Joined: Aug 26, 2010 |
Posts: 2 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Mon Aug 30, 2010 1:15 am |
|
|
julioisaias |
Valuable expert |
|
|
Joined: Jan 25, 2008 |
Posts: 50 |
|
|
|
|
|
|
|
|
_________________ I study enough to make the rest a result. |
|
|
|
Posted: Mon Aug 30, 2010 11:19 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
If magic_quotes_gpc=on or if addslashes(), mysql_escape_string(), mysql_real_escape_string() is used for incoming data sanitization, then there is no sql injection. Sql injection occurs when (examples) :
1. magic_quotes_gpc=off (easy to exploit)
2. stripslashes() is used (easy to exploit)
3. urldecode() or rawurldecode() is used (easy to exploit)
4. magic_quotes_runtime=off (second order injection, specific cases, hard to exploit)
5. specific cases related to sql truncation (hard to exploit)
By the way, when magic_quotes_gpc=on, then null byte (%00) trick will not work either, becasue it will be escaped too. |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|