Home page logo
/

basics logo Security Basics mailing list archives

Re: magic_quotes
From: Christoph 'knurd' Jeschke <christoph.jeschke () gmail com>
Date: Tue, 28 Jun 2005 00:14:36 +0200

mickael kael schrieb:

(this is just a code for testing)
code : $sql = "SELECT nom FROM log where id='$id'";
url
test.php?id=999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/*
result : SELECT nom FROM log where id='999%27 UNION ALL SELECT nom
FROM log where id=1/*'

Right. This only works if $id is additionally urldecode()ded. Then %27
will be replaced with '. This vuln apperead in ... Phorum last year, IIRC.

But it don't work, i think, Mysql not interpret %27.

Right.

I read on the thread that it is possible to bypass magic_quotes, but i
don't find any solution. So if someone say it is possible, it will be
interessant to have a poc.

See <http://www.gulftech.org/?node=research&article_id=00073-05052005>.

Another weakness occurs, if a application relies _only_ on magic_quotes
[1]. Because if the hoster changes his php.ini or php is bogus, the last
and only line of defence is gone.

Thanks in advance,

You're welcome.

[1] Once a time, i examine a popular german forum system (pforum) and
found a lot of these "relies". Worst case come: $victim installed pforum
at his webspace, but $hoster set magic_quotes_* to off. $victim was
fucked. Ok, $victim was more fucked by the several sql-injections and
XSS cookie stealing, but fucked.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault