From: Christoph 'knurd' Jeschke <christoph.jeschke () gmail com>
Date: Tue, 28 Jun 2005 00:14:36 +0200
mickael kael schrieb:
> (this is just a code for testing)
> code : $sql = "SELECT nom FROM log where id='$id'";
> result : SELECT nom FROM log where id='999%27 UNION ALL SELECT nom
> FROM log where id=1/*'
Right. This only works if $id is additionally urldecode()d. Then %27
will be replaced with '. This vuln appeared in ... Phorum last year, IIRC.
> But it doesn't work, I think; MySQL does not interpret %27.
> I read in the thread that it is possible to bypass magic_quotes, but I
> haven't found any solution. So if someone says it is possible, it would be
> interesting to have a PoC.
Another weakness occurs if an application relies _only_ on magic_quotes,
because if the hoster changes his php.ini or PHP is bogus, the last
and only line of defence is gone.
> Thanks in advance,
 Once, I examined a popular German forum system (pforum) and
found a lot of these "relies". Worst case came: $victim installed pforum
on his webspace, but $hoster set magic_quotes_* to off. $victim was
fucked. Ok, $victim was more fucked by the several SQL injections and
XSS cookie stealing, but fucked.
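Added illustration, not code from this thread, of the two points above: escaping that runs before urldecode() lets %27 turn into a live quote afterwards, and a parameterised query that does not depend on magic_quotes or php.ini at all. It assumes a table log(id, nom) as in the quoted query and emulates magic_quotes_gpc with addslashes(), since current PHP no longer has magic_quotes.

```php
<?php
// Emulation of the magic_quotes_gpc ordering problem (assumption: addslashes()
// stands in for magic_quotes_gpc, which modern PHP has removed).
function magic_quotes_then_urldecode(string $raw): string
{
    $escaped = addslashes($raw);   // at this point %27 contains no quote, so nothing is escaped
    return urldecode($escaped);    // now %27 becomes a bare ' AFTER the escaping already ran
}

// The query shape from the thread: string interpolation of $id.
function build_query_vulnerable(string $id): string
{
    return "SELECT nom FROM log where id='$id'";
}

// Hardened form: the value is bound, never spliced into the SQL text, so quotes
// and comment markers in it are inert whatever php.ini says about magic_quotes.
function lookup_nom_safe(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT nom FROM log WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite table (assumed schema log(id, nom)).
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE log (id INTEGER PRIMARY KEY, nom TEXT)");
$db->exec("INSERT INTO log (id, nom) VALUES (1, 'admin'), (999, 'guest')");

// The input from the quoted message, as it arrives URL-encoded.
$raw = "999%27 UNION ALL SELECT nom FROM log where id=1/*";
$id  = magic_quotes_then_urldecode($raw);

echo build_query_vulnerable($id), "\n";
// The quote survived the escaping step and the trailing ' is swallowed by the
// open /* comment, which is exactly why escaping must never run before decoding.

print_r(lookup_nom_safe($db, $id));
// Empty result: no row has that literal id, regardless of magic_quotes settings.
```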