Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: malicious encoding - mysql php
From: "Rob Shein" <shoten () starpower net>
Date: Thu, 2 Sep 2004 22:37:31 -0400

It looks to me like they're either filtering out the apostrophe (this can be
done using the preg() function in PHP quite easily) or converting it to
something else (less likely).  I don't think you'll be able to get around
it, but have you tried any other characters (double quote) to see what
happens then?

-----Original Message-----
From: biftarin () hotmail com [mailto:biftarin () hotmail com] 
Sent: Thursday, September 02, 2004 3:44 PM
To: pen-test () securityfocus com
Subject: malicious encoding - mysql php




Hi all,

I'm currently auditing a forum running on Redhat Enterprise, 
Apache 1.3.27, PHP 4.3.7 and mySQL 3.23.58 .

The problem I need to solve is how to bypass this filter that 
blocks apostrophes.

$input = str_replace("'", "&#39;", $input)

(in case the board decodes the 2nd argument, it is ampersand 
hash 39)  

I have tried UTF-8 encoding ( %c0%a7 ) and the apostrophe 
appears in the mysql log file. 

e.g  The query in the logfile looks like this.

SELECT * FROM sessions WHERE key='invalidkey' AND member_id = '1'

This doesn't return a row. Yet when I copy and paste this 
query and execute it through the mysql client it returns a 
row as expected.

It looks as though the %c0%a7 isn't being filtered out by PHP 
but it's not being viewed as an apostrophe by mySQL even 
though it appears as an apostrophe in the mySQL log file.

If someone could help me understand this discrepancy or offer 
an alternative way to bypass the filter I'd really appreciate it.

Thanks in advance.

--------------------------------------------------------------
----------------
Ethical Hacking at the InfoSec Institute. All of our class 
sizes are guaranteed to be 12 students or less to facilitate 
one-on-one interaction with one of our expert instructors. 
Check out our Advanced Hacking course, learn to write 
exploits and attack security infrastructure. Attend a course 
taught by an expert instructor with years of in-the-field pen 
testing experience in our state of the art hacking lab. 
Master the skills of an Ethical Hacker to better assess the 
security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
---



------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault