Re: Executing PHP Code from MSSQL table

Check out using the 'eval' operator in PHP, here's the doc page:

http://us2.php.net/eval

From the page:
"eval - Evaluate a string as PHP code"

This should be able to do what you want.

- Lee


* Jim Halfpenny <jimsmailinglists@gmail.com> [2007-10-16 07:52:21 +0100]:

> Hi,
> The problem with this approach is that the content is most likely
> loaded in by the PHP preprocessor, and it will not usually go back and
> parse any code inserted. Consider this pseudocode:
>
> print ("print(\"World\")")
>
> The preprocessor will print the string print("World") but it will not
> execute the text string as if it were code. The same is true if the
> text string is retrieved from a database and not a literal.
>
> print("<img src=\"" . getImageNameFromDB() . "\">")
>
> What you have is an opportunity for cross-site scripting, not PHP code
> injection.
>
> Regards,
> Jim
>
> On 10/16/07, Danux <danuxx@gmail.com> wrote:
> > Hi, after testing a PHP-MSSQL app, i am able to insert and update
> > tables but i can't execute store_procedures, so, i was wondering if
> > its possible to update a table putting something like: "phpinfo()" or
> > (passthru("ipconfig")) in order to execute while loading the page?
> >
> > I mean:
> >
> > inside the html page the images are taken from database so... in a
> > black box perspective a think is something like: <img src=$img> and i
> > know where is the table which reads this image name, then i can update
> > the table and instead of read something like $img = picture.gif, reads
> > some thing like "phpinfo();". but as you know this is only a string,
> > even though if i update the table with: eval("phpinfo();") its also a
> > string .... so it dont get executed!!
> >
> > So, i would like you help me, what can i do if i am able to insert,
> > create and update tables but unable to run store procedures, or bulk
> > or bcp!!!!!
> >
> > Thanks!!!
> >
> > --
> > Danux, CISSP
> > Chief Information Security Officer
> > Macula Security Consulting Group
> > www.macula-group.com
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------

pgpHNwP6CNP4O.pgp
Description: PGP signature