Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: magic_quotes

from [mickael kael] Network Security [Permanent Link]
Subject: Re: magic_quotes
Date: Sat, 25 Jun 2005 15:35:15 +0200 
Hello,

Sorry to deviate the subject of the thread.

I see some code which use %2527 to bypass magic_quotes because %25
correspond to %. I try this technic with this code

(this is just a code for testing)
code : $sql = "SELECT nom FROM log where id='$id'";
url : 
test.php?id=999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/*
result : SELECT nom FROM log where id='999%27 UNION ALL SELECT nom
FROM log where id=1/*'

But it don't work, i think, Mysql not interpret %27.
I read on the thread that it is possible to bypass magic_quotes, but i
don't find any solution. So if someone say it is possible, it will be
interessant to have a poc.

Thanks in advance,

Mk,
On 23 Jun 2005 08:30:59 -0000, maarten@webfauna.com
<maarten@webfauna.com> wrote:

I agree that magic quotes is not a very nice solution. Although it makes it a 
little harder to manipulate queries, it will make your code less clear. Some 
strings in you application are escaped (from POST data) and some are not 
(e.g. from database.) Sometimes it's not completly clear what the origin of a 
variable (string) is.
I think it's easier and safer if you can concider all strings to be unescaped 
and make sure you escape them in a query.
You need clear and easy to understand code to make your application secure.

In this case, I'd also use the intval() function. If you want an integer 
value, this makes sure it is.

Greets,
Maarten
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: RE: Masters program for Information Security?, vinnyp121
Next by Date:  RE: AS400 Audit Checks, Clement Dupuis
Previous by Thread:  Re: magic_quotes, Christoph 'knurd' Jeschke
Next by Thread:  Re: magic_quotes, Christoph 'knurd' Jeschke
Indexes:  [Date] [Thread] [Top] [All Lists]