Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: magic_quotes

from [Christoph 'knurd' Jeschke] Network Security [Permanent Link]
Subject: Re: magic_quotes
Date: Tue, 28 Jun 2005 00:14:36 +0200 
mickael kael schrieb:


(this is just a code for testing)
code : $sql = "SELECT nom FROM log where id='$id'";
url

test.php?id=999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/*

result : SELECT nom FROM log where id='999%27 UNION ALL SELECT nom
FROM log where id=1/*'


Right. This only works if $id is additionally urldecode()ded. Then %27
will be replaced with '. This vuln apperead in ... Phorum last year, IIRC.


But it don't work, i think, Mysql not interpret %27.


Right.


I read on the thread that it is possible to bypass magic_quotes, but i
don't find any solution. So if someone say it is possible, it will be
interessant to have a poc.


See <http://www.gulftech.org/?node=research&article_id=00073-05052005>.

Another weakness occurs, if a application relies _only_ on magic_quotes
[1]. Because if the hoster changes his php.ini or php is bogus, the last
and only line of defence is gone.


Thanks in advance,


You're welcome.

[1] Once a time, i examine a popular german forum system (pforum) and
found a lot of these "relies". Worst case come: $victim installed pforum
at his webspace, but $hoster set magic_quotes_* to off. $victim was
fucked. Ok, $victim was more fucked by the several sql-injections and
XSS cookie stealing, but fucked.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SF new column announcement: Where's the threat?, Kelly Martin
Next by Date:  New Virus?, Hamish Stanaway
Previous by Thread:  Re: magic_quotes, mickael kael
Next by Thread:  Re: magic_quotes, Tony Stahler
Indexes:  [Date] [Thread] [Top] [All Lists]