Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Magic Quotes

from [DokFLeed] Network Security [Permanent Link]
Subject: Re: Magic Quotes
Date: Thu, 12 Oct 2006 05:14:20 +0400
such a simple SQL like
"SELECT * from USERS WHERE id =$id";
can lead to a total hack of the SERVER not just the web application.
so far the only thing keeping it from happening is the magic quotes,
so even with a dumb programmer, the server is safe coz of magic quotes,
why is it going to be removed in php6 !!!!
if you can insert your own PHP code into the database then
run a select to dump the info to a file on the server using INTO OUTFILE '/home/z.php'
as you can see the problem right now is the ' in the OUTFILE syntax, and it is magic quotes that is taking care of the server :)

bottom line magic quotes rulez

Dok

----- Original Message ----- From: "Steve Slater" <slater@handsonsecurity.com>
To: "DokFLeed" <dokfleed@dokfleed.net>; <webappsec@securityfocus.com>
Sent: Wednesday, October 11, 2006 3:11 AM
Subject: Re: Magic Quotes


At 04:00 AM 10/06/06, DokFLeed wrote:

if there is noway around Magic Quotes, then why is every developer against it ?
Dok

You can often get around it, depending upon the app and the query.
Here is one that works...or at least did work at the time. It's pretty old:

http://packetstormsecurity.nl/0311-exploits/phpBB206.txt

What if your query uses a numeric query value? Then there is
no quote needed to perform an injection. For example:

SELECT * from db.table where column = 1100

What if I change 1100 to: -9999 union select * from whatever.whatever

(No quotes needed here...)

Just give your team an example of how prepared statements work
and it won't take more than an extra minute to copy it for each new DB
query. Then you don't have to worry about it.

Steve



==================================================

Steve Slater
President

Security Compliance Corporation
120 Village Square, Suite 76
Orinda, CA 94563
(866) 657-4550

http://www.securitycompliancecorp.com
slater@securitycompliancecorp.com





-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Magic Quotes, Steve Slater
Next by Date:  Black Hat CFP, Registration, and Announcements for October, Jeff Moss
Previous by Thread:  Re: Magic Quotes, Steve Slater
Next by Thread:  Re: Magic Quotes, Brad Lhotsky
Indexes:  [Date] [Thread] [Top] [All Lists]