|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Vladimir Vorontsov (vladimir.vorontsov
onsec.ru)
Date: Fri Nov 06 2009 - 06:55:22 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Good day!
I recently encountered a problem with the implementation of SQL injection.
I wanted to write a file with the code interpreter to execute commands, but
in the end always append bracket, which I thought was supposed to be a
spoiler.
Comments at the end of the query to be filtered. The last character is
always append a closing parenthesis. Use a null-byte, too, was impossible.
Was an injection of this type:
$query = "select bla-bla from content_comments where user_id in (select
user_id from User where id =".removeBadChars($_GET['id']).");";
Where removeBadChars () kills such things as:
--
/*
but leaves /**/
I wanted to write a script to execute commands in a file. The rows included
in the first select, but the presence of brackets before inkludom demanded
its closure after it. Besides tricky function is not allowed to finish a
comment form - or /* at the end of the query.
As a result, very surprised, because that's such an option:
select bla-bla from content_comments where user_id in (select user_id from
User where id = 1/**/into/**/outfile/**/"/var/www/avatars/img.php")
recorded in the file the result of EXTERNAL select!.
Checked in
MySQL 4.1.22
MySQL 5.1.x
--
-----------------------------------------------------------------
Best regards!
Vladimir Vorontsov, security expert.
ONsec: turn on security
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]