From: DokFLeed (dokfleeddokfleed.net)
Date: Fri Oct 06 2006 - 06:00:04 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I am researching in bypassing Magic Quotes enforced by PHP
Suppose you have a script
grabuserinfo.php?id=NUMERICVALUE
which runs a SELECT statement, to be able to pass a ' through the GET
successfully
I tried
id=CHAR(39,49,49,39)
which is
id='11'
but it breaks after CHAR 32 SPACE character and wouldn't execute whatever
comes next
for example to dump user info into a txt file
id=11 INTO OUTFILE 'D:/www/zin.txt'
would be
id=CHAR(49,49,32,73,78,84,79,32,79,85,84,70,73,76,69,32,39,68,58,47,199,199,199,47,122,105,110,46,116,120,116,39);
BREAKS

OR

if a site is using URLDECODE();
%2527 translates to %27, which gets past magic quotes. This is translated to
' by urldecode.

but none of these actually works, I wonder if there is a proven way to
bypass the quotes

I also got that through a search "0xbf27 is not a valid multi-byte
character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is
0xbf (?) followed by 0x27 ('),
and 0xbf5c is 0xbf (?) followed by 0x5c (\).
0xbf27, and addslashes() modifies this to become 0xbf5c27" but I dont think
it works, addslashes()/stripslashes() act differently than illustrated.

any ideas!

if there is noway around Magic Quotes, then why is every developer against
it ?
Dok

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to
use AppScan in client engagements. AppScan is the leading Web application
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]