Exploit mysql_real_escape_string()

Re: Exploit mysql_real_escape_string()

oniric — Thu, 17 Dec 2009 05:30:45 -0600

admin\' ; --

become

admin\'' or 1=1 --

the first quote is escaped and the second one delimits the string so after that you can inject what you want. Seems reasonable to me. Maybe it's a multi-line query so the -- comment doesn't work.

Re: Exploit mysql_real_escape_string()

felixia — Thu, 17 Dec 2009 05:12:21 -0600

No because I only add one quote so there are a impair number of quote into the sentence.

For example if we have something like:

"Select * from users where username='" + $username + "' and hash(" + $password + ")"

There are 2 singles quotes into the querry, if you add \' admin you will get three and get a sql error before it is processed.

admin\' ; -- doen't work neither

Re: Exploit mysql_real_escape_string()

oniric — Thu, 17 Dec 2009 04:56:20 -0600

Can't you simply use

admin\' or INJECT_HERE_WHAT_YOU_WANT_BUT_DONT_USE_QUOTES -- foo

?

Exploit mysql_real_escape_string()

felixia — Thu, 17 Dec 2009 04:37:37 -0600

The function mysql_real_escape_string() is used to add a \ in front of "dangerous characters" like single quote.

From ha.ckers.com:

With an sql injection example:

\';

Using the follwing example it possible to get an error message because you end the statement but I wasnt able to create a correct one (blind sql)

admin\' or \'1\'=\'1

Gives me the follwing error:

Error Executing Database Query.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\''1\''=\''1' and password = 'IyVeVEwK' and extranetuser =' at line 3

Any idee how I could make it works?