Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Comma alternatives?
Posted by: oniric
Date: December 16, 2009 10:05AM

Hi all, I'm doing some research for a little vuln I discovered and I need a way to bypass a comma filter. Only the classic comma ( 0x2c ) is filtered. The injection is in an UPDATE statement and all I want to do is add another field to the SET list, but I can't use the comma as a separator.

I found out that the character 0x82 ( low single comma ) can be used in MySQL 5 ( at least, maybe in 4 too ) as a replacement, but I can't test it on other platforms such as MSSQL or Access. Can anyone give me a hand to test it? Or do you know another way to bypass such a filter ( not stackable query )?

Thank you!

Re: Comma alternatives?
Posted by: Bullet
Date: December 20, 2009 01:47AM

Try bypassing techniques like:

1) HPP (HTTP Parameter Pollution) - If it's ASP+IIS: Encode the attack using url encoding (URL_Encode(,)=%2c) and split it in between the '%' and "2c".

2) Try using SQL comments like /**/ - Many filters just filter this input (/*,*/).

3) You can use union:
select username from users union select password from users union select ....

I think it's enough for now...

Re: Comma alternatives?
Posted by: oniric
Date: December 20, 2009 08:49AM

It's an update query. Something like

UPDATE table SET first='asd', second = INJECTION, third = 'foo'

The filter isn't a true filter, it's just a function applied to the data to trim the string at the first comma. So if I inject

'bar', password = 'pass'

only

'bar'

passes the "filter". HPP is not going to help here, nor are comments. Only in MySQL can I substitute commas with equivalent characters, while on other platforms I can try timed blind SQLi. Other ideas?

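To make the "trim at the first comma" behaviour discussed above concrete, here is an added example (not code from the thread or from any poster) that rebuilds the UPDATE in SQLite: a hypothetical string-concatenating update, the same update fed through the comma-trimming function, and the parameterized form. The table, the WHERE clause and the `password` column are constructed assumptions; the payload is the one quoted in the thread.

```python
import sqlite3

# Injection string from the thread (without the leading quote, since this
# hypothetical application wraps the input in quotes itself).
PAYLOAD = "bar', password = 'pass"

def fresh_db():
    """Constructed sample schema modelled on the thread's UPDATE statement."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first TEXT, "
               "second TEXT, third TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'a', 'b', 'c', 'secret')")
    return db

def trim_at_comma(value):
    """The thread's 'filter': keep only what precedes the first comma."""
    return value.split(",", 1)[0]

def update_vulnerable(db, user_input):
    # Hypothetical vulnerable code: the input is spliced into the SQL text,
    # so quotes and separators inside it become part of the statement.
    sql = ("UPDATE users SET first='asd', second = '%s', third = 'foo' "
           "WHERE id = 1" % user_input)
    db.execute(sql)

def update_parameterized(db, user_input):
    # Bound parameter: the input is data, never SQL, whatever characters it holds.
    db.execute("UPDATE users SET first='asd', second = ?, third = 'foo' "
               "WHERE id = 1", (user_input,))

def run(update_fn, filter_fn=lambda v: v):
    """Return (password, second) after the update, or ('error', None)
    if the statement no longer parses."""
    db = fresh_db()
    try:
        update_fn(db, filter_fn(PAYLOAD))
    except sqlite3.Error:
        return "error", None
    return db.execute("SELECT password, second FROM users WHERE id = 1").fetchone()

def demo():
    return {
        "vulnerable_raw": run(update_vulnerable)[0],                 # 'pass': extra SET field applied
        "vulnerable_trimmed": run(update_vulnerable, trim_at_comma)[0],  # 'error': input still reaches the parser
        "parameterized": run(update_parameterized)[0],               # 'secret': password untouched
        "parameterized_second": run(update_parameterized)[1],        # full payload stored as plain text
    }
```

The trimmed case still fails with a SQL error rather than storing the value, which shows that the trimming function changes which statements parse but does not stop the input from being interpreted as SQL; only the bound parameter does that.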
Re: Comma alternatives?
Posted by: Kyo
Date: December 20, 2009 09:07AM

What is the goal here? You can get data by using a subquery

(SELECT pass FROM users WHERE user='james')

Re: Comma alternatives?
Posted by: oniric
Date: December 20, 2009 09:18AM

Yes, but I can only SET that data in a field that's not "public", so I can do nothing with it. And yes, I can always use blind SQL injection, but the point here is to do some research to find a better exploitation method ;-)

Re: Comma alternatives?
Posted by: Kyo
Date: December 20, 2009 05:29PM

Oh, I see. Is there a second point after the first you can inject or even just input data on? You could keep the number of single quotes uneven and go from there?

Re: Comma alternatives?
Posted by: oniric
Date: December 21, 2009 08:31AM

Sorry, no second point; just that.
