Exploit mysql_real_escape_string()
Posted by: felixia
Date: December 17, 2009 04:37AM

The function mysql_real_escape_string() is used to add a \ in front of "dangerous characters" like the single quote.

From ha.ckers.com:

<Evading escapes with backslashes (this assumes the application comments out a single quote with another single quote and by introducing a backslash before it, it comments out the single quote that is added by the filter). This type of filter is applied by mySQL's mysql_real_escape_string()>

With an SQL injection example:

\';

Using the following example it is possible to get an error message because you end the statement, but I wasn't able to create a correct one (blind SQL):

admin\' or \'1\'=\'1


Gives me the following error:

Error Executing Database Query.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\''1\''=\''1' and password = 'IyVeVEwK' and extranetuser =' at line 3

Any idea how I could make it work?

Re: Exploit mysql_real_escape_string()
Posted by: oniric
Date: December 17, 2009 04:56AM

Can't you simply use

admin\' or INJECT_HERE_WHAT_YOU_WANT_BUT_DONT_USE_QUOTES -- foo

?

Re: Exploit mysql_real_escape_string()
Posted by: felixia
Date: December 17, 2009 05:12AM

No, because I only add one quote, so there is an odd number of quotes in the sentence.

For example if we have something like:

"Select * from users where username='" + $username + "' and hash(" + $password + ")"

There are 2 single quotes in the query; if you add \' admin you will get three and get an SQL error before it is processed.

admin\' ; -- doesn't work either

Re: Exploit mysql_real_escape_string()
Posted by: oniric
Date: December 17, 2009 05:30AM

admin\' ; --

becomes

admin\'' or 1=1 --

The first quote is escaped and the second one delimits the string, so after that you can inject what you want. Seems reasonable to me. Maybe it's a multi-line query, so the -- comment doesn't work.

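The thread turns on one detail: the filter in felixia's error message doubles single quotes but leaves backslashes alone, whereas mysql_real_escape_string() escapes the backslash as well as the quote. The harness below, an added example that is not code from the thread or from PHP, makes that visible by scanning the resulting SQL the way MySQL does under its default sql_mode (backslash escapes enabled, '' accepted inside a literal) and reporting whether the escaped value stays inside the one string literal the application wrapped it in. The names naive_quote_doubling, mysql_real_escape_string_like, literal_end and stays_inside_literal are this example's own; the escape table is a Python approximation of the characters the PHP function handles, not PHP's code.

```python
# Added example, not the thread's or PHP's own code. Compares a quote-doubling
# filter with mysql_real_escape_string-style escaping by checking where MySQL
# would end the string literal the application built. Assumes MySQL's default
# sql_mode (backslash escapes on); NO_BACKSLASH_ESCAPES would change the rules.

def naive_quote_doubling(value: str) -> str:
    """The filter the ha.ckers quote describes: doubles single quotes, ignores backslashes."""
    return value.replace("'", "''")


def mysql_real_escape_string_like(value: str) -> str:
    """Approximation of the characters mysql_real_escape_string backslash-escapes:
    backslash, both quote kinds, NUL, LF, CR and Ctrl-Z (assumption: charset-independent)."""
    table = {
        "\\": "\\\\", "'": "\\'", '"': '\\"',
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in value)


def literal_end(sql: str, open_quote: int) -> int:
    """Scan the single-quoted literal whose opening quote sits at `open_quote`.
    Returns the index just past the closing quote, or raises if it never closes."""
    i = open_quote + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":                      # backslash escapes the next character
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":     # '' is a literal quote, not the end
                i += 2
            else:
                return i + 1
        else:
            i += 1
    raise ValueError("unterminated string literal")


# Constructed query shape, modelled on the one felixia posted.
PREFIX = "SELECT * FROM users WHERE username='"
SUFFIX = "' AND password='x'"


def stays_inside_literal(value: str, escape) -> bool:
    """True if the escaped value is parsed as exactly one literal, i.e. the quote the
    application appended after it is the quote that actually closes the literal."""
    escaped = escape(value)
    sql = PREFIX + escaped + SUFFIX
    try:
        end = literal_end(sql, len(PREFIX) - 1)
    except ValueError:
        return False
    return end == len(PREFIX) + len(escaped) + 1


def parsed_tail(value: str, escape) -> str:
    """The SQL that follows the username literal as MySQL would see it."""
    escaped = escape(value)
    sql = PREFIX + escaped + SUFFIX
    try:
        return sql[literal_end(sql, len(PREFIX) - 1):]
    except ValueError:
        return "<unterminated literal>"


if __name__ == "__main__":
    # Constructed inputs: a legitimate name with an apostrophe, the two values
    # from the thread, and a lone backslash.
    samples = ["O'Brien", "admin\\' or 1=1 -- x", "admin\\' or \\'1\\'=\\'1", "\\"]
    filters = (("quote doubling", naive_quote_doubling),
               ("mysql_real_escape_string", mysql_real_escape_string_like))
    for s in samples:
        for name, esc in filters:
            print(f"{name:25} {s!r:32} inside={stays_inside_literal(s, esc)!s:5} "
                  f"tail={parsed_tail(s, esc)!r}")
```

With quote doubling, the tail for felixia's value starts with ` or \''1\''=\''1'`, which is exactly the fragment MySQL complained about, and even a lone `\` escapes the application's closing quote. With backslash-aware escaping every sample stays inside its literal. The scanner is a test for an escaping function, not a substitute for one: the durable fix is to stop building the query from strings at all and bind the values as parameters (mysqli or PDO prepared statements in PHP), which removes the question of which characters the filter forgot.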