Re: [Full-disclosure] SQL Injection.

From: Gabbar Sing (GabbarRang_at_netscape.net)
Date: 08/20/05

    Date: Sat, 20 Aug 2005 01:42:36 -0400
    To: requiem@praetor.org (Jeremy Bishop), full-disclosure@lists.grok.org.uk
    
    

    Thanks, I would definitely check on magic_quotes, but the fact is it escapes those characters, so there's no way... it's susceptible to SQL injection. And of course, my asking this question here means the developer has not done any kind of sanitization checking. So, if SQL injection is not possible, even the XSS given below won't be the case, I guess,

    '><script>alert('ur hacked')</script>

    Thanks,

    Gabbar.

    Jeremy Bishop <requiem@praetor.org> wrote:

    >On Friday 19 August 2005 20:20, Gabbar Sing wrote:
    >> Hi,
    >>
    >> We have an internal web application written in PHP, in which the
    >> developer has got following line.
    >
    ><snip>
    >
    >> At first sight I thought it's very much vulnerable to SQL Injection,
    >> but I am just not able to demonstrate it. As when I send the
    >> character " ' " it just escapes it before sending query to db as " '
    >> " thus failing my injection.
    >
    >PHP has a feature known as magic quotes that can provide automatic
    >escaping of quotes in user-submitted data. I believe the configuration
    >variables to look at are "magic_quotes_gpc" and "magic_quotes_sybase",
    >or some variation on those; the documentation should be more revealing.
    >
    >The developer may also have manually sanitized the data; I assume you
    >have checked for that already? The ideal means of handling input would
    >be to have the code check whether magic quotes are enabled and to take
    >appropriate action based on the result of that check.
    >
    >--
    >My group's mission statement - 'You want *what* ? By *WHEN* ?'
    > -- Simon Burr
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    >Hosted and sponsored by Secunia - http://secunia.com/
    >

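Added example, not part of the original messages: backslash escaping of the kind magic_quotes_gpc performs is aimed at SQL string literals, while HTML output is a separate context with its own encoding, so the string quoted in the message is run through both here. Assumptions: addslashes() stands in for magic_quotes_gpc (the two escape the same characters), and render_field(), stays_inside_attribute() and html_encode() are hypothetical helpers written for this illustration.

```php
<?php
// Added example, not code from the thread. addslashes() stands in for
// magic_quotes_gpc, which applied the same escaping to GET/POST/cookie data.

// The string quoted in the message above, used here as constructed test input.
$raw = "'><script>alert('ur hacked')</script>";

// What the application would receive with magic_quotes_gpc enabled.
$magic = addslashes($raw);

// Hypothetical template: echoes a request value into a single-quoted attribute.
function render_field(string $value): string
{
    return "<input type='text' name='q' value='" . $value . "'>";
}

// True when the value cannot close the attribute or open a new tag.
// A backslash is not an escape character in HTML, so \' still ends the value.
function stays_inside_attribute(string $value): bool
{
    return strpbrk($value, "'<>") === false;
}

// Context-appropriate output encoding for HTML text and attribute values.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Undo the magic-quotes backslashes before encoding, so the page shows the
// user's original text rather than stray backslashes.
$display = html_encode(stripslashes($magic));

$cases = [
    'magic quotes only' => $magic,
    'html-encoded'      => $display,
];

foreach ($cases as $label => $value) {
    printf(
        "%-18s stays inside attribute: %s\n  %s\n",
        $label,
        var_export(stays_inside_attribute($value), true),
        render_field($value)
    );
}
```

For the database side, a parameterized query keeps the value out of the SQL text entirely, which removes the dependence on whether magic quotes happen to be enabled.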

