Re: Overwriting an uninitialized local variable in PHP



Kellox wrote:

A PHP script looks like this:

$sort_mode = $_GET['sort'];
if($sort_mode == 'ascendend') $query = "....";
else if($sort_mode == 'descendend') $query = "....";
...
mysql_query($query) or die();


My question is if there is a way to "initialize" the variable $query
myself as an attacker from the outside, so that I can write my own SQL
query.

Yes. If PHP has been configured with "register_globals = On" or it is an
old version where this is the default you can do something like this:
http://vulnerablesite.com/vulnerable_script.php?sort=undefined&query=select
username, password from users
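
A hardened form of the script quoted above, added here as an example and not code from either poster: $query is always assigned inside the function, and the request value only selects between fixed SQL fragments. The function name, the table and column names, and the default sort direction are assumptions, since the original queries are elided.

```php
<?php
// Added example. build_sort_query(), the "items" table and the "name"
// column are hypothetical; the thread does not show the real queries.

function build_sort_query(array $params): string
{
    // Allowlist: the only accepted 'sort' values, each mapped to a fixed
    // SQL keyword. Request data is never concatenated into the query.
    $allowed = [
        'ascendend'  => 'ASC',
        'descendend' => 'DESC',
    ];

    // Reject arrays (?sort[]=x) and missing values up front.
    $sort_mode = (isset($params['sort']) && is_string($params['sort']))
        ? $params['sort']
        : '';

    // Explicit default (an assumption): an unknown sort value can no
    // longer leave the query variable unset, so there is nothing for
    // register_globals or extract() to fill in from the request.
    $direction = $allowed[$sort_mode] ?? 'ASC';

    // $query is a local that is assigned on every code path.
    $query = "SELECT name FROM items ORDER BY name " . $direction;
    return $query;
}

// Constructed request parameters mirroring the URL in the reply above:
// an unrecognised sort value plus an extra 'query' parameter.
$constructed_request = [
    'sort'  => 'undefined',
    'query' => 'select username, password from users',
];

// The extra parameter is ignored and the default ordering is used.
echo build_sort_query($constructed_request), PHP_EOL;

// A recognised value selects the matching fixed fragment.
echo build_sort_query(['sort' => 'descendend']), PHP_EOL;
```

register_globals was removed in PHP 5.4.0, but calling extract() on $_GET or $_REQUEST in global scope recreates the same condition, so initialising every variable before use remains the fix.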
