Re: Overwriting an uninitialized local variable in PHP




You do realize the code has an operation-critical mistake in it, right?

Robert Larsen wrote:
Kellox wrote:

A PHP script looks like this:

$sort_mode = $_GET['sort'];
if($sort_mode = 'ascendend') $query = "....";
else if($sort_mode = 'descendend') $query = "....";
...
mysql_query($query) or die();


My question is if there is a way to "initialize" the variable $query
myself as an attacker from the outside, so that I can write my own SQL
query.

Yes. If PHP has been configured with "register_globals = On", or it is an
old version where this is the default, you can do something like this:
http://vulnerablesite.com/vulnerable_script.php?sort=undefined&query=select
username, password from users

---------------------------------------------------------------------------
This list is sponsored by: BigFix

If your IT fails, you're out of business - or worse. Arm your
enterprise with BigFix, the single converged IT security and operations
engine. BigFix enables continuous discovery, assessment, remediation,
and enforcement for complex and distributed IT environments in real-time
from a single console.
Think what's next. Think BigFix.

http://ad.doubleclick.net/clk;82309979;15562032;o?http://www.bigfix.com/ITNext/
---------------------------------------------------------------------------


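An added example, not part of the original thread or written by its posters: the script pattern from the question rewritten so that $query is assigned on every code path and built only from fixed strings, which leaves nothing for register_globals to pre-populate. The function name build_sort_query and the table and column names (items, id, name) are assumptions; the sample requests are constructed.

```php
<?php
// Added illustration; not code from the thread.
// Table/column names and the function name are hypothetical.

/**
 * Map the user-supplied sort mode to a complete, fixed SQL statement.
 * Request data only selects a key; no request text reaches the SQL string.
 */
function build_sort_query(array $get): string
{
    // Allow-list: the only statements this script can ever run.
    $queries = [
        'ascendend'  => 'SELECT id, name FROM items ORDER BY name ASC',
        'descendend' => 'SELECT id, name FROM items ORDER BY name DESC',
    ];

    // Read the parameter explicitly and reject non-string input
    // (for example ?sort[]=x arrives as an array).
    $mode = (isset($get['sort']) && is_string($get['sort'])) ? $get['sort'] : '';

    // Key lookup instead of if ($sort_mode = '...'), which assigns
    // rather than compares and so always takes the first branch.
    if (array_key_exists($mode, $queries)) {
        return $queries[$mode];
    }

    // Unknown or missing mode: fall back to a fixed default, so the
    // caller's $query is never left uninitialized.
    return $queries['ascendend'];
}

// Constructed sample requests, including one shaped like the URL in the thread.
$samples = [
    ['sort' => 'descendend'],
    ['sort' => 'undefined', 'query' => 'SELECT 1'],
    ['sort' => ['x']],
    [],
];

foreach ($samples as $get) {
    // $query is always assigned here, immediately before use.
    $query = build_sort_query($get);
    echo $query, PHP_EOL;
}
```

The extra "query" parameter in the second sample is ignored because the function never reads it. register_globals itself was removed in PHP 5.4, but initializing every variable before use is what closes this class of bug on any version.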
