moubik Posted November 22, 2007 Report Posted November 22, 2007 Really ?YES!What is mysql_error() ?It’s a simple function that helps developers debug their code. A piece of code may look like this: $query = “SELECT * FROM randomTable WHERE id=’”. $_GET[’id’] .”‘; mysql_query($query); echo mysql_error(); Obviously this code is vulnerable to SQL injection because $_GET[’id’] is not sanitized at all.One could inject SQL code directly into the id variable.Thus the programmer will sanitize the variable: $query = “SELECT * FROM randomTable WHERE id=’”. mysql_real_escape_string($_GET[’id’]) .”‘; mysql_query($query); echo mysql_error(); Cool, now he got rid of the SQL injection. But something else happened. I did not realize this until last night when i was testing a friend’s site. I tried an SQL injection and I saw that he properly sanitized the code, and threw an mysql_error().This gave me an idea. Could i use this to my advantage ?Well, of course i could: inject characters that will be escaped and also inject XSS code. What will this do ?It will throw an error that will contain the XSSXSS in echo mysql_error()The link may look like: http://site.com/search/aa/ASC’%20%3Cimg%20src=http:%20onerror=alert(String.fromCharCode(88,83,83))%3E/score/You can see that i inserted ‘ on purpose to be sure it will throw the error and then the XSS.I’ve used Gareth Heyes’ “unusual XSS vector” with very little change <img src=http: onerror=alert(String.fromCharCode(88,83,83)) />How does the source output look like? You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’ <img src=”http:” onerror=”alert(String.fromCharCode(88,83,83))”>’ at line 1So another function that is pure evil, mysql_error()original article: http://websecurity.ro/blog/2007/11/22/xss-in-mysql_error/ Quote
