Jump to content

bypass "mysql_real_escape_string"

pierre

By pierre
in Security

 Share

Recommended Posts

pierre Newbie

pierre

Posted
Posted (edited)

Hello,

I where wondering if someone has ever bypass this function mysql_real_escape_string

"mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. "

For example I want to inout the classic : 1' or '1'='1 in a variable encapsulated by mysql_real_escape_string function.

Is it possible ?

EDIT: even SQLMAP don't make it !!

root@osboxes:/var/www/html# sqlmap -u "http://192.168.1.1/DVWA/vulnerabilities/sqli/#" --cookie="security=medium; PHPSESSID=u669kpihv3tsblhrgqo21lcu71"

[...]

[11:06:43] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[11:06:43] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 222 times

[*] shutting down at 11:06:43

 

Edited by tot94
Link to comment
Share on other sites
digininja Grand Master

digininja

Posted
Posted

No. The whole point of the function is to prevent injection. If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.

Link to comment
Share on other sites
Broti Newbie

Broti

Posted
Posted
53 minutes ago, digininja said:

If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.

That would be like hell on earth for webhoster/webmins.

Link to comment
Share on other sites
pierre Newbie

pierre

Posted
  • Author
Posted (edited)
On 17/6/2016 at 5:31 PM, digininja said:

No. The whole point of the function is to prevent injection. If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.

Yes but if it is on level "Medium" on DVWA, it indicates that it might be bypassed ?

EDIT: I've succeed bypassing this evasion function but I don't know why...

Here is the original SQLi I want to pass:

1' OR '1'='1

I encode the space and equal in hexadecimal but not aposthophe, and it works (http://www.asciitable.com/):

Encoded SQLi: 1%20OR%201%3D1

My question is the following: why is the SQLi works even if I don't have apostrohpe in ?

Is it because equal and space aren't affected by my_real_escape_string() ?

Cf: http://php.net/manual/en/function.mysql-real-escape-string.php

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

Edited by tot94
Link to comment
Share on other sites
digininja Grand Master

digininja

Posted
Posted

These are the two important lines of code: 

$id = mysql_real_escape_string( $id );

$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";

So if you inject: 

1 or 1=1

then the statement made up is:
  

SELECT first_name, last_name FROM users WHERE user_id = 1 or 1=1;

which is a valid statement and returns all rows because of the boolean true at the end (1=1).

The reason this can get through the escape function is because there is nothing in there that needs escaping.

If the query was something like: 

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

Then you would need to break out of the single quotes and when you pass them in your id they would be escaped and you wouldn't be able to do things.

Link to comment
Share on other sites
pierre Newbie

pierre

Posted
  • Author
Posted

Yess exactly !! I try to escapte something that I didn't have to, I didn't have to encode my SQLi moreover.

Low level: 

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

Medium level:  

 $query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";

So in the medium level, our value isn't surround by quotes, so we don't have put ones :)

But if the medium level were: 

$id = mysql_real_escape_string( $id );
$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

It would have been impossible to make SQLi ?

Link to comment
Share on other sites
digininja Grand Master

digininja

Posted
Posted

I'd never say impossible but it would not be possible under normal circumstances as to break out from the single quotes you'd need your own single quote in the id but if you do that then the escape string will put a slash in front of it which stops you escaping the statement: 

id = " ' or 1=1"

would become 

id = " \' or 1=1"

which would keep you inside the variable.

Link to comment
Share on other sites
digininja Grand Master

digininja

Posted
Posted

This is where my comment on if escape string fails it is a bad day comes from. In this example it is basically stopping the injection but if if can be bypassed then everything which relies on it (if it doesn't rely on it it probably has injection already) becomes injectable.

Link to comment
Share on other sites
digininja Grand Master

digininja

Posted
Posted

The escape string function is protecting the statment from exploitation, if it failed then the statement would no longer be protected. Imagine this over the whole of the internet.

Link to comment
Share on other sites
pierre Newbie

pierre

Posted
  • Author
Posted
On 24/6/2016 at 3:01 PM, digininja said:

The escape string function is protecting the statment from exploitation, if it failed then the statement would no longer be protected. Imagine this over the whole of the internet.

you were meaning :

The escape string function is protecting the statment from exploitation, if the "escape string function" failed then the statement would no longer be protected. Imagine this over the whole of the internet.

Which I answer:

Yes but "if the escapte string statement failed" shouldn't be considered with such a function no ?

Link to comment
Share on other sites
digininja Grand Master

digininja

Posted
Posted

I still don't understand what this means, I think you are losing something in translation

 

Quote

Yes but "if the escapte string statement failed" shouldn't be considered with such a function no ?

 

Link to comment
Share on other sites
Jason Cooper Newbie

Jason Cooper

Posted
Posted
2 hours ago, tot94 said:

Yes but "if the escapte string statement failed" shouldn't be considered with such a function no ?

You should always consider what would happen if a function/statement failed, both from a security point of view and reliability point of view. Then you need to consider what the chances are that the function/statement will fail.  For something like mysql_real_escape_string the impact of it failing is very high and the chance of it failing is probably average.  Having made this judgement then you look to see if there is a better way (hint, read up on paramaterized queries).

Link to comment
Share on other sites
  • 5 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...