SQL Injection Getting around addslashes()


Satal Keto
Recommended Posts

I have set up a simple PHP script on my server which takes a GET parameter, runs it through addslashes() and then uses it as a criterion, so...

$qry = "SELECT * FROM tblTest WHERE TestID = "  . addslashes($_GET['id']);

Now I know full well that this code is vulnerable; it's designed to have some level of protection just to allow me to practice my SQL Injection.

Now the problem I am having is that I am able to get a list of all the tables by doing the following

http://homeserver/test.php?id=-1 union all select 1,table_name from information_schema.tables limit 0,1

which will get the first entry, then...

http://homeserver/test.php?id=-1 union all select 1,table_name from information_schema.tables limit 1,1

to get the second entry and so on.

The problem comes when I am trying to get a list of the columns in one of the tables (obviously I know what they are (id, testfield) but that's defeating the purpose). The SQL Injection that I would normally use to get the list of columns would be...

http://homeserver/test.php?id=-1 union all select 1,column_name from information_schema.columns where table = 'tblTest' limit 0,1

obviously I would be incrementing the limit offset to find the other columns.

Now I already mentioned I am running the GET parameter through addslashes, which won't have any problem with me doing the first set of SQL Injections as there aren't any quotes or characters which get escaped, but to get the columns I need to specify the table (well, it would be possible for me to use concat() to put the table name and column name together in the output, thereby not requiring me to specify the table, but I would like to avoid that if possible as that would take many attempts to even find the right table). Unfortunately MySQL doesn't give tables IDs, which would make it easier.

Anyway hopefully someone will know of a decent way around this problem :)

Thanks for any help in advance

Satal :D
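The core issue in the post is that addslashes() only escapes quotes, backslashes and NUL, so a payload with none of those passes straight into an unquoted numeric slot. The following added example (mine, not the poster's PHP) reimplements addslashes() in Python to show the post's first payload going through unchanged, beside a hardened handler that validates the type and binds the value as a query parameter. The sqlite3 table tblTest(TestID, testfield) is a constructed stand-in for the poster's table.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the poster's tblTest (sample data, not the original).
_DB = sqlite3.connect(":memory:")
_DB.executescript(
    "CREATE TABLE tblTest (TestID INTEGER, testfield TEXT);"
    "INSERT INTO tblTest VALUES (1, 'alpha'), (2, 'beta');"
)


def addslashes(s: str) -> str:
    """Python port of PHP addslashes(): a backslash before ' " \\ and NUL, nothing else."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


# The post's first payload: it contains no character addslashes() touches.
PAYLOAD = "-1 union all select 1,table_name from information_schema.tables limit 0,1"


def vulnerable_query(user_id: str) -> str:
    """The post's pattern: escaped value spliced into an unquoted numeric comparison.

    Because the slot is unquoted, escaping quotes is irrelevant; the caller's text
    becomes part of the SQL as-is.
    """
    return "SELECT * FROM tblTest WHERE TestID = " + addslashes(user_id)


def hardened_lookup(user_id: str):
    """Mitigation: enforce the expected type, then bind it; never splice user text into SQL.

    Returns the matching rows, or None when the input is not an integer.
    """
    if not re.fullmatch(r"-?\d+", user_id):
        return None
    # Parameter binding sends the value separately from the statement text,
    # so even a value containing SQL keywords is compared as a number, not parsed.
    return _DB.execute(
        "SELECT * FROM tblTest WHERE TestID = ?", (int(user_id),)
    ).fetchall()
```

A detection hint follows from the same observation: a log filter that only looks for quote characters in request parameters will miss this class of payload, whereas flagging SQL keywords (union, select, information_schema) in a parameter that should be numeric will catch it.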
