pierre Posted June 17, 2016 (edited)
Hello, I was wondering if someone has ever bypassed the function mysql_real_escape_string. "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a." For example, I want to input the classic 1' or '1'='1 in a variable encapsulated by the mysql_real_escape_string function. Is it possible?
EDIT: even SQLMAP doesn't make it!!
root@osboxes:/var/www/html# sqlmap -u "http://192.168.1.1/DVWA/vulnerabilities/sqli/#" --cookie="security=medium; PHPSESSID=u669kpihv3tsblhrgqo21lcu71"
[...]
[11:06:43] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[11:06:43] [WARNING] HTTP error codes detected during run: 404 (Not Found) - 222 times
[*] shutting down at 11:06:43
Edited June 17, 2016 by tot94
digininja Posted June 17, 2016
No. The whole point of the function is to prevent injection. If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.
Broti Posted June 17, 2016
53 minutes ago, digininja said: If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.
That would be like hell on earth for webhoster/webmins.
pierre Posted June 20, 2016 (edited)
On 17/6/2016 at 5:31 PM, digininja said: No. The whole point of the function is to prevent injection. If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.
Yes, but if it is on level "Medium" on DVWA, doesn't that indicate that it might be bypassed?
EDIT: I've succeeded in bypassing this evasion function but I don't know why... Here is the original SQLi I want to pass:
1' OR '1'='1
I encode the space and equal sign in hexadecimal but not the apostrophe, and it works (http://www.asciitable.com/). Encoded SQLi:
1%20OR%201%3D1
My question is the following: why does the SQLi work even if I don't have an apostrophe in it? Is it because equal and space aren't affected by mysql_real_escape_string()? Cf: http://php.net/manual/en/function.mysql-real-escape-string.php
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
Edited June 20, 2016 by tot94
digininja Posted June 20, 2016
These are the two important lines of code:
$id = mysql_real_escape_string( $id );
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
So if you inject:
1 or 1=1
then the statement made up is:
SELECT first_name, last_name FROM users WHERE user_id = 1 or 1=1;
which is a valid statement and returns all rows because of the boolean true at the end (1=1). The reason this can get through the escape function is because there is nothing in there that needs escaping. If the query was something like:
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
Then you would need to break out of the single quotes, and when you pass them in your id they would be escaped and you wouldn't be able to do things.
pierre Posted June 21, 2016
Yes, exactly!! I tried to escape something that I didn't have to; moreover, I didn't have to encode my SQLi.
Low level:
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
Medium level:
$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
So in the medium level, our value isn't surrounded by quotes, so we don't have to put any :) But if the medium level were:
$id = mysql_real_escape_string( $id );
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
It would have been impossible to do SQLi?
digininja Posted June 21, 2016
I'd never say impossible, but it would not be possible under normal circumstances, as to break out from the single quotes you'd need your own single quote in the id, but if you do that then the escape string will put a slash in front of it, which stops you escaping the statement:
id = " ' or 1=1"
would become
id = " \' or 1=1"
which would keep you inside the variable.
pierre Posted June 22, 2016
Yes, so nearly impossible ;) Thanks again for your clear explanations digininja :)
digininja Posted June 22, 2016
This is where my comment on "if escape string fails it is a bad day" comes from. In this example it is basically stopping the injection, but if it can be bypassed then everything which relies on it (if it doesn't rely on it, it probably has injection already) becomes injectable.
pierre Posted June 24, 2016
Hmm, I don't understand your explanation..
digininja Posted June 24, 2016
The escape string function is protecting the statement from exploitation; if it failed then the statement would no longer be protected. Imagine this over the whole of the internet.
pierre Posted June 27, 2016
Yes, but "if it failed" shouldn't be considered with such a function, no? However, I am aware there are other hardening steps which can be implemented.
digininja Posted June 27, 2016
Quote: Yes, but "if it failed" shouldn't be considered with such a function, no?
Not sure what you mean.
pierre Posted June 28, 2016
On 24/6/2016 at 3:01 PM, digininja said: The escape string function is protecting the statment from exploitation, if it failed then the statement would no longer be protected. Imagine this over the whole of the internet.
You were meaning: The escape string function is protecting the statement from exploitation; if the "escape string function" failed then the statement would no longer be protected. Imagine this over the whole of the internet.
To which I answer: Yes, but "if the escape string statement failed" shouldn't be considered with such a function, no?
digininja Posted June 28, 2016
I still don't understand what this means; I think you are losing something in translation.
Quote: Yes, but "if the escape string statement failed" shouldn't be considered with such a function, no?
Jason Cooper Posted June 28, 2016
2 hours ago, tot94 said: Yes, but "if the escape string statement failed" shouldn't be considered with such a function, no?
You should always consider what would happen if a function/statement failed, both from a security point of view and a reliability point of view. Then you need to consider what the chances are that the function/statement will fail. For something like mysql_real_escape_string the impact of it failing is very high and the chance of it failing is probably average. Having made this judgement, then you look to see if there is a better way (hint: read up on parameterized queries).
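The three situations discussed in this thread side by side (the escaped-but-unquoted id of DVWA's medium level, the escaped-and-quoted id digininja describes, and the parameterised query Jason Cooper hints at), as an added example that is not code from DVWA or from anyone in the thread. It simulates the escape rule quoted from the PHP manual in Python and uses an in-memory SQLite table constructed here in place of DVWA's MySQL users table.

```python
import sqlite3

# Backslash-prefix exactly the characters the PHP manual lists for
# mysql_real_escape_string(): \x00, \n, \r, \, ', " and \x1a.
# This is a simulation of the documented rule, not PHP's own code.
ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape(value: str) -> str:
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def dvwa_medium(user_id: str) -> str:
    # DVWA "medium": escaped but spliced in unquoted, so "1 or 1=1" contains
    # nothing to escape and the operators land in the statement unchanged.
    return f"SELECT first_name, last_name FROM users WHERE user_id = {escape(user_id)};"


def dvwa_quoted(user_id: str) -> str:
    # The quoted variant from the thread: the attacker's apostrophe gets a
    # backslash, so the string literal is never closed.
    return f"SELECT first_name, last_name FROM users WHERE user_id = '{escape(user_id)}';"


def sample_db() -> sqlite3.Connection:
    # Constructed stand-in for DVWA's users table (three made-up rows).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")])
    return con


def rows_medium(user_id: str) -> int:
    # Runs the escaped-but-unquoted statement as built; "1 or 1=1" returns
    # every row. The quoted variant is only shown as text: backslash escaping
    # is MySQL syntax and SQLite would reject the statement.
    return len(sample_db().execute(dvwa_medium(user_id)).fetchall())


def rows_parameterised(user_id: str) -> int:
    # The fix the thread points at: bind the value instead of splicing it
    # into the SQL text, so "1 or 1=1" is compared as one opaque value.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return len(sample_db().execute(sql, (user_id,)).fetchall())
```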
buffy Posted July 27, 2016
http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string