
pierre

bypass "mysql_real_escape_string"


Hello,

I was wondering if someone has ever bypassed this function, mysql_real_escape_string

"mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. "

For example I want to input the classic: 1' or '1'='1 in a variable encapsulated by the mysql_real_escape_string function.

Is it possible?

EDIT: even SQLMAP doesn't make it!!

root@osboxes:/var/www/html# sqlmap -u "http://192.168.1.1/DVWA/vulnerabilities/sqli/#" --cookie="security=medium; PHPSESSID=u669kpihv3tsblhrgqo21lcu71"

[...]

[11:06:43] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment')
[11:06:43] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 222 times

[*] shutting down at 11:06:43

 


No. The whole point of the function is to prevent injection. If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.

53 minutes ago, digininja said:

If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.

That would be like hell on earth for web hosters/web admins.

On 17/6/2016 at 5:31 PM, digininja said:

No. The whole point of the function is to prevent injection. If someone found a bypass then it would open holes in so many apps that it would be patched within hours if not quicker.

Yes, but if it is on level "Medium" on DVWA, it indicates that it might be bypassed?

EDIT: I've succeeded in bypassing this evasion function, but I don't know why...

Here is the original SQLi I want to pass:

1' OR '1'='1

I encode the space and equals sign in hexadecimal but not the apostrophe, and it works (http://www.asciitable.com/):

Encoded SQLi: 1%20OR%201%3D1

My question is the following: why does the SQLi work even if I don't have an apostrophe in it?

Is it because the equals sign and space aren't affected by mysql_real_escape_string()?

Cf: http://php.net/manual/en/function.mysql-real-escape-string.php

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.


These are the two important lines of code:

$id = mysql_real_escape_string( $id );

$query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";

So if you inject:

1 or 1=1

then the statement made up is:

SELECT first_name, last_name FROM users WHERE user_id = 1 or 1=1;

which is a valid statement and returns all rows because of the boolean true at the end (1=1).

The reason this can get through the escape function is because there is nothing in there that needs escaping.

If the query was something like:

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

Then you would need to break out of the single quotes and when you pass them in your id they would be escaped and you wouldn't be able to do things.


Yes, exactly!! I tried to escape something that I didn't have to; moreover, I didn't have to encode my SQLi.

Low level:

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

Medium level:

$query  = "SELECT first_name, last_name FROM users WHERE user_id = $id;";

So in the medium level, our value isn't surrounded by quotes, so we don't have to put any :)

But if the medium level were:

$id = mysql_real_escape_string( $id );
$query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

Would it have been impossible to make SQLi?


I'd never say impossible, but it would not be possible under normal circumstances: to break out from the single quotes you'd need your own single quote in the id, but if you do that then the escape string will put a slash in front of it, which stops you escaping the statement:

id = " ' or 1=1"

would become

id = " \' or 1=1"

which would keep you inside the variable.

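To make the two posts above concrete (the unquoted "medium" query that lets "1 or 1=1" through, and the quoted query where the escaped apostrophe keeps you inside the literal), here is an added example that is not DVWA's or any poster's code. It simulates the escaping the PHP manual describes, rebuilds both query shapes, and checks whether the value can close the quoted literal; the integer whitelist at the end is my own suggested check, not something from the thread. Assumption: MySQL's documented replacement letters \0 and \Z for the two control characters.

```python
# Added example (not DVWA's or any forum poster's code). It simulates the
# escaping the PHP manual describes and rebuilds the two DVWA query shapes
# from the thread to show where the escaping does and does not help.
# Assumption: MySQL's documented letters \0 and \Z for the two control chars.

ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_real_escape_string(value: str) -> str:
    """Simulated mysql_real_escape_string(): escape the seven listed chars."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def medium_query(user_id: str) -> str:
    """DVWA 'medium': value is escaped but interpolated without quotes."""
    return ("SELECT first_name, last_name FROM users WHERE user_id = "
            f"{mysql_real_escape_string(user_id)};")

def quoted_query(user_id: str) -> str:
    """Same query with the value inside single quotes, as on 'low'."""
    return ("SELECT first_name, last_name FROM users WHERE user_id = "
            f"'{mysql_real_escape_string(user_id)}';")

def literal_end(sql: str, open_quote: int) -> int:
    """Index of the quote closing the single-quoted literal that opens at
    open_quote, skipping backslash escapes the way MySQL's parser does."""
    i = open_quote + 1
    while i < len(sql):
        if sql[i] == "\\":      # escaped character: never closes the literal
            i += 2
        elif sql[i] == "'":
            return i
        else:
            i += 1
    raise ValueError("unterminated string literal")

def stays_inside_literal(user_id: str) -> bool:
    """True when the escaped value cannot close the quoted literal early."""
    sql = quoted_query(user_id)
    opening = sql.index("'")
    return literal_end(sql, opening) == len(sql) - 2   # the quote before ';'

def is_bare_integer(user_id: str) -> bool:
    """The check the unquoted query actually needs: a whitelist on the
    value's shape, since escaping alone leaves 'or 1=1' untouched."""
    return user_id.isdigit()

if __name__ == "__main__":
    print(medium_query("1 or 1=1"))          # tautology reaches the parser
    print(quoted_query("1' or '1'='1"))      # quotes neutralised
    print(stays_inside_literal("1' or '1'='1"), is_bare_integer("1 or 1=1"))
```

Parameterized queries, as suggested later in the thread, remove the need for either the escaping or the whitelist by never splicing the value into the SQL text at all.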

Yes so nearly impossible ;)

Thanks again for your clear explanations digininja :)


This is where my comment on "if escape string fails it is a bad day" comes from. In this example it is basically stopping the injection, but if it can be bypassed then everything which relies on it (if it doesn't rely on it, it probably has injection already) becomes injectable.


The escape string function is protecting the statement from exploitation; if it failed then the statement would no longer be protected. Imagine this over the whole of the internet.


Yes, but "if it failed" shouldn't be considered with such a function, no?

However, I am aware there are other hardening steps which can be implemented.

Quote

Yes, but "if it failed" shouldn't be considered with such a function, no?

Not sure what you mean.

On 24/6/2016 at 3:01 PM, digininja said:

The escape string function is protecting the statement from exploitation; if it failed then the statement would no longer be protected. Imagine this over the whole of the internet.

You meant:

The escape string function is protecting the statement from exploitation; if the "escape string function" failed then the statement would no longer be protected. Imagine this over the whole of the internet.

To which I answer:

Yes, but "if the escape string statement failed" shouldn't be considered with such a function, no?


I still don't understand what this means; I think you are losing something in translation.

 

Quote

Yes, but "if the escape string statement failed" shouldn't be considered with such a function, no?

 

2 hours ago, tot94 said:

Yes, but "if the escape string statement failed" shouldn't be considered with such a function, no?

You should always consider what would happen if a function/statement failed, both from a security point of view and a reliability point of view. Then you need to consider what the chances are that the function/statement will fail. For something like mysql_real_escape_string the impact of it failing is very high and the chance of it failing is probably average. Having made this judgement, then you look to see if there is a better way (hint, read up on parameterized queries).
