
Bypassing the mysql_real_escape_string()

January 22nd, 2010

This post covers some bonus material on MySQL injection that I have been looking at. I had written the following query:

/page.php?id=-1 union select table_name,2 from information_schema.tables
where TABLE_SCHEMA='Sc0rpion'

As you can see, the query uses a single quote. In some cases, when either magic_quotes is on or the programmer has escaped the dynamic query with the mysql_real_escape_string() function, the injected query will be blocked.
I will present two techniques that can be used in various injection queries. They cannot be called security holes, just obfuscation (remember, for instance, how the mod_security module is bypassed with various tricks).

1. ASCII equivalent bypass

I happened to run into a similar situation last night, and that is the main reason I am posting this. All that has to be done is to substitute the string with its equivalent decimal ASCII values; for example, in the link above, 'Sc0rpion' has to be converted exactly, using my online string converter:

http://sc0rpion.ir/converter.php

The converted values are placed in the URL as shown below. Our new query looks like this, and neither the mysql_real_escape_string() function nor magic_quotes will interfere with it, since it no longer contains a quote character:

/page.php?id=-1 union select table_name,2 from information_schema.tables
where TABLE_SCHEMA=char(83,99,48,114,112,105,111,110)

The query executes without any problem, and the list of tables appears in front of you (using the group_concat() function).

2. HEX equivalent bypass

There is another bypass method for loading a file with the load_file() function. If magic_quotes is enabled, you will see that the following query fails:

/page.php?id=-1 union select 1,load_file('etc/passwd')--

Since we used a single quote, for this attack to succeed the name of the file to be loaded must be converted into hex format:

load_file(0xHEX);

As you can see, there is one rule that must be observed: the 0x prefix before the hex code. To convert the string you can use the script I mentioned already, http://sc0rpion.ir/converter.php, or simply the MySQL command line:

SELECT CONCAT(HEX('c:\\boot.ini'));

Our hex code is ready:

'etc/passwd' = 0x6574632f706173737764

So we change our query:

/page.php?id=-1 union select 1,load_file(0x6574632f706173737764)--

And the file is loaded. I hope you enjoy this article. Yashar.


  Afshin Mehrabani
    May 18th, 2010 at 10:31

    Hello, useful article.

    This is true when the programmer didn't use single quotes in the MySQL query structure, like this:

    $query = "select * from table_name where id='" . $_GET['id'] . "'";

    And now you can’t use your method. :)

    Thanks, afshin
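As an added example (not the article's or the commenter's code), the following Python models the PHP escaping the post discusses and shows why it fails in the unquoted numeric context used by the two bypasses above, why the quoted form from Afshin's comment keeps the payload inside a string literal, and what an integer check and a log-side detection rule for char()/0x values look like. The escape table follows the documented behaviour of mysql_real_escape_string(); the table and column names are assumptions.

```python
import re

# Added example: models the PHP pattern the post attacks.
# mysql_real_escape_string() backslash-escapes NUL, \n, \r, \, ', " and Ctrl-Z;
# it never touches digits, commas, parentheses or letters, so char()/0x payloads pass.
_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_real_escape_string(s: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in s)

def build_query_escaped_only(user_id: str) -> str:
    """Vulnerable pattern the article targets: escaped, but the value is unquoted."""
    return "select * from pages where id=" + mysql_real_escape_string(user_id)

def build_query_quoted(user_id: str) -> str:
    """Pattern from Afshin's comment: the escaped value sits inside single quotes."""
    return "select * from pages where id='" + mysql_real_escape_string(user_id) + "'"

def is_integer_id(user_id: str) -> bool:
    """Type check a numeric parameter must pass before it reaches SQL."""
    return re.fullmatch(r"-?\d+", user_id.strip()) is not None

def build_query_typed(user_id: str) -> str:
    """Hardened form: reject anything that is not an integer, then embed the int."""
    if not is_integer_id(user_id):
        raise ValueError("id must be an integer")
    return f"select * from pages where id={int(user_id)}"

def unescaped_quote_count(sql: str) -> int:
    """Single quotes not preceded by a backslash, i.e. quotes MySQL treats as delimiters."""
    return len(re.findall(r"(?<!\\)'", sql))

def payload_intact(user_id: str) -> bool:
    """True when the unquoted query still contains the attacker's input unchanged."""
    return user_id in build_query_escaped_only(user_id)

def looks_like_encoded_literal(value: str) -> bool:
    """Detection rule for a parameter expected to be numeric: char(), 0x hex or UNION."""
    return re.search(r"\bchar\s*\(|\b0x[0-9a-f]{2,}\b|\bunion\b", value, re.I) is not None

# Constructed inputs copied from the article's queries (duplicate "from" dropped).
QUOTED_PAYLOAD = ("-1 union select table_name,2 from information_schema.tables "
                  "where TABLE_SCHEMA='Sc0rpion'")
CHAR_PAYLOAD = ("-1 union select table_name,2 from information_schema.tables "
                "where TABLE_SCHEMA=char(83,99,48,114,112,105,111,110)")
HEX_PAYLOAD = "-1 union select 1,load_file(0x6574632f706173737764)--"
```

Escaping only changes the quoted payload, while the char() and 0x payloads reach MySQL byte for byte; the typed builder and the detection rule both flag all three.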
