PHP-SECURITY: add slashes VS real escape

Category: Tutorials


Today I'm going to be talking about a security issue you run into when programming a PHP/MySQL website.

This should show you why it is very important to create your MySQL tables (and choose their character set) carefully, because it could save your website from being hacked.

So let's get started...

In GBK (a multi-byte character encoding) the byte pair 0xbf27 is NOT a valid multi-byte character, BUT the byte pair 0xbf5c IS a single, valid multi-byte character...

(0x)bf|27 is (¿)bf followed by (')27 AND
(0x)bf|5c is (¿)bf followed by (\)5c

So if you are using addslashes it is possible to get a bare single quote character into your MySQL query..

If I send the bytes 0xbf27 (¿'), addslashes puts a backslash (0x5c) in front of the quote, so the string becomes 0xbf5c27 (¿\'). Under GBK the first two bytes, 0xbf5c, are one VALID multi-byte character, so the backslash is swallowed into that character and the quote (0x27) is left standing on its own. That is how the input bypasses addslashes and lets SQL attacks through, for example via a cURL POST....


To test this security issue yourself and see if you are vulnerable, set up a PHP script on your server with a simple MySQL SELECT and use the PHP function chr() to build the input. Here is a small example (the old mysql_* extension is used here because that is what the vulnerable code looks like; it was removed in PHP 7):

<?php
// Do connection here

// Simulated form input: 0xbf 0x27, which addslashes turns into the valid
// GBK multi-byte char 0xbf5c followed by a bare quote
$_POST['username'] = chr(0xbf) . chr(0x27) .
                     ' OR username = username /*';
$_POST['password'] = 'what ever';

$sql = "SELECT *
        FROM   users
        WHERE  username = '" . addslashes($_POST['username']) . "'
        AND    password = '" . addslashes($_POST['password']) . "'";

$result = mysql_query($sql);

/*
    Login would usually be here to test for authentication
*/
?>
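Here is an added example, written for this page and not taken from the original post, that lets you check the byte-level effect offline and then shows the hardened form of the same lookup. The first part reproduces what a GBK-aware reader (such as the MySQL server with a gbk connection) makes of the addslashes() output; the second part uses mysqli with the charset set through set_charset() and a prepared statement, so the bytes are bound as data and never parsed as SQL. The function names gbk_chars, quote_survives_addslashes and find_user, the DEMO_DB_* environment variables, and the simplified GBK lead/trail byte rule are my assumptions; the users table with username and password columns comes from the snippet above.

```php
<?php
// Added example (not from the original post). Requires PHP 7.1+ and, for the
// second part only, the mysqli extension and a reachable MySQL server.

// Split a byte string the way a GBK-aware parser would: a lead byte 0x81-0xFE
// followed by a trail byte 0x40-0x7E or 0x80-0xFE is one two-byte character;
// anything else is a single byte. (Simplified GBK rule, assumed for the demo.)
function gbk_chars(string $bytes): array
{
    $chars = [];
    $n = strlen($bytes);
    for ($i = 0; $i < $n; $i++) {
        $lead = ord($bytes[$i]);
        if ($lead >= 0x81 && $lead <= 0xFE && $i + 1 < $n) {
            $trail = ord($bytes[$i + 1]);
            if (($trail >= 0x40 && $trail <= 0x7E) || ($trail >= 0x80 && $trail <= 0xFE)) {
                $chars[] = substr($bytes, $i, 2);
                $i++;            // consume the trail byte as part of this character
                continue;
            }
        }
        $chars[] = $bytes[$i];
    }
    return $chars;
}

// True when, after addslashes(), a GBK-aware reader still sees a single quote
// that is not preceded by a standalone backslash character.
function quote_survives_addslashes(string $input): bool
{
    $prevWasBackslash = false;
    foreach (gbk_chars(addslashes($input)) as $c) {
        if ($c === "'" && !$prevWasBackslash) {
            return true;
        }
        $prevWasBackslash = ($c === '\\');
    }
    return false;
}

// Constructed inputs: a plain ASCII quote, and the invalid GBK pair 0xbf 0x27.
$samples = [
    'ascii quote' => "'",
    'gbk 0xbf27'  => chr(0xbf) . chr(0x27),
];
foreach ($samples as $label => $input) {
    $escaped = addslashes($input);
    $parts   = array_map('bin2hex', gbk_chars($escaped));
    printf("%-12s addslashes -> %-8s seen as [%s]  bare quote: %s\n",
        $label, bin2hex($escaped), implode(' ', $parts),
        quote_survives_addslashes($input) ? 'YES' : 'no');
}
// Expected: "ascii quote" -> 5c27 seen as [5c 27], bare quote: no
//           "gbk 0xbf27"  -> bf5c27 seen as [bf5c 27], bare quote: YES

// Hardened lookup: tell the client library the real connection charset via
// set_charset() (a plain "SET NAMES" query does not inform the client side),
// and bind user input as parameters instead of splicing it into the SQL text.
function find_user(mysqli $db, string $username, string $password): ?array
{
    $db->set_charset('utf8mb4');
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $username, $password);   // data, never SQL
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['id' => $id, 'username' => $name] : null;
}

// Only touch a database when connection details are supplied (assumed env vars).
if (getenv('DEMO_DB_HOST') !== false) {
    $db = new mysqli(getenv('DEMO_DB_HOST'), getenv('DEMO_DB_USER'),
                     getenv('DEMO_DB_PASS'), getenv('DEMO_DB_NAME'));
    // The 0xbf27 bytes are bound as a literal username value, so no row matches.
    var_dump(find_user($db, $samples['gbk 0xbf27'], 'anything'));
}
```

Run it with `php demo.php` to see the byte split; set DEMO_DB_HOST, DEMO_DB_USER, DEMO_DB_PASS and DEMO_DB_NAME to also exercise find_user() against a test database. mysqli_real_escape_string() does take the connection charset into account once set_charset() has been called, which is the "real escape" half of this page's title, but a prepared statement removes the escaping question altogether and is the form to use.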

Date: 20-04-2011, 16:11