lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 08 Apr 2010 23:23:36 +0400
From: Владимир Воронцов
	<vladimir.vorontsov@...ec.ru>
To: Full disclosure <full-disclosure@...ts.grok.org.uk>, 
	Webappsec <webappsec@...urityfocus.com>
Subject: Chain based SQL injection

Hello Bugtraq!
Hello Full-Disclosure!

The study of security web applications stumbled on the possibility of an
attack such as the introduction of SQL injection unusual way. 

All user data, which fall into the base with a query like INSERT filtered
using the mysql_real_escape_string(). 

However, under certain circumstances, data from the database were part of
another query to the database in which they no longer held the filtration. 

Thus, through mysql_real_escape_string() to write to the database string
types: 

'Union all select version() /* 

Which is already being part of another query, which does not directly
depend on the user data already played the role of the classic SQL
injection. 

As a result, the second request, which gave the performance of operators
was as follows: 

select mixvalue from datas where name like '%' union all select version
()/*%' 

To call such a thing could be as something like "a stored SQL injection",
but in view of connectivity requests me more like the version of the "chain
based SQL injection". 

Below give the example of vulnerable code.

<?php
$con = mysql_connect(“localhost”,”user”,”pass”);
if (!$con)
{
  die(‘Could not connect: ‘ . mysql_error());
}

mysql_select_db(“dbase”, $con);

if (strlen($_GET['name'])>2) {
  $r = mysql_query(“insert into sqli values(4,
‘”.mysql_real_escape_string($_GET['name']).”‘)”);
}

$result = mysql_query(“SELECT * FROM sqli”);

while($row = mysql_fetch_array($result))
{
  echo “< p/ >User < font color=’red’>”.$row['name'].”</ font>”;
  echo “< br />”;
  $curname=$row['name'];
  $r = mysql_query(“select mixtext from datas where mixtext like
‘%”.$curname.”%’”);
  echo “< br/>Associated data:”;
  while($row = mysql_fetch_array($r))
  {
    echo “< br/>——— “.$row['mixtext'];
  }
}

mysql_close($con);
?>

Original at russian language: http://oxod.ru/?p=97

-- 
Best regards, 
Vladimir Vorontsov
ONsec security expert

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ