Re: Magic Quotes question

From: DokFLeed (dokfleed@dokfleed.net)
Date: Sat Jan 20 2007 - 04:33:03 EST


Regardless of all the possible ways and arguments,
is there an actual way to bypass Magic Quotes?
CHAR doesn't work, and %% doesn't work either,
i.e.
INTO OUTFILE 'D:/www/zin.php'
would be
INTO OUTFILE CHAR(39,68,58,47,199,199,199,47,122,105,110,46,112,104,112,39);
and will not work

any proven ideas?

cheers
Dok

----- Original Message -----
From: "Ronald Chmara" <ron@Opus1.COM>
To: "DokFLeed" <dokfleed@dokfleed.net>
Cc: <pen-test@securityfocus.com>
Sent: Friday, January 19, 2007 3:02 PM
Subject: Re: Magic Quotes question

> On Jan 16, 2007, at 11:10 PM, DokFLeed wrote:
>> Hi,
>> I posted this earlier to webappsec@securityfocus.com with no luck,
>> does anyone know how to bypass magic quotes? A proven working way.
>
> stripslashes(). :-)
>
> It's fairly easy to get a developer to put stripslashes() on a website
> too, if one just slowly adds posts that seem like they can be tracked
> back to magic quotes... "I\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \'m having
> problems...."
>
> This is why magic quotes/slashes was getting turned off all over the
> place..... excessive escaping before db inserts, as variable values were
> passed from page to page.
>
> Well, that, and the escaping wasn't data-engine specific. Some data
> engines use \', others use '', others need no ' escaping, and since many
> modern db engines can use *any* delimiter, for any language, "magic
> quotes" was simply the wrong level to apply data filtering at.
>
>> example is, in such a simple SQL like
>> "SELECT * from USERS WHERE id =$id";
>> I am looking for ways to bypass magic quotes to inject this
>> INTO OUTFILE '/home/z.php'
>
> INTO OUTFILE %/home/z.php% works, if "%" is the field delimiting
> character being used. Magic quotes totally fails in that scenario.
>
>> point is, if magic quotes can stop this, why is it going to be
>> removed in php6? it can simply stay and be activated or deactivated at
>> will.
>
> It was a great idea, in a much less complex world.
>
>> and if there is a way to bypass, I want to include it in my check
>> GET/POST inputs.
>
> Any character can be used, by many db engines, as a delimiter. It is bad
> programming practice to assume that *any* bulk filtering mechanism will
> work, so your GET/POST idea is flawed.
>
> The problem is not magic quotes.
> The problem is not replacing magic quotes.
>
> The problem *is* validating each piece of data received, and dealing with
> it in an appropriate manner, regardless of the db engine used, charset
> used, delimiters used.
>
> -Ronabop
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>
>

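Ronald's closing advice, validate each field for the context it is used in and let the database driver handle quoting rather than relying on bulk escaping, as an added example that is not from this thread or from either poster: Python with sqlite3 is assumed as a stand-in for the PHP/MySQL setup being discussed, and the addslashes() emulation, the users table and the function names are constructed for illustration.

```python
import re
import sqlite3
from typing import Optional, Tuple


def addslashes(value: str) -> str:
    """Emulates PHP's addslashes(), the transform magic_quotes_gpc applied to
    every GET/POST/COOKIE value: a backslash before ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def validate_user_id(raw: str) -> Optional[int]:
    """Per-field validation for an unquoted numeric context such as
    "WHERE id =$id": only a positive integer is acceptable. Anything else
    (the INTO OUTFILE string from the thread included) is rejected outright,
    whether or not it contains a quote for magic quotes to escape."""
    if re.fullmatch(r"[1-9][0-9]*", raw) is None:
        return None
    return int(raw)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table standing in for the USERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return conn


def fetch_user(conn: sqlite3.Connection, raw_id: str) -> Optional[Tuple[int, str]]:
    """The validated value goes in as a bound parameter, never by string concatenation."""
    uid = validate_user_id(raw_id)
    if uid is None:
        return None
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchone()


def fetch_user_by_name(conn: sqlite3.Connection, name: str) -> Optional[Tuple[int, str]]:
    """A legitimate apostrophe reaches the engine untouched: the driver quotes for
    the engine in use, so no addslashes()/stripslashes() round trip is needed."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(addslashes("I'm having problems"))               # what magic quotes did to a post
    print(fetch_user(db, "2"))
    print(fetch_user(db, "1 INTO OUTFILE '/home/z.php'"))  # None: rejected before any SQL runs
    print(fetch_user_by_name(db, "O'Brien"))
```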



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:32 EDT