Re: Magic Quotes question

From: Tim (tim-pentest@sentinelchicken.org)
Date: Mon Jan 22 2007 - 15:33:39 EST


> regardless all the possible ways and arguments,
> is there an actual way to bypass Magic Quotes?
> CHAR doesn't work, also %% doesn't work
> i.e.
> INTO OUTFILE 'D:/www/zin.php'
> would be
> INTO OUTFILE CHAR(39,68,58,47,199,199,199,47,122,105,110,46,112,104,112,39);
> and will not work
>
> any proven ideas?

The simplest answer I have for you is that bypassing magic quotes can be
done in some situations, but it largely depends on the following:

1. Which database backend you're using.

2. Where in a query you're attempting to inject, and what you're trying
    to inject.

In your case, I don't believe what you're doing can be made to work on
MySQL. However, if instead of going for the gold (writing a file for
remote execution) you accept the silver (do a UNION on other tables
with sensitive info), you can probably bypass it.

tim
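Added illustration of Tim's two points (backend and query position), not part of the original thread: a constructed in-memory SQLite table, a small emulation of PHP's addslashes()/magic_quotes_gpc escaping (assumed names `addslashes`, `lookup_*`), and the parameterized query that actually closes the hole.

```python
import sqlite3


def addslashes(s: str) -> str:
    """Emulate PHP addslashes()/magic_quotes_gpc: a backslash before ' " and \.
    (PHP also rewrites NUL bytes; omitted here, it does not affect the demo.)"""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in s)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two rows in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER, name TEXT);"
        "INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');"
    )
    return conn


def lookup_string_ctx(conn, name):
    """Quoted-string context 'protected' only by magic-quotes escaping.
    MySQL reads \' as an escaped quote; SQLite does not, so '\' becomes a
    one-character string and the rest of the input is parsed as live SQL.
    This is the 'which database backend' dependency."""
    sql = f"SELECT id, name FROM products WHERE name = '{addslashes(name)}'"
    return sorted(conn.execute(sql).fetchall())


def lookup_numeric_ctx(conn, product_id):
    """Unquoted numeric context: there is no quote to escape, so magic quotes
    changes nothing on any backend. This is the 'where in the query' point."""
    sql = f"SELECT id, name FROM products WHERE id = {addslashes(product_id)}"
    return sorted(conn.execute(sql).fetchall())


def lookup_parameterized(conn, product_id):
    """The real fix: a bound parameter is data, never SQL text, regardless of
    backend or of where in the query it lands."""
    sql = "SELECT id, name FROM products WHERE id = ?"
    return sorted(conn.execute(sql, (product_id,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    print(lookup_string_ctx(db, "' OR 1=1 --"))   # both rows: escaping did not help
    print(lookup_numeric_ctx(db, "1 OR 1=1"))     # both rows: nothing to escape
    print(lookup_parameterized(db, "1 OR 1=1"))   # []: input treated as a literal
```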

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:33 EDT