Re: Executing PHP Code from MSSQL table

From: Danux (danuxx@gmail.com)
Date: Wed Oct 17 2007 - 13:43:37 EDT


Yeah, I understand how eval works, but I am not able to change the way
the page was programmed, so maybe I can put something like -- <?
eval("phpinfo();") ?> -- inside the table field, but after that the
page will read: <img src= <? eval("phpinfo") ?> > but as a String,
always as a String.

If the PHP page had been programmed with a hard-coded "eval" like:

<img src= <? eval( getImagefromDB() ) > then after reading my code
inserted into the database, it would work!!!

So, the only thing I can do is something about XSS, as Jim Halfpenny said.

Thanks anyway!!!!

On 10/17/07, Matthew Lee Hinman <matthew.hinman@gmail.com> wrote:
> Check out using the 'eval' operator in PHP, here's the doc page:
>
> http://us2.php.net/eval
>
> From the page:
> "eval - Evaluate a string as PHP code"
>
> This should be able to do what you want.
>
> - Lee
>
>
> * Jim Halfpenny <jimsmailinglists@gmail.com> [2007-10-16 07:52:21 +0100]:
>
> >Hi,
> >The problem with this approach is that the content is most likely
> >loaded in by the PHP preprocessor, and it will not usually go back and
> >parse any code inserted. Consider this pseudocode:
> >
> >print ("print(\"World\")")
> >
> >The preprocessor will print the string print("World") but it will not
> >execute the text string as if it were code. The same is true if the
> >text string is retrieved from a database and not a literal.
> >
> >print("<img src=\"" . getImageNameFromDB() . "\">")
> >
> >What you have is an opportunity for cross-site scripting, not PHP code
> >injection.
> >
> >Regards,
> >Jim
> >
> >On 10/16/07, Danux <danuxx@gmail.com> wrote:
> >> Hi, after testing a PHP-MSSQL app, I am able to insert and update
> >> tables but I can't execute stored procedures, so I was wondering if
> >> it's possible to update a table putting something like: "phpinfo()" or
> >> (passthru("ipconfig")) in order to execute it while loading the page?
> >>
> >> I mean:
> >>
> >> Inside the HTML page the images are taken from the database, so... from a
> >> black-box perspective I think it is something like: <img src=$img> and I
> >> know where the table is which holds this image name, so I can update
> >> the table and instead of reading something like $img = picture.gif, it reads
> >> something like "phpinfo();". But as you know this is only a string;
> >> even if I update the table with: eval("phpinfo();") it's also a
> >> string .... so it doesn't get executed!!
> >>
> >> So, I would like you to help me: what can I do if I am able to insert,
> >> create and update tables but unable to run stored procedures, or bulk
> >> or bcp!!!!!
> >>
> >> Thanks!!!
> >>
> >> --
> >> Danux, CISSP
> >> Chief Information Security Officer
> >> Macula Security Consulting Group
> >> www.macula-group.com
> >>
> >> ------------------------------------------------------------------------
> >> This list is sponsored by: Cenzic
> >>
> >> Need to secure your web apps NOW?
> >> Cenzic finds more, "real" vulnerabilities fast.
> >> Click to try it, buy it or download a solution FREE today!
> >>
> >> http://www.cenzic.com/downloads
> >> ------------------------------------------------------------------------
> >>
> >>
> >
>
>

-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
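To make Jim's point concrete (the database value is rendered as text, never parsed as PHP, so the real exposure is stored XSS), here is an added PHP example that is not part of the thread. The sample rows and the helper names renderImgUnsafe, renderImgSafe and staysInsideAttribute are constructed stand-ins for the app's getImageNameFromDB() output and template code.

```php
<?php
// Added example, not from the thread. The "database" is a constructed array
// of values that someone with UPDATE rights on the image table could store.

declare(strict_types=1);

const SAMPLE_ROWS = [
    'picture.gif',                 // normal value
    'phpinfo();',                  // the thread's attempt: just text
    '<? eval("phpinfo();") ?>',    // still text; PHP never re-parses output
    'x" onerror="alert(1)',        // attribute breakout = stored XSS
];

// Vulnerable pattern from the thread: plain concatenation, no escaping.
function renderImgUnsafe(string $img): string
{
    return '<img src="' . $img . '">';
}

// Hardened form: escape for the HTML attribute context it is placed in.
function renderImgSafe(string $img): string
{
    $escaped = htmlspecialchars($img, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $escaped . '">';
}

// Defender's check: does the value stay inside the src attribute?
// The fixed wrapper is stripped; a raw ", < or > left inside the value
// means the attacker-controlled data can leave the attribute context.
function staysInsideAttribute(string $html): bool
{
    $inner = substr($html, strlen('<img src="'), -strlen('">'));
    return strpbrk($inner, "\"<>") === false;
}

foreach (SAMPLE_ROWS as $row) {
    $unsafe = renderImgUnsafe($row);
    $safe   = renderImgSafe($row);
    printf("value : %s\nunsafe: %s  [%s]\nsafe  : %s  [%s]\n\n",
        $row,
        $unsafe, staysInsideAttribute($unsafe) ? 'ok' : 'BREAKS OUT',
        $safe,   staysInsideAttribute($safe)   ? 'ok' : 'BREAKS OUT');
}
```

Running it shows 'phpinfo();' arriving in the HTML as a literal string in both renderings, while only the unescaped rendering lets the last row leave the attribute.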


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT