Re: Executing PHP Code from MSSQL table

From: Matthew Lee Hinman (matthew.hinman@gmail.com)
Date: Wed Oct 17 2007 - 01:52:53 EDT


Check out using the 'eval' operator in PHP; here's the doc page:

http://us2.php.net/eval

From the page:
"eval - Evaluate a string as PHP code"

This should be able to do what you want.

- Lee

* Jim Halfpenny <jimsmailinglists@gmail.com> [2007-10-16 07:52:21 +0100]:

>Hi,
>The problem with this approach is that the content is most likely
>loaded in by the PHP preprocessor, and it will not usually go back and
>parse any code inserted. Consider this pseudocode:
>
>print ("print(\"World\")")
>
>The preprocessor will print the string print("World") but it will not
>execute the text string as if it were code. The same is true if the
>text string is retrieved from a database and not a literal.
>
>print("<img src=\"" . getImageNameFromDB() . "\">")
>
>What you have is an opportunity for cross-site scripting, not PHP code
>injection.
>
>Regards,
>Jim
>
>On 10/16/07, Danux <danuxx@gmail.com> wrote:
>> Hi, after testing a PHP-MSSQL app, I am able to insert and update
>> tables but I can't execute stored procedures, so I was wondering if
>> it's possible to update a table putting something like: "phpinfo()" or
>> (passthru("ipconfig")) in order to execute while loading the page?
>>
>> I mean:
>>
>> Inside the HTML page the images are taken from the database, so from a
>> black box perspective I think it is something like: <img src=$img>, and I
>> know which table this image name is read from, so I can update
>> the table and, instead of reading something like $img = picture.gif, it reads
>> something like "phpinfo();". But as you know this is only a string;
>> even if I update the table with: eval("phpinfo();") it's also a
>> string .... so it doesn't get executed!!
>>
>> So, I would like your help: what can I do if I am able to insert,
>> create and update tables but unable to run stored procedures, or bulk
>> or bcp!!!!!
>>
>> Thanks!!!
>>
>> --
>> Danux, CISSP
>> Chief Information Security Officer
>> Macula Security Consulting Group
>> www.macula-group.com
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Cenzic
>>
>> Need to secure your web apps NOW?
>> Cenzic finds more, "real" vulnerabilities fast.
>> Click to try it, buy it or download a solution FREE today!
>>
>> http://www.cenzic.com/downloads
>> ------------------------------------------------------------------------
>>
>>
>

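The distinction drawn in the thread, as an added example that is not part of the original messages: a value read from the database and concatenated into `<img src=...>` is emitted as data, so the exposure is in the HTML output, and validating and encoding the value closes it. The function names, the fallback file name and the sample column values are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. $stored holds constructed sample
// values standing in for the image-name column read from the database.

// Hypothetical renderer, as the application is guessed to work in the thread:
// the column value is concatenated into the markup. PHP treats it as data.
function renderImgUnsafe(string $name): string
{
    return '<img src="' . $name . '">';
}

// Hardened renderer: accept only plain image file names, then encode for an
// HTML attribute context so quotes and angle brackets cannot alter the markup.
function renderImgSafe(string $name, string $fallback = 'placeholder.gif'): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(gif|png|jpe?g)\z/', $name)) {
        $name = $fallback; // reject anything that is not a simple file name
    }
    return '<img src="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">';
}

$stored = [
    'picture.gif',                    // expected value
    'phpinfo();',                     // PHP source stored as a string
    'picture.gif" data-injected="1',  // value containing a double quote
];

foreach ($stored as $value) {
    echo 'stored : ', $value, PHP_EOL;
    echo 'unsafe : ', renderImgUnsafe($value), PHP_EOL;
    echo 'safe   : ', renderImgSafe($value), PHP_EOL, PHP_EOL;
}
```

In the unsafe output the second value appears as literal text and the third changes the tag's attributes; neither is executed as PHP. A stored string is only evaluated as PHP if the application itself passes it to a sink such as `eval()`, so those call sites are what to look for when reviewing code that reads from the database.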




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:10 EDT