sqlmap-users

Re: [sqlmap-users] sqlmap ubuntu quote

[Bernardo D. A. G. <ber...@gm...>]

Hi Alfonso,

If the parameter where you are trying to inject is a string (e.g.
url.com/page.php?parameter=value, value is a string) you basically can
not on MySQL/PostgreSQL, but I found and documented on my blog
(bernardodamele.blogspot.com) a technique to do that on Oracle and
MSSQL.
There are a few techniques to do that by double-encoding or utf-7
encoding the single quote, but they often do not do the trick.

If the parameter is an integer so not between single quote you can
bypass magic_quotes_gpc by casting to CHAR(), or similar dbms
function, all the 'strings' in your injected SQL statement: sqlmap
does it automatically.

Cheers,
Bernardo


On Fri, Mar 6, 2009 at 11:15, alfonso caponi <alf...@gm...> wrote:
> Hi,
>
> I'm trying sqlmap against a website (Apache/2.2.8 (Ubuntu)
> PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g + mysql
> 14.12) vulnerable, written ad-hoc to test sql scanners. Sqlmap works very
> fine (with magic_quotes_gpc off), but I've a question: how can I use it (or
> others tecniques) to bypass magic_quotes_gpc check? I read from Internet
> (slides, doc, http://www.securityfocus.com/bid/32673/info ecc.) that
> magic_quotes is deprecated and not very safe... but I can't able to bypass
> it with encoding strings ecc.
>
> Have you any hints or idea?
>
> Thank you very much for your time,
> AL
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

Re: [sqlmap-users] sqlmap ubuntu quote

[Pragmatk <pra...@gm...>]

Bernardo Damele A. G. wrote:
> Hi Alfonso,
> 
> If the parameter where you are trying to inject is a string (e.g.
> url.com/page.php?parameter=value, value is a string) you basically can
> not on MySQL/PostgreSQL, but I found and documented on my blog
Depending on the charset of the schema, you can on some of the more 
exotic multi-byte charset ones. From my personal cheatsheet:

big5	[A1-F9]
sjis	[81-9F], [E0-FC]
gbk	[81-FE]
cp932	[81-9F], [E0-FC]
^-- vulnerable charsets for addslashes & others. ie big5: %a1%5c


> (bernardodamele.blogspot.com) a technique to do that on Oracle and
> MSSQL.
Interesting! Thank you for the link!

> There are a few techniques to do that by double-encoding or utf-7
> encoding the single quote, but they often do not do the trick.
Also interesting, I'll keep that in mind. Do you have any examples / 
links to posts about that?

> If the parameter is an integer so not between single quote you can
> bypass magic_quotes_gpc by casting to CHAR(), or similar dbms
> function, all the 'strings' in your injected SQL statement: sqlmap
> does it automatically.
I normally use hex notation as that takes up less bytes.
ie 0x4142434445 == 'ABCDE'

It also has the bonus that it's castable to int columns.

Joe "Pragmatk"

Re: [sqlmap-users] sqlmap ubuntu quote

[Bernardo D. A. G. <ber...@gm...>]

Hi Joe,

On Thu, Mar 26, 2009 at 13:36, Pragmatk <pra...@gm...> wrote:
> ...
> Depending on the charset of the schema, you can on some of the more exotic
> multi-byte charset ones. From my personal cheatsheet:
> ...

This is very uncommon, but it is well detailed on Chris Shiflett blog
and sla.ckers.org forum.

> Also interesting, I'll keep that in mind. Do you have any examples / links
> to posts about that?

sla.ckers.org forum and OWASP double encoding attack page.

>> If the parameter is an integer so not between single quote you can
>> bypass magic_quotes_gpc by casting to CHAR(), or similar dbms
>> function, all the 'strings' in your injected SQL statement: sqlmap
>> does it automatically.
>
> I normally use hex notation as that takes up less bytes.
> ie 0x4142434445 == 'ABCDE'

This does not work on the majority of database softwares, good to mention thus.

Regards,
-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F