SQL Injection And UTF 7 encoding
Query:- There is a web application vulnerable to SQL Injection, but the web server has added protection like magic_quotes or the application calls the function add_slashes, which means i can't insert a single quote and thus cant exploit a SQL Injection. The injection point is in a string field. Does it means, its safe??????
Answer:- To the best of my knowledge, it is safe if your application supports utf-8 encoding(which is most common). However, if it supports utf-7 encoding, it becomes vulnerable. This is best described by Chris Shifflett:-
"In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c ().
How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character, not two. Oops, there goes the backslash."
Well Done Chris..