SQL Injection And Multibyte Encodings (The addslashes() GBK Bypass)

July 5, 2007

Query: There is a web application vulnerable to SQL injection, but the web server has added protection such as magic_quotes, or the application calls addslashes(), which means I can't insert a single quote and thus can't exploit the SQL injection. The injection point is in a string field. Does that mean it's safe?

Answer: Not necessarily. Whether the escaping holds depends on the character set the database connection uses, not just on the escaping function. If the connection character set is UTF-8 (the most common case), the backslash that addslashes() inserts does its job: in UTF-8 every byte of a multi-byte character is 0x80 or above, so the ASCII bytes for the backslash (0x5c) and the single quote (0x27) can never be swallowed into a neighbouring character. With certain legacy multi-byte character sets, however, 0x5c is a legal trailing byte of a two-byte character (GBK is the classic case; Shift_JIS and Big5 have the same property), and a byte-wise escaper like addslashes() can be bypassed. The attack, using GBK, is best described by Chris Shiflett:

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

"In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c (\).

How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character, not two. Oops, there goes the backslash."

Well done, Chris.
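The following is an added example, not code from the original post or from Chris Shiflett's article, that plays the attack through at the byte level. It models three things: PHP's byte-wise addslashes(); a charset-aware escaper in the spirit of mysql_real_escape_string(), which passes valid multi-byte characters through whole and backslash-escapes a lead byte that does not form a valid character (so it cannot pair up with the backslash emitted for the quote that follows); and a simplified server-side lexer that scans a single-quoted literal the way MySQL does, consuming valid multi-byte characters whole and treating a backslash as escaping the next byte. The GBK and UTF-8 byte ranges are those of the encodings themselves; the names mbchar_len, real_escape, lex_string_literal and leaked_sql, the PREFIX query template and the PAYLOAD are all constructed for this example.

```python
# Added example: why addslashes() loses to GBK, and what a charset-aware escaper does differently.
# Everything works on bytes, because the bug is a disagreement between the escaping routine
# and the SQL lexer about where characters begin.

GBK, UTF8 = "gbk", "utf8"

def mbchar_len(charset: str, buf: bytes, i: int) -> int:
    """Length of a complete, valid multi-byte character starting at buf[i], else 0."""
    b = buf[i]
    if charset == GBK:
        # GBK: lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0x80-0xFE. 0x5C ('\') is a legal trail.
        if 0x81 <= b <= 0xFE and i + 1 < len(buf):
            t = buf[i + 1]
            if 0x40 <= t <= 0x7E or 0x80 <= t <= 0xFE:
                return 2
        return 0
    if charset == UTF8:
        # UTF-8: every byte of a multi-byte sequence is >= 0x80, so ASCII ' and \ are never swallowed.
        n = 2 if 0xC2 <= b <= 0xDF else 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF4 else 0
        if n and i + n <= len(buf) and all(0x80 <= c <= 0xBF for c in buf[i + 1:i + n]):
            return n
        return 0
    raise ValueError(charset)

def looks_like_lead(charset: str, b: int) -> bool:
    """Would this byte *start* a multi-byte character, ignoring what follows it?"""
    return (0x81 <= b <= 0xFE) if charset == GBK else (0xC2 <= b <= 0xF4)

def addslashes(s: bytes) -> bytes:
    """PHP addslashes(): byte-wise and charset-blind. Escapes ', ", \ and NUL."""
    out = bytearray()
    for c in s:
        if c == 0x00:
            out += b"\\0"
        elif c in (0x27, 0x22, 0x5C):
            out += b"\\" + bytes([c])
        else:
            out.append(c)
    return bytes(out)

def real_escape(charset: str, s: bytes) -> bytes:
    """Charset-aware escaping (modelled on mysql_real_escape_string): valid multi-byte characters
    pass through whole; a lead byte that does NOT form a valid character is itself escaped, so it
    cannot combine with the backslash we emit for a following quote."""
    out, i = bytearray(), 0
    while i < len(s):
        n = mbchar_len(charset, s, i)
        if n:
            out += s[i:i + n]
            i += n
            continue
        c = s[i]
        if looks_like_lead(charset, c):
            out += b"\\" + bytes([c])          # orphan lead byte, e.g. 0xbf followed by a quote
        elif c == 0x00:
            out += b"\\0"
        elif c in (0x27, 0x22, 0x5C):
            out += b"\\" + bytes([c])
        else:
            out.append(c)
        i += 1
    return bytes(out)

def lex_string_literal(charset: str, sql: bytes, start: int) -> tuple:
    """Scan a single-quoted literal like the server: a valid multi-byte character is consumed
    whole, a backslash escapes the next byte, an unescaped quote ends the literal.
    Returns (literal body, index just past the closing quote)."""
    assert sql[start] == 0x27
    i = start + 1
    while i < len(sql):
        n = mbchar_len(charset, sql, i)
        if n:
            i += n
        elif sql[i] == 0x5C:
            i += 2
        elif sql[i] == 0x27:
            return sql[start + 1:i], i + 1
        else:
            i += 1
    raise ValueError("unterminated string literal")

PREFIX = b"SELECT * FROM users WHERE name = '"   # constructed vulnerable query template

def leaked_sql(charset: str, escape, user_input: bytes) -> bytes:
    """Build the query the way the vulnerable application does and return what the server's
    lexer sees *after* the string literal. Anything non-empty means the input broke out."""
    sql = PREFIX + escape(user_input) + b"'"
    _, end = lex_string_literal(charset, sql, len(PREFIX) - 1)
    return sql[end:]

# Constructed payload: an orphan GBK lead byte, a quote, then an injected condition.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    for cs in (GBK, UTF8):
        for name, fn in (("addslashes", addslashes), ("real_escape", lambda s, cs=cs: real_escape(cs, s))):
            print(f"{cs:5} {name:12} -> server sees after the literal: {leaked_sql(cs, fn, PAYLOAD)!r}")
```

Under GBK, addslashes() turns the payload into 0xbf 0x5c 0x27 ...; the lexer eats 0xbf 0x5c as one character and the bare quote closes the literal, so ` OR 1=1 -- '` reaches the parser. Under UTF-8 the same bytes are harmless, and under GBK the charset-aware escaper emits 0x5c 0xbf 0x5c 0x27, which the lexer reads as an escaped 0xbf followed by an escaped quote. Note the mirror-image problem too: legitimate GBK text whose trail byte is 0x5c is corrupted by addslashes(), which doubles that byte. In practice this means the escaping routine must know the connection's character set (with MySQL, set it through the client library, e.g. mysql_set_charset(), rather than a bare SET NAMES the client never sees), and bound parameters in prepared statements avoid the whole class of problem because the data never passes through the SQL lexer at all.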

Comments

1 Comment

  • Royads says:

    Well, thank you for this post. Can you write some code which we can use to protect against any kind of SQL injection attack? I am searching for a generalized code snippet which will protect the application from any kind of SQL injection attack.

    Thanks
