SQL Injection, Getting past the magic quote

December 30, 2007

I recently encountered a SQL Injection, against a MS-SQL database. It happened to be an integer based injection.  Developers thought, that checking for a single quote(') in the input, would be sufficient to protect against SQL Injection attacks. What this meant was i can ask the server to return information like this:-

id=1 and 1=(select @@version)— 

However, becuase the application checks for single quote in input, i could not run this query successfully:-

id=1; exec master..xp_cmdshell('ping');–

This could , however be bypassed by using a simple hex encoding trick.




In the above example, there is also a small trick to bypass white space protection in the input by using /**/. 


Leave a Reply

Your email address will not be published. Required fields are marked *