SQL Injection, Getting past the magic quote
I recently encountered a SQL Injection, against a MS-SQL database. It happened to be an integer based injection. Developers thought, that checking for a single quote(') in the input, would be sufficient to protect against SQL Injection attacks. What this meant was i can ask the server to return information like this:-
id=1 and 1=(select @@version)—
However, becuase the application checks for single quote in input, i could not run this query successfully:-
id=1; exec master..xp_cmdshell('ping 127.0.0.1');–
This could , however be bypassed by using a simple hex encoding trick.
In the above example, there is also a small trick to bypass white space protection in the input by using /**/.