This is a very often discussed issue, I know, but I've recently found this vulnerability and I'm testing whether I'm resistant to such an injection; however, I'm not able to simulate that behavior. Probably I don't understand the query they're using.
The part that interests me:
The first vulnerability affects the mysql_real_escape_string()
function family which does not reject invalid multi-byte characters.
For example, in UTF-8, the "0xC8 ' ' attackersql" or "0xC8 \ '
attackersql" string is converted to "one_character ' attackersql"
(ignore spaces). So, the query:
SELECT ... WHERE v = ' mysql_real_escape_string("0xC8 ' attackersql") '
becomes:
SELECT ... WHERE v = ' 0xC8 ' ' attackersql '
SELECT ... WHERE v = 'one_character ' attackersql'
An attacker can therefore inject the attackersql command.
The question sounds pretty lame, but how can I make this injection work?
Note (edited): I'm using PHP 5.2.6, MySQL 5.0.51a (correction) and charset 'utf8' is set on DB connection.
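The advisory quoted above says the escaping function "does not reject invalid multi-byte characters"; the defensive counterpart is to validate the encoding before escaping and to escape at code-point rather than byte boundaries, so a dangling lead byte can never absorb the following quote. The following Python is an added example, not code from the post or from PHP/MySQL; the escape table and the function names (`is_valid_utf8`, `validate_and_escape`, `build_query`) are my own, and the sample inputs are constructed to mirror the shape shown in the advisory.

```python
# Added example (not from the post): reject malformed UTF-8 before escaping,
# then escape on decoded code points instead of raw bytes.

# Minimal escape table for a single-quoted SQL string literal (assumed subset).
ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def is_valid_utf8(data: bytes) -> bool:
    """True only when every multi-byte sequence in data is well-formed UTF-8."""
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def escape_for_literal(text: str) -> str:
    """Escape an already-decoded string character by character.

    Working on code points means a quote is always its own character and
    cannot be merged into a preceding, incomplete lead byte.
    """
    return "".join(ESCAPES.get(ch, ch) for ch in text)


def validate_and_escape(data: bytes) -> str:
    """Return a quoted SQL literal, or raise ValueError for invalid input."""
    if not is_valid_utf8(data):
        raise ValueError("rejected: input is not well-formed UTF-8")
    return "'" + escape_for_literal(data.decode("utf-8")) + "'"


def build_query(data: bytes) -> str:
    """Build the query from the post with a validated, escaped literal."""
    return "SELECT ... WHERE v = " + validate_and_escape(data)


if __name__ == "__main__":
    # Constructed samples: well-formed text, a plain quote, and a stray
    # 0xC8 lead byte followed by a quote (the shape quoted in the post).
    for sample in [b"caf\xc3\xa9", b"it's", b"\xc8'"]:
        try:
            print(sample, "->", build_query(sample))
        except ValueError as err:
            print(sample, "->", err)
```

The third sample is refused outright instead of reaching the escaper, which is the behaviour the advisory says the escaping function lacks. In PHP the equivalent defence is to tell the client library the connection charset through the API (mysql_set_charset(), available since PHP 5.2.3) rather than only through a SET NAMES query, so that mysql_real_escape_string() knows which byte sequences form one character, and to prefer prepared statements with bound parameters so the value never becomes part of the SQL text at all.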