
This is such an often-discussed issue, I know, but I've recently found this vulnerability and I'm testing whether I'm resistant to such an injection; however, I'm not able to simulate that behavior. Probably I don't understand the query they're using.

The part that interests me:

The first vulnerability affects the mysql_real_escape_string() function family which does not reject invalid multi-byte characters. For example, in UTF-8, the "0xC8 ' ' attackersql" or "0xC8 \ ' attackersql" string is converted to "one_character ' attackersql" (ignore spaces). So, the query:

SELECT ... WHERE v = ' mysql_real_escape_string("0xC8 ' attackersql") '

becomes:

SELECT ... WHERE v = ' 0xC8 ' ' attackersql '

SELECT ... WHERE v = 'one_character ' attackersql'

An attacker can therefore inject the attackersql command.

The question sounds pretty lame, but how can I make this injection work?

Note (edited): I'm using PHP 5.2.6, MySQL 5.0.51a (correction) and the charset 'utf8' is set on the DB connection.

chyno
  • Could you give a little context over *why* you're trying to get this to work? – eggyal Apr 22 '12 at 18:20
  • Why does it matter? He's trying to be a hacker. Just give him the answer. – Alex Gordon Apr 22 '12 at 18:22
  • As I mentioned in the question, I'm not sure whether I'm resistant to this vulnerability in my application. It seems to me that my app runs under the same circumstances as described in the article. – chyno Apr 22 '12 at 18:28
  • Thanks for your answer, I've expected such a reaction, but if you could rather try to help me than insulting me here... – chyno Apr 22 '12 at 18:36
  • @I__: I only asked because, whilst I don't know the answer to the question, I thought that perhaps there might be other ways to approach the problem given a little more context. Separately, I have no idea what policy SO have on publishing answers that outright demonstrate how to exploit known vulnerabilities? – eggyal Apr 22 '12 at 21:59
  • I would like to delete my former answer, in light of the much more detailed and knowledgeable answer posted [here](http://stackoverflow.com/a/12118602/623041), but I cannot do so whilst it is accepted. I have instead edited it with a link to that answer, but if you unaccept I will delete. – eggyal Aug 25 '12 at 17:28
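Added example (Python, not from the question or from the article it quotes) showing the check the quoted passage says the escaper lacks: reject input that is not well-formed in the connection charset before any escaping happens. In UTF-8 a continuation byte is always in 0x80..0xBF, so the "0xC8 '" sequence from the question is not a character at all and is refused rather than escaped. Function names and sample inputs are my own construction.

```python
# Added example: a charset-aware guard in front of a byte-wise quote escaper.
# The article's complaint is that the escaper accepts invalid multi-byte
# sequences; in UTF-8 a lead byte such as 0xC8 must be followed by a byte in
# 0x80..0xBF, so 0xC8 0x27 ("0xC8 '") is malformed and must be rejected.

def is_well_formed_utf8(raw: bytes) -> bool:
    """True only if every byte belongs to a complete, valid UTF-8 sequence."""
    try:
        raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def escape_utf8_for_single_quotes(raw: bytes) -> bytes:
    """Escape a UTF-8 byte string for use inside a single-quoted SQL literal.

    Unlike a charset-unaware escaper, this refuses input that is not valid
    UTF-8, so a stray lead byte can never swallow the escaping backslash.
    In valid UTF-8 the bytes 0x00, 0x0A, 0x0D, 0x27 and 0x5C only ever appear
    as stand-alone ASCII characters, never inside a multi-byte character,
    so a byte-wise pass is safe once well-formedness has been confirmed.
    """
    if not is_well_formed_utf8(raw):
        raise ValueError("rejecting malformed UTF-8 input: %r" % raw)
    out = bytearray()
    for b in raw:
        if b == 0x00:
            out += b"\\0"
        elif b == 0x0A:
            out += b"\\n"
        elif b == 0x0D:
            out += b"\\r"
        elif b == 0x27:          # single quote
            out += b"\\'"
        elif b == 0x5C:          # backslash
            out += b"\\\\"
        else:
            out.append(b)
    return bytes(out)


if __name__ == "__main__":
    # Constructed inputs: the question's malformed sequence versus a valid one.
    for sample in (b"\xc8'attackersql", "O'Brien \u00e9".encode("utf-8")):
        try:
            print(sample, "->", escape_utf8_for_single_quotes(sample))
        except ValueError as err:
            print(sample, "->", err)
```

In PHP the equivalent production fix is to tell the escaper the connection charset (mysql_set_charset rather than a bare SET NAMES) or, better, to use parameterized queries; this block only isolates the validation step.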
