SQL injection bypass PHP addslashes function – All things in moderation

SQL injection bypass PHP addslashes function


The addslashes(string) function returns a string with a backslash added in front of each of the following characters:

  • single quote (')
  • double quote (")
  • backslash (\)
  • NUL byte (0x00)

The function has often been used to prepare a string for storage in a database or for use in a database query, in the hope of preventing SQL injection. However, addslashes() works byte by byte and knows nothing about the character set of the MySQL connection. When the connection uses a multi-byte character set such as GBK, the escaping can be bypassed with an invalid multi-byte sequence. This article looks at that bypass technique.

For example, consider the URL:

http://example.com/index.php?id=1

Suppose the server runs the following PHP code (the legacy mysql_* extension, as on the original page; the flaw is in the escaping, not in the extension):

<?php
include("sql-connect.php"); // connect to MySQL (the bypass below needs a multi-byte connection charset such as GBK)
if(isset($_GET['id'])){
    $id=addslashes($_GET['id']); // "escape" the value with addslashes(), which is not charset-aware
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
}


1. Check whether the server code uses addslashes().

First, test for SQL injection with a single quote (') and a double quote ("):

http://example.com/index.php?id=1'

http://example.com/index.php?id=1"

No error occurs, because addslashes() escaped the quotes before they reached the query:

single quote escaped as: \'

double quote escaped as: \"


2. Bypass addslashes() using a multi-byte character.

In GBK (a Chinese character set), a lead byte in the range 0x81-0xFE followed by a trail byte in the range 0x40-0xFE (except 0x7F) forms one two-byte character. The backslash is 0x5C, which is a valid trail byte, so 0xBF5C and 0xAF5C are each a single valid GBK character. addslashes() does not know which character set MySQL will use to read the string, so it treats every byte on its own.

addslashes() inserts a backslash (%5c) before our quote character: a single quote (%27) becomes %5c%27 (\').

We can exploit this by sending a stray lead byte such as %bf or %af in front of the quote. With %bf%27 as input, addslashes() produces %bf%5c%27. When MySQL parses the query with the GBK character set, it reads %bf%5c as one two-byte character, which swallows the backslash; the following %27 is then an unescaped single quote, and our quote reaches the SQL parser.

Note the precondition: this only works when the MySQL connection character set is a multi-byte set in which 0x5C can be a trail byte (GBK, Big5, SJIS), for example because the application ran SET NAMES gbk. With a single-byte charset such as latin1, %bf is just one byte and the backslash still escapes the quote.

Now test by injecting %bf%27 or %af%27: the server returns a SQL error, because the string literal is no longer balanced.

That confirms the SQL injection is exploitable:

http://example.com/index.php?id=1%bf%27

The fix is not a cleverer escaping function. Use prepared statements (mysqli or PDO), and if you must escape, set the connection character set with mysqli_set_charset() so that mysqli_real_escape_string() knows it; SET NAMES alone leaves the client library unaware of the charset and the same bypass applies.
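As an added example (not code from the original page), the following Python models the byte-level behaviour described above: PHP's addslashes(), a charset-aware escape in the style of mysql_real_escape_string() once the client library knows the charset, and a simplified MySQL lexer that splits a string literal using MySQL's GBK lead/trail byte ranges. The function names, the probe() helper, the query template and the attacker payloads are constructed for this example; the lexer model handles backslash-escaped bytes and doubled quotes but ignores sequences such as \n.

```python
# Byte-level model of the addslashes() / GBK bypass. Added example, not the
# page's code. Assumptions: MySQL's GBK boundaries (lead 0x81-0xFE, trail
# 0x40-0xFE except 0x7F) and a simplified MySQL lexer in which a valid
# multi-byte character is consumed whole BEFORE the backslash check, '' inside
# a literal is a quote, and \X keeps X (escapes such as \n are not modelled).

def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE

def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0xFE and b != 0x7F

def mbchar_len(data: bytes, i: int, charset: str) -> int:
    """Length of the character starting at data[i]: 2 for a valid GBK pair,
    otherwise 1. Single-byte charsets such as latin1 always give 1."""
    if charset == "gbk" and is_gbk_lead(data[i]) and i + 1 < len(data):
        if is_gbk_trail(data[i + 1]):
            return 2
    return 1

SPECIALS = (0x27, 0x22, 0x5C, 0x00)  # ' " \ NUL: the bytes addslashes() escapes

def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): a backslash before ' " \ and NUL, byte by byte,
    with no notion of character boundaries."""
    out = bytearray()
    for b in data:
        if b in SPECIALS:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def real_escape(data: bytes, charset: str) -> bytes:
    """Charset-aware escaping, as mysql_real_escape_string() behaves once the
    client knows the connection charset: a valid multi-byte character passes
    through untouched, and a lead byte NOT followed by a valid trail byte is
    itself escaped, so it can never pair with the backslash inserted next."""
    out = bytearray()
    i = 0
    while i < len(data):
        if mbchar_len(data, i, charset) == 2:
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if (charset == "gbk" and is_gbk_lead(b)) or b in SPECIALS:
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)

def parse_literal(query: bytes, start: int, charset: str):
    """Lex the '...' literal beginning at query[start] as MySQL would under the
    given charset. Returns (value, index after the closing quote) or raises
    ValueError if the literal never terminates."""
    assert query[start] == 0x27
    value = bytearray()
    i = start + 1
    while i < len(query):
        if mbchar_len(query, i, charset) == 2:   # a multi-byte char swallows both
            value += query[i:i + 2]              # bytes, even when the 2nd is 0x5C
            i += 2
            continue
        b = query[i]
        if b == 0x5C and i + 1 < len(query):     # backslash escapes ONE byte
            value.append(query[i + 1])
            i += 2
            continue
        if b == 0x27:
            if i + 1 < len(query) and query[i + 1] == 0x27:  # '' is a quote
                value.append(0x27)
                i += 2
                continue
            return bytes(value), i + 1
        value.append(b)
        i += 1
    raise ValueError("unterminated string literal")

QUERY_PREFIX = b"SELECT * FROM users WHERE id='"   # the page's query template
QUERY_SUFFIX = b"' LIMIT 0,1"

def probe(raw_id: bytes, escape, charset: str) -> str:
    """Escape raw_id, embed it in the query and lex the literal.
    'ok'       - the literal ends at the developer's closing quote
    'injected' - it ends early, so the attacker's bytes are parsed as SQL
    'error'    - it never ends (the SQL error the page observes)"""
    query = QUERY_PREFIX + escape(raw_id) + QUERY_SUFFIX
    try:
        _, end = parse_literal(query, len(QUERY_PREFIX) - 1, charset)
    except ValueError:
        return "error"
    return "ok" if query[end:] == QUERY_SUFFIX[1:] else "injected"

if __name__ == "__main__":
    payload = b"1\xbf' OR 1=1 -- "   # constructed attacker input: 1%bf%27 OR 1=1 --
    for cs in ("latin1", "gbk"):
        print(cs, "addslashes:", probe(payload, addslashes, cs))
    print("gbk real_escape:", probe(payload, lambda d: real_escape(d, "gbk"), "gbk"))
```

Under latin1 addslashes() reports ok while under gbk the same bytes report injected, because 0xBF pairs with the inserted 0x5C and the quote escapes the literal. The page's exact probe 1%bf%27 yields error under gbk: the swallowed backslash leaves the developer's quote doubled ('') and the literal runs off the end of the query. The charset-aware escape instead emits \ followed by the stray 0xBF, so the lexer consumes that byte as an escaped literal and the quote stays escaped.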
