HellBound Hackers | Computer General | Web hacking

Author: Guest (Member)

Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 25-06-09 02:53
1. I read somewhere that you can still bypass PHP filtering functions such as htmlentities using special Unicode letters. Is this true, and if so which ones are used and how do I filter them out?

2. Is the code below (PHP) sufficient for filtering out poison null bytes from a string?

Code

function r($str)
{
    // Remove every NUL byte (chr(0)) from the string.
    return str_replace(chr(0), "", $str);
}

3. Say you're performing an SQL injection:

http://site.com/index.php?page=-5+union+select+1,2,3,4,5,password--

What columns would the "select 1,2,3,4,5" retrieve from the database?


5. I heard that addslashes can be bypassed. If so, how is that done and how can I protect against it?


6. Is mysql_real_escape_string foolproof (meaning as in it cannot be bypassed) ?
Let's say you could bypass that function, then would an extra check (look at the code below) suffice?

Code

<?php

$query = mysql_query("select * from users where username = '" . mysql_real_escape_string($_GET['username']) . "' and password = '" . mysql_real_escape_string($_GET['password']) . "' limit 1");

if (mysql_num_rows($query) == 1) // first check
{
    $data = mysql_fetch_assoc($query);

    if ($data['username'] == $_GET['username'] && $data['password'] == $_GET['password']) // second check
    {
        // perform authentication
    }
}

?>



Author: Mr_Cheese (Uber Elite; Posts: 2468; Location: Brighton, UK; Joined: 30.11.04)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 25-06-09 13:23
I don't have long, so I'll just quickly answer 2 of your questions.


3. Say you're performing an SQL injection:

http://site.com/index.php?page=-5+union+select+1,2,3,4,5,password--

What columns would the "select 1,2,3,4,5" retrieve from the database?


1,2,3,4 are the same as just doing null,null,null. It just makes it easier to see your column count. Nothing will be returned; the only things returned are the fields you specify.



5. I heard that addslashes can be bypassed. If so, how is that done and how can I protect against it?


Addslashes can be bypassed with certain characters, such as... I recall an upside-down question mark could be used as a ' which would bypass the slashes.

hope that helps.
http://www.hellboundhackers.org/
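The check from the original post (question 6) and the addslashes weakness Mr_Cheese mentions both become irrelevant once user input never becomes part of the SQL text. The following PHP is an added example, not code from the thread: the same login written with PDO prepared statements and a hashed password. It assumes the pdo_sqlite extension and uses an in-memory SQLite database with a constructed user so it runs offline; the MySQL DSN in the comment is illustrative.

```php
<?php
// Added example, not code from the thread: the login check from the original
// post (question 6) done with bound parameters instead of
// mysql_real_escape_string() plus a second string comparison. Uses an in-memory
// SQLite database so it runs offline (assumption: the pdo_sqlite extension is
// loaded); the table, user and inputs below are constructed for the demo.
declare(strict_types=1);

function open_db(): PDO
{
    // For MySQL this would be e.g.
    //   new PDO('mysql:host=db;dbname=app;charset=utf8mb4', $user, $pass);
    // Declaring the charset in the DSN keeps the driver's idea of the connection
    // encoding in step with the server's, which escaping-based approaches such
    // as addslashes() could not guarantee.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

    // Constructed sample user; only a password hash is stored, never the clear text.
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Returns the user id on success, null otherwise.
 * The username travels to the database as a bound value, never as part of the
 * SQL text, so quote characters in it cannot change the statement. The password
 * is checked with password_verify() in PHP, not compared inside the query.
 */
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return password_verify($password, $row['password_hash']) ? (int) $row['id'] : null;
}

$db = open_db();

// Constructed inputs: a valid login, a wrong password, and a username carrying
// a quote and an OR clause, which the bound parameter treats as a literal name.
$cases = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
];
foreach ($cases as [$username, $password]) {
    $id = authenticate($db, $username, $password);
    printf("%-24s %s\n", json_encode($username), $id === null ? 'rejected' : "accepted as user id $id");
}
```

Run it from the command line with php. Only the first input is accepted: the third is looked up as a plain username and matches no row, and because the database holds a hash rather than the password, the original post's second check (comparing the clear-text password from $_GET with the row) has nothing to compare against and is not needed. With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so that the server rather than the client driver does the parameter handling.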
Author: Mr_Cheese (Uber Elite; Posts: 2468; Location: Brighton, UK; Joined: 30.11.04)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 25-06-09 18:08
system_meltdown wrote:
Selecting 1,2,3,4,5 is not the same as selecting nulls.


ah interesting.

thanks for sharing!
Author: Guest (Member)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 25-06-09 18:38
I agree - security should be first priority. When I'm developing dynamic websites that interact with databases, I go way over the top with security checks and everything. I probably don't need that many and probably could do with less, but that would mean less security.

In my opinion you can never have too much security, unless of course the script is so heavy that it slows or crashes the server. But that doesn't seem to be a problem with me so far. Most of my scripts probably are resource-heavy, but it's worth it in the end because I have increased security.

Heh... if I ever lost those precious files I'm gonna kill myself Shock
Author: Guest (Member)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 25-06-09 19:47
Mr_Cheese wrote:
system_meltdown wrote:
Selecting 1,2,3,4,5 is not the same as selecting nulls.


ah interesting.

thanks for sharing!

Pfft, you're such a know-it-all, system! lol


Author: SySTeM (HBH Guru; Posts: 1524; Location: England, UK; Joined: 27.07.05)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 25-06-09 20:21
MoshBat wrote:
I tend to add another few filters before mysql_real_escape_string(), as you never know if there is a bug/exploit/whatever that has yet to be published.
And I use preg_replace() rather than str. I'm not quite sure why, just one of those things, I suppose.
Null bytes do affect some newer versions of PHP, depending on the script, so I hear.

Finally, it's worth it, I think, to go way over the top security-wise.
Time consuming, repetitive and quite often mind-numbing, but better than having to start afresh, should you leave something lying open.

Edit:
Fucking useless keyboard.


You talk about optimising code, yet you use preg_replace() when regex is not needed, do you know how much resources this wastes?! Use str_replace if you're not using regular expressions, it saves time and memory.



http://www.elites0ft.com/
Author: SySTeM (HBH Guru; Posts: 1524; Location: England, UK; Joined: 27.07.05)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 25-06-09 20:49
MoshBat wrote:
system_meltdown wrote:
MoshBat wrote:
I tend to add another few filters before mysql_real_escape_string(), as you never know if there is a bug/exploit/whatever that has yet to be published.
And I use preg_replace() rather than str. I'm not quite sure why, just one of those things, I suppose.
Null bytes do affect some newer versions of PHP, depending on the script, so I hear.

Finally, it's worth it, I think, to go way over the top security-wise.
Time consuming, repetitive and quite often mind-numbing, but better than having to start afresh, should you leave something lying open.

Edit:
Fucking useless keyboard.


You talk about optimising code, yet you use preg_replace() when regex is not needed, do you know how much resources this wastes?! Use str_replace if you're not using regular expressions, it saves time and memory.

You're assuming that I choose to use it over str_replace. I don't.
I usually have many things that need replacing, and tend to do them all at once, which ends up being more efficient than str.


I'm not assuming. You said it.

"And I use preg_replace() rather than str. I'm not quite sure why, just one of those things, I suppose."


Author: Guest (Member)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 25-06-09 20:58
but to be safe you could str_replace %00 in the string.


Hmm, I think you would need to replace \0 or \\0.
Author: SySTeM (HBH Guru; Posts: 1524; Location: England, UK; Joined: 27.07.05)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 25-06-09 21:06
winkleer wrote:
but to be safe you could str_replace %00 in the string.


Hmm, I think you would need to replace \0 or \\0.


The IDS I built for Elites0ft checks for %00 in the $_GET variable, and works fine: http://www.elites. . .lah.php%00


Author: Guest (Member)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 26-06-09 06:52
system_meltdown wrote:
winkleer wrote:
but to be safe you could str_replace %00 in the string.


Hmm, I think you would need to replace \0 or \\0.


The IDS I built for Elites0ft checks for %00 in the $_GET variable, and works fine: http://www.elites. . .lah.php%00


Smooth way to introduce elites0ft (damn spammer!) lol Wink j/k


Author: ranma (Active User; Posts: 273; Location: Behind a sphere; Joined: 27.08.05)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 26-06-09 17:23
winkleer wrote:
but to be safe you could str_replace %00 in the string.


Hmm, I think you would need to replace \0 or \\0.


Er... Does it matter?


Wisdom spared is wisdom squared.
Author: Guest (Member)

RE: Five Questions (SQL Injection, XSS, Null Bytes)

Posted on 26-06-09 21:11
system_meltdown wrote:
winkleer wrote:
but to be safe you could str_replace %00 in the string.


Hmm, I think you would need to replace \0 or \\0.


The IDS I built for Elites0ft checks for %00 in the $_GET variable, and works fine: http://www.elites. . .lah.php%00


Interesting. My results say otherwise. Maybe it's just the config.

Code

<?php
// ?page=test%00

echo strstr($_GET["page"], "%00") ? "strstr found %00\n" : NULL;
echo strstr($_GET["page"], "\0") ? "strstr found \\0\n" : NULL;
echo strstr($_GET["page"], "\\0") ? "strstr found \\\\0\n" : NULL;  // returns true

echo str_replace("%00", "nullwashere", $_GET["page"]) == "testnullwashere" ? "str_replace found and replaced %00\n" : NULL;
echo str_replace("\0", "nullwashere", $_GET["page"]) == "testnullwashere" ? "str_replace found and replaced \\0\n" : NULL;
echo str_replace("\\0", "nullwashere", $_GET["page"]) == "testnullwashere" ? "str_replace found and replaced \\\\0\n" : NULL;  // returns true

?>

ranma wrote:
winkleer wrote:
but to be safe you could str_replace %00 in the string.


Hmm, I think you would need to replace \0 or \\0.


Er... Does it matter?


Yes it does.
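The disagreement above (whether a check for %00 works, and whether \0 or \\0 is the thing to replace) comes down to which copy of the input is inspected, and it also answers question 2 of the original post. The following PHP is an added example, not code from the thread: it builds the three forms of one constructed URL value and shows what each contains, then gives a check that does not depend on the server configuration. Names such as null_byte_report() and has_null_byte() are this example's own.

```php
<?php
// Added example, not code from the thread: why looking for "%00", "\0" and
// "\\0" gives different answers depending on which copy of the input is
// inspected. The URL value below is constructed; no web server is needed.
declare(strict_types=1);

// What arrives on the wire (the form $_SERVER['QUERY_STRING'] keeps, undecoded).
const RAW_QUERY_VALUE = 'page=test%00';

function has_substring(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) !== false;
}

/**
 * Builds three views of the same input and reports which pattern each contains:
 *   raw     - the undecoded query string, where "%00" is three characters;
 *   decoded - what PHP stores in $_GET after URL-decoding: a real NUL byte;
 *   slashed - the decoded value after addslashes(), which is what the old
 *             magic_quotes_gpc setting (removed in PHP 5.4) applied to request
 *             data: NUL becomes the two characters backslash and zero.
 */
function null_byte_report(string $raw_query): array
{
    $raw     = substr($raw_query, strlen('page='));
    $decoded = urldecode($raw);
    $slashed = addslashes($decoded);

    $report = [];
    foreach (['raw' => $raw, 'decoded' => $decoded, 'slashed' => $slashed] as $view => $value) {
        $report[$view] = [
            'hex'        => bin2hex($value),
            'percent00'  => has_substring($value, '%00'),
            'nul'        => has_substring($value, "\0"),
            'backslash0' => has_substring($value, '\\0'),  // single-quoted: backslash, zero
        ];
    }
    return $report;
}

/**
 * Rejecting is safer than stripping: a NUL byte is never legitimate in a page
 * name, filename or username. The decoded value is the one the application
 * actually uses; the raw query string is a second signal worth logging.
 */
function has_null_byte(string $decoded_value, string $raw_query = ''): bool
{
    return has_substring($decoded_value, "\0") || has_substring($raw_query, '%00');
}

foreach (null_byte_report(RAW_QUERY_VALUE) as $view => $r) {
    printf("%-8s hex=%-14s %%00:%-4s NUL:%-4s \\0:%s\n",
        $view, $r['hex'],
        $r['percent00'] ? 'yes' : 'no',
        $r['nul'] ? 'yes' : 'no',
        $r['backslash0'] ? 'yes' : 'no');
}

// The original post's r() strips chr(0). That is right for the decoded value,
// but it finds nothing in the slashed form, which is one way the thread's
// results could differ between configurations.
$decoded = urldecode('test%00');
printf("strip chr(0) from decoded: %s\n", bin2hex(str_replace(chr(0), '', $decoded)));
printf("strip chr(0) from slashed: %s\n", bin2hex(str_replace(chr(0), '', addslashes($decoded))));
printf("reject this request? %s\n", has_null_byte($decoded, RAW_QUERY_VALUE) ? 'yes' : 'no');
```

A check that finds the literal text "%00" must be reading the undecoded query string, since $_GET already holds the decoded byte; a check on $_GET has to look for "\0", and only input that has been through addslashes() (or magic_quotes_gpc) shows the backslash-zero form. Checking the decoded value for the NUL byte and rejecting the request covers the case the application cares about regardless of which of the three the server hands you.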