Development, Analysis And Research


More on SQL Injection…

Posted in General by Andrew Johnstone on August 1st, 2006

I wrote this a while ago whilst playing with SQL injection; it is a little unfinished, but the idea was to try to write out entire files through an SQL injection attack.

I thought I would expand on my previous post, Exceptions, Exceptions, Exceptions, and see what is possible with a simple SQL injection attack. I will base this on the assumption that if you’ve managed to overlook an arbitrary SQL injection attack, there will also be vulnerable output somewhere.

  <?php
  // As posted: id is cast to an integer, but the search term goes into the
  // Title='...' literal unescaped, so q controls the rest of the statement.
  $id = (!empty($_REQUEST['id']))? (int) $_REQUEST['id'] : 0;
  $SearchTerm = (isset($_REQUEST['q']))? $_REQUEST['q'] : null;

  if ( $id!=0 && !empty($SearchTerm) ) {
    $SQL = "SELECT id, StartDate, EndDate, Title FROM Table_One WHERE id={$id} AND Title='{$SearchTerm}';";
    // mysql_query() sends a single statement, so a stacked query cannot be
    // appended through q; any injection has to live inside this one SELECT.
    $Query = mysql_query($SQL) or die('Query Error: '.mysql_error());
    $Row = mysql_fetch_array($Query, MYSQL_ASSOC);

    // Whatever ends up in Title is printed back: the "vulnerable output".
    if(!empty($Row['Title'])) {
      print $Row['Title'];
    }
  }

A couple of experiments with SQL injection. (LOAD DATA INFILE reads the named file from the database server's own filesystem and requires the FILE privilege; the "Access denied" error below is what MySQL returns when the account lacks that privilege, regardless of the password being correct.)

LOAD%20DATA%20INFILE%20'/home/httpd/vhosts/ajohnstone.com/httpdocs/index.php'%20INTO%20TABLE%20test.OUTRUN;
LOAD DATA INFILE '/root/.bash_profile' INTO TABLE test.OUTRUN;

string(96) "LOAD DATA INFILE '/home/httpd/vhosts/ajohnstone.com/httpdocs/index.php' INTO TABLE test(Output);"
Query Error: Access denied for user 'user@'localhost' (using password: YES)
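The following is an added example and not code from the original post. It rebuilds the page's query over an in-memory SQLite database through PDO (assumed to be available in the PHP build) so the injection can be reproduced offline, and puts the vulnerable pattern beside a parameterised version of the same query. The table layout, the sample row, the function names and the payload are all constructed for the demonstration.

```php
<?php
// Added example, not from the original post. PDO with the sqlite driver is assumed;
// the table contents and the payload below are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Table_One (id INTEGER, StartDate TEXT, EndDate TEXT, Title TEXT)');
$pdo->exec("INSERT INTO Table_One VALUES (1, '2006-08-01', '2006-08-07', 'Summer sale')");

// The page's pattern: id is cast to int, but q is pasted into the Title='...' literal.
function vulnerable_title(PDO $pdo, $id, $q)
{
    $id  = (int) $id;
    $sql = "SELECT id, StartDate, EndDate, Title FROM Table_One WHERE id={$id} AND Title='{$q}'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['Title'] : null;
}

// Hardened form: the same query with bound parameters, so q is only ever compared
// as data and can never change the structure of the statement.
function safe_title(PDO $pdo, $id, $q)
{
    $stmt = $pdo->prepare('SELECT id, StartDate, EndDate, Title FROM Table_One WHERE id = ? AND Title = ?');
    $stmt->execute(array((int) $id, $q));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['Title'] : null;
}

// Constructed payload: closes the Title literal, UNIONs in a row whose fourth column
// is whatever the attacker wants printed as the Title, and comments out the trailing
// quote. Against MySQL that fourth column could be LOAD_FILE('/etc/passwd'), which
// needs the same FILE privilege as LOAD DATA INFILE.
$payload = "x' UNION SELECT 1, 2, 3, 'attacker controlled' -- ";

print 'legitimate:    ' . var_export(vulnerable_title($pdo, '1', 'Summer sale'), true) . "\n";
print 'injected:      ' . var_export(vulnerable_title($pdo, '1', $payload), true) . "\n";
print 'parameterised: ' . var_export(safe_title($pdo, '1', $payload), true) . "\n";
```

Run it with the php CLI. The first call prints the real title, the second prints the attacker's string in the Title slot (the "vulnerable output" the post relies on), and the third prints NULL because no Title equals the payload text. Since mysql_query() in the original sends a single statement, a stacked `'; LOAD DATA INFILE ...` appended to q never executes there either; the injection has to fit inside the one SELECT, and any file read then depends on the MySQL account holding the FILE privilege, which the "Access denied" result above shows it does not.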

Serialized Objects, Heredoc, and strings…

Posted in General by Andrew Johnstone on August 1st, 2006

It’s been some time since I last posted, due to a rather hectic schedule, and today I fly off to Loret De Mar, Spain for a week with the lads and two weeks after that to Miami. I’m sure this will help to take my mind off things.

As with anything, you constantly learn from your mistakes and encounter various challenges, and I have found that there are some problems with PHP itself on a recent and ongoing project.

Serialized Objects, Heredoc, and strings. (PHP Version 4.3.2)
Writing a serialized object to a flat published file can have its benefits; however, the file can become exceptionally large. One of the fundamental issues I found was that a fairly large serialized object inside the heredoc syntax would halt execution of PHP. Apache would log memory limit errors in the Apache logs, whereas base64 encoding the serialized object, placing it within a string literal and decoding it on load would execute fine. From observation, the fault would occur right at the closing chevrons.
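The following is an added example, not code from the original post, showing the workaround described above: the serialized object is published to a flat PHP file as a base64 string literal rather than inside a heredoc, and loaded back with an include. The class, the helper names and the file path are assumptions; fopen()/fwrite() are used rather than file_put_contents() so it also runs on the PHP 4.3 mentioned above.

```php
<?php
// Added example, not from the original post. PublishedPage, the helper names and
// the path are assumed; the data written is constructed.

class PublishedPage {
    var $title;
    var $items = array();
}

// Write $obj to $file as PHP source. base64 output is only [A-Za-z0-9+/=], so the
// literal needs no escaping and contains nothing that could be mistaken for a
// heredoc delimiter, however large the object gets.
function publish_object($obj, $file)
{
    $literal = base64_encode(serialize($obj));
    $src = "<?php\n\$published = unserialize(base64_decode('" . $literal . "'));\n";
    $fp = fopen($file, 'wb');
    if (!$fp) {
        return false;
    }
    $ok = (fwrite($fp, $src) !== false);
    fclose($fp);
    return $ok;
}

// Load it back. Only include files this code wrote itself and keep them unwritable
// by other users: unserialize() on attacker-controlled data is an object-injection
// risk, so the published file must be treated as code, not as data.
function load_object($file)
{
    $published = null;
    include $file;   // defines $published
    return $published;
}

$page = new PublishedPage();
$page->title = 'Listings';
$page->items = array('one', 'two', 'three');

$file = '/tmp/published_page.php';   // assumed path
if (publish_object($page, $file)) {
    $copy = load_object($file);
    print $copy->title . ' (' . count($copy->items) . " items)\n";
}
```

The class has to be defined before the include runs, otherwise unserialize() produces an incomplete-class placeholder instead of a PublishedPage.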

URLs with a double slash at the beginning

A single leading slash points to the site’s root directory, e.g.

<a href="/root_script.php">/root</a>

I’m quite surprised I’ve never encountered this issue before; however, you can end up with URLs that point to http://directory_name/script_name.php when the target is actually http://www.thehistorychannel.co.uk//directory_name/script_name.php, for example (note the double slash at the root directory).

When the script’s action simply contains:

<?php
// As posted: PHP_SELF is echoed straight into the attribute, unescaped
// (the inner quotes are escaped here so the line parses).
print "<form action=\"{$_SERVER['PHP_SELF']}\" method=\"post\">";
?>

I’m not sure if anyone else has encountered this problem?
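An added example, not code from the original post, that explains the behaviour above and hardens the snippet. A browser treats a URL beginning with `//` as a network-path (scheme-relative) reference, so when the request path is //directory_name/script_name.php, PHP_SELF reflects that path verbatim and the form action resolves to http://directory_name/script_name.php, exactly as observed. Because PHP_SELF reflects the request path, PATH_INFO included, without escaping, the helper also HTML-escapes it. The helper name and the sample request paths are assumptions.

```php
<?php
// Added example, not from the original post. form_action() is an assumed helper;
// the sample request paths are constructed.

function form_action($php_self)
{
    // Collapse any run of leading slashes to one, so "//dir/x.php" is a site-relative
    // path again rather than the scheme-relative URL "//dir/x.php" (host "dir").
    $path = '/' . ltrim($php_self, '/');
    // PHP_SELF echoes the request path, PATH_INFO included, so escape it for HTML.
    return htmlspecialchars($path, ENT_QUOTES);
}

// Constructed request paths: the normal case, the double-slash case from the post,
// and a PATH_INFO suffix carrying markup.
$samples = array(
    '/directory_name/script_name.php',
    '//directory_name/script_name.php',
    '/directory_name/script_name.php/"><b>x</b>',
);
foreach ($samples as $self) {
    print '<form action="' . form_action($self) . '" method="post">' . "\n";
}

// In the real script the call becomes:
// print '<form action="' . form_action($_SERVER['PHP_SELF']) . '" method="post">';
```

If the form only ever posts back to itself, an empty action (`action=""`) sidesteps both problems, since the browser then posts to the document's own URL.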