
I'm trying to understand, for educational purposes, how a website can be hacked when it uses addslashes in PHP with MySQL.

After reading this topic and this topic, I am trying to understand how it can be bypassed with something like 0xbf27, which is converted to 0xbf5c27 by addslashes.

So I manually execute a query to set the character set:

set character set 'gbk'; 

The character for this purpose must be one that is bf27. According to what they say in the above topics it must be converted to something like bf5c27, but when I test it in my lab with PHP code like this:

$query  = "SELECT first_name, last_name FROM users WHERE user_id = '".addslashes($id)."';";
echo $query;
$result = mysql_query($query) or die( '<pre>' . mysql_error() . '</pre>' );

And when I insert in my text field, the exact query that executes is:

SELECT first_name, last_name FROM users WHERE user_id = '뼧';

So it seems that nothing special happened!

After this I try to build another PHP script to understand what is going on, so I build a simple script without any MySQL execution (test.php) like:

<html>
 <head>
  <title>PHP Test</title>
 </head>
 <body>
 <?php
 $command = $_REQUEST['id'];
 $output = addslashes($command);
 echo "<pre>$output</pre>";
 ?>
 </body>
</html>

Then I execute the file with a URL like:

http://127.0.0.1/test.php?id=뼧

And as you can see from the above PHP code, it echoes:

뼧 

The hex code of the above 3 characters is:

eb bc a7

Well, I'm just thinking about what happened.

My questions are :

  1. What is the 뼧 that it showed me? (It seems unusual because it doesn't contain anything like 5c or 27.)

  2. Why doesn't the first script show something like the above three characters in echo $query;?

  3. How can I really perform it like they describe (in the above 2 topics)?

Update 1: Thanks to what Goktay Kaykusuz says, I understand that I have a problem with my encoding. The PoC for it is that I tested it in the Terminal and it results in:

<html>
 <head>
  <title>PHP Test</title>
 </head>
 <body>
 <pre>뼧</pre> </body>
</html>

So I understand that it converts the result to UTF-8 (in Chrome), but in the Terminal it works normally.

But the problem is still there, because it works without any wonderful bypass (it is just what a simple string should be).

2 Answers


Funny thing, I've experimented with an online encoding converter. I think you have an encoding problem on the client side.

When I embedded the string inside the PHP code, it worked.

$test_var = chr(0xbf) . chr(0x27);
echo bin2hex(addslashes($test_var));

Resulted in: bf5c27

The problem is when you get the variable from the URL:

 after addslashes() results in ebbca7

¿' after addslashes() results in bf5c27

but the online encoding converter shows bf27 for and bf 27 for ¿'.

Can you set the encoding of your PHP configuration to GBK and UTF-8 in php.ini, then try with the ¿' characters again? The examples in the links that you've given do not echo the output directly, so the output might have got scrambled on the client side, as I mentioned.

Göktay K.
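To make the encoding point in this answer and the "nothing special happened" observation in the question concrete, here is an added example (not code from the question, either answer, PHP or MySQL) that emulates addslashes() at the byte level in Python and then reads the resulting query bytes the way a single-byte charset and a GBK-configured server would. It assumes that Python's gbk codec splits bytes into characters the same way the MySQL server does once the connection character set is gbk, and that the latin-1 view is a fair stand-in for the single-byte charset addslashes() implicitly assumes; the payloads are constructed for the demonstration.

```python
import binascii

# Added example, not anyone's posted code. Assumption: Python's "gbk" codec
# draws the same character boundaries as a MySQL server whose connection
# character set is gbk; "latin-1" stands in for a single-byte charset.


def addslashes(data: bytes) -> bytes:
    """Byte-for-byte emulation of PHP's addslashes(): a 0x5c byte is put in
    front of every 0x27 ('), 0x22 ("), 0x5c (\\) and 0x00 byte. It knows
    nothing about character boundaries, which is the whole problem."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def browser_bytes(text: str) -> bytes:
    """What a UTF-8 form or URL submission really sends for `text`. Typing
    U+BF27 (the Hangul 뼧 from the question) yields eb bc a7, not the raw
    byte pair bf 27, so addslashes() never sees a 0x27 byte."""
    return text.encode("utf-8")


def build_query(user_id: bytes) -> bytes:
    """Same query shape as the vulnerable script in the question."""
    return (b"SELECT first_name, last_name FROM users WHERE user_id = '"
            + addslashes(user_id) + b"';")


def count_unescaped_quotes(raw: bytes, charset: str) -> int:
    """Count single quotes that a parser decoding `raw` in `charset` treats
    as string delimiters. A quote after a backslash *character* is escaped;
    a 0x5c byte swallowed into a two-byte GBK character is not a backslash
    at all, so the quote after it is live."""
    text = raw.decode(charset, errors="replace")
    count, escaped = 0, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            count += 1
    return count


def gbk_view(raw: bytes) -> str:
    """The bytes as a GBK-configured server reads them (strict decode)."""
    return raw.decode("gbk")


# Constructed payloads for the demonstration.
SAFE_INPUT = b"1' OR 1=1 -- "        # plain ASCII: addslashes() is enough
ATTACK_INPUT = b"\xbf' OR 1=1 -- "   # starts with bf 27: the GBK bypass


if __name__ == "__main__":
    print("bytes the browser sent in the question:",
          binascii.hexlify(browser_bytes("\ubf27")).decode())
    for label, payload in (("safe", SAFE_INPUT), ("attack", ATTACK_INPUT)):
        q = build_query(payload)
        print(f"{label}: latin-1 view -> {q.decode('latin-1')!r}")
        print(f"{label}: gbk view     -> {gbk_view(q)!r}")
        print(f"{label}: live quotes in gbk view: "
              f"{count_unescaped_quotes(q, 'gbk')}")
```

Running it shows why the question saw nothing special: the browser turned "bf27" into the UTF-8 sequence eb bc a7, which contains no quote byte for addslashes() to escape. Feeding the raw bytes bf 27 instead gives bf 5c 27; in the latin-1 view that is an escaped quote, but in the gbk view the server pairs bf with 5c into one character and the quote after it closes the literal, so the count of live quotes goes from 2 to 3 and the rest of the payload is parsed as SQL. The fix is escaping that knows the connection charset (mysql_set_charset() followed by mysql_real_escape_string()) or, better, prepared statements; changing the charset with a SET query, as the question does, does not tell the client library about it.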
$query  = "SELECT first_name, last_name FROM users WHERE user_id = \"".addslashes($id)."\";";
schroeder