I'm trying to get around the DVWA high security SQL injection challenge. I've tried a bunch of automated scanning tools with no luck and read a bunch of articles saying it's impossible, so now I've turned to the source code:
You can submit a number (id) to select some details from within the database. I'm trying to pull all rows out:
    $id = stripslashes($id);
    $id = mysql_real_escape_string($id);
    // Only values that pass is_numeric() reach the query
    if (is_numeric($id))
    {
        $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($query);
    }
I've tried putting hex numbers and commands and things through it; it gets past the checks but doesn't work. Now I'm not 100% sure about the backend, but is there any way to reconstruct the strings from hex once I'm past the is_numeric() check?
DVWA uses mysql_query, not mysqli or prepared statements, if that's any help.
Any pointers would be much appreciated!
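
For comparison with the checks quoted in the question, here is the same lookup with a strict digit check and a bound parameter. This is an added example, not part of the original post and not DVWA's code. Assumptions: the function name find_user, the sample rows, and an in-memory SQLite database (via the pdo_sqlite extension) standing in for DVWA's MySQL backend.

```php
<?php
// Added example: strict ID validation plus a bound parameter, in place of
// stripslashes() + escaping + is_numeric(). Table and rows are constructed.
declare(strict_types=1);

// find_user() is a hypothetical helper name, not a DVWA function.
function find_user(PDO $db, string $rawId): ?array
{
    // ctype_digit() accepts only ASCII digits, so "1e3", "1.5", "-1", " 1"
    // and "0x1A" are rejected; is_numeric() accepts each of these on at
    // least one PHP version ("0x1A" only before PHP 7).
    if ($rawId === '' || strlen($rawId) > 9 || !ctype_digit($rawId)) {
        return null;
    }

    // The value is bound as an integer and never spliced into the SQL text.
    $stmt = $db->prepare(
        'SELECT first_name, last_name FROM users WHERE user_id = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (assumption:
// stands in for the MySQL database behind DVWA).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'Alice', 'Example'), (2, 'Bob', 'Sample')");

// Constructed inputs: two valid ids, then values a loose numeric check
// may let through, then a value containing a quote.
$inputs = ['1', '2', '1e3', '1.5', ' 1', '0x1A', '-1', "1' OR '1'='1"];

foreach ($inputs as $input) {
    $row = find_user($db, $input);
    printf(
        "%-16s is_numeric=%-5s -> %s\n",
        var_export($input, true),
        var_export(is_numeric($input), true),
        $row === null ? 'rejected / no row' : $row['first_name'] . ' ' . $row['last_name']
    );
}
```

The is_numeric column in the output depends on the PHP version that runs the script, while the result column does not.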