The concept behind the bypass is that in Oracle's SQL dialect the character used to escape a single quote inside a string literal is another single quote, and Microsoft SQL Server behaves the same way. PHP's magic_quotes_gpc, on the other hand, escapes quotes with a backslash, which neither of these DBMSs treats as an escape character inside a string literal.
A query like the following is syntactically wrong on both DBMSs:

SELECT name FROM users WHERE name LIKE '%foo'bar%'

But a query like this one is syntactically correct:

SELECT name FROM users WHERE name LIKE '%foo''bar%'

Now assume that such a query is used by a PHP web application with magic_quotes_gpc enabled, that the malicious user controls the value placed in the LIKE clause, and that the back-end DBMS is either Oracle or Microsoft SQL Server. In that case magic_quotes_gpc can be bypassed by injecting a UNION query SQL injection statement (or a blind SQL injection statement) similar to the following:
foobar' UNION ALL SELECT name FROM master..syslogins--

PHP escapes the single quote with a backslash and passes the following to the back-end DBMS:

SELECT name FROM users WHERE name LIKE '%foobar\' UNION ALL SELECT name FROM master..syslogins--%'
The statement is syntactically correct and is processed as expected by the attacker: the DBMS does not recognise the backslash added by PHP as an escape character, so the string literal ends at the injected single quote, the UNION becomes live SQL, and the trailing -- comments out the remainder of the original query.
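The following is an added example, not code from the original post. It emulates what magic_quotes_gpc did (PHP's addslashes() behaviour) and then lexes the resulting query with a minimal string-literal scanner under two rule sets: the backslash-escaping rules of MySQL, and the quote-doubling rules shared by Oracle and Microsoft SQL Server. The scanner, the build_query() helper and the payload are assumptions made for the demonstration (the payload is the one from the post); the scanner handles only single-quoted literals and -- comments, which is enough to show where the literal ends. It also shows that escaping by doubling the quote, which is the escaping these two DBMSs actually understand, keeps the payload inside the literal.

```python
"""Why a backslash-based escape (PHP magic_quotes_gpc / addslashes) does not
stop SQL injection on Oracle and Microsoft SQL Server, where a single quote
inside a string literal is escaped by doubling it.

Added example; the scanner below is a deliberately minimal, hypothetical
lexer, not a real DBMS parser.
"""


def addslashes(value: str) -> str:
    """Emulate PHP's addslashes(), which magic_quotes_gpc applied to every
    GET/POST/COOKIE value: prefix ' " and \\ with a backslash."""
    return "".join(("\\" + ch) if ch in ("'", '"', "\\") else ch for ch in value)


def quote_by_doubling(value: str) -> str:
    """The escaping Oracle and MSSQL actually understand inside a literal."""
    return value.replace("'", "''")


def build_query(user_input: str) -> str:
    """The vulnerable pattern from the post: untrusted input concatenated
    straight into the LIKE pattern (hypothetical application code)."""
    return f"SELECT name FROM users WHERE name LIKE '%{user_input}%'"


def segments(sql: str, backslash_escapes: bool) -> list:
    """Split sql into (kind, text) pieces as a simple DBMS lexer would.

    kind is 'code' (live SQL), 'literal' (a '...' string), 'comment'
    (from -- to end of line) or 'unterminated' (a literal never closed).
    backslash_escapes=True models MySQL, where \\' continues the literal;
    False models Oracle / MSSQL, where only '' continues the literal.
    """
    segs, buf, in_literal = [], [], False
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if in_literal:
            if backslash_escapes and ch == "\\" and i + 1 < n:
                buf.append(sql[i:i + 2])        # \x stays inside the literal
                i += 2
                continue
            if ch == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    buf.append("''")            # doubled quote: still inside
                    i += 2
                    continue
                buf.append(ch)                  # closing quote
                segs.append(("literal", "".join(buf)))
                buf, in_literal = [], False
                i += 1
                continue
            buf.append(ch)
            i += 1
            continue
        # outside a literal
        if ch == "'":
            if buf:
                segs.append(("code", "".join(buf)))
            buf, in_literal = [ch], True
            i += 1
            continue
        if sql.startswith("--", i):             # MySQL would also require a
            if buf:                             # space after --; irrelevant
                segs.append(("code", "".join(buf)))  # here because the MySQL
            segs.append(("comment", sql[i:]))   # case never leaves the literal
            return segs
        buf.append(ch)
        i += 1
    if buf:
        segs.append(("unterminated" if in_literal else "code", "".join(buf)))
    return segs


def live_sql(sql: str, backslash_escapes: bool) -> str:
    """Only the text the DBMS will execute as SQL (literals/comments removed)."""
    return " ".join(t for kind, t in segments(sql, backslash_escapes) if kind == "code")


# Constructed payload, taken from the post.
PAYLOAD = "foobar' UNION ALL SELECT name FROM master..syslogins--"

if __name__ == "__main__":
    q = build_query(addslashes(PAYLOAD))
    print(q)
    print("MySQL rules   :", live_sql(q, backslash_escapes=True))
    print("Oracle/MSSQL  :", live_sql(q, backslash_escapes=False))
    print("quote-doubling:", live_sql(build_query(quote_by_doubling(PAYLOAD)), False))
```

Under the Oracle/MSSQL rules the live SQL contains the injected UNION, under the MySQL rules it does not, and with quote-doubling the payload never leaves the literal on any of the three. Escaping per dialect is still the wrong tool, though: the robust fix is to pass the value as a bind variable or prepared-statement parameter so that no escaping of user input into SQL text happens at all.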
A PHP web application backed by Microsoft SQL Server is probably less common than one backed by Oracle, but it is still worth knowing that this bypass of the magic_quotes_gpc security setting works on both database management systems.
Refer to the previous Oracle post for further details and personal considerations.
