
SQL injection, urlencode

Posted: Fri Jul 20, 2007 5:35 am
by abalfazl
Hello!

Example 27.2. Splitting the result set into pages ... and making superusers (PostgreSQL)
<?php

$offset = $argv[0]; // beware, no input validation!
$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
$result = pg_query($conn, $query);

?>

Normal users click on the 'next', 'prev' links where the $offset is encoded into the URL. The script expects that the incoming $offset is a decimal number. However, what if someone tries to break in by appending a urlencode()'d form of the following to the URL

0;
insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
select 'crack', usesysid, 't','t','crack'
from pg_shadow where usename='postgres';
--

If that happened, the script would grant him superuser access. Note that the 0; supplies a valid offset to the original query and terminates it.

What does urlencode do here? Could someone explain more about this attack?

Posted: Fri Jul 20, 2007 7:15 am
by Mordred
urlencode() will allow this long string with newlines etc. to be correctly copy/pasted in a browser address bar.
If you use HTML forms instead, the browser does urlencode() automatically.

Posted: Sat Jul 21, 2007 8:06 am
by abalfazl
Hello!
That was from:http://www.php.net/manual/en/security.d ... ection.php
It is not clear to me. Could you explain this attack step by step?

Posted: Sat Jul 21, 2007 9:17 am
by superdezign
Basically, don't trust $_GET variables. Validate, validate, validate.

Posted: Sun Jul 22, 2007 12:33 am
by abalfazl
Hello

Say we have a form,

Do you mean:

Someone enter this code:

0;
insert into pg_shadow(usename,usesysid,usesuper,usecatupd,passwd)
select 'crack', usesysid, 't','t','crack'
from pg_shadow where usename='postgres';
--

to this function: urlencode,

And then add result to URL,

Right?

Posted: Tue Jul 24, 2007 9:33 am
by programmingjeff
URLEncode makes sure that all characters are converted into a basic-character string. Many funky characters are converted into a %-number sequence.

<?php
$str = "abcdef?%!@#$%^&*(";
echo urlencode($str);

// This will display:  abcdef%3F%25%21%40%23%24%25%5E%26%2A%28
?>
In your example, since the $offset variable is numeric, you don't need to use urlencode. Instead, you can cast the variable to an integer, which prevents any injections.

If someone tries to use an injection, the offset variable will automatically become "0".

<?php

$offset = (int)$argv[0]; // Cast to an integer. If the argument is not a number, it will become 0
$query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
$result = pg_query($conn, $query);

?>
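As an added example that is not part of the thread or the PHP manual snippet, here is the (int) cast from the previous post next to two stricter options: validating the value as a non-negative integer with filter_var(), and passing it to PostgreSQL as a bound parameter with pg_query_params() so it never becomes part of the SQL text. The $conn connection, the products table and the sample inputs are assumed for illustration.

```php
<?php
// Added example, not code from the thread or the PHP manual. Assumes a
// PostgreSQL connection in $conn and a products table like the one in the
// manual snippet; the inputs at the bottom are constructed for illustration.

// 1. The cast from the post above: anything that is not a number becomes 0.
//    It still lets negative values through, which PostgreSQL rejects with
//    "OFFSET must not be negative", so it stops injection but not bad input.
function offsetByCast(string $raw): int
{
    return (int) $raw;
}

// 2. Stricter: accept only a non-negative integer and reject everything else.
//    filter_var() returns false for strings such as "0;\nSELECT 1;\n--" or "1e3".
function offsetValidated(string $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    return $value === false ? null : $value;
}

// 3. Keep data out of the SQL text entirely: the offset travels as a bound
//    parameter, so the server parses a fixed query and sees only "$1".
function fetchPage($conn, int $offset)
{
    return pg_query_params(
        $conn,
        'SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $1',
        [$offset]
    );
}

// Constructed inputs: this is what arrives in $_GET['offset'] after PHP has
// decoded the urlencode()'d query string. The decoding is automatic, so the
// script sees the raw text again, newlines and semicolons included.
$inputs = [
    "20",
    "-5",
    "0;\nSELECT 1;\n--",   // constructed multi-statement string, harmless on purpose
];

foreach ($inputs as $raw) {
    $cast  = offsetByCast($raw);
    $valid = offsetValidated($raw);
    printf("%-28s cast=%d validated=%s\n",
        json_encode($raw), $cast, $valid === null ? 'rejected' : $valid);
}

// How the page handler would use it: reject early instead of silently
// turning garbage into offset 0, then query with the bound parameter.
if (isset($_GET['offset'])) {
    $offset = offsetValidated($_GET['offset']);
    if ($offset === null) {
        http_response_code(400);
        exit('invalid offset');
    }
    $result = fetchPage($conn, $offset);
}
?>
```

The cast alone is enough to defeat the injection in the manual example, because an integer can only ever be interpolated as digits. The validated form is preferable in practice: a request with a non-numeric offset is almost certainly not a normal user clicking 'next', and returning a 400 makes such requests visible in logs instead of quietly serving page one. The parameterised query is the defence that holds regardless of how the value is validated.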