Re: Magic Quotes question

["DokFLeed" <dokfleed@dokfleed.net>]

regardless all the possible ways and arguments,
is there an actual way to bypass Magic Quotes?
CHAR doesnt work,  also %% doesnt work
i.e.
INTO OUTFILE 'D:/www/zin.php'
would be
INTO OUTFILE CHAR(39,68,58,47,199,199,199,47,122,105,110,46,112,104,112,39);
and will not work

any proven ideas?

cheers
Dok

----- Original Message ----- 
From: "Ronald Chmara" <ron@Opus1.COM>
To: "DokFLeed" <dokfleed@dokfleed.net>
Cc: <pen-test@securityfocus.com>
Sent: Friday, January 19, 2007 3:02 PM
Subject: Re: Magic Quotes question


> On Jan 16, 2007, at 11:10 PM, DokFLeed wrote:
> > Hi,
> > I posted this earlier to webappsec@securityfocus.com with no luck ,
> > does anyone know how to bypass magic quotes? a proven working way .
> stripslashes(). :-)
>
> It's fairly easy to get a developer to put stripslashes() on a  website 
> too, if one just slowly adds posts that seem like they can be  tracked 
> back to magic quotes... "I\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \'m having 
> problems...."
> This is why magic quotes/slashes was getting turned off all over the 
> place..... excessive escaping before db inserts, as variable values  were 
> passed from page to page.
> Well, that, and the escaping wasn't data-engine specific. Some data 
> engines use \', others use '', others need no ' escaping, and since  many 
> modern db engines can use *any* delimiter, for any language,  "magic 
> quotes" was simply the wrong level to apply data filtering at.
> > example is, in such a simple SQL like
> > "SELECT * from USERS WHERE id =$id";
> > I am looking for ways to by pass magic quotes to inject this
> > INTO OUTFILE '/home/z.php'
> INTO OUTFILE %/home/z.php% works, if "%" is the field delimiting 
> character being used. Magic quotes totally fails in that scenario.
> > point is, if magic quotes can stop this, so why is it going to be 
> > removed in php6? it can simply stay and be activated or deactivated  on 
> > will.
> It was a great idea, in a much less complex world.
>
> > and if there is a way to by pass, I want to include it in my check 
> > GET/POST inputs.
> Any character can be used, by many db engines, as a delimiter. It is  bad 
> programming practice to assume that *any* bulk filtering  mechanism will 
> work, so your GET/POST idea is flawed.
> The problem is not magic quotes.
> The problem is not replacing magic quotes.
>
> The problem *is* validating each piece of data received, and dealing  with 
> it in an appropriate manner, regardless of the db engine used,  charset 
> used, delimiters used.
> -Ronabop
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------