SQLi bypass at PL4
Issue originally created by user dune73 on 2017-05-16 13:46:25. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/782
Ivan Novikov performed an auth/logic SQLi that bypasses PL4 and works on MySQL assuming column id exists.
curl -v -d "id=1.or-id" localhost
I really like the way he uses only two special chars to pull this off. Bonus points for using only special chars that 920274 allows. Impedance mismatch is such a pain in the ass.
Issue Analytics
- Created 3 years ago
- Comments: 15
Top GitHub Comments
User spartantri commented on 2017-06-02 13:03:45:
csanders-git did you mean a literal "." or is it a wildcard? Why is "or" repeated?
Have you tested that regex against "The mighty Thor." (1 match) or "The mighty Thor. -Exists -in the Valhalla.Like it or not" (6 matches)? This has plenty of false positives, so PL2 may not be the best place; what about PL3 and adding some boundaries like:
(?i)(?:\d|\s|\w)(?:(?:(?:.|-)\b(?:or|all|and|any|between|exists|in|like|not|or|some)\b)|(?:\b(?:or|all|and|any|between|exists|in|like|not|or|some)\b(?:.|-)))
That would allow "The mighty Thor." to pass, and there are only three matches against the full sentence. :)
After that, there are the encoding issues: urldecode, comments, utf...
Will using "+" execute as well? id=1.+or-id
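As an added example (not code from the issue, from its authors, or from the CRS project), the following Python ties together the payload from the issue body and the two questions in the comment above: what the bodies `id=1.or-id` and `id=1.+or-id` look like after form decoding and after the unsafe string concatenation the issue assumes, what the proposed regex matches on those payloads and on the two test sentences, and the integer allow-list check that closes the hole independently of any WAF paranoia level. The reason the payload works is MySQL's lexer: it reads `1.` as the float literal 1.0, then the keyword `OR`, then unary minus applied to the `id` column, so `WHERE id=1.or-id` evaluates as `(id = 1.0) OR (-id)`, which is true for every row whose id is non-zero. That parsing is MySQL's own and is only described in comments here; the example does not connect to a database. The `users` table name, the `build_vulnerable_query` and `validate_id` helpers, and the `\d{1,10}` allow-list are assumptions made for the example, and every input is constructed.

```python
"""Added example for the CRS issue #782 thread; not code from the issue or the
CRS project.  Table name, helper names and the allow-list are assumptions."""
import re
from urllib.parse import parse_qs

# spartantri's proposed regex as posted in the thread.  Note that the '.' in
# (?:.|-) is unescaped, so it matches ANY character and the '-' alternative is
# redundant; escape it (\.) if a literal dot is what is meant.
KEYWORDS = r"(?:or|all|and|any|between|exists|in|like|not|or|some)"
PROPOSED_RE = re.compile(
    r"(?i)(?:\d|\s|\w)(?:(?:(?:.|-)\b" + KEYWORDS + r"\b)|(?:\b" + KEYWORDS + r"\b(?:.|-)))"
)


def decode_form_body(body: str) -> str:
    """Value of the ``id`` field as the application sees it after
    application/x-www-form-urlencoded decoding ('+' becomes a space)."""
    return parse_qs(body, keep_blank_values=True)["id"][0]


def build_vulnerable_query(id_value: str) -> str:
    """The unsafe concatenation the issue assumes (MySQL, column ``id`` exists).
    MySQL reads ``1.`` as the float literal 1.0, then OR, then unary minus on
    ``id``, so WHERE id=1.or-id is (id = 1.0) OR (-id): true for every row
    with a non-zero id.  (Assumed table name; the query is only built here.)"""
    return "SELECT * FROM users WHERE id=" + id_value


def count_matches(text: str) -> int:
    """Number of non-overlapping hits of the proposed regex in ``text``,
    which is how a global/findall-style scan counts them."""
    return len(PROPOSED_RE.findall(text))


def validate_id(id_value: str):
    """Allow-list check that does not depend on the WAF: accept only a plain
    decimal integer (assumed limit of 10 digits) and return it as int,
    otherwise None.  Both payload variants are rejected here."""
    return int(id_value) if re.fullmatch(r"\d{1,10}", id_value) else None


if __name__ == "__main__":
    # Constructed request bodies: the one from the issue and the '+' variant
    # asked about in the comment.
    for body in ("id=1.or-id", "id=1.+or-id"):
        v = decode_form_body(body)
        print(f"{body!r:14} -> {v!r:10} query: {build_vulnerable_query(v)!r}  "
              f"regex hits: {count_matches(v)}  validate_id: {validate_id(v)}")
    # The two constructed test sentences quoted in the comment.
    for s in ("The mighty Thor.",
              "The mighty Thor. -Exists -in the Valhalla.Like it or not"):
        print(f"{count_matches(s)} hit(s) in {s!r}")
```

Because the decoded `+` variant becomes `1. or-id`, and the unescaped `.` matches the space, both payload forms still hit the proposed pattern; "The mighty Thor." does not. Compare the count the block reports for the long sentence with the one quoted in the comment before assigning a pattern to a paranoia level: the regex engine (PCRE in ModSecurity, `re` here) and the non-overlapping scan both affect the number, so any candidate rule should be re-run against the exact test strings.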
User fgsch commented on 2019-10-20 22:15:45:
This issue has timed out as it has not received any update in over 2 years. If this is still a problem please open a new issue.