Hey Fellow Researchers,
I’m working on developing my bug hunting skills, and I’ve run into a challenge with the bWAPP GET SQLi while set in medium mode.
Basically, medium and hard mode add "addslashes" and "mysql_real_escape_string" to sanitize the untrusted input data and add the \ into the SQL statements, which is preventing me from jumping out of the SQL statement.
I’ve spent the last few days reading and trying various techniques: encoded characters, Unicode characters, multibyte chars, using MySQL characters, MySQL tamper scripts, and I’m not sure of anything else that I can try or a different approach.
The gist of the challenge appears to be the apostrophes that surround the sanitized characters, and a lot of the techniques to bypass don’t have the apostrophes surrounding the sanitized input.
For instance,
The PHP code uses "addslashes" and "mysql_real_escape_string" to sanitize the user input.
$userinput = addslashes(<Untrusted Search Word>) - Medium Mode
$userinput = mysql_real_escape_string(<Untrusted Search Word>) - Hard Mode
SELECT * FROM movies WHERE title LIKE '% $userinput %'
Do you guys have any recommended reading material, or concepts/approaches to help solve this challenge?
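For readers coming at this level from the defensive side, here is the same search query rewritten the way it should be written in production: a server-side prepared statement instead of addslashes()/mysql_real_escape_string(). This is an added example, not bWAPP's code or the poster's; the table and column names follow the post, while the DSN, credentials and the `title` GET parameter are placeholders.

```php
<?php
// Added example (not bWAPP's own code): the movies search from the post,
// parameterised so untrusted input can never close the quote or change the
// statement. Escaping-based sanitisation depends on the connection charset
// and on every quote being handled; a bound parameter does not.

// Prepared statements protect the SQL structure, not LIKE wildcards. If the
// user types "%" or "_", escape them so they match literally. A non-backslash
// escape character avoids any interaction with MySQL's string escaping.
function likeLiteral(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

function searchMovies(PDO $pdo, string $untrusted): array
{
    // The search term is sent as a bound value, separately from the SQL text.
    $sql  = "SELECT * FROM movies WHERE title LIKE :pattern ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pattern', '%' . likeLiteral($untrusted) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=bWAPP;charset=utf8mb4', // placeholder DSN
    'dbuser',                                              // placeholder
    'dbpass',                                              // placeholder
    [
        // Disable emulated prepares so the driver does not fall back to
        // client-side quoting; MySQL receives the parameters out of band.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

// 'title' is assumed to be the GET parameter carrying the search word.
$rows = searchMovies($pdo, $_GET['title'] ?? '');
```

With the pattern bound as a parameter, the apostrophes that frame the value in the post's query no longer exist in the SQL text at all, which is why the medium/hard filters are the wrong tool and this is the right one.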