Adding modules 36,37 on mysql_real_escape_string bypass

Less-32/index.php

@@ -37,7 +37,7 @@ function check_addslashes($string)
 
 // connectivity 
 
-
+mysql_query("SET NAMES gbk");
 $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
 $result=mysql_query($sql);
 $row = mysql_fetch_array($result);
@@ -71,7 +71,19 @@ function check_addslashes($string)
 </br>
 <font size='4' color= "#33FFFF">
 <?php
-echo "Hint: The Query String you input is escaped as : ".$id;
+
+function strToHex($string)
+{
+    $hex='';
+    for ($i=0; $i < strlen($string); $i++)
+    {
+        $hex .= dechex(ord($string[$i]));
+    }
+    return $hex;
+}
+echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
+echo "The Query String you input in Hex becomes : ".strToHex($id). "<br>";
+
 ?>
 </center>
 </font> 

Less-32/index.php~

@@ -0,0 +1,97 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<title>Less-32 **Bypass addslashes()**</title>
+</head>
+
+<body bgcolor="#000000">
+<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
+<font size="5" color="#00FF00">
+
+
+<?php
+//including the Mysql connect parameters.
+include("../sql-connections/sql-connect.php");
+
+function check_addslashes($string)
+{
+    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);          //escape any backslash
+    $string = preg_replace('/\'/i', '\\\'', $string);                               //escape single quote with a backslash
+    $string = preg_replace('/\"/', "\\\"", $string);                                //escape double quote with a backslash
+
+
+    return $string;
+}
+
+// take the variables 
+if(isset($_GET['id']))
+{
+$id=check_addslashes($_GET['id']);
+//echo "The filtered request is :" .$id . "<br>";
+
+//logging the connection parameters to a file for analysis.
+$fp=fopen('result.txt','a');
+fwrite($fp,'ID:'.$id."\n");
+fclose($fp);
+
+// connectivity 
+
+mysql_query("SET NAMES gbk");
+$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
+$result=mysql_query($sql);
+$row = mysql_fetch_array($result);
+
+	if($row)
+	{
+  	echo '<font color= "#00FF00">';	
+  	echo 'Your Login name:'. $row['username'];
+  	echo "<br>";
+  	echo 'Your Password:' .$row['password'];
+  	echo "</font>";
+  	}
+	else 
+	{
+	echo '<font color= "#FFFF00">';
+	print_r(mysql_error());
+	echo "</font>";  
+	}
+}
+	else { echo "Please input the ID as parameter with numeric value";}
+
+
+
+?>
+</font> </div></br></br></br><center>
+<img src="../images/Less-32.jpg" />
+</br>
+</br>
+</br>
+</br>
+</br>
+<font size='4' color= "#33FFFF">
+<?php
+
+function strToHex($string)
+{
+    $hex='';
+    for ($i=0; $i < strlen($string); $i++)
+    {
+        $hex .= dechex(ord($string[$i]));
+    }
+    return $hex;
+}
+echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
+echo "The Query String you input in Hex becomes : ".strToHex($id). "<br>";
+
+?>
+</center>
+</font> 
+</body>
+</html>
+
+
+
+
+
+

Less-33/index.php

@@ -33,7 +33,7 @@ function check_addslashes($string)
 
 // connectivity 
 
-
+mysql_query("SET NAMES gbk");
 $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
 $result=mysql_query($sql);
 $row = mysql_fetch_array($result);
@@ -67,7 +67,17 @@ function check_addslashes($string)
 </br>
 <font size='4' color= "#33FFFF">
 <?php
-echo "Hint: The Query String you input is escaped as : ".$id;
+function strToHex($string)
+{
+    $hex='';
+    for ($i=0; $i < strlen($string); $i++)
+    {
+        $hex .= dechex(ord($string[$i]));
+    }
+    return $hex;
+}
+echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
+echo "The Query String you input in Hex becomes : ".strToHex($id);
 ?>
 </center>
 </font> 

Less-34/index.php

@@ -64,6 +64,7 @@
         //echo "Input password after addslashes is : ".$passwd;    
 
 	// connectivity 
+	mysql_query("SET NAMES gbk");
 	@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
 	$result=mysql_query($sql);
 	$row = mysql_fetch_array($result);

Less-35/index.php

@@ -33,7 +33,7 @@ function check_addslashes($string)
 
 // connectivity 
 
-
+mysql_query("SET NAMES gbk");
 $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
 $result=mysql_query($sql);
 $row = mysql_fetch_array($result);

Less-36/index.php

@@ -0,0 +1,91 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<title>Less-36 **Bypass MySQL Real Escape String**</title>
+</head>
+
+<body bgcolor="#000000">
+<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
+<font size="5" color="#00FF00">
+
+
+<?php
+//including the Mysql connect parameters.
+include("../sql-connections/sql-connect.php");
+
+function check_quotes($string)
+{
+    $string= mysql_real_escape_string($string);    
+    return $string;
+}
+
+// take the variables 
+if(isset($_GET['id']))
+{
+$id=check_quotes($_GET['id']);
+//echo "The filtered request is :" .$id . "<br>";
+
+//logging the connection parameters to a file for analysis.
+$fp=fopen('result.txt','a');
+fwrite($fp,'ID:'.$id."\n");
+fclose($fp);
+
+// connectivity 
+
+mysql_query("SET NAMES gbk");
+$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
+$result=mysql_query($sql);
+$row = mysql_fetch_array($result);
+
+	if($row)
+	{
+  	echo '<font color= "#00FF00">';	
+  	echo 'Your Login name:'. $row['username'];
+  	echo "<br>";
+  	echo 'Your Password:' .$row['password'];
+  	echo "</font>";
+  	}
+	else 
+	{
+	echo '<font color= "#FFFF00">';
+	print_r(mysql_error());
+	echo "</font>";  
+	}
+}
+	else { echo "Please input the ID as parameter with numeric value";}
+
+
+
+?>
+</font> </div></br></br></br><center>
+<img src="../images/Less-36.jpg" />
+</br>
+</br>
+</br>
+</br>
+</br>
+<font size='4' color= "#33FFFF">
+<?php
+function strToHex($string)
+{
+    $hex='';
+    for ($i=0; $i < strlen($string); $i++)
+    {
+        $hex .= dechex(ord($string[$i]));
+    }
+    return $hex;
+}
+echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
+echo "The Query String you input in Hex becomes : ".strToHex($id);
+?>
+</center>
+</font> 
+</body>
+</html>
+
+
+
+
+
+

Less-37/index.php

@@ -0,0 +1,120 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+	<title>Less-37- MySQL_real_escape_string</title>
+</head>
+
+<body bgcolor="#000000">
+<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br></div>
+
+<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
+
+<div style="padding-top:10px; font-size:15px;">
+
+
+<!--Form to post the data for sql injections Error based SQL Injection-->
+<form action="" name="form1" method="post">
+	<div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;
+	    <input type="text"  name="uname" value=""/>
+	</div>  
+	<div> Password  : &nbsp;&nbsp;&nbsp;
+		<input type="text" name="passwd" value=""/>
+	</div></br>
+	<div style=" margin-top:9px;margin-left:90px;">
+		<input type="submit" name="submit" value="Submit" />
+	</div>
+</form>
+
+</div>
+</div>
+<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
+<font size="3" color="#FFFF00">
+<center>
+<br>
+<br>
+<br>
+<img src="../images/Less-37.jpg" />
+</center>
+
+<?php
+//including the Mysql connect parameters.
+include("../sql-connections/sql-connect.php");
+
+
+// take the variables
+if(isset($_POST['uname']) && isset($_POST['passwd']))
+{
+	$uname1=$_POST['uname'];
+	$passwd1=$_POST['passwd'];
+
+        //echo "username before addslashes is :".$uname1 ."<br>";
+        //echo "Input password before addslashes is : ".$passwd1. "<br>";
+
+	//logging the connection parameters to a file for analysis.
+	$fp=fopen('result.txt','a');
+	fwrite($fp,'User Name:'.$uname1);
+	fwrite($fp,'Password:'.$passwd1."\n");
+	fclose($fp);
+
+        $uname = mysql_real_escape_string($uname1);
+        $passwd= mysql_real_escape_string($passwd1);
+
+        //echo "username after addslashes is :".$uname ."<br>";
+        //echo "Input password after addslashes is : ".$passwd;    
+
+	// connectivity 
+	mysql_query("SET NAMES gbk");
+	@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
+	$result=mysql_query($sql);
+	$row = mysql_fetch_array($result);
+
+	if($row)
+	{
+  		//echo '<font color= "#0000ff">';	
+
+  		echo "<br>";
+		echo '<font color= "#FFFF00" font size = 4>';
+		//echo " You Have successfully logged in\n\n " ;
+		echo '<font size="3" color="#0000ff">';	
+		echo "<br>";
+		echo 'Your Login name:'. $row['username'];
+		echo "<br>";
+		echo 'Your Password:' .$row['password'];
+		echo "<br>";
+		echo "</font>";
+		echo "<br>";
+		echo "<br>";
+		echo '<img src="../images/flag.jpg"  />';	
+
+  		echo "</font>";
+  	}
+	else  
+	{
+		echo '<font color= "#0000ff" font size="3">';
+		//echo "Try again looser";
+		print_r(mysql_error());
+		echo "</br>";
+		echo "</br>";
+		echo "</br>";
+		echo '<img src="../images/slap.jpg" />';	
+		echo "</font>";  
+	}
+}
+
+?>
+
+</br>
+</br>
+</br>
+<font size='4' color= "#33FFFF">
+<?php
+
+echo "Hint: The Username you input is escaped as : ".$uname ."<br>";
+echo "Hint: The Password you input is escaped as : ".$passwd ."<br>";
+?>
+
+</font>
+</div>
+</body>
+</html>