Changing The SQL Charset.

Published on: 1182871548
I've been busy this week with some new SQL injection ideas. One of them was to change the charset dynamically upon injection. This is a little tricky, but it could turn out to be critical for bypassing certain restrictions. If nothing else, it is also useful for refining an injection.

The principle is simple: normally every column has a charset that has been set by the SQL administrator. Most of the time it is the default charset. But sometimes we need another charset.

We can change the charset by injecting this vector:

ALTER TABLE `test` CHANGE `password` `password` VARCHAR(255) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL

Notice that the backticks are not really needed:

ALTER TABLE test CHANGE password password VARCHAR(255) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL

We have now changed the charset to GBK Chinese. You might wonder why GBK Chinese. This has to do with bypassing addslashes: the PHP function addslashes is vulnerable to multibyte encoding, but only if the database uses a multibyte charset such as GBK Chinese or Big5.

It works like this:

The vector: 0xbf27 admin 0xbf27
this becomes: ¿'admin¿'
then parsed as: 'admin'

In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c (\). Because addslashes works byte by byte, it puts a 0x5c in front of the 0x27, which yields 0xbf5c27; a GBK-aware parser then reads 0xbf5c as one character and the remaining 0x27 as a bare, unescaped quote. This is why the column charset matters: with a single-byte charset the backslash stays in front of the quote.
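The following is an added example, not code from the original post, that makes the charset dependence concrete: a byte-wise addslashes() clone, a check of whether its output still contains a bare quote once decoded with a given charset, and a charset-aware escaper that decodes strictly before escaping (the approach behind escaping with a correctly configured connection charset, or better, prepared statements). Function names and the test inputs are my own.

```python
# Byte-wise escaping vs. charset-aware escaping for the post's 0xbf27 vector.

def addslashes(data: bytes) -> bytes:
    """Escape ' " \\ and NUL with a backslash, byte by byte, like PHP's
    addslashes(); it never considers multi-byte character boundaries."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def unescaped_quotes(text: str) -> int:
    """Count single quotes not preceded by an escaping backslash, as a
    backslash-aware SQL string parser would see them."""
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # the backslash consumes the next character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count

def escape_fails(data: bytes, charset: str) -> bool:
    """True if addslashes()-escaped data still carries a bare quote after the
    server decodes it with `charset` (invalid lead bytes are replaced, which
    mimics a lenient server-side decoder)."""
    return unescaped_quotes(addslashes(data).decode(charset, "replace")) > 0

def escape_aware(data: bytes, charset: str) -> bytes:
    """Decode strictly (invalid sequences raise UnicodeDecodeError), escape on
    characters, re-encode: a backslash can never split a multi-byte character."""
    text = data.decode(charset)
    for raw, esc in (("\\", "\\\\"), ("'", "\\'"), ('"', '\\"'), ("\x00", "\\0")):
        text = text.replace(raw, esc)
    return text.encode(charset)

def rejects(data: bytes, charset: str) -> bool:
    """True if the charset-aware escaper refuses the input as invalid."""
    try:
        escape_aware(data, charset)
    except UnicodeDecodeError:
        return True
    return False

VECTOR = b"\xbf\x27admin\xbf\x27"   # constructed: the post's 0xbf27 admin 0xbf27

if __name__ == "__main__":
    for cs in ("latin1", "gbk"):
        print(f"{cs:7} addslashes leaves a bare quote: {escape_fails(VECTOR, cs)}")
    print(f"gbk     charset-aware escaper rejects vector: {rejects(VECTOR, 'gbk')}")
```

With a single-byte charset the escaped quote survives; with GBK the same bytes decode to a CJK character followed by a bare quote, which is exactly what the ALTER TABLE above sets up.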

Read more: http://www.0x000000.com/?i=66