About

My name is Johannes Dahse and I studied “IT-Security” at the Ruhr-University Bochum in Germany. Currently I am doing my PhD at the Chair for Systems Security in the area of static code analysis and work as a penetration tester and security consultant.

Contact: johannes.dahse at rub. de

22 Responses to About

  1. ZinovaS says:

    Hi,

    i found your articles very informative. i learned a lot from it. thats why i want to thank you and provide you with some piece of information.

    you wrote that there is no way to give a path to load_file not using ‘quotes ‘
    actually there is a way:

    SELECT CONCAT(‘0x’,HEX(‘/path/to/file.php’));
    that gives you a pathname in hex (could be done in other ways):
    0x2F706174682F746F2F66696C652E706870

    and now we can use it like this:
    SELECT load_file(0x2F706174682F746F2F66696C652E706870);

    and it works for me in 5.0.32-Debian_7etch6-log

  2. Reiners says:

    hi, glad you like them. thanks for your hint but I was referring to INTO OUTFILE when I wrote that the quotes are definetly neccessary for the path. you probably mixed up the articles ;) load_file() of course accepts encoding as any other function, but INTO OUTFILE as being an operation, not a function, doesnt support a way to avoid quotes (afaik).

  3. Aoife says:

    Hi,

    just wondering what RIPS stand for?

    Cheers,

    Aoife

    • Reiners says:

      Hi,
      actually it stands for Reiners Ironic PHP Scanner … ironic because it is a PHP app scanning PHP apps. However I find the acronym not really sexy so I never mention it anywhere ;)
      Cheers,
      Reiners

  4. Tobbe says:

    Hi,

    Thanks for all your great articles.

    Is there any possibility of you adding an RSS feed to this page? I’d like to subscribe to it in my rss reader. Thank you!

  5. […] man das Programm benutzt, rät der Autor zuerst das Infopaper zu lesen, welches sich -> hier <- findet. Zudem ist das Tool noch lange […]

  6. Adela Kuźniarska says:

    Hello

    My name is Adela Kuźniarska and I represent PenTest Magazine- the only publication devoted to penetration testing

    We are looking for authors who could provide us with some interesting articles concerning penetration testing and vulnerability management.

    We need people to write influential article about the Nessus software by now.

    I believe your expertise in this matter might be invaluable to our readers and maybe you could share your knowledge with us.

    Would you be interested in hearing more details?

    For more information please visit http://www.pentestmag.com

    I am looking forward to hearing from you.

    Best Regards

    Adela Kuźniarska
    PenTest Magazine

  7. massi says:

    hi Johannes,
    can I ask you how is it possible to make a blind query WITHOUT using query, when only other statements are available (i.e. case etc.)
    I’ve seen you said it is possible -I tried to find a solution to that, but failed hard at…
    …any idea or tip? :)

  8. massi says:

    ooops, errata corrige:
    “to make a blind query WITHOUT using a select statement”.

    Without a select i’m limited to read variables like version etc., but cant understand how to access table contetns…

    • Reiners says:

      hi massi,
      as stated here you can only access columns that are already in the field list (columns that are used in the original SELECT query you are injecting into).
      Example:
      SELECT name, password FROM users WHERE id = X
      If you want to access the password column you dont need a subselect, because it is already in the field list:
      X= if(mid(password,1,1)=0x61,1,2)
      However if your desired column/table is not already in the field list, there is no way to access is without using another SELECT.

      Cheers,
      Reiners

  9. hello,your blog is very nice,i am from china,i have learned a lot from your site,so,then,i have a question:
    this url : http://websec.wordpress.com/2011/06/
    this article,you say “mysql_real_escape_string” can be safe
    // safe
    $name = mysql_real_escape_string($_GET[‘name’]);
    mysql_query(“SELECT * FROM users WHERE name = ‘$name'”);

    but i find that it is also vulnerable,when mysql’s character is gbk,
    ?name=%bf%27 will also work well in sql injection

    • Reiners says:

      yes it is insecure with some asian character sets, as described in detail here. however since those character sets are very rarely used (at least here in europe) one can assume that mysql_real_escape_string is safe. To be sure you should always use prepared statements. thanks for noting.

  10. ysj says:

    Hey, nice write up. I got a few questions:

    1. Under the WHERE ALTERNATIVE SECTION, you used having to replace where right? I thought having is only possible when there is group by and aggregate function?
    2. If /union/i was used in their filter, according to your expertise, is it still possible to bypass it and use the union keyword?

    thanks :)

  11. Aaron says:

    Nice articles Johannes ! Very technical which is not found in much blogs.

  12. Dm says:

    hey Reiners,
    Are there any type of sqli that bypass an integer type cast ? Like this:
    public int? IdAssunto { get; set; }

    I was looking on things like ASCII HEX Encoded injection but wanna check with you too.

    Rergard

  13. Javed says:

    Hi Reiners,

    How are you can I’ve your email , ive sent email on your mentioned address above but it bounce back . I need your assistance in penetration of web app for WAF bypass.

    Regards
    Javed

  14. Tien says:

    If I use “select data into outfile [path]” but the quote ‘ and double ” are filtered, is there way to write file in this case? Thanks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 87 other followers

%d bloggers like this: