eric01

Reputation: 919

Is it possible to do SQL injection (HIGH Level) on Damn Vulnerable Web App?

I searched all over google to see how it would be possible to bypass the following (it's from the high level of security from DVWA):

    $id = $_GET['id'];
    $id = stripslashes($id);
    $id = mysql_real_escape_string($id);

    if (is_numeric($id)) {

        $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');

        $num = mysql_numrows($result);

        $i = 0;

        while ($i < $num) {

            $first = mysql_result($result, $i, "first_name");
            $last = mysql_result($result, $i, "last_name");

            echo '<pre>';
            echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
            echo '</pre>';

            $i++;
        }
    }

Is it possible to crack that?

For those who aren't familiar with DVWA, here is a youtube video about it: http://www.youtube.com/watch?v=oMV0JZVxvdQ

Also, my other concern is on Medium level. It does have mysql_real_escape_string() working, but when you use the same SQL injection from Low level AND you remove the quotes, it bypasses the protection. Why is that? How come it was so easy to bypass mysql_real_escape_string()?

The code (concise version) of the Medium level is this:

    $id = $_GET['id'];
    $id = mysql_real_escape_string($id);
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";

I want to use PDO as it's probably much safer. Please let me know your thoughts on that.

Thanks a lot in advance.

Upvotes: 3

Views: 6075

Answers (3)

Zak Sys

Reputation: 1

In the medium level just use: 1 and 1=1 order by X.

All of the author's queries are low level, but you can replace the name of a table with hex code 0x..., for example where table_name=0x12345. If we use a string char we will have an error because the ' is not allowed.

Upvotes: 0

JArdana7

Reputation: 1

I have the same problem you have. I don't know how to crack it either.

But I think I have an answer for the problem in Medium level, I think it's a programmer's error.

$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id"

Notice that in low and high level you have quotes in $id, not in Medium...I think that's the point. If you'd have this:

$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"

I'm pretty sure that it wouldn't be so easy to bypass mysql_real_escape_string() in Medium level.

In other words, I'm pretty sure that if you didn't have the quotes in High Level, you could do the injection as well.

Upvotes: 0

Ja͢ck

Reputation: 173562

The addition of is_numeric would not make this a very likely full-blown sql attack, but is_numeric is just not very exact:

is_numeric('0xdeadbeef') // true
is_numeric('10e3') // true

It's probably better to use filters:

if (false !== ($id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT))) {
}

Upvotes: 2
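The three points raised in the thread (escaping does nothing for an unquoted numeric context on Medium, the quotes plus is_numeric() on High keep the value inside one string literal, and validate-then-bind with PDO is the real fix) can be put side by side in one script. This is an added example, not DVWA's code or code from any of the answers. mysql_real_escape_string() needs a live MySQL link and no longer exists in PHP 7+, so escapeLikeMysql() is a stand-in that escapes the same character set; lookupUser() and the in-memory SQLite table with its constructed rows are assumptions made so the script runs offline, and the PDO calls are identical with a mysql: DSN.

```php
<?php
// Added example (not DVWA's code): why Medium is injectable despite escaping,
// why High (quoted $id plus is_numeric) is not, and the PDO version to use.

// Stand-in for mysql_real_escape_string(): same characters, no MySQL link needed.
// (Assumption: the real function would also use the connection's charset.)
function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// Medium level: escaped, then interpolated WITHOUT quotes (numeric context).
function mediumQuery(string $id): string
{
    $id = escapeLikeMysql($id);
    return "SELECT first_name, last_name FROM users WHERE user_id = $id";
}

// High level: stripslashes, escape, is_numeric gate, then interpolated INSIDE quotes.
function highQuery(string $id): ?string
{
    $id = escapeLikeMysql(stripslashes($id));
    if (!is_numeric($id)) {
        return null;                      // DVWA simply runs no query here
    }
    return "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
}

$payload = "1 OR 1=1";
echo mediumQuery($payload), "\n";
// ... WHERE user_id = 1 OR 1=1
// Nothing for the escaper to touch (no quote, backslash or control byte),
// so the WHERE clause is rewritten and every row comes back.

echo mediumQuery("1' OR '1'='1"), "\n";
// ... WHERE user_id = 1\' OR \'1\'=\'1   -> MySQL syntax error: the Low-level
// payload fails on Medium only because its quotes are what get escaped.

var_dump(highQuery($payload));            // NULL: is_numeric("1 OR 1=1") is false
var_dump(highQuery("1' OR '1'='1"));      // NULL: the escaped text is not numeric either
echo highQuery("10e3"), "\n";
// ... WHERE user_id = '10e3'  -> passes is_numeric(), but it is still a single
// string literal; MySQL compares it as the number 10000, nothing is injected.

// The fix: validate the type first, then bind the value as a parameter so the
// database never parses it as SQL. Hypothetical helper, not DVWA code.
function lookupUser(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);  // rejects "10e3", "0xdeadbeef", "1 OR 1=1"
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table so the script runs offline (swap for a mysql: DSN in real code).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown')");

var_dump(lookupUser($db, '2'));            // ['first_name' => 'Gordon', 'last_name' => 'Brown']
var_dump(lookupUser($db, '1 OR 1=1'));     // NULL: never reaches the database
var_dump(lookupUser($db, '0xdeadbeef'));   // NULL: FILTER_VALIDATE_INT does not accept hex
```

The order of operations matters: validation happens before the query is even prepared, so the escaping question never arises, and the bound placeholder means the value is sent as data rather than spliced into the SQL text. Whether the column is quoted in the query string is then irrelevant, which is exactly the class of mistake the Medium level exhibits.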
