  • Hi! Recently I've posted something on a test board. Using the "Code" BBCode I've posted a MySQL query and the board returned a message like this:


    UPDATE 'root'@'localhost' SET !!!bf0b9b1472d9048a147e68134d204da80bdf0b1c!!!="PAROLA";

    The initial query was something like this:


    UPDATE 'root'@'localhost' SET 'password'="PAROLA";

    I think some images will deliver more information than me and my English can do:

    Initial query using bbcode:


    [code.]UPDATE 'root'@'localhost' SET 'password'="PAROLA";[/code.] (Without dots).

    This looks like a bug in the code BBCode which causes the SQL highlighter to not properly highlight strings. There is no vulnerability, the query is not being executed on the MySQL server. The long string is randomly generated. Thanks for bringing this to our attention, though!

    Hello @Yildirim,

    a short explanation on your observations:

    The code-BBCode includes various different syntax highlighting which can be explicitly set, e.g. [code=sql]…[/code]. If you omit a specific highlighter, the system will try to guess the proper highlighter based upon a set of specific keywords. In your case the system correctly detected a SQL query and used it to highlight the query (you can see it's working by looking at the color).

