Code-BBCode: SQL-Highlighter

1st Official Post

    Hi! Recently i've posted something on a test board. Using the "Code" BBCode i've posted a MySQL Query and the board returned a message like this:


    Quote

    SQL-Query
    UPDATE 'root'@'localhost' SET !!!bf0b9b1472d9048a147e68134d204da80bdf0b1c!!!="PAROLA";


    The initial query was something like this:

    Quote

    UPDATE 'root'@'localhost' SET 'password'="PAROLA";


    I think some images will deliver more information that me and my english can do:


    [Blocked Image: http://ximagenes.es/di/095K/return.png]
    Initial query using bbcode:

    Quote


    [code.]UPDATE 'root'@'localhost' SET 'password'="PAROLA";[/code.] (Without dots).

    • Official Post

    Hi


    is looks like a bug in the code BBCode which causes the SQL highlighter to not properly highlight strings. There is no vulnerability, the query is not being executed on the MySQL server. The long string is randomly generated. Thanks for bringing this to our attention, though!

    • Official Post

    Hello @Yildirim,


    a short explanation on your observations:


    The code-BBCode includes various different syntax highlighting which can be explicitly set, e.g. [code=sql]…[/code]. If you omit a specific highlighter, the system will try to guess the proper highlighter based upon a set of specific keywords. In your case the system correctly detected a SQL query and used it to highlight the query (you can see it's working by looking at the color).

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!

Register Yourself Login