Text Reversal Exploit and Fix
August 6, 2011
[Rendered demo: the word "Example", the reversal character, then "Example" again; in a browser, everything after the character is displayed reversed.]
The actual code to do the above is this:
```php
<?php
// chr(226) . chr(128) . chr(174) is the three-byte UTF-8 sequence for the reversal character.
echo "<div>Example " . chr(226) . chr(128) . chr(174) . " Example</div>";
?>
```
I've searched Google for the key combination, form reverser, text reversal exploit, etc... I've had no success finding anything on it.
Live Demonstration
So, with that in mind, I present a live demonstration of the exploit. Copy the two bars "||" below, and then type in the input box... Paste the bars... Then type some more. Note the results.
Please note that it will be difficult to select the bars due to the exploit.
[Live demo: a text input box, and the two bars `||` with the reversal character between them.]
Now that you've seen how this can be used as an annoyance: it seems to affect everything AFTER the three characters, within an HTML element (i.e. a TD, DIV and so on).
In PHP, strip_tags, mysql_real_escape_string, and others won't filter this.
Detecting it in your database
I threw together the simple script below, which will detect whether any field in any database you have access to contains this string. You'll have to fill in the connection parameters. If it helps you sleep better at night, allow it only SELECT; it does, however, need access to information_schema to get hold of the table names.
```php
<?php
// Fill in your own connection parameters.
mysql_connect("localhost", "USER", "PASSWORD") or die(mysql_error());

// The reverser as raw UTF-8 bytes: chr(226) . chr(128) . chr(174).
$Reverser = chr(226) . chr(128) . chr(174);

// Every database we can see, minus the system schemas.
$Databases = array();
$result = mysql_query("SHOW DATABASES") or die(mysql_error());
while ($row = mysql_fetch_assoc($result)) {
    if ($row['Database']!="mysql" && $row['Database']!="information_schema" && $row['Database']!="performance_schema")
        $Databases[] = $row['Database'];
}

for ($ParseDB = 0; $ParseDB < count($Databases); $ParseDB++) {
    $query = mysql_query("SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema = '{$Databases[$ParseDB]}'") or die(mysql_error());
    while ($row = mysql_fetch_assoc($query)) {
        $Fields = NULL;
        $Thiskey = NULL;
        // EXPLAIN lists the columns: remember the key column and build a LIKE test over every column.
        $subquery = mysql_query("EXPLAIN `{$Databases[$ParseDB]}`.`{$row['TABLE_NAME']}`") or die(mysql_error());
        while ($subrow = mysql_fetch_assoc($subquery)) {
            if ($subrow['Key']!="") $Thiskey = $subrow['Field'];
            $Fields .= ($Fields === NULL ? "" : " OR ") . "`{$subrow['Field']}` LIKE '%" . mysql_real_escape_string($Reverser) . "%'";
        }
        if ($Thiskey === NULL) continue; // no key column to report the row by
        $badquery = mysql_query("SELECT `$Thiskey` FROM `{$Databases[$ParseDB]}`.`{$row['TABLE_NAME']}` WHERE $Fields") or die(mysql_error());
        while ($badrow = mysql_fetch_assoc($badquery)) {
            echo "Reverser found in database <strong>{$Databases[$ParseDB]}</strong> in table {$row['TABLE_NAME']} on key <strong>$Thiskey = {$badrow[$Thiskey]}</strong><br />";
        }
    }
}
?>
```
Should this string be found, you'll get results like the below:
Reverser found in database DATABASE in table TABLE on FIELD_KEY_NAME = 1234
That should be enough for you to find it, and remove it through MySQL, or a graphical utility like phpMyAdmin.
Preventing it
You could do simple string replacements, or filter out all the characters that really needn't be posted. I chose the latter for the code below:
```php
<?php
function ASCIIOnly($string = NULL) {
    $OutStr = NULL;
    if ($string == NULL) return FALSE;
    // Walk the string byte by byte, keeping only printable ASCII plus linefeed (10) and carriage return (13).
    for ($i = 0; $i < strlen($string); $i++) {
        $ThisChar = ord($string[$i]);
        if (($ThisChar > 31 && $ThisChar < 127) || $ThisChar == 10 || $ThisChar == 13)
            $OutStr .= $string[$i];
    }
    return $OutStr;
}
?>
```
Run this over anything that comes from the client side (mostly text inputs; it is not meant for file uploads and things of that sort). It strips off the out-of-range ASCII characters that aren't used.
Characters 10 and 13 are the linefeed characters, and may be used together or separately, depending on the operating system.
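ASCIIOnly also throws away every legitimate non-ASCII character (accented letters, for instance). As an added example that is not part of the original post, here is a narrower alternative that removes only the Unicode bidirectional control characters, of which the reverser (U+202E, RIGHT-TO-LEFT OVERRIDE, the bytes E2 80 AE above) is one; the function names and the sample string are my own.

```php
<?php
// Character class of the Unicode bidi controls: U+200E/U+200F marks,
// U+202A-U+202E embeddings and overrides (U+202E is the reverser),
// U+2066-U+2069 isolates. The /u flag makes PCRE work on UTF-8 code points.
function BidiControlPattern() {
    return '/[\x{200E}\x{200F}\x{202A}-\x{202E}\x{2066}-\x{2069}]/u';
}

// TRUE if the string contains any bidi control character (useful as a check on input).
function ContainsBidiControl($string) {
    return preg_match(BidiControlPattern(), $string) === 1;
}

// Remove the bidi controls and keep everything else, accented letters included.
function StripBidiControls($string) {
    $clean = preg_replace(BidiControlPattern(), '', $string);
    if ($clean === NULL) {
        // preg_replace returns NULL on malformed UTF-8 with /u; fall back to
        // removing the raw byte sequences so bad input is never passed through untouched.
        $clean = preg_replace('/\xE2\x80[\x8E\x8F\xAA-\xAE]|\xE2\x81[\xA6-\xA9]/', '', $string);
    }
    return $clean;
}

// Constructed sample: the post's reverser between two words, plus an accented word.
$Reverser = chr(226) . chr(128) . chr(174);
$sample = "Example " . $Reverser . " Example, café";

var_dump(ContainsBidiControl($sample));        // the reverser is detected
var_dump(strip_tags($sample) === $sample);     // strip_tags leaves it in place, as the post says
var_dump(StripBidiControls($sample));          // reverser gone, "café" intact
?>
```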