Having special characters is a good idea but having a comma just to break a CSV is dumb. This would only happen if the hacker used a bad exporter or created their own (very poorly).
AFAIK it's only "ambiguous" in the sense that if you get a csv file you can't determine the exact parsing behavior to use, but if you know what program created the csv (or what encoder options were used), it's not ambiguous to parse.
>but things get really hairy really fast when you start adding types or BLOBs in the CSV.
AFAIK BLOBs are hex encoded, which make them a non issue.
Have you ever used quotes in a password. I did. IOS was constantly changing quotes into smart quotes. Super annoying for those times when I had to actually type in my password.
On the other hand, if you go out of your way to pollute the data and the hacker debugs the resulting errors and finds you as the culprit, they may target you as a form of petty revenge.
In R, libraries will often tell you when there is a parsing anomaly and which line it occurs with. The first thing I do is examine those lines closely!
comma being a very common and probably common when many organization are enforcing special character policy . For those big exports , they are probably not dumping out as csv , it would be light weight db file . I assume sqllite
Yea good assumption, SQLMap for instance, defaults --dump to .csv with sqlite as an option if you're just looking for a simpler test point. Plenty of other tooling options out there too. Tooling providing your encoding during dump will overcome the ',' concern though, no?
They are kinda trolling, Kinda not. A rainbow table is just a huge list of precomputed passwords to hash.
MD5 hash of "pass": 1a1dc91c907325c69271ddf0c944bc72
SHA-1 hash of "pass": d74db87a56f6d8a52ca4bbafc86a27f4b66c58a4
SHA-256 hash of "pass": 3f5d8cc9ea971f85b91fe9a761e29f882abeae92e4b99b5678f7bf3f53b1519f
but if you add "salt" to the password, (i.g. some randomly generated data), your password will be deterministically unqiue, and thus a rainbow table wouldn't ever work. The infrared and ultraviolet part is pure troll tho.
But can’t the hacker just write a small function to fix that? If I found a comma in the third position in a hash crack I might assume it’s part of the password and not a column separator.
The reason you might want to put such character in a password is not in case it might leak, but in order to break the idiotic system which stores and handles those passwords in plain text. I would use a double quote and a single quote. That will break things if passwords are wrapped in quotes without escaping.
PRO TIP: You can also use % to punish incorrect use of printf(3), $ to punish use of "eval" in Perl and bash, <> to break HTML parsing, * to punish overzealous filename globbing, & to set off forkbombs on the unsuspecting victims, +++ATH0 to make their modems hang up, and ! to prevent transmission via UUCP.
And then back into a corner, splash a can of paint in every direction, put your head between your knees, and wait for WWIII. (If it doesn't start by the time the paint dries, do it all over again tomorrow.)
True - a friend of mine worked in a dangerous part of the world and was car-jacked in a manual car. As soon as the car-jacker was behind the wheel they realised they couldn't drive the car and gave up.
My brother had a stick shift. Kids broke into his car and proceeded to drive it 15 feet into a pole and abandon it. Whole thing was caught on camera too.
50 comments
[ 3.2 ms ] story [ 106 ms ] threadEdge cases get hard when dealing with nested commas, and there's no standard escape sequence.
Probably matters less with a two column arrangement, but things get really hairy really fast when you start adding types or BLOBs in the CSV.
>but things get really hairy really fast when you start adding types or BLOBs in the CSV.
AFAIK BLOBs are hex encoded, which make them a non issue.
If blobs got consistently hex encoded, that would also be nice. Base64 is common, and there are multiple types of base64 encoding people use too.
Personally, I tend to think of CSV imports as something you can expect to have a ‘yield’ - and it’s never 100%.
break it, but not in a way that throws a parse error
[]https://highon.coffee/blog/sqlmap-cheat-sheet/#sqlmap-dump-d...
MD5 hash of "pass": 1a1dc91c907325c69271ddf0c944bc72
SHA-1 hash of "pass": d74db87a56f6d8a52ca4bbafc86a27f4b66c58a4
SHA-256 hash of "pass": 3f5d8cc9ea971f85b91fe9a761e29f882abeae92e4b99b5678f7bf3f53b1519f
but if you add "salt" to the password, (i.g. some randomly generated data), your password will be deterministically unqiue, and thus a rainbow table wouldn't ever work. The infrared and ultraviolet part is pure troll tho.
He added a toggle switch under the dash instead of fixing the clutch switch. He figured it'd be some poor man's anti theft.
I think it would have worked. It was pretty fun having friends try to move his car for a while.