Explanation of 10 MySQL Error Injection Principles (I)

Source: Internet
Author: User

I would like to say that the book "Code Audit: Enterprise Web Code Security Architecture" explains the 10 kinds of MySQL error injection very clearly.

If you are interested, please go and read it. If for some reason you have not read it and still want to understand, please continue reading.

1. count(), rand(), floor()

select * from test where id=1 and (select 1 from (select count(*), concat(user(), floor(rand(0)*2)) x from information_schema.tables group by x) a);

Function Explanation:

count: a function that counts the records in a table or an array.

rand: when called, produces a random number between 0 and 1.

floor: returns only the integer part of its argument; the fractional part is discarded.

Explanation of principle:

First, select floor(rand(0)*2) returns a fixed sequence (a table with about 10 rows is enough to see it). This is borrowed from someone else, so please don't mind.

The so-called fixed sequence is the returned 01101100 .... This sequence is fixed. Remember it, because it is used later.

Then, because of count(*), the statistics are collected row by row. A virtual table is built first. For each row, MySQL checks whether the same key already exists: if it does, the statistic value is incremented by 1; if it does not, 0 is returned and the search moves on to the next field.

Let me give you an example:

For example, there are ten apples in the table, and then the statistics are performed.

First time:

Key      Statistic value
Apple    1

Second time:

Key      Statistic value
Apple    2

......

Finally, because floor(rand(0)*2) returns a fixed sequence, count(*) raises an error on the 5th execution, after the 4th execution of the statistics: a key is returned that is not yet in the virtual table, but the next evaluation returns a key that is already there, so the insert produces a duplicate primary key and the query fails.

This also indicates that the table needs to contain more than 3 records.
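The Python sketch below is an added example, not part of the original article or the book it cites. It models the mechanism just described: the fixed floor(rand(0)*2) sequence and the virtual table that count(*) ... group by fills row by row. Assumptions: the generator recurrence (checked here for seed 0 only), the simplified "evaluate the key once for the lookup and again for the insert" model, and all function names are this example's own.

```python
# Added example, not from the original page. Simplified model (assumption):
# the group key is evaluated once for the lookup and again for the insert.
MAX_VALUE = 0x3FFFFFFF


def mysql_rand(seed=0):
    """Yield successive rand(seed) values (recurrence checked for seed 0)."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand_sequence(n, seed=0):
    """First n values of floor(rand(seed)*2)."""
    gen = mysql_rand(seed)
    return [int(next(gen) * 2) for _ in range(n)]


class DuplicateEntry(Exception):
    def __init__(self, key, evaluations):
        super().__init__(f"duplicate key {key!r} on evaluation {evaluations}")
        self.key, self.evaluations = key, evaluations


def group_by_count(rows, key_fn):
    """Model count(*) ... group by x; return (virtual table, key evaluations)."""
    table, evaluations = {}, 0
    for _ in range(rows):
        key = key_fn()                 # evaluation used for the lookup
        evaluations += 1
        if key in table:
            table[key] += 1            # key exists: statistic value + 1
            continue
        key = key_fn()                 # evaluated again for the insert
        evaluations += 1
        if key in table:               # insert collides with an existing key
            raise DuplicateEntry(key, evaluations)
        table[key] = 1
    return table, evaluations


def demo(rows=10):
    """Group `rows` rows by floor(rand(0)*2), as the query above does."""
    gen = mysql_rand(0)
    return group_by_count(rows, lambda: int(next(gen) * 2))
```

With a deterministic key (the ten-apples case) the same function simply counts; with the floor(rand(0)*2) key it raises DuplicateEntry on the 5th key evaluation.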

2. updatexml()

select * from test where id=1 and (updatexml(1, concat(0x7e, (select user()), 0x7e), 1));

Function Explanation:

updatexml: a function for querying and modifying XML documents.

updatexml(xml_document, xpath_string, new_value);

  First parameter: xml_document, in string format, the name of the XML document object, and the doc

  Second parameter: xpath_string (a string in XPath format). If you don't know XPath syntax, you can find tutorials online.

  Third parameter: new_value, in string format, replaces the found data that matches the condition.

concat: returns the string that results from concatenating its arguments.

Explanation of principle:

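concat joins the queried information into a single string, but the second argument of updatexml must be a string in XPath format. The concatenated string obviously is not, so an error is raised, and the error message includes the offending string, which is how the queried value is disclosed.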

3. extractvalue()

select * from test where id=1 and (extractvalue(1, concat(0x7e, (select user()), 0x7e)));

Function Explanation:

extractvalue(): returns a string containing the value queried from the target XML.

extractvalue(xml_document, xpath_string);

  First parameter: xml_document, in string format, the name of the XML document object, and the doc

  Second parameter: xpath_string (a string in XPath format)

concat: returns the string that results from concatenating its arguments.

Principle Analysis:

concat joins the queried information into a single string, but the second argument of extractvalue must be a string in XPath format. The concatenated string obviously is not, so an error is raised.

That's all for this time; remember to stay tuned.
