Learning notes MySQL Error injection (COUNT (), Rand (), GROUP by)

First look at the common attack payload, as follows:

Select COUNT (*), (Floor (rand (0)) × from table by x;

Then the attack load is explained,

Floor (rand (0) * *) query table content greater than or equal to 3 will be an error. Part of the reason, because floor (rand (0) * *) is regular and fixed.

If you do not understand, you can use the database to do the experiment. Select Floor (rand (0) * *) from table, the data volume is best about 10. You will find a string of 0110110011 ... A regular number.

Then select COUNT (*) from the table group by X, which is executed in MySQL, creates a virtual table, which is used for statistics.

For example: There is a field 12 in the table, and the statements are counted in the virtual table one at a, and returned after the statistic is finished.

Finally, take a look at the Select COUNT (*) from the table group by floor (rand (0) *), the query process.

Since floor (rand (0) * *) is regular (011011001110 ...), the statement executes multiple times, with Pseudocode as follows:

1. Select COUNT (*) from table GROUP by 0

2. Select COUNT (*) from table GROUP by 1

3. Select COUNT (*) from table GROUP by 1

4. Select COUNT (*) from table GROUP by 0

5. Select COUNT (*) from table GROUP by 1

......

The first time is 0 skipped, the second is a value of 1 counts 1, the third value is 1 counts 2, the fourth is 0 skipped, the fifth is 1, the new insert data (because fourth time is 0), because the new Insert data primary key value is the same as the previous primary key key value, so error.

For specific attack loads, see https://www.waitalone.cn/mysql-error-based-injection.html

Learning notes MySQL Error injection (COUNT (), Rand (), GROUP by)