MySQL error-based injection principle analysis (count(), rand(), group by)

Source: Internet
Author: User
Tags: sql injection tutorial

0x00 The question

I have been using error-based injection against MySQL for a while, but why does the statement actually raise an error?

Searching Baidu and Google, I found that everyone posts the conclusion from the official MySQL documentation and then runs the SQL statement to confirm it. Nobody digs into why rand() cannot be used with ORDER BY, and nobody describes the full principle behind the error.

0x01 Does position matter?

select count(*), floor(rand(0)*2) x from information_schema.tables group by x; is the most common statement found online. In the SQL injection tutorials currently online, floor(rand(0)*2) is always placed directly after count(*). To rule that out as a factor, we compared two error statements, one with floor(rand(0)*2) before count(*) and one with it after, as shown in the figure.

From the figure, the error has nothing to do with the position of the expression in the select list.

0x02 Does the error always occur, or only under some condition?

Does the statement raise an error whenever it contains floor(rand(0)*2) together with the other ingredients? In fact, no. First create a table and insert one record.

After confirming that the table holds exactly one record, run the error statement. No error is raised, however many times it is executed.

Then add a second record and run the error statement again. Still no error, however many times it is executed.

Add a third record and run the error statement once more. This time the error is raised.

So floor(rand(0)*2) raises the error only under a condition: the table must hold at least three records, and with three or more records the error is raised every time. Why? Continue.

0x03 Does the random factor decide? (rand() versus rand(0))

To get to the bottom of the cause, remove the fixed seed, that is use rand() instead of rand(0), and repeat the test. With a single record, no error is raised no matter how many times the statement is executed.

Add a second record. With two records the result becomes unpredictable: sometimes the statement errors, sometimes it does not.

Insert a third record. With three records the error is still random, exactly as with two.

So the error depends on the random factor, but how? Why does rand() raise the error only sometimes with two records, while rand(0) never errors with two records and always errors with three or more? Let's continue.

0x04 Nondeterminism and determinism

As hinted above, the error raised by floor(rand(0)*2) is a consequence of its determinism. Why? From 0x03 we can roughly guess: floor(rand()*2), with no fixed seed, errors at random, whereas floor(rand(0)*2) errors reliably once there are three or more records. So we assume that floor(rand()*2) is purely random with no deterministic element, while floor(rand(0)*2) has some determinism in it.

To confirm the guess, run floor(rand()*2) and floor(rand(0)*2) repeatedly against a table with more than ten records. On a 12-record table, select floor(rand()*2) from TSafe; shows no pattern across three consecutive runs. Now look at select floor(rand(0)*2) from TSafe;:

floor(rand(0)*2) produces a regular, fixed sequence every time. This is the determinism mentioned above, and it is what makes the error reproducible. Why it raises an error, read on.

0x05 count(*), group by and the virtual table

Running select count(*) from TSafe group by x; often gives a result like the one shown; here there are 5 records in test12.

Consistent with the count(*) output, what does MySQL actually do when it meets select count(*) from TSafe group by x? We guess, and it is in fact the case, that MySQL creates a virtual (temporary) table for the grouping, and the whole workflow is:

1. Before scanning the data, create an empty virtual table keyed by the group by expression.

2. Read the data rows one by one. For each row, compute the key and check whether it already exists in the virtual table. If it does not, insert a new record with count(*) = 1; if it does, add 1 to that record's count(*) field.

So an existing key gets +1, and a missing key causes a new record to be created.

What is the connection between this and the error? Go straight on; in fact, the previous sections already let us guess some of it.

0x06 The floor(rand(0)*2) error

MySQL's documentation itself hints at this: when rand() is used in a query, the value is evaluated more than once. What does "evaluated more than once" mean here? With group by, floor(rand(0)*2) is evaluated once for the lookup, and if the key is not in the virtual table it is evaluated again when the new record is inserted. Now walk through the error. From 0x04 we know that during a multi-record query floor(rand(0)*2) yields the fixed sequence 0, 1, 1, 0, 1, 1, ... (remember this order; it matters). The error comes precisely from floor(rand(0)*2) being evaluated several times. Take select count(*) from TSafe group by floor(rand(0)*2); and follow the query:

1. Before the query, an empty virtual table is created.

2. Read the first record and evaluate floor(rand(0)*2): the result is 0 (1st evaluation). Look it up in the virtual table; key 0 does not exist, so floor(rand(0)*2) is evaluated again to produce the key to insert: the result is 1 (2nd evaluation), and a record with key 1 is inserted. The first record is done.

3. Read the second record and evaluate floor(rand(0)*2) again: the result is 1 (3rd evaluation). Key 1 exists in the virtual table, so there is no second evaluation; count(*) for key 1 is simply incremented to 2. The second record is done.

4. Read the third record and evaluate floor(rand(0)*2) again: the result is 0 (4th evaluation). Key 0 does not exist, so the database tries to insert a new record and evaluates floor(rand(0)*2) once more for the primary key of the virtual table: the result is 1 (5th evaluation). But key 1 already exists, and the primary key must be unique, so the insert fails immediately with a duplicate-entry error.

5. floor(rand(0)*2) was evaluated five times while three rows of the source table were read. That is why the source table needs at least three rows for this statement to raise the error.

0x07 The floor(rand()*2) error

From 0x05 we can likewise infer what happens without a fixed seed. Because floor(rand()*2) is unpredictable, an error can occur as soon as there are two records, provided the same thing happens: the value evaluated for the lookup is not in the virtual table, and the value evaluated again for the insert already is.

The crucial point is that the virtual table must not yet contain both key values 0 and 1 after the first few records. Once it does, no error can occur no matter how many records follow, because floor(rand()*2) is then never evaluated a second time as an insert key: whatever the lookup produces is already present. That is why, without a fixed seed, the error sometimes appears and sometimes does not.

Once the earlier records have grown the virtual table to hold both keys, every later value of floor(rand()*2) is found in the virtual table, is not recomputed, and merely increments count(*), so no error is raised. floor(rand(1)*2) is an example: after the first two records are read, the virtual table already holds both keys 0 and 1, so no later step can raise the error.

In short, the error requires all three together: count(*), rand(), and group by.
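The whole process from 0x05 to 0x07 can be modelled in a few lines. The following Python simulation is an added example, not code from the original article; it replays the group by virtual table exactly as the steps above describe it (one evaluation for the lookup, a second evaluation on insert) and shows why rand(0) needs three rows, why rand() errors only sometimes with two rows, and why nothing can error once both keys are present. Assumptions: the rand(0) values are the first six reported on this page (0, 1, 1, 0, 1, 1); unseeded rand() is modelled with Python's random module rather than MySQL's generator; and the leak parameter models the usual concat(<expression>, floor(rand(0)*2)) payload, which is how the duplicate-key message is used to read data and which the article itself does not cover.

```python
"""Simulation of MySQL's GROUP BY over a non-deterministic key expression.

Model, as described in the article: for each source row the group key is
evaluated once for the lookup in the grouping virtual table; if the key is
absent, the expression is evaluated AGAIN to produce the key actually
inserted.  The two evaluations can disagree, and the insert fails with a
duplicate-key error when the second value is already present.
"""
import itertools
import random


class DuplicateEntry(Exception):
    """Stands in for MySQL's "Duplicate entry '...' for key 'group_key'"."""


# First evaluations of floor(rand(0)*2) as reported in the article (0x04/0x06).
RAND0_PREFIX = (0, 1, 1, 0, 1, 1)


def floor_rand_keys(seed=None):
    """Yield successive values of floor(rand(seed)*2).

    seed=0 replays the fixed sequence above.  Any other seed (or None) models
    unseeded rand() with Python's PRNG; this is an assumption, MySQL's
    generator differs, but only "unpredictable 0 or 1" matters for the model.
    """
    if seed == 0:
        yield from RAND0_PREFIX
        raise RuntimeError("model only covers the first six rand(0) evaluations")
    rng = random.Random(seed)
    while True:
        yield rng.randrange(2)


def group_by_count(num_rows, keys, leak=""):
    """Simulate SELECT count(*) FROM t GROUP BY concat(leak, floor(rand(..)*2)).

    Returns the virtual table {key: count}, or raises DuplicateEntry exactly
    where MySQL would.  `leak` is the attacker-controlled prefix that real
    payloads concat() onto the key so that the error message echoes it back.
    """
    vtable = {}
    for _ in range(num_rows):
        key = f"{leak}{next(keys)}"            # evaluation 1: the lookup
        if key in vtable:
            vtable[key] += 1                   # found: count(*) += 1, no 2nd evaluation
            continue
        insert_key = f"{leak}{next(keys)}"     # evaluation 2: key used for the insert
        if insert_key in vtable:
            raise DuplicateEntry(f"Duplicate entry '{insert_key}' for key 'group_key'")
        vtable[insert_key] = 1
    return vtable


def rand0_errors(num_rows):
    """Does the rand(0) query error on a table of num_rows rows? (1: no, 2: no, 3: yes)"""
    try:
        group_by_count(num_rows, floor_rand_keys(0))
    except DuplicateEntry:
        return True
    return False


def rand_error_rate(num_rows, trials=2000, seed=1234):
    """Fraction of trials in which unseeded rand() errors.

    With one row the rate is 0; with two rows it is about 1/4 (the lookup
    misses with probability 1/2, then the insert key collides with probability 1/2).
    """
    errors = 0
    for t in range(trials):
        try:
            group_by_count(num_rows, floor_rand_keys(seed + t))
        except DuplicateEntry:
            errors += 1
    return errors / trials


def both_keys_first(num_rows, seed=7):
    """The rand(1) case from the article: rows 1 and 2 put both 0 and 1 into
    the virtual table, after which no later row can ever error."""
    rng = random.Random(seed)
    scripted = [0, 0, 1, 1]      # row 1: lookup 0 misses, insert 0; row 2: lookup 1 misses, insert 1
    rest = (rng.randrange(2) for _ in itertools.count())
    return group_by_count(num_rows, itertools.chain(scripted, rest))


def leaked_value(leak, num_rows=3):
    """Return the error text the server would echo; the concat()ed data rides inside it."""
    try:
        group_by_count(num_rows, floor_rand_keys(0), leak=leak)
    except DuplicateEntry as e:
        return str(e)
    return None


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"rand(0), {n} row(s): error={rand0_errors(n)}")
    print(f"rand(),  2 rows: error rate={rand_error_rate(2):.2f}")
    print(leaked_value("secret~"))   # 'secret~' is a constructed stand-in for e.g. version()
```

Running the file prints error=False for one and two rows and error=True for three, an error rate near 0.25 for two rows with rand(), and a duplicate-entry message carrying the secret~ prefix. The collision in row 3 is the single fact the whole technique rests on: the key used for the lookup (0) and the key used for the insert (1) come from two different evaluations of the same expression, so the "duplicate" key was never actually looked up.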
