MySQL Error injection principle analysis (count (), Rand (), GROUP by)
0x00 questions
have been using the MySQL Database error injection method, but why the error?
Baidu Google know a bit, found that everyone is the official website of the conclusion of a hair, and then execute the SQL statement to prove a conclusion, but no one to delve into why Rand can not be used with order by, nor completely explain the three simultaneous use of the principle of error.
0x01 location problem?
Select COUNT (*), (Floor (rand (0)) × from information_schema.tables Group by X; This is the most common online statement, the current location to see the online SQL injection tutorial, floor are directly put count (*) behind, in order to eliminate interference, we directly compared the two error statements, such as
From the above picture, you can know that the error is not related to location.
0x02 Absolute error or relative error?
Is the error statement have floor (rand (0) * *) and several other conditions must be an error? In fact it is not so, we first build a table, add a record to see, such as:
Confirm that there is only one record in the table, and then execute the error statement to see if:
No errors were found on multiple executions.
Then we add a record.
And then test the error statement.
Multiple executions with no error
Okay, let's add another one.
Execute an Error statement
OK success Error
This can prove that floor (rand (0) * *) error is conditional, record must be more than 3, and in more than 3 must error, exactly why? Please keep looking down.
0X03 random factor has the right to decide (rand () and rand (0))
In order to more thoroughly explain the cause of the error, directly remove the random factor, and then look at a record first, such as:
One record, no matter how many times it's executed, no error.
Then add a record.
Two records, the result becomes uncertainty.
Random error occurred.
And then insert a
Three records, as well as 2 records random error.
This shows that the error and random factors are related, but what is the correlation, why the direct use of rand (), there are two records of the case will be error, and sometimes error, and sometimes do not error, and rand (0) when the time in two does not error, in three above the absolute error? Let's keep looking down.
0x04 Uncertainty and certainty
As I said before, floor (rand (0) * *) error is precisely because of its certainty, this is why? From the 0x03 we can roughly guess, because the floor (rand () * *) without random factors is random error, and in 3 records above with floor (rand (0) * *) must be an error, which can be guessed floor (rand) is relatively random, There is no deterministic factor, and floor (rand (0) * *) has some certainty.
In order to prove our conjecture, the floor (rand () * *) and floor (rand (0) * *) are executed several times in the Multi-record table (record selection of more than 10), in the 12 records table to execute the results such as:
3 consecutive queries, no rules, next look at select floor (rand (0) * *) from ' t-safe ';, such as:
We can see that the floor (rand (0) * *) is regular, and is fixed, this is the above mentioned because of certainty caused by the error, then why the error, we continue to look down.
0x05 count and group by virtual tables
Use SELECT COUNT (*) from ' T-safe ' group by x; we can often see similar results in this statement:
We can see that there are 5 records of test12.
In accordance with the result of Count (*), then MySQL encounters select COUNT (*) from the Tsafe group by X; What exactly did this statement do, and we made a decisive guess that MySQL would create a virtual table when it encounters the statement ( is actually creating a virtual table), the entire workflow is as follows:
- Create a virtual table first, such as (where key is a primary key and cannot be duplicated):
2. Start querying the data, fetch the database data, and then see if the virtual table exists, does not exist, inserts a new record, and the count (*) field directly adds 1, for example:
As a result, if the key exists, then + 1, if it does not exist, create a new key.
That this and error have what intrinsic connection, we go directly down, actually here, combined with the previous content we can also guess a one or two.
0X06 Floor (rand (0) * *) error
In fact, the MySQL official has given the hint, that is, when the query when using rand (), the value will be calculated multiple times, the "computed multiple" exactly what the meaning is, when using group by, the Floor (rand (0) * *) will be executed once, if the virtual table does not exist record , when inserting the virtual table will be executed again, we look at floor (rand (0) * *) error process to know, from 0x04 can be seen in a multi-record query process floor (rand (0) * *) value is qualitative, 011011 ... (Remember that this order is important), the error is actually the floor (rand (0) * *) is calculated several times, specifically, see Select COUNT (*) from Tsafe GROUP BY Floor (rand (0) *), the query process:
1. An empty virtual table is established by default before querying such as:
2. Take the first record, execute floor (rand (0) * *), find the result is 0 (first calculation), query the virtual table, found that the key value of 0 does not exist, the floor (rand (0) * *) will be recalculated again, the result is 1 (the second calculation), insert the virtual table, At this time the first record query is complete, such as:
3. Query the second record, again calculate floor (rand (0) * *), found that the result is 1 (third calculation), query the virtual table, found that 1 key value exists, so floor (rand (0) * *) will not be calculated the second time, the direct count (*) plus 1, the second record query is complete, The results are as follows:
4. Query the third record, again calculate floor (rand (0) * *), found that the result is 0 (4th time calculation), query the virtual table, found that the key value is not 0, the database tries to insert a new data, when inserting the data floor (rand (0) * *) is recalculated, as the primary key of the virtual table, The value is 1 (5th), however, 1 this primary key already exists in the virtual table, and the newly computed value is also 1 (the primary key key value must be unique), so when inserting a direct error.
5. The entire query process floor (rand (0) * *) was calculated 5 times, querying the original data table 3 times, so this is why the data table requires 3 data, the use of the statement will be the cause of the error.
0X07 Floor (rand ()) error
By 0x05 we can also infer the case of not adding random factors, because no random factor is added, so Floor (rand () * *) is not measurable, so in two data, as long as the following conditions, can be an error, such as:
The most important is that the previous few records query can not let the virtual table exists 0,1 key value, if there is, no matter how many records, there is no way to error, because floor (rand () * *) will not be counted as the key value of the virtual table, which is why no random factor will sometimes error, Sometimes there is no reason for error.
The current face record makes the virtual table grow like this, because no matter how many records are queried, the value of floor (rand () * *) can be found in the virtual table, so it will not be recalculated, but simply increase the number of count (*) field, so no error, such as Floor (rand (1) * *),
After the first two records of the query, the virtual table already exists 0 and 12 key values, so how to get back again will not error.
In short, the error requires count (*), Rand (), group by, three indispensable.
Transferred from: http://www.cnblogs.com/xdans/p/5412468.html
MySQL Error injection principle analysis (count (), Rand (), GROUP by)