2025-04-02 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
The editor shares with you why floor() error-based injection produces an error. Most people do not know much about it, so this article is offered for your reference; I hope you learn a lot from reading it.
0x01 brief introduction
Floor error injection is also called group by error injection; the two names refer to the same thing. I think most people, like me, know how to use floor error injection without understanding the principle behind it.
0x02 environment
My test environment:
MySQL version: 5.5.53
Database used: security.users. This is the sqli-labs database, which everyone is familiar with.
0x03 getting started
Let's throw out the commonly used error statement directly. The format of the statement is fairly fixed, and we will take it apart bit by bit.
select count(*) from users group by concat(database(), floor(rand(0)*2));
select count(*), concat(database(), floor(rand(0)*2)) as x from users group by x;
They mean the same thing. The as x in the second statement is simply an alias for concat(database(), floor(rand(0)*2)); there is no difference in meaning between the two SQL statements.
Now let's look at the error it produces:
ERROR 1062 (23000): Duplicate entry 'security1' for key 'group_key'
It says that the primary key 'security1' of 'group_key' is duplicated. Huh? Where did 'security1' come from? Which table has a duplicate primary key?
Although we don't know the principle yet, we can see that the database() function in the error message has been executed.
As I said before, I am using the sqli-labs database, so it is normal for database() to return 'security'.
0x04 floor(rand(0)*2)
The 1 in 'security1' comes from floor(rand(0)*2), and the message says 'security1' is duplicated, which means that primary key was already present in the table. Since database() is fixed, let's move on to the floor(rand(0)*2) that produces the 1.
rand() is a mathematical function that returns a random floating-point value in the range [0, 1).
If an integer argument N is specified, it is used as the seed value (also called a random factor): rand() generates its sequence from this seed, so the sequence is repeatable, meaning that the values of rand(0) are fixed.
The * 2 after it scales the range to [0, 2); it is simply multiplied by 2.
floor() is also a mathematical function; it returns the largest integer not greater than x. For example, floor(3.3) returns 3, and for a negative argument such as -3.3 it returns -4.
Now let's look at the value of floor(rand(0)*2) computed once for each row of the users table.
You can see that the values of rand(0) are indeed fixed, and that 1 also appears among the results.
concat() is a string concatenation function that joins multiple strings; if any of them is NULL, the result is NULL. From this we can see that the result of concat() is either 'security0' or 'security1'.
At this point there isn't much more to say about the second half. rand() has one very important feature that we will discuss later together with group by.
0x05 group by and count(*)
Let's talk about count(*) first: it is an aggregate function that returns the number of rows. The difference between it and count(column) is that it does not exclude NULL.
Let's use the query select count(*) from users group by username; to understand how group by works.
When group by executes, it fetches records from the queried table one by one and builds a temporary table; the group by expression is the primary key of that temporary table. If the key already exists in the temporary table, its count is increased by 1; if it does not exist, the key is inserted into the temporary table. Note that it is inserted!
Before the query, the temporary table is empty.
The first record is fetched; its username is Dumb. There is no such key in the temporary table, so Dumb is inserted as a key with a count(*) value of 1, and the second record is fetched.
Similarly, the second record's username is Angelina; there is no such key either, so Angelina is inserted as a key with a count(*) value of 1.
When the eighth record, admin, is fetched from the original table, admin is also inserted into the temporary table as a key with a count(*) value of 1. When the 15th record is fetched and admin is found to be a key in the temporary table already, count(*) is simply incremented by 1. The final result:
Although the result displayed on the command line is not quite the same as ours, the idea is correct (it appears to sort the results alphabetically, either on output or before inserting into the temporary table).
So by the above logic, the error statement should behave like select count(*) from users group by 'security0' or 'security1'. When group by builds the temporary table, the first key is security0; it is not found, so security0 is inserted as a key with a count of 1, and the next record is fetched from the from table.
The next record's key is security1; it does not exist in the temporary table, so security1 is inserted as a key with a count of 1, and the next record is fetched.
After that, every group by key is either security0 or security1, so only the counts should change. The final result should be:
So why isn't this the result? Why is a duplicate primary key error raised instead?
Because there is one more crucial feature: when group by is used with rand(), if the key is not in the temporary table, rand() is calculated again before the insertion (that is, twice; some blogs say "multiple times", and we don't know exactly how many, but the experiment below makes sense with twice). It is this feature that makes the primary key repeat and raise the error. Let's see:
When group by fetches the first record from the from table, the key is 'security0', and it is not found in the temporary table. Note that rand(0)*2 is now calculated again, so after floor() the key actually inserted into the temporary table is not security0 but security1, with a count of 1.
Then the second record is fetched; its key is again computed by floor(rand(0)*2), giving security1. The temporary table already has the key security1, so count(*) is simply incremented by 1.
The third record is fetched from the from table and floor(rand(0)*2) is calculated again: the result is 0, and concatenated with database() it gives security0. That key does not exist in the temporary table, so before insertion floor(rand(0)*2) is calculated once more, now giving security1 after concatenation. It is inserted directly, even though security1 is already a key in the temporary table, which causes the duplicate primary key error: ERROR 1062 (23000): Duplicate entry 'security1' for key 'group_key'.
That is the end of my explanation of the error principle. I don't know whether everyone follows me, or whether you can feel my stubbornness and my small universe.
0x06 optimization
Let's continue. We fetched three records from the from table in total because the values of floor(rand(0)*2) are 011011. But in fact the third calculation is not necessary: if some floor(rand(x)*2) yields 0101 or 1010, then two rows in the from table are enough to raise the error. After many experiments, I found that floor(rand(14)*2) yields 101000. So let's create a table with two rows and try it.
Create a test table with only two rows.
Both rand(0)*2 and rand(14)*2 were used in the experiment.
In other words, it is better to use rand(14)*2 during testing. If the from table has only one row, floor() error injection cannot be used: after all, the error is a duplicate, and how could a single inserted row duplicate the primary key, right?
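To make the "rand() is evaluated twice before an insert" behaviour from 0x05 and the rand(0) vs rand(14) comparison above concrete, here is an added Python model (not code from the original post). It reimplements MySQL's RAND(N) generator from the server source (my_rnd() seeded the way Item_func_rand::seed_random() does) and replays the temporary-table logic described in the article; the class and function names are my own.

```python
# Added example: a pure-Python model of how MySQL evaluates
# floor(rand(N)*2) inside GROUP BY, reproducing the duplicate-key
# error described in the article. The generator mirrors MySQL's
# my_rnd() and the seeding done by Item_func_rand::seed_random().

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()


class MySQLRand:
    """Reproduces the RAND(N) sequence for an integer seed N."""

    def __init__(self, seed):
        seed &= 0xFFFFFFFF
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def rand(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_bits(seed, n):
    """First n values of floor(rand(seed)*2) as a string, e.g. 011011."""
    r = MySQLRand(seed)
    return "".join(str(int(r.rand() * 2)) for _ in range(n))


def simulate_group_by(seed, row_count, prefix="security"):
    """Model GROUP BY concat(prefix, floor(rand(seed)*2)) over row_count rows.

    Returns (temp_table, error_row): error_row is the 1-based row whose
    insert hit an existing key (ERROR 1062), or None if no error occurs.
    When a key is missing from the temporary table, rand() is evaluated
    a second time before the insert, which is what the article observed.
    """
    r = MySQLRand(seed)
    temp = {}
    for row in range(1, row_count + 1):
        key = prefix + str(int(r.rand() * 2))   # evaluation 1: lookup
        if key in temp:
            temp[key] += 1                       # existing key: count + 1
            continue
        key = prefix + str(int(r.rand() * 2))   # evaluation 2: insert
        if key in temp:
            return temp, row                     # duplicate entry error
        temp[key] = 1
    return temp, None
```

Running simulate_group_by(0, 3) fails on the third row while simulate_group_by(14, 2) already fails on the second, matching the article's 011011 and 101000 sequences.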
0x07 summary
The cause of floor() error injection is this: when group by inserts a row into the temporary table, rand() is calculated more than once, so the primary key is duplicated on insertion and an error is raised; and because the SQL statement or function inside concat() is executed before the error is raised, the key reported in the error message is the result of that statement or function.
The above is the whole content of the article "what is the reason for floor() error injection". Thank you for reading! I believe everyone now has some understanding of it; I hope the shared content helps you, and if you want to learn more, you are welcome to follow the industry information channel!