2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
0x00: preface
SQL injection has been around for a long time, and today's websites generally have fairly strong protection against it. In the 2016 penetration test report, the most common findings were XSS (cross-site scripting) and plaintext transmission, but exploitation of SQL injection is also quite mature. For more information on SQL injection, please refer to the previous article: http://wt7315.blog.51cto.com/10319657/1828167
Today we mainly share the error-based type of SQL injection. Most online articles list statements like formulas, but do not explain why a particular function is used or why using that function produces an error that makes the injection possible.
0x01: the error-reporting process
Let's start with a few functions.
1. rand() generates a random number between 0 and 1.
2. floor() rounds down.
3. Since rand() produces a value between 0 and 1, rounding it down with floor() always gives the fixed value 0. Multiplying first, as rand()*2, gives a value that is not fixed: 0 or 1.
4. Check the current database; the "dvwa" database is used here.
5. concat() joins the values that meet the criteria from different rows of the same column. To make the result easier to read later, 0x3a is inserted on both sides; 0x3a is the hexadecimal for ":".
6. Combine the rand() function with the floor() function.
7. The query column name is too long, so give it an alias.
8. Then query the information_schema.tables table again to see how many rows it has and which columns it displays.
9. group by groups the results according to the rule we want.
10. count() counts the number of tuples (rows), which is equivalent to a summation.
11. Then repeat it a few more times.
0x02: rand() and rand(0)
1. After adding the random factor (the seed 0), execution reports an error every time. To explain the cause of the error more thoroughly, remove the random factor and look again.
2. Looking first at a single record: no matter how many times the query is executed, it does not report an error.
3. Then one record is added. With two records the result becomes uncertain: an error is reported at random. Insert another one: with three records the error is just as random as with two. It can be seen that the error is correlated with the random factor.
0x03: uncertainty and certainty
The principle behind the floor(rand(0)*2) error is precisely its determinism. floor(rand()*2), without a random factor, errors randomly, but floor(rand(0)*2) is guaranteed to error once there are three or more records. So it can be guessed that floor(rand()*2) is relatively random with no deterministic factor, while floor(rand(0)*2) has some certainty.
We execute floor(rand()*2) and floor(rand(0)*2) multiple times each against tables with several records.
As you can see, the values of floor(rand()*2) are irregular, while those of floor(rand(0)*2) follow a fixed pattern.
When MySQL encounters the statement select count(*) from tables group by x;, it creates a virtual table (a temporary table) and the whole workflow is as shown in the following figure:
1. First an empty virtual table is created, as shown in the following figure (where key is the primary key and cannot be repeated).
2. Then the data is queried: each row is fetched from the database table, the virtual table is checked for the key, a new record is inserted if the key does not exist, and count(*) is incremented directly if it does.
So if the key exists, its count is incremented by 1; if it does not exist, a new key is created.
In fact, the MySQL documentation gives a hint: if rand() is used in a query, its value will be calculated multiple times. What exactly does "calculated multiple times" mean? When group by is used, floor(rand(0)*2) is executed once; if there is no matching record in the virtual table, it is executed again when the row is inserted into the virtual table. Let's look at the error process of floor(rand(0)*2). From 0x04 we saw that in a multi-record query the values of floor(rand(0)*2) are deterministic: 0 1 1 0 1 1 (it is important to remember this order). The error is actually caused by these multiple calculations of floor(rand(0)*2).
Let's go through it step by step.
1. An empty virtual table is created by default before the query.
2. Take the first record and compute floor(rand(0)*2): the result is 0 (first calculation). Look it up in the virtual table: key 0 does not exist, so floor(rand(0)*2) is calculated again, giving 1 (second calculation), and key 1 is inserted into the virtual table. The first record is done.
3. Query the second record and compute floor(rand(0)*2) again: the result is 1 (third calculation). Look it up in the virtual table: key 1 exists, so floor(rand(0)*2) is not calculated a second time; count(*) is simply incremented, and the second record is done.
4. Query the third record and compute floor(rand(0)*2) again: the result is 0 (fourth calculation). Look it up in the virtual table: key 0 does not exist, so the database tries to insert a new row. While inserting, floor(rand(0)*2) is calculated once more to serve as the virtual table's primary key, and its value is 1 (fifth calculation). But primary key 1 already exists in the virtual table, and the newly calculated value is also 1 (the primary key must be unique), so the insert fails with an error.
Over the entire query, floor(rand(0)*2) is calculated five times and the original data table is read three times. This is why the table needs three rows of data for this statement to report an error.
0x04: floor(rand()*2) error
Since no random factor is added, floor(rand()*2) is unpredictable, so an error can already occur with two rows of data as long as the following condition holds.
After the previous records have been processed, the virtual table must not already contain both key values 0 and 1. If it does, no matter how many records follow, there is no way to report an error, because floor(rand()*2) will no longer be calculated a second time to produce a key for the virtual table. This is why, without a random factor, an error is sometimes reported and sometimes not.
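As an added illustration of the 0x03 and 0x04 walkthroughs (this is not code from the original post), the following Python models the virtual table and the two evaluations of floor(rand()*2) per inserted key. The key stream [0, 1, 1, 0, 1, 1] is the rand(0) order the post reports; the unseeded variant uses Python's random module as a stand-in for MySQL's rand(), which is an assumption, not MySQL's generator.

```python
import random
from itertools import cycle

# Constructed model (not from the original post) of how MySQL evaluates
# floor(rand(...)*2) while filling the GROUP BY virtual table.

RAND0_SEQUENCE = [0, 1, 1, 0, 1, 1]   # floor(rand(0)*2) values the post reports


def rand0_keys():
    """Deterministic key stream, like floor(rand(0)*2) with seed 0."""
    return cycle(RAND0_SEQUENCE)


def rand_keys(rng):
    """Unseeded key stream, like floor(rand()*2) (Python stand-in)."""
    while True:
        yield int(rng.random() * 2)


def simulate_group_by(rows, keys):
    """Model SELECT count(*) FROM t GROUP BY floor(rand(...)*2).

    Returns (virtual_table, evaluations, failing_row): failing_row is the
    row whose insert hit an existing primary key, or None if no error.
    """
    table = {}          # virtual table: key -> count(*)
    evaluations = 0
    for row in range(1, rows + 1):
        key = next(keys)            # evaluation 1: look the key up
        evaluations += 1
        if key in table:
            table[key] += 1         # key exists: just count(*) + 1
            continue
        key = next(keys)            # evaluation 2: recomputed for the insert
        evaluations += 1
        if key in table:            # recomputed key is already present
            return table, evaluations, row   # duplicate entry -> error
        table[key] = 1
    return table, evaluations, None


def error_rate(rows, trials, seed=1):
    """Fraction of trials in which the unseeded variant reports an error."""
    rng = random.Random(seed)
    errors = sum(simulate_group_by(rows, rand_keys(rng))[2] is not None
                 for _ in range(trials))
    return errors / trials
```

With the seeded stream the third row always fails after five evaluations, while once both keys 0 and 1 are present no later row can fail, matching the condition described above.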
0x05: updatexml error
MySQL 5.1.5 added two functions for querying and modifying XML documents: ExtractValue() and UpdateXML().
What we need to learn is the modifying function in MySQL, that is, the updatexml function.
extractvalue injection is also covered in other articles; it will be introduced later.
First, execute the following error payload:
and updatexml(1, concat(0x3a, (select @@version), 0x3a), 1)
The reason updatexml throws an error is simple: its second parameter must be a string in XPath format. What we pass in obviously does not match, so an error is reported.
The maximum length of the updatexml error output is 32 characters, so it is limited (PS: that is usually enough, but if a password is longer than 32 characters it will not be displayed).
0x06: other error-reporting functions
extractvalue(): id = 1 and extractvalue(1, concat(0x5c, (select user())))
exp(): id = 1 and exp(~(select * from (select user()) a))
The following six functions are generally grouped into one class.
GeometryCollection(): id = 1 and geometrycollection((select * from (select * from (select user()) a) b))
Polygon(): id = 1 and polygon((select * from (select * from (select user()) a) b))
Multipoint(): id = 1 and multipoint((select * from (select * from (select user()) a) b))
Multilinestring(): id = 1 and multilinestring((select * from (select * from (select user()) a) b))
Linestring(): id = 1 and linestring((select * from (select * from (select user()) a) b))
Multipolygon(): id = 1 and multipolygon((select * from (select * from (select user()) a) b))
For reasons of space, the principles behind the rest are not explained here. If there is an opportunity, they will be introduced in detail later.
© 2024 shulou.com SLNews company. All rights reserved.