Injection attack by sql query in php

Can anyone explain to me the meaning of this query?

-999.9 and(select 1 from(select count(*),
 concat((select (select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e))
 from `information_schema`.tables limit 0,1),floor(rand(0)*2))x 
 from `information_schema`.tables group by x)a)--

I found that the required fields in the form were filled with 1 and the email id field was filled with this particular query.
In the form, I have a sequence like name, mobile number, email id and other details. All fields after the email id were filled with blank or 'null', and all fields before the email id were filled with '1'.

Dinesh Patil asked Nov 11 '22 09:11



1 Answer

It is a blind SQL injection. It is used when the site is not vulnerable to normal SQL injection. Your site validates the input data, probably not correctly but well enough to not let information leak through SQL injection.

Blind SQL injection does not attempt to get information directly; if a leak is found then there is no need for blind injection in the first place.

How it works: it injects strange embedded queries like the one mentioned in the question and it checks the behaviour of the page. A page that checks the result of its queries produces different content when a query fails. It displays an error message or redirects to some page or, sometimes, it doesn't produce any output (when the "handling" of the query failures is like "or die()").

The blind SQL injection makes an assumption then produces and injects a query that either runs correctly or fails. It checks the page content to know if the injected part made the query succeed or fail. Depending on the result (success or failure), the injection script knows if its assumption was true or false then it takes a decision and tries again with a different assumption.

I cannot tell what this injection fragment is testing. It makes the query fail on the MySQL version I am using because of the group by x part. Maybe it succeeds on other versions (MySQL 4?); in this case it is used only to detect the MySQL version. It's not about the exact version but the major version. There are small things changed here and there between major MySQL versions and it's important for the attacker script to know what version is running. This way it knows what language features it can use. If it does not use the correct syntax then all its queries fail and its goal cannot be accomplished. :-)

One of the legacy websites I am maintaining was attacked a couple of months ago in a similar fashion. We thought all the input data was correctly checked and there was no way to inject something into it. It happened that a small hole still existed, somebody decided to attack the site (to extract email addresses probably) and the tool they used found the hole and started injecting queries through it.

The injected query was something like 2 RLIKE (SELECT ...) where ... stands for a complicated query that selects the name of the Nth object (table or column) from information_schema (using LIMIT), uses the function MID(name, K, 1) to extract the Kth character from the selected name, then compares that character with a specified character (using IF() or CASE) to eventually produce 2 or something that was not a valid regular expression.

Each request is checking a single character of a single table or field name against a certain character from the ASCII set. If the checked character is smaller than the one provided by the injector then the injected part evaluates to 2 RLIKE 2 and the query runs normally. Otherwise it evaluates to something like 2 RLIKE ( and the query fails. This way, the injector script divides in half the range of potential values for the character it is testing. The next queries shrink it again and again until it finds the exact character. It requires up to 7 injected requests to find a single character of a single table or field name.

Then it starts over with the character at position K+1 and so on. Using the same technique but with a different query, the script first finds out how long the name it wants to find is.

The process is tedious but that's why the computers were invented in the first place: to do tedious work for humans.

axiac answered Nov 29 '22 02:11
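The two probe families described on this page (the error-based count(*)/floor(rand(0)*2)/group by fragment from the question and the 2 RLIKE (SELECT ... MID(...)) probe from the answer) leave recognisable traces in submitted form fields. The following is an added example, not code from the question, the answer or any product: it scans form submissions for those traces and for the "1"/blank/"null" filler the questioner noticed in the other fields. The signature regexes, field names and sample submissions are all constructed for the example.

```python
"""Flag form submissions carrying the SQL-injection probes described on this page."""
import re
from urllib.parse import unquote_plus

# Signatures written for this example (not taken from any scanner or WAF ruleset).
SIGNATURES = {
    # the question's payload: count(*) ... floor(rand(0)*2) ... group by
    "error_based_duplicate_key": re.compile(
        r"count\(\*\).*floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    # the answer's probe: N RLIKE (SELECT ... MID(...)
    "blind_rlike_probe": re.compile(r"\bRLIKE\s*\(\s*SELECT\b.*\bMID\s*\(", re.I | re.S),
    "schema_enumeration": re.compile(r"information_schema`?\s*\.\s*`?(tables|columns)", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}
FILLER = {"1", "", "null"}  # values the question saw in the other required fields

def scan_value(value):
    """Names of the signatures matched by one URL-decoded field value."""
    decoded = unquote_plus(value or "")
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_submission(fields):
    """Map each field name to the signatures its value triggers; empty dict when clean."""
    return {k: hits for k, v in fields.items() if (hits := scan_value(v))}

def looks_automated(fields, hits):
    """True when every field other than the injected ones holds scanner filler only:
    the question's observation that a tool, not a person, completed the form."""
    return bool(hits) and all(
        (v or "").strip().lower() in FILLER for k, v in fields.items() if k not in hits)

def triage(submissions):
    """Per submission: (field -> signatures, automated?) so a reviewer can sort the queue."""
    results = []
    for fields in submissions:
        hits = scan_submission(fields)
        results.append((hits, looks_automated(fields, hits)))
    return results

# Constructed submissions: the first copies the question's payload, the second has the
# shape of the RLIKE probe the answer describes, the third is an ordinary visitor.
QUESTION_PAYLOAD = (
    "-999.9 and(select 1 from(select count(*),"
    "concat((select (select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e))"
    " from `information_schema`.tables limit 0,1),floor(rand(0)*2))x"
    " from `information_schema`.tables group by x)a)--")
RLIKE_PAYLOAD = ("2 RLIKE (SELECT IF(MID((SELECT table_name FROM information_schema.tables"
                 " LIMIT 0,1),1,1)<'m',2,0x28))")
SUBMISSIONS = [
    {"name": "1", "mobile": "1", "email": QUESTION_PAYLOAD, "city": "", "notes": "null"},
    {"name": "1", "mobile": "1", "email": RLIKE_PAYLOAD, "city": "", "notes": "null"},
    {"name": "Dinesh", "mobile": "9876543210", "email": "d@example.com", "city": "Pune",
     "notes": "call me after 5"},
]
```

Running triage(SUBMISSIONS) marks the first two submissions as automated probes (email field flagged) and the third as clean; a flagged submission should be logged and dropped, never inserted, and the real fix remains parameterised queries in the PHP handler so the decoded value can never reach the SQL parser.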