What is this SQL injection doing?

Question

Long story short, through an old asp site I run someone found an unfiltered URL parameter and was able to run this query. I'm trying to figure out what it DOES though...

The query should read:

select * from reserve where id = 345

the one that was ran was:

select * from reserve where id = 345 and ascii(substring((select concat(user,0x3a,password,0x3a,host) from mysql.user limit 0,1),17,1))=53

I'm really not sure what this obtains. Any Input?

Answer 1

It might be probing whether or not the web application is accessing the database as root. Removing the ascii(substring()) portions returns the following when run as root:

mysql> select concat(user,0x3a,password,0x3a,host) from mysql.user limit 0,1;
+--------------------------------------+
| concat(user,0x3a,password,0x3a,host) |
+--------------------------------------+
| root:<rootpw-hash>:localhost         |
+--------------------------------------+

Following a successful probe, they may then attempt to retrieve the contents of mysql.user from which they can start cracking passwords against rainbow tables.

Answer 2

The second part of where condition is really strange: it looks for a mysql credentials and process them as follows:

• concat(user,0x3a,password,0x3a,host) will be something like 'someUser:hisPass:localhost'
• the above string will be splitted in a smaller one
• the above string is converted to ascii code (you might know it from legacy languages as ord())
• the result of the conversion is compared to 53 integer

I suppose that the first part of WHERE statement (id = 345) will always return true while the second one is too specific, so the entire query will probably return an empty result all the time.