Example analysis of SQL injection error reporting
2022-06-10 16:57:00 【1024 Q】
Preface

I believe many people who play with SQL error-based injection have always had one question: why does writing it this way produce an error? I once went looking for an answer and found nothing satisfying. After several months I finally worked out the principle, so I want to record it, and I hope it saves those who come after me some detours.

0x01

Let's look at the phenomenon first. I have a users table with five rows of data in it:

Then query it with our error-based statement:
select count(*),(concat(floor(rand()*2),(select version())))x from users group by x
The version number of the database is successfully leaked through the error message.
To understand the cause of this error, we first need to know what the group by statement does. Let's take a student table as an example:

Now let's group the data in this table by age:

A new table has been formed, right? You should now be able to picture how the group by statement executes. The sage-count() table we saw should be thought of as empty at the start. While group by runs, it scans the original table row by row and reads the sage field: if that sage value does not exist in the sage-count() table yet, it inserts it and sets count() to 1; if the sage value already exists in the table, it adds 1 to the existing count(*). This continues until the whole table has been scanned, and the result is the table we see.
Note: here is a particularly important point. The field after group by is the primary key of this virtual table, in other words it cannot be duplicated. This is the key to why the error-based statement works later, and you can already get a glimpse of it in the error-based statement above.

0x02

As I said earlier, the main reason for the error is a duplicated primary key in the virtual table, so let's look at where and when the duplication happens. This is where the rand() function comes on stage.
First, let's understand how rand() is used:
1. With no argument it generates a random number between 0 and 1.
2. You can also pass rand an argument as its seed; rand then generates its random values from that seed.
What is the difference between the two? Let's look at the execution results of these two statements:
You can see that the data generated by rand() is irregular, while the data generated by rand(0) follows a pattern:
0110 0110
Note: if you think there is too little data here to prove the randomness of rand(), insert a few more rows and query again.
0x03

Now we know how the group by statement works and the difference between rand() and rand(0). The next point is that, according to MySQL's official statement, when a group by statement executes, the field after group by is calculated twice.
First time: we said the value of the field after group by is compared against the virtual table, and before it can be compared its value must be known, so the first calculation happens here.
Second time: now suppose the value of the field we just scanned does not appear in the virtual table, that is, the value of the group by field does not exist in the virtual table yet. Then it has to be inserted into the virtual table, and a second calculation is performed during the insert. Because the rand function is random, the result of the second calculation may differ from the result of the first, and that second result may already exist in the virtual table. The insert then inevitably fails with an error!
So now let's test this theory with an example, taking our first example:
select count(*),(concat(floor(rand(0)*2),'@',(select version())))x from users group by x
Note: the users table is the first table in this article, with five rows of data in it.
Notice that I am using rand(0), not rand(). The regular sequence generated by rand(0):

Let's follow the train of thought just now. The initial virtual table is empty, like this:
When the first row of the original table is scanned, the first calculation gives floor(rand(0)*2) = 0, which is then spliced with the database version number (assume it is 5.7.19). We look in the virtual table for a row whose x is 0@5.7.19, and obviously there is none, so it should be inserted into the table above. But remember, a second calculation is performed before the insert, and at that point the value of x becomes 1@5.7.19, so the virtual table becomes:
| count(*) | x |
| 1 | 1@5.7.19 |
Now the second row of the original table is scanned. The first calculation gives x == '1@5.7.19', which already exists, so no second calculation is needed; the existing row's count is simply incremented, giving the following table:
| count(*) | x |
| 2 | 1@5.7.19 |
Scan the third row of the original table. The first calculation gives x == '0@5.7.19', which cannot be found in the virtual table, so the second calculation is performed, and now x == '1@5.7.19'. Then the insert happens, and this is where the problem occurs: the virtual table already has a row whose primary key is 1@5.7.19, the insert fails, and an error is raised!
The above is the situation with rand(0). rand(0) is more stable, so it reports an error on every execution. But if you use rand(), because the sequence it generates is random, not every execution will report an error. Here are my test results:

Five runs, two errors: so it comes down to luck.
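To make the three pieces the article relies on concrete (the group by virtual table from 0x01, the rand(0) pattern from 0x02, and the double-evaluation walkthrough from 0x03), here is an added Python model. It is not code from this post or from MySQL. MySQLRand is a port of the generator behind MySQL's RAND() (my_rnd() in mysys, seeded the way Item_func_rand seeds an integer argument), so rand(0) reproduces the deterministic values the walkthrough consumes; group_by_double_eval models the virtual table with the key expression evaluated once for the lookup and again for the insert. The five-row table, the version string 5.7.19 and the error text are constructed to follow the walkthrough, and unseeded rand() is approximated with Python's random module.

```python
"""Model of the floor(rand(0)*2) + GROUP BY collision described in the article.

Added example, not code from the post or from MySQL.  MySQLRand ports the
generator behind MySQL's RAND(); group_by_double_eval models the virtual
table with the key expression evaluated twice.  The version "5.7.19", the
five-row table and the error text are constructed sample data.
"""
import math
import random

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()


class MySQLRand:
    """Port of my_rnd(); seeded as MySQL does for RAND(N) with integer N."""

    def __init__(self, seed):
        seed1 = (seed * 0x10001 + 55555555) & 0xFFFFFFFF  # uint32 arithmetic
        seed2 = (seed * 0x10000001) & 0xFFFFFFFF
        self.seed1 = seed1 % MAX_VALUE
        self.seed2 = seed2 % MAX_VALUE

    def rand(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(seed, n):
    """First n values of floor(rand(seed)*2), as the article tabulates them."""
    rng = MySQLRand(seed)
    return [math.floor(rng.rand() * 2) for _ in range(n)]


class DuplicateKey(Exception):
    """Stands in for MySQL error 1062 (duplicate entry for key 'group_key')."""


def group_by_double_eval(row_count, key_expr):
    """Build the GROUP BY virtual table over row_count rows.

    key_expr() is evaluated once to look the key up and, only when the key
    is absent, a second time to produce the value actually inserted.  The
    key is the virtual table's primary key, so a second evaluation that
    lands on an existing key raises DuplicateKey, naming the offending row.
    """
    virtual = {}  # key -> count(*)
    for row in range(1, row_count + 1):
        probe = key_expr()          # first evaluation: lookup only
        if probe in virtual:
            virtual[probe] += 1     # present: count(*) + 1, no second evaluation
            continue
        key = key_expr()            # second evaluation: value written to the table
        if key in virtual:
            raise DuplicateKey(f"row {row}: Duplicate entry '{key}' for key 'group_key'")
        virtual[key] = 1
    return virtual


def run_seeded(seed=0, version="5.7.19", rows=5):
    """Replay the rand(0) walkthrough; returns ('ok', table) or ('error', message)."""
    rng = MySQLRand(seed)
    key_expr = lambda: f"{math.floor(rng.rand() * 2)}@{version}"
    try:
        return ("ok", group_by_double_eval(rows, key_expr))
    except DuplicateKey as exc:
        return ("error", str(exc))


def error_rate(rows=5, trials=2000, version="5.7.19"):
    """Fraction of runs that fail when the key uses unseeded rand().

    Unseeded RAND() is not under the query's control, so it is modelled here
    with Python's random module rather than the MySQLRand port.
    """
    failures = 0
    for _ in range(trials):
        key_expr = lambda: f"{random.randrange(2)}@{version}"
        try:
            group_by_double_eval(rows, key_expr)
        except DuplicateKey:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    print(floor_rand_sequence(0, 5))   # rand(0) is deterministic: same on every run
    print(run_seeded(0))               # fails on row 3, exactly as in the walkthrough
    print(f"unseeded rand(): {error_rate():.0%} of runs error out")
```

The first five values of floor(rand(0)*2) from the port are 0 1 1 0 1, which is what the walkthrough consumes: row 1 uses two of them, row 2 one, row 3 two, and the fifth value collides with the key inserted for row 1. With unseeded rand() the same model only fails on a fraction of runs, which is the "luck" the test results above show.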
Summary

All in all, in this error-based injection, rand(0), floor() and group by are all indispensable.
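Because the three building blocks are indispensable, their co-occurrence in a single request parameter is a usable triage signal on the defending side. The following added Python example (not code from this post) normalises each query-string value the way the database would eventually see it, with repeated URL-decoding, inline comments stripped, whitespace collapsed and lower-casing, and flags values that carry rand(, floor( and group by together. The access-log lines and their field layout are constructed samples; the injected values are just the article's own statement placed in a parameter.

```python
"""Flag the floor()/rand()/group by error-based pattern in request logs.

Added example for this article, not code from the post.  The log lines
below are constructed samples (client, method, path+query, status); the
suspicious values are the article's own statement, URL-encoded.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines.  Line 2 carries the article's
# statement; line 4 carries it double-encoded with a /**/ comment inside.
SAMPLE_LOG = """\
10.0.0.5 GET /item.php?id=1 200
10.0.0.7 GET /item.php?id=select%20count(*),concat(floor(rand(0)*2),%27@%27,(select%20version()))x%20from%20users%20group%20by%20x 500
10.0.0.9 GET /report.php?group=by%20region&rand=0&floor=2 200
10.0.0.11 GET /item.php?id=select%2520count(*)%252Cconcat(floor(rand()*2)%252C(select%2520version()))x%2520from%2520users%2520group/**/by%2520x 200
"""

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_WS = re.compile(r"\s+")

# The three pieces the article calls indispensable; all must appear in one value.
SIGNATURE = ("rand(", "floor(", "group by")


def normalise(value):
    """Decode a parameter value as the database would see it."""
    prev = None
    while prev != value:               # peel off double (or deeper) URL-encoding
        prev, value = value, unquote_plus(value)
    value = _COMMENT.sub(" ", value)   # group/**/by -> group by
    return _WS.sub(" ", value).lower()


def suspicious_params(path_and_query):
    """Names of query parameters whose value carries the whole signature."""
    query = urlsplit(path_and_query).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        norm = normalise(raw)
        if all(token in norm for token in SIGNATURE):
            hits.append(name)
    return hits


def scan_log(text):
    """Return (client, path, parameter names) for each flagged log line."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                   # not a well-formed sample line
        client, _method, target, _status = parts[:4]
        params = suspicious_params(target)
        if params:
            findings.append((client, urlsplit(target).path, params))
    return findings


if __name__ == "__main__":
    for client, path, params in scan_log(SAMPLE_LOG):
        print(f"{client} {path} suspicious params: {', '.join(params)}")
```

Line 3 is the reason the tokens are required in a single value with their parentheses: the words group, by, rand and floor spread over separate benign parameters do not match. A signature like this is only a cheap first filter and is easy to bypass with other rewritings, so it belongs next to the actual fixes: parameterised queries so that user input never becomes part of the statement, and generic error pages so that the database's duplicate-entry message, which is what carried version() out in 0x01, never reaches the client.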