tags:

views:

229

answers:

3
+7  Q: 

Can you explain this SQL injection?

The website i worked was recently attempted to be hacked by the following SQL injection script

boys' and 3=8 union 
select 1, 
concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30), char(9),0x252423),
3,4,5,6,7,8,9 

from `information_schema`.`tables` 

where table_schema=0x62646B3032 limit 44,1 -- And '8'='8

This injection returned the mysql table name. This was reported by the error reporting system on that website and we managed to fix that part however I am not able to understand what does the above injection mean?

Anyone can explain this?

Penuel

+6  A: 

They're using a select from the Information Schema views in mysql server :

http://dev.mysql.com/doc/refman/5.0/en/information-schema.html

They use some clever hacks to rout out simple sql injection prevention techniques.

brendan  2010-08-10 04:00:54
Although you use MySQL, both databases have information_schema tables (since MySQL 5).
SteveCav  2010-08-10 04:04:07
This is MySQL. Notice the backticks. But yes, MySQL has an information_schema "database" too.
cHao  2010-08-10 04:05:02
Thanks all, but what I am looking specifically values such as 0x232425 in the query. What is that doing?
Penuel  2010-08-10 04:08:09
0x232425 is a character string of three characters #$%. Perhaps it's an attempt to use script in which the web page is running, like PHP or ASP. The closing tag is these characters again in reverse.
YRH  2010-08-10 13:58:25
+3  A: 

According to this the MySQL concat()

Returns the string that results from concatenating the arguments. May have one or more arguments. If all arguments are nonbinary strings, the result is a nonbinary string. If the arguments include any binary strings, the result is a binary string. A numeric argument is converted to its equivalent binary string form

So 0x232425 is converted to #$% which is simply added to the begining and end of the table_name field. Maybe just to make it easier for them to pull out the Table names later using Regex.

Later on the char(9) is equivalent to a tab as you can see here and is just there to format the output nicer.

The 3,4,5,6,7,8,9 is just there so that the columns match the boys table that they are performing the Union on.

TooFat  2010-08-10 14:20:23
Thanks and great explanation.
Penuel  2010-08-11 04:28:36
+2  A: 
This injection returned the mysql table name.

Do you mean that your website displayed the table name when you gave it this input, or that the query returns that when run from the mysql client? If it showed on your website, then the attacker has the ability to inject much more harmful queries. Check your data.

Simon  2010-08-10 16:26:25
It showed the table name on our website. We realized the seriousness and we patched that part with input filters. We are also working on some global input filters so that even if programmers fail to check the input that input would be ignored by application automatically, forcing the programmers to check the input.
Penuel  2010-08-11 04:11:26

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP