Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
527 views
in Technique[技术] by (71.8m points)

mysql - Site has been hacked via SQL Injection

Recently my site was hacked via SQL injection. The hacker used the following query to get my DB name. I cannot understand this query they wrote.

Query:

=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

After the query was ran it showed an integer result, something like "74545883".

Can you explain how the query works?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

It looks like an overflow attack. They UNION-ed with your existing query. replacing all your %20 with (space) since its url-encoded yields:

=-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536-

break it down:

  1. the =-999.9 is just ending your current query
  2. 0x31303235343830303536 is NULL - they are just matching the number of columns in your existing query. If you had SELECT * FROM users and users had 4 columns, the UNION must also have 4 columns. As a result, they just used `NULL values to populate those columns.
  3. the real confusion is in the CONCAT(). They are combining 126, 39, database name as hex value, 39, and 126
  4. -- is a mysql comment - it ignores the rest of your query after

Judging from this attack, i suspect that you are not wrapping input in mysql_real_escape_string(), which allowed to attacked to jump out of your query and execute their own.

See owasp.org for more information.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...