
I understand the conceptual idea behind error-based SQLi, but not the actual execution.

In particular, I can't make sense of this expression:

or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

What's the reason for having "or 1", "floor(rand(0)*2)" and min(0)?

Kiuhnm
  • Do you know what the function "floor" does? Do you know that "or 1" is a common sqli snippet? – schroeder Jan 20 '15 at 00:51
  • @schroeder I know what floor does. I've seen "or 1=1", "or '1'='1", but never "or 1". – Kiuhnm Jan 20 '15 at 01:34
  • I'm experimenting a bit [here](http://sqlzoo.net/wiki/SELECT_.._WHERE). It seems that "or 1" is just "or true". I didn't know that. – Kiuhnm Jan 20 '15 at 13:49

1 Answer


Error-based SQLi relies on a bug found in MySQL concerning the GROUP BY statement (see here and here).

To trigger the bug one must follow the following rules:

  1. Use an aggregate function.
  2. GROUP BY a column that has two identical values on different rows.
  3. The output of the rand() function must appear in the column of point 2 above.

The string

or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

is injected in a WHERE clause, so or 1 (which is equivalent to or true) is used to cancel out the previous conditions and display as many rows as possible. This way, there should be at least two rows with the same value for floor(rand(0)*2). This takes care of points 2 and 3. We use floor() so that the values returned are just 0 or 1. If we were to use rand directly, it would be almost impossible to satisfy point 2.

We need having min(0) to take care of point 1.

Also, the instance of or 1 at the end of the query is useless and can be removed.

Kiuhnm
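As an added example (not part of the original answer), the following Python model reproduces the GROUP BY behaviour the answer relies on: MySQL evaluates the GROUP BY key once to look up a row's group and evaluates it again when it inserts a new group, and rand(0) is a seeded, repeatable sequence, so the key used for the insert can collide with one already in the temporary table. The version string is a constructed placeholder; the first floor(rand(0)*2) values are the ones MySQL yields for seed 0. It shows why at least three rows (hence the "or 1") are needed and why the error text carries the output of version().

```python
from typing import Dict, Iterable

# Constructed stand-in for version(); the real value is whatever the server reports.
VERSION = "x.y.z"

# First outputs of floor(rand(0)*2) in MySQL: rand(0) is seeded, so the
# sequence is the same on every run, which is what makes the error reliable.
RAND0_FLOOR2 = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1]


class DuplicateEntryError(Exception):
    """Stands in for MySQL error 1062, 'Duplicate entry ... for key group_key'."""


def group_by_temp_table(num_rows: int, key_values: Iterable[int]) -> Dict[str, int]:
    """Model MySQL's GROUP BY temporary table over num_rows rows.

    The GROUP BY key (concat_ws(0x3a, version(), floor(rand(0)*2))) is
    evaluated once to look up the row's group and, if the group is new,
    evaluated AGAIN when the group is inserted. Because rand() advances on
    every evaluation, the inserted key can differ from the looked-up one.
    """
    next_value = iter(key_values)
    groups: Dict[str, int] = {}
    for row in range(1, num_rows + 1):
        lookup_key = f"{VERSION}:{next(next_value)}"
        if lookup_key in groups:
            groups[lookup_key] += 1          # existing group: no second evaluation
            continue
        insert_key = f"{VERSION}:{next(next_value)}"   # new group: key re-evaluated
        if insert_key in groups:
            # The server reports the offending key verbatim, which is how the
            # result of version() ends up in an error message shown to the client.
            raise DuplicateEntryError(
                f"Duplicate entry '{insert_key}' for key 'group_key' (row {row})")
        groups[insert_key] = 1
    return groups


def triggers_error(num_rows: int) -> bool:
    """True if grouping num_rows rows with the seeded sequence raises the error."""
    try:
        group_by_temp_table(num_rows, RAND0_FLOOR2)
    except DuplicateEntryError:
        return True
    return False


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "row(s):", "error" if triggers_error(n) else group_by_temp_table(n, RAND0_FLOOR2))
```

With one or two rows the temporary table ends up holding a single group keyed "x.y.z:1", and the third row's re-evaluated insert key collides with it; a WHERE clause that filters the result down to fewer rows never reaches that point, which is the reason the injected string first widens the match with or 1.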