Like the guy in this thread: Error-based SQL injection, I understand the idea behind SQL error-based injection but not how it works on the MySQL server.

```sql
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
```

  • Because we are in a WHERE clause, the `or 1` is here to cancel the previous condition and display many rows.

  • `concat_ws()` is a function that takes the first argument as separator, and the other arguments are the ones concatenated using the separator.

  • `0x3a` is the hexadecimal for `:`, so the colon is the separator.

  • `version()` is kind of obvious: it displays the MySQL version.

  • `floor(rand(0)*2)` rounds the result of `rand(0)*2` downward to its nearest integer.

Now the big question is why this query displays:

`Duplicate entry '~'5.x.xx'~1' for key 1`

And what is that `having min(0)` for?

When I tried this using my computer: `select concat_ws(0x3a,version(),floor(rand(0)*2))`, the result is just

`5.6.24-0ubuntu2:0`

So how does the MySQL server interpret this query, and how does the duplicate thing work?

Thanks in advance.

Amat Erasu
  • Would be really nice if someone took time to hunt down the answer (Why is `having min(0)` resulting in a `Duplicate entry` error?) in the actual [source code](https://github.com/mysql/mysql-server). Does anyone know where to start looking in the source code? I [started to look around](https://github.com/mysql/mysql-server/search?utf8=%E2%9C%93&q=Duplicate+entry+language%3Ac%2B%2B&type=Code) in the code but it is so massive that I have a hard time finding anything. – Sawny Jul 12 '15 at 17:14
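
An added example, not part of the original post or of MySQL's own code: a simplified Python model of how grouping on `floor(rand(0)*2)` can end in a `Duplicate entry` error. It assumes the server evaluates the group key once to look the group up in its temporary table and a second time when it writes a new group row; `rand_stream` is a re-implementation of the seeded `RAND()` generator written for this illustration, and all function names are hypothetical.

```python
# Simplified model (an assumption, not MySQL source code) of GROUP BY on a
# non-deterministic key such as concat_ws(0x3a, version(), floor(rand(0)*2)).
MAX_VALUE = 0x3FFFFFFF


def rand_stream(seed):
    """Seeded RAND() values; generator layout is assumed for this example."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


class DuplicateEntry(Exception):
    """Raised when a new group row collides with the unique key."""


def group_by(row_count, key_expr):
    """Group rows in a temporary table with a unique index on the key.

    key_expr() is called once to look the group up and, if the group is
    missing, a second time when the new group row is written.
    """
    table = {}
    for _ in range(row_count):
        lookup_key = key_expr()
        if lookup_key in table:
            table[lookup_key] += 1      # existing group: update its counter
            continue
        stored_key = key_expr()         # second evaluation may differ
        if stored_key in table:
            raise DuplicateEntry(f"Duplicate entry '{stored_key}' for key 1")
        table[stored_key] = 1
    return table


def simulate(row_count, version="5.6.24-0ubuntu2"):
    """Return the grouped table, or the error text if grouping fails."""
    rnd = rand_stream(0)

    def key():
        # concat_ws(0x3a, version(), floor(rand(0)*2))
        return f"{version}:{int(next(rnd) * 2)}"

    try:
        return group_by(row_count, key)
    except DuplicateEntry as exc:
        return str(exc)
```

In this model the grouping finishes without error for fewer than three rows. The version string reaches a client only when the application returns the raw database error.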

0 Answers