Recently my site was hacked via SQL injection. The hacker used the following query to get my DB name. I cannot understand this query they wrote.
Query:
=-999.9%20UNION%20ALL%20SELECT%20concat(0x7e,0x27,Hex(cast(database()%20as%20char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--
After the query was run it showed an integer result, something like "74545883".
Can you explain how the query works?
It looks like an overflow attack. They UNION-ed with your existing query. Replacing all your %20 with (space), since it's URL-encoded, yields:
=-999.9 UNION ALL SELECT CONCAT(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--
Break it down:
=-999.9 is just ending your current query.
0x31303235343830303536 is NULL - they are just matching the number of columns in your existing query. If you had SELECT * FROM users and users had 4 columns, the UNION must also have 4 columns. As a result, they just used NULL values to populate those columns.
CONCAT(). They are combining 126, 39, the database name as a hex value, 39, and 126.
-- is a MySQL comment - it ignores the rest of your query after it.
Judging from this attack, I suspect that you are not wrapping input in mysql_real_escape_string(), which allowed the attacker to jump out of your query and execute their own.
See owasp.org for more information.
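A runnable walk-through of the mechanics discussed above, added here as an illustration; it is not code from the question or the answer. It uses Python's sqlite3 module instead of MySQL, so a few substitutions are assumptions: a constructed four-column products table standing in for the site's real table, sqlite_version() standing in for MySQL's database(), char(126)||char(39)||... standing in for CONCAT(0x7e,0x27,...), and the integer 1025480056 as the column filler (MySQL reads the hex literal 0x31303235343830303536 as the string '1025480056'; any value with the right column count would do). The function names vulnerable_lookup, naive_escape, safe_lookup and decode_marker are mine. Two things the example shows that the text only implies: the payload contains no quote or backslash at all, so escaping the value does nothing when it is spliced unquoted into a numeric comparison, and the "integer-looking" output is simply the leaked name hex-encoded between ~' and '~ markers.

```python
import sqlite3

# Constructed sample schema standing in for the hacked site's table. The page
# never shows the real table, so the four-column layout is an assumption; what
# matters is that the attacker's UNION has to supply the same column count.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price REAL, stock INTEGER);
        INSERT INTO products VALUES (1, 'widget', 9.99, 10);
        INSERT INTO products VALUES (2, 'gadget', 19.99, 3);
        """
    )
    return conn

# The decoded payload from the question, translated to SQLite (assumptions):
#   MySQL database()        -> sqlite_version()   (the value being leaked)
#   CONCAT(0x7e,0x27,...)   -> char(126)||char(39)||...  ('~' and "'" markers)
#   0x31303235343830303536  -> 1025480056  (MySQL reads that hex literal as the
#                              string '1025480056'; it only fills columns 2-4)
# Note the payload contains no quote or backslash anywhere.
PAYLOAD = (
    "-999.9 UNION ALL SELECT "
    "char(126)||char(39)||hex(sqlite_version())||char(39)||char(126),"
    "1025480056,1025480056,1025480056--"
)

def vulnerable_lookup(conn: sqlite3.Connection, id_param: str) -> list:
    """The bug: the request parameter is spliced straight into the SQL text.
    The trailing 'AND stock > 0' is what the attacker's -- comments out."""
    sql = ("SELECT id, name, price, stock FROM products WHERE id="
           + id_param + " AND stock > 0")
    return conn.execute(sql).fetchall()

def naive_escape(value: str) -> str:
    """Stand-in for quote escaping of the mysql_real_escape_string() kind
    (assumption: only quotes and backslashes are handled here)."""
    return value.replace("\\", "\\\\").replace("'", "''")

def safe_lookup(conn: sqlite3.Connection, id_param: str) -> list:
    """The fix: bind the value. Whatever the string contains, it is compared
    against id as one value and never becomes part of the SQL."""
    sql = "SELECT id, name, price, stock FROM products WHERE id=? AND stock > 0"
    return conn.execute(sql, (id_param,)).fetchall()

def decode_marker(cell: str) -> str:
    """What the attacker does with the output: find the ~'...'~ markers in the
    page and hex-decode the text between them."""
    if not (cell.startswith("~'") and cell.endswith("'~")):
        raise ValueError("no marker found in output")
    return bytes.fromhex(cell[2:-2]).decode()

def sqlite_version_string() -> str:
    """The value the injected SELECT leaks in this example (stands in for the
    database name)."""
    return sqlite3.sqlite_version

if __name__ == "__main__":
    conn = make_db()
    print("normal   :", vulnerable_lookup(conn, "1"))
    rows = vulnerable_lookup(conn, PAYLOAD)
    print("injected :", rows)
    print("leaked   :", decode_marker(rows[0][0]))
    # Escaping changes nothing because there is nothing to escape.
    print("escaped  :", vulnerable_lookup(conn, naive_escape(PAYLOAD)))
    print("bound    :", safe_lookup(conn, PAYLOAD))
```

Running it, the injected query returns exactly one row (the -999.9 half of the UNION matches nothing, which is why the attacker chose it), the first column is the hex-encoded version string wrapped in the markers, and the escaped payload still injects because it never contained a character the escaper touches. Only the bound version is inert. In PHP the equivalent is a prepared statement (mysqli or PDO) or, for a numeric id, casting the input with (int) before it goes anywhere near the query.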