BIGINT Overflow Error Based SQL Injection

In MySQL 5.5+ you can abuse a new feature with BIGINT values. This involves a problem called integer rollover and your ability to run arbitrary SQL.

The problem of integer rollover

Integer rollover happens when a number is too big or small and is made bigger/smaller.

In the case where the number is the highest possible stored value adding to it makes it larger and it becomes as small as it can. Similarly when the number is too small and it has something subtracted from it it becomes very large.

This is down to how the number is represented in binary where it tries to make the value bigger/smaller and it “rolls over”. This is typically undesired behavior but in many languages this happens silently. Previously this was something you checked for manually however newer languages are starting to check and raise errors for this.

How MySQL is affected by this

Now in MySQL versions 5.5 or later instead of silently wrapping around it will raise an error and fail. This is considered better than silently making your number radically different.

 

If the website displays the mysql error directly, it will report back the result of the query that caused the rollaround. If a site incorrectly does this and allows unsanitized input to be sent to the database this allows you to craft a query and view the results.

By creating a subquery for the request and guessing table names you can pull out any data in the database. Worse is that this works for the information schema so you are able to get the data you need by querying this. Having full access to the database can mean that you can then download sensitive information.

Fixing this exploit

Here the exploit is stopped by properly escaping user input which is something that many websites still forget to do. In addition since this requires viewing the data in the returned error turning off error reporting would stop this bug, but not stop the ability to insert data via a subquery. Even in the case that the error is not shown back, being able to insert data may allow privilege escalation.

The full exploit including example code is available online and includes example code and the full explanation. This is another example of why is it critically important to sanitize input from users.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.