
The example below comes from sqli-lab. In MySQL's docs (comment syntax), "-- " (a double dash followed by at least one whitespace character) begins a line comment. It does work in some situations, actually.

My question is how it works in the example here, and why it can list all records of the 'users' table. Can you give some ideas about its mechanism? Thanks!

mysql> select username, password from users where username = '' --+ '';
+----------+------------+
| username | password   |
+----------+------------+
| Dumb     | Dumb       |
| Angelina | I-kill-you |
| Dummy    | p@ssword   |
| secure   | crappy     |
| stupid   | stupidity  |
| superman | genious    |
| batman   | mob!le     |
| admin    | admin      |
| admin1   | admin1     |
| admin2   | admin2     |
| admin3   | admin3     |
| dhakkan  | dumbo      |
| admin4   | admin4     |
+----------+------------+
  • "It does work in some situation actually." Can you clarify this? Where is this not working, when is it not working? – Blue Aug 07 '16 at 18:42
  • @FrankerZ It is really clear if you try it .. --+ returns all rows .. (seems a strange behavior) but --+ is not a comment sequence – ScaisEdge Aug 07 '16 at 19:36
  • I have posted a possible explanation of your question – ScaisEdge Aug 07 '16 at 19:43

1 Answer


Actually @scaisEdge is right: '--+' in MySQL (interactive command line) is NOT a comment. This usage is normally meant for URL encoding (a space in the query part of a URL may be encoded as '+' or '%20').

In this case, '--+' is just 2 types of operators, plus and minus: one '-' followed by one '-' and one '+' sign. So this sequence is equal to:

select username, password from users where username = '' - '';

Original:
mysql> select username, password from users where username = '' --+ '';
+----------+------------+
| username | password   |
+----------+------------+
| Dumb     | Dumb       |
| Angelina | I-kill-you |
| Dummy    | p@ssword   |
| secure   | crappy     |
...

Now:
mysql> select username, password from users where username = '' - '';
+----------+------------+
| username | password   |
+----------+------------+
| Dumb     | Dumb       |
| Angelina | I-kill-you |
| Dummy    | p@ssword   |
| secure   | crappy     |
...

You can see the results are the same.

Secondly, '' equals the INTEGER 0 here. In MySQL, any field without a valid integer equates to 0.

mysql> select '' = 0;
+--------+
| '' = 0 |
+--------+
|      1 |
+--------+

mysql> select '0s28' = 0;
+------------+
| '0s28' = 0 |
+------------+
|          1 |
+------------+

mysql> select '8s28' = 0;
+------------+
| '8s28' = 0 |
+------------+
|          0 |
+------------+

mysql> select '8s28' = 8;
+------------+
| '8s28' = 8 |
+------------+
|          1 |
+------------+

====Type Conversion====

mysql> select '12s' + 3;
+-----------+
| '12s' + 3 |
+-----------+
|        15 |
+-----------+

mysql> select 's52s6' + 3;
+-------------+
| 's52s6' + 3 |
+-------------+
|           3 |
+-------------+

mysql> select 's8' + 3;
+----------+
| 's8' + 3 |
+----------+
|        3 |
+----------+

So '' - '' means 0 - 0, which is still 0.

Meanwhile, the column USERNAME doesn't have any name that starts with a valid numeric character (other than 0), so all the names equal 0 and match the condition 'where username = 0'.

mysql> select 'Dumb' = 0;
+------------+
| 'Dumb' = 0 |
+------------+
|          1 |
+------------+

To verify this conclusion, we can insert a record whose username starts with an integer, like '4love'. You will see all records are listed except the new one.

A similar question is here: mySQL returns all rows when field=0
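The two mechanisms discussed in the answer above (the '+' in '--+' being URL-decoded to a space only when the payload travels through an HTTP query string, and MySQL coercing a string column to a number when it is compared with an integer) can be modelled offline. The script below is an added example, not code from the question, the answer or sqli-labs. `mysql_str_to_num` is my approximation of MySQL's string-to-DOUBLE conversion (leading whitespace, optional sign, a numeric prefix, everything after it ignored), and the `USERS` table is constructed sample data that mirrors the rows shown above plus the '4love' row the answer suggests inserting.

```python
"""
Added example, not part of the original question or answer.

1. A web server URL-decodes '+' in a query string to a space, so the payload
   "' --+" reaches MySQL as "' -- ", a valid line comment.  Typed directly into
   the mysql client nothing is decoded, and "--+" is parsed as arithmetic.

2. In `WHERE username = 0` MySQL compares a string column with an integer, so
   each username is converted to a DOUBLE using its leading numeric prefix;
   strings with no numeric prefix become 0.  mysql_str_to_num() approximates
   that rule and is NOT MySQL's own code.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample data: (username, password), mirroring the page plus '4love'.
USERS = [
    ("Dumb", "Dumb"),
    ("Angelina", "I-kill-you"),
    ("Dummy", "p@ssword"),
    ("secure", "crappy"),
    ("admin", "admin"),
    ("4love", "constructed"),   # starts with a non-zero digit: coerces to 4, not 0
]

# Optional leading whitespace, optional sign, digits with optional fraction,
# optional exponent.  Whatever follows the prefix is discarded (MySQL warns
# "Truncated incorrect DOUBLE value" but still uses the prefix).
_NUM_PREFIX = re.compile(r"^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?")


def mysql_str_to_num(s: str) -> float:
    """Approximate MySQL's string -> DOUBLE coercion in string/number comparisons."""
    m = _NUM_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def decode_payload_as_web_server(raw_query_value: str) -> str:
    """What the application (and therefore MySQL) sees after HTTP form decoding."""
    return unquote_plus(raw_query_value)


def rows_matching_numeric_compare(users, value: float):
    """Model `WHERE username = <number>`: coerce every username, then compare."""
    return [username for username, _ in users if mysql_str_to_num(username) == value]


def evaluate_cli_condition(left: str, right: str) -> float:
    """Model `left --+ right` typed into the mysql client: binary '-', unary '-', unary '+'."""
    return mysql_str_to_num(left) - (-(+mysql_str_to_num(right)))


if __name__ == "__main__":
    payload = "' --+"
    print(f"web server decodes {payload!r} to {decode_payload_as_web_server(payload)!r}")
    print(f"'' --+ '' in the CLI evaluates to {evaluate_cli_condition('', '')}")
    print(f"usernames matching `username = 0`: {rows_matching_numeric_compare(USERS, 0)}")
```

Running it shows '4love' is the only username left out of the `username = 0` match, which is the check the answer proposes. Two practical notes: the URL-decoding step is why '--+' works in sqli-labs over HTTP but not in the interactive client (there you would type '-- ' or '#'), and the coercion step is a reminder that comparing a string column against a numeric literal is itself a bug; parameterised queries with a string parameter keep both the comment trick and the coercion from applying.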
