mysql sqlmap

fingerprinting the database with sqlmap


I have MySQL 5.1.58 and I executed the following command for fingerprinting the database with sqlmap:

python sqlmap.py -d "mysql://root:password@localhost:3306/northwind" --fingerprint

The output is

[12:26:35] [INFO] the back-end DBMS is MySQL
[12:26:35] [INFO] actively fingerprinting MySQL
[12:26:35] [INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0
           comment injection fingerprint: MySQL 5.1.58

First of all, what is a comment injection?

Then I also printed the payload, which includes queries like these:

SELECT (CASE WHEN (9427=9427/*!50158 AND 7430=2815*/) THEN 1 ELSE 0 END)

that returns 0 for me, and

SELECT (CASE WHEN (9427=9427/*!50159 AND 7430=2815*/) THEN 1 ELSE 0 END)

that returns 1.

I understand that 50158 corresponds to my database version, but why do I get 0 in the first case and 1 in the second?


Solution

  • I found an answer in https://dev.mysql.com/doc/refman/8.0/en/comments.html

    MySQL Server supports some variants of C-style comments. These enable you to write code that includes MySQL extensions, but is still portable, by using comments of the following form:

    /*! MySQL-specific code */
    

    In this case, MySQL Server parses and executes the code within the comment as it would any other SQL statement, but other SQL servers will ignore the extensions. For example, MySQL Server recognizes the STRAIGHT_JOIN keyword in the following statement, but other servers will not:

    SELECT /*! STRAIGHT_JOIN */ col1 FROM table1,table2 WHERE ...
    

    If you add a version number after the ! character, the syntax within the comment is executed only if the MySQL version is greater than or equal to the specified version number. The KEY_BLOCK_SIZE keyword in the following comment is executed only by servers from MySQL 5.1.10 or higher:

    CREATE TABLE t1(a INT, KEY (a)) /*!50110 KEY_BLOCK_SIZE=1024 */;
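The version-comment rule quoted from the manual is exactly what makes the two payloads in the question behave differently: on a 5.1.58 server, `/*!50158 AND 7430=2815*/` is executed (50158 >= 50158), so the whole condition becomes `9427=9427 AND 7430=2815`, which is false; `/*!50159 ... */` is skipped (the server is below 5.1.59), leaving only `9427=9427`, which is true. Repeating that probe for different numbers turns the server into a boolean oracle for "is your version >= NNNNN?", which is how a comment-injection fingerprint pins down the exact version. The following is an added, self-contained Python example (not sqlmap's code, and not from the question or the answer) that simulates the rule with a constructed in-memory oracle and then binary-searches the version with it; `fake_mysql_oracle`, `payload` and `fingerprint_version` are hypothetical names, and against a real server the oracle would be a function that sends `SELECT (CASE WHEN (<cond>) THEN 1 ELSE 0 END)` through a database driver and returns the integer.

```python
import re

# Added example (not sqlmap's code): simulation of the /*!NNNNN ... */
# version-comment fingerprint. The MySQL server is replaced by a constructed
# in-memory oracle that applies the manual's rule: the comment body is
# executed only if the server version is >= NNNNN.

VERSIONED_COMMENT = re.compile(r"/\*!(\d{5})(.*?)\*/", re.S)


def mysql_version_number(version: str) -> int:
    """Encode 'major.minor.patch' the way MySQL numbers /*!NNNNN */: 5.1.58 -> 50158."""
    major, minor, patch = (int(x) for x in version.split("."))
    return major * 10000 + minor * 100 + patch


def version_from_number(n: int) -> str:
    """Inverse of mysql_version_number: 50158 -> '5.1.58'."""
    return f"{n // 10000}.{(n // 100) % 100}.{n % 100}"


def expand_versioned_comments(sql: str, server_version: str) -> str:
    """Keep the body of /*!NNNNN body*/ if server >= NNNNN, otherwise drop the comment."""
    server = mysql_version_number(server_version)

    def replace(m):
        required = int(m.group(1))
        return m.group(2) if server >= required else ""

    return VERSIONED_COMMENT.sub(replace, sql)


def fake_mysql_oracle(server_version: str):
    """Return a boolean oracle standing in for a MySQL server of the given version.

    It evaluates only the conditions used by the probes below (integer
    equalities joined by AND, e.g. '9427=9427 AND 7430=2815') and returns
    1 or 0 like SELECT (CASE WHEN (<cond>) THEN 1 ELSE 0 END) would.
    """

    def query(condition: str) -> int:
        effective = expand_versioned_comments(condition, server_version)
        terms = [t.strip() for t in effective.split(" AND ")]
        true = all(int(a) == int(b) for a, b in (t.split("=") for t in terms))
        return 1 if true else 0

    return query


def payload(version_number: int) -> str:
    """sqlmap-style probe: the comment body turns a true condition false, so the
    query returns 0 exactly when the comment is executed (server >= version_number)."""
    return f"9427=9427/*!{version_number:05d} AND 7430=2815*/"


def fingerprint_version(oracle, low: int = 30000, high: int = 99999) -> str:
    """Binary-search the highest NNNNN whose comment body still executes.

    oracle(payload(n)) is 0 for every n <= the real version and 1 above it,
    so the predicate is monotone and about 17 probes give the exact version.
    """
    while low < high:
        mid = (low + high + 1) // 2
        if oracle(payload(mid)) == 0:   # comment executed -> server >= mid
            low = mid
        else:                           # comment ignored  -> server < mid
            high = mid - 1
    return version_from_number(low)


if __name__ == "__main__":
    # Constructed stand-in for the asker's 5.1.58 server.
    oracle = fake_mysql_oracle("5.1.58")
    for n in (50158, 50159):
        print(payload(n), "->", oracle(payload(n)))
    print("fingerprinted version:", fingerprint_version(oracle))
```

Run as-is, the two probes reproduce the 0 and 1 from the question and the search returns `5.1.58`. The simulated oracle is deliberately tiny; the part worth keeping when you point this at a real database is `fingerprint_version`, which only needs a callable that returns the CASE expression's integer. sqlmap's own fingerprint code is organised differently and is not reproduced here.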