Thread: SELECT of pseudo hex value gives unexpected result

From: Gunnar "Nick" Bluth

Hi,

I found this in an SQL-injection attempt today:
union select 0x5e73266725,0x5e73266725[,...],0x5e73266725;

Tried
SELECT 0x5e73266725;

and received:
-[ RECORD 1 ]--
x5e73266725 | 0

That was not what I expected... is this expected/documented behaviour?

Thx in advance!
--
Gunnar "Nick" Bluth
RHCE/SCLA

Mobil   +49 172 8853339
Email: gunnar.bluth@pro-open.de
__________________________________________________________________________
In 1984 mainstream users were choosing VMS over UNIX.  Ten years later
they are choosing Windows over UNIX.  What part of that message aren't you
getting? - Tom Payne



Re: SELECT of pseudo hex value gives unexpected result

From: Tom Lane

"Gunnar \"Nick\" Bluth" <gunnar.bluth@pro-open.de> writes:
> Tried
> SELECT 0x5e73266725;

> and received:
> -[ RECORD 1 ]--
> x5e73266725 | 0

> That was not what I expected... is this expected/documented behaviour?

Well, there are no hex literals in (PG's notion of) SQL, so that isn't
a valid token.  But it's the concatenation of two valid tokens.  So
what you wrote is the same as

SELECT 0 x5e73266725;

which is an abbreviation for

SELECT 0 AS x5e73266725;

and that's the result you got.

I think that the SQL standard considers adjacent tokens to be invalid
unless one of them is punctuation (e.g. 1+2), but our lexer is a bit
less rigid about that.

            regards, tom lane
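
The token split described in the message above, as an added example (not part of the original thread, and not PostgreSQL's scanner code): a simplified Python tokenizer that finds a number glued to an identifier, shows the literal-plus-alias reading, and reports the bytes a dialect with 0x hex literals would have read, which helps when triaging such probes in query logs. The token rules, the function names and the three-column sample statement are assumptions constructed for illustration.

```python
import re

# Simplified token rules modelling the behaviour described in the thread:
# digits form an integer literal, and an identifier may follow with no
# whitespace in between. Assumption: this is NOT PostgreSQL's real scanner.
TOKEN_RE = re.compile(
    r"(?P<int>\d+)|(?P<ident>[A-Za-z_][A-Za-z_0-9]*)"
    r"|(?P<punct>[,;()*=+-])|(?P<ws>\s+)"
)
# An alias that looks like the tail of a 0x literal: 'x' plus whole hex bytes.
HEX_ALIAS_RE = re.compile(r"x((?:[0-9a-f]{2})+)\Z")


def tokenize(sql):
    """Return (kind, text, start_offset) for every non-whitespace token."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unsupported character at offset {pos}: {sql[pos]!r}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(), pos))
        pos = m.end()
    return tokens


def glued_aliases(sql):
    """Find an integer literal directly followed by an identifier.

    Returns (source_text, literal, alias, hex_bytes); hex_bytes is what a
    dialect with 0x literals would have read, or None if it is not 0x<hex>.
    """
    hits = []
    toks = tokenize(sql)
    for (k1, t1, p1), (k2, t2, p2) in zip(toks, toks[1:]):
        if k1 == "int" and k2 == "ident" and p2 == p1 + len(t1):
            alias = t2.lower()  # unquoted identifiers are folded to lower case
            m = HEX_ALIAS_RE.match(alias) if t1 == "0" else None
            raw = bytes.fromhex(m.group(1)) if m else None
            hits.append((t1 + t2, t1, alias, raw))
    return hits


# Constructed sample: the probe from the first message, written with three columns.
SAMPLE = "union select 0x5e73266725,0x5e73266725,0x5e73266725;"

if __name__ == "__main__":
    for src, lit, alias, raw in glued_aliases(SAMPLE):
        print(f"{src}: read as {lit} AS {alias}; hex-literal reading: {raw!r}")
```
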


Re: SELECT of pseudo hex value gives unexpected result

From: Laurenz Albe

Gunnar "Nick" Bluth wrote:
> Tried
> SELECT 0x5e73266725;
> 
> and received:
> -[ RECORD 1 ]--
> x5e73266725 | 0
> 
> That was not what I expected... is this expected/documented behaviour?

Looks like you don't need a space between a number literal and
the column alias.

I don't see any problem with that.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com



Re: SELECT of pseudo hex value gives unexpected result

From: Gunnar "Nick" Bluth

On 29.01.2019 at 17:39, Tom Lane wrote:
> "Gunnar \"Nick\" Bluth" <gunnar.bluth@pro-open.de> writes:
>> Tried
>> SELECT 0x5e73266725;

[...]

> SELECT 0 AS x5e73266725;
>
> and that's the result you got.

Well, yeah, _that_ was pretty obvious. I just didn't expect it to happen...

> I think that the SQL standard considers adjacent tokens to be invalid
> unless one of them is punctuation (e.g. 1+2), but our lexer is a bit
> less rigid about that.

It kind of comforts me that it's at least not defined like that in the
standard ;-)

Cheers anyway!
--
Gunnar "Nick" Bluth
RHCE/SCLA

Mobil   +49 172 8853339
Email: gunnar.bluth@pro-open.de
__________________________________________________________________________
In 1984 mainstream users were choosing VMS over UNIX.  Ten years later
they are choosing Windows over UNIX.  What part of that message aren't you
getting? - Tom Payne

