Can you explain this SQL injection?

Question

The website i worked was recently attempted to be hacked by the following SQL injection script

boys' and 3=8 union 
select 1, 
concat(0x232425,ifnull(`table_name`,0x30),char(9),ifnull(`table_rows`,0x30), char(9),0x252423),
3,4,5,6,7,8,9 

from `information_schema`.`tables` 

where table_schema=0x62646B3032 limit 44,1 -- And '8'='8

This injection returned the mysql table name. This was reported by the error reporting system on that website and we managed to fix that part however I am not able to understand what does the above injection mean?

Anyone can explain this?

Penuel

Answer 1

This injection returned the mysql table name.

Do you mean that your website displayed the table name when you gave it this input, or that the query returns that when run from the mysql client? If it showed on your website, then the attacker has the ability to inject much more harmful queries. Check your data.

Answer 2

According to this the MySQL concat()

Returns the string that results from concatenating the arguments. May have one or more arguments. If all arguments are nonbinary strings, the result is a nonbinary string. If the arguments include any binary strings, the result is a binary string. A numeric argument is converted to its equivalent binary string form

So 0x232425 is converted to #$% which is simply added to the begining and end of the table_name field. Maybe just to make it easier for them to pull out the Table names later using Regex.

Later on the char(9) is equivalent to a tab as you can see here and is just there to format the output nicer.

The 3,4,5,6,7,8,9 is just there so that the columns match the boys table that they are performing the Union on.

Answer 3

They're using a select from the Information Schema views in mysql server :

http://dev.mysql.com/doc/refman/5.0/en/information-schema.html

They use some clever hacks to rout out simple sql injection prevention techniques.