MySQL Question

Strange query when execute SHOW FULL PROCESSLIST;

When I execute

SHOW FULL PROCESSLIST;


By mysql admin user
I always see this line :

select * from user where email='' AND (SELECT * FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(email AS CHAR),0x20) FROM admin_new.`user` ORDER BY email LIMIT 105,1),5,1))>102,0,5)))))ylrK) AND 'ncED'='ncED'


each time is different

select * from user where email='' AND (SELECT * FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(email AS CHAR),0x20) FROM admin_new.`user` ORDER BY email LIMIT 106,1),4,1))>96,0,5)))))rePG) AND 'xuFI'='xuFI'


what is that?
is it normal?
how can i found it in my script?

Answer

It means that your site is vulnerable to SQL injection and you are seeing an exploit in action.

Basically this query is investigating your database structure, to let the attacker the information about table and column names. After learning it they can try to extract the information they need.

Apparently the leak is where select * from user where email= is used.

In case you are using PHP, refer to this question to learn how to protect your code from SQL injection: How can I prevent SQL-injection in PHP?

Comments