Strange query when execute SHOW FULL PROCESSLIST;

Question

When I execute

SHOW FULL PROCESSLIST;

By mysql admin user I always see this line :

select * from user where email='' AND (SELECT * FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(email AS CHAR),0x20) FROM admin_new.`user` ORDER BY email LIMIT 105,1),5,1))>102,0,5)))))ylrK) AND 'ncED'='ncED'

each time is different

select * from user where email='' AND (SELECT * FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(email AS CHAR),0x20) FROM admin_new.`user` ORDER BY email LIMIT 106,1),4,1))>96,0,5)))))rePG) AND 'xuFI'='xuFI'

what is that? is it normal? how can i found it in my script?

score 2 · Accepted Answer · edited May 23 '17 at 11:51

2

It means that your site is vulnerable to SQL injection and you are seeing an exploit in action.

Basically this query is investigating your database structure, to let the attacker the information about table and column names. After learning it they can try to extract the information they need.

Apparently the leak is where select * from user where email= is used.

In case you are using PHP, refer to this question to learn how to protect your code from SQL injection: How can I prevent SQL injection in PHP?

edited May 23 '17 at 11:51

Community

1
1

answered Aug 24 '16 at 15:39

Your Common Sense

156,878
40
214
345

You are right , select * from user was only in one page , I forbid it , and it fixed , – محمد علی پور فتحکوهی Aug 24 '16 at 15:43
is there a way to see what attacker did? @Your Common Sense – محمد علی پور فتحکوهی Aug 24 '16 at 15:45
1

As I said above, this is investigating query, that extracts the information about your database structure. So I would tell that nothing harmful is done yet. But it could be not the first attack though. – Your Common Sense Aug 24 '16 at 15:47

Strange query when execute SHOW FULL PROCESSLIST;

1 Answers1