0x01 Preface
Today I listened to some senior colleagues exchanging their experience in vulnerability hunting. They mentioned LIMIT injection, so I decided to learn about it.
0x02 Knowledge Introduction
LIMIT
LIMIT [offset,] row_count
The parameter in square brackets is optional. The offset tells the MySQL query analyzer which row to start displaying from, and it is 0-based: the first record has offset 0, the second record has offset 1, and so on. The second parameter, row_count, is the number of records to return.
The effect is self-explanatory (screenshot not reproduced here).
BENCHMARK
The benchmark function takes two parameters: the first is the number of executions, the second is the function or expression to be tested.
For example, benchmark(10000000,sha1(1))
means executing the sha1 function 10,000,000 times, which increases the MySQL workload and causes a delay, somewhat similar to a multi-table join (Cartesian product).
As shown in the screenshot (not reproduced here), about 10,000,000 executions cause a delay of more than 3 seconds.
0x03 limit injection
Example: select * from limittest limit 1,[controllable point] or select ... limit [controllable point]
The only keywords that can be appended after LIMIT are INTO and PROCEDURE. INTO can be used to write files, which this article does not cover.
After LIMIT, you can use the PROCEDURE ANALYSE() clause,
and only the extractvalue and benchmark functions can be used inside it to produce a delay:
procedure analyse(updatexml(rand(),concat(0x3a,benchmark(10000000,sha1(1)))),1)
As shown in the screenshot (not reproduced here).
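As an added example (not code from the original post), here is the defender's side of the technique above: a hardened LIMIT builder that only lets plain non-negative integers reach the SQL text, and a classifier that flags queries from a MySQL general log whose LIMIT clause is followed by PROCEDURE ANALYSE or INTO, with the benchmark/extractvalue/updatexml delay functions as a stronger signal. The log lines are constructed for the example.

```python
import re

# Constructed sample queries in the shape of MySQL general-log statements
# (not taken from the original post, apart from the payload it shows).
SAMPLE_QUERIES = [
    "select * from limittest limit 1,5",
    "select * from limittest limit 1,5 procedure analyse("
    "updatexml(rand(),concat(0x3a,benchmark(10000000,sha1(1)))),1)",
    "select * from limittest limit 0,10 into outfile '/tmp/x.txt'",
    "select id from limittest where id = 3 limit 1",
]

# The only keywords MySQL accepts after the numeric LIMIT arguments are
# PROCEDURE and INTO, so either one directly after LIMIT n[,m] is a red flag.
LIMIT_TAIL = re.compile(
    r"\blimit\s+\d+(\s*,\s*\d+)?\s+(procedure\s+analyse|into\s+(outfile|dumpfile))\b",
    re.IGNORECASE,
)
# Functions used inside ANALYSE() to force a delay or an error.
DELAY_FUNCS = re.compile(
    r"\b(benchmark|sleep|extractvalue|updatexml)\s*\(", re.IGNORECASE
)


def classify_query(query: str) -> str:
    """Return 'limit-injection', 'suspicious-limit-tail' or 'ok' for one query."""
    if LIMIT_TAIL.search(query):
        return "limit-injection" if DELAY_FUNCS.search(query) else "suspicious-limit-tail"
    return "ok"


def scan_log(queries):
    """Classify every query; anything other than 'ok' deserves a look."""
    return [(q, classify_query(q)) for q in queries]


def parse_limit_param(raw: str) -> int:
    """Accept only a plain decimal string; reject '1 procedure ...', '-1', '5_0', etc."""
    value = raw.strip()
    if not re.fullmatch(r"\d{1,9}", value):
        raise ValueError(f"rejected LIMIT parameter: {raw!r}")
    return int(value)


def build_limit(raw_offset: str, raw_count: str) -> str:
    """Hardened LIMIT construction: user input never reaches the SQL text unvalidated."""
    return f"LIMIT {parse_limit_param(raw_offset)},{parse_limit_param(raw_count)}"


if __name__ == "__main__":
    for query, verdict in scan_log(SAMPLE_QUERIES):
        print(f"{verdict:24} {query}")
```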
0x04 Script batch detection
My idea is to use the PoC to test the id parameter of each collected URL and see whether there is a delay.