Blind injection ideas and solutions for order by statements on Zhongguancun online website (figure)

Comments: Detailed description of the order by statement on the Zhongguancun online website. Let's take a look at the blind note based on the order by content in the following article:
Detailed description:
For http://active.zol.com.cn/diy/bisai.php? Mont_h = 2009-05 & id = 12 & type = 15 & order = zj_vote + desc for security detection.
Failed to try numeric injection.
However, if you see zj_vote + desc, you may be able to use it here.
No injection was found by scanning it with a tool. Because order by cannot be included before mysql union.
But is there no way to inject the content in order?
I don't have to worry about it.
Some attempts were made to find that order by can be blind.
This method depends on the database results and must contain a column that is known to have different values.
However, since the order by field in the program, the field must have multiple values theoretically. For example, the zj_vote field in this example.
 
Proof of vulnerability:

Check the sorting. The difference between 236 and 239 is 3. I constructed an abs (zj_vote-237-(expr) asc.
(Expr) is false, (239-237-0) = 2, (236-237-0) = 1,236 row front,
When (expr) is true, (239-237-1) = 1, (236-237-1) = 2,239 rows front,
You may say that the difference between 236 and 239 is 3, of course, simple. What if the difference is 2?
For example, what should I do with 236 and 238?
Don't sell off the customs, tell you directly, he is not a difference 2, you can use abs (zj_vote-236-(expr) * 3) ah
 
Http://active.zol.com.cn/diy/bisai.php? Mont_h = 2009-05 & id = 12 & type = 15 & order = abs (zj_vote-237-(length (user ()> 20) + asc
 

 
 
Http://active.zol.com.cn/diy/bisai.php? Mont_h = 2009-05 & id = 12 & type = 15 & order = abs (zj_vote-237-(length (user () = 20) + asc
 
 
 
 
Solution:

Make an array that can be combined by the allowed sorting method, and pass the array subscript of the sorting method by the sorting method.
If you want to directly upload fields, you can also check whether the sorting method is in the array. If not, the default sorting method is used. It is safe.

Author XiaoYu