当前位置：网站首页>Infiltration learning - problems encountered during SQL injection - explanation of sort=left (version(), 1) - understanding of order by followed by string

Infiltration learning - problems encountered during SQL injection - explanation of sort=left (version(), 1) - understanding of order by followed by string

2022-06-27 22:28:00 【dfzy$_$】

Problem scenario ：

This is mainly to explain some problems encountered in my shooting range , That is to say sqllibs Of Less46 Off use sort=left（version（）,1） The reason why it can still be echoed normally , And right order by Followed by a string varchar Character types can also be interpreted normally .

Cause analysis ：

Yes left This function is in order by After the explanation ：

First , Here is the main explanation left(version(),1） Here means to take from the left version（） First digit of value , in other words version（）=5.7.26 Words , that left This will be equal to 5.

And here's the thing to note , The resulting value here , When placed in order by Then there is a string type （ namely varchar type ）, That is to say, it is equivalent to order by “5” In this form . therefore , Whether it's mid left still right All that comes out is “ String of numeric content ”, Sorting it still uses character rules , Will not get the result we want .

Yes order by Understanding of the following string ：
Suppose we take order by "5" To execute , that mysql Will literally mean “ By number 5 Sort ”, Instead of sorting by the fifth column in the table （order by 5 It means sorting by the fifth column ）.

If you are sorting by character rules , This is not going to happen MySQL（ Unless some versions are improved ） Generate the correct sort in , Except by chance . If nothing else is done （ Such as addition, deletion and modification ） Words , This will be sorted according to the sort table in the disk （ That is, the order in which data is read from the disk . This should be determined by the default read mode of the file system or disk ）.

That is, no matter what you type in the string , Sorting is basically the default .

Input "5":
Insert picture description here
Input "less38"
Input 1
Input left(version(),1)：
As can be seen from the above , No matter what string you enter , The sorting is the same , because order by Sorting by character set is invalid ,mysql At this point, the disk order table will be sorted by default .