Summary of the “order by” clause as used in MySQL injections
What is the “order by” injection?
The content discussed here concerns the situation where the ORDER BY clause of a query is controllable, that is, where an order parameter is passed by the client straight into that clause.
Analyzing simple injection
In early injection work, the ORDER BY clause was commonly used to quickly determine the number of columns in a query, together with UNION SELECT statements that echo data back. During a test, the tester modifies the value of the order parameter, for example raising it to a larger integer, and determines the number of columns in the query from whether the page still echoes results normally.
When the column name is unknown, the column number can be used to refer to the corresponding column. However, testing shows that arithmetic on that number does not behave the same way: order=3-1 and order=2 do not produce the same result.
Constructing payloads further
The judgment above is not conclusive on its own; we need to construct payloads analogous to “and 1=1” and “and 1=2” in order to inject and extract data.
Further use of rand
Using the rand function achieves a similar effect: the difference between the two cases is observed as a different sort order of the results rather than as a different number of rows.
Using errors
In some cases the column name cannot be known, and the difference between the two requests is also less obvious to judge. The following takes an IF statement as an example.
Return multiple records
Use regexp
Use updatexml
Use extractvalue
Time-based blind
Note that if if(1=2,1,SLEEP(2)) is placed directly in the ORDER BY clause, the sleep time becomes 2 seconds multiplied by the number of records in the current table, because the expression is evaluated for every row; likewise, executing functions such as BENCHMARK(1000000,100100) there will cause a degree of denial of service on the server.
Guessing data
Take guessing user(), i.e. root@localhost, as an example. Since only one character can be guessed at a time, SUBSTR, SUBSTRING, MID, left and right can be used to split the string precisely at each position. The extracted value is then compared using operators such as =, like and regexp. Note that like is not case sensitive.
From the following it can be learned that the first character of user() is r, whose ASCII code in hexadecimal is 0x72:
Guessing the table names in the current database:
Guessing the column names of a specified table:
Suggested fix
The root of the problem is that the attacker can directly reference data objects through the passed parameter, and thereby learn how the application is built. This kind of problem falls under OWASP 2013 A4 (Insecure Direct Object References). Common fixes are as follows:
- Filter with a regular expression: allow only letters, digits and underscores to appear in the field name.
- Whitelist approach, i.e. indirect object reference: the front end passes a reference number or string, and the back end maps it through an array to the real column. This hides the database data dictionary and avoids the harm of direct references.
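As an added example (not code from the original article), the following Python sketch implements both fixes: a regular-expression filter on the field name and an indirect whitelist mapping from a client key to the real column. The users table, its column names and the ORDER_MAP keys are assumed for illustration; the direction is also restricted to a fixed allowlist.

```python
import re
from typing import Optional

# Hypothetical indirect-reference table: the client sends a short key and the
# back end resolves it to the real column, so the data dictionary stays server-side.
ORDER_MAP = {
    "1": "id",
    "2": "created_at",
    "name": "username",
}

# Regular-expression filter for the case where a column name itself is accepted:
# letters, digits and underscores only, and it must not start with a digit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
ALLOWED_COLUMNS = {"id", "username", "created_at"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def order_by_indirect(order: str, direction: str = "asc") -> Optional[str]:
    """Whitelist / indirect-reference fix: resolve a client key to a real column."""
    column = ORDER_MAP.get(order)
    sql_dir = ALLOWED_DIRECTIONS.get(direction.lower())
    if column is None or sql_dir is None:
        return None  # unknown key or direction: reject the request
    return f"ORDER BY `{column}` {sql_dir}"


def order_by_filtered(order: str, direction: str = "asc") -> Optional[str]:
    """Regex-filter fix: accept only an identifier-shaped name that is also a known column."""
    sql_dir = ALLOWED_DIRECTIONS.get(direction.lower())
    if not IDENT_RE.fullmatch(order) or order not in ALLOWED_COLUMNS or sql_dir is None:
        return None  # "3-1", "rand()" and "if(...)" all fail the identifier check
    return f"ORDER BY `{order}` {sql_dir}"


def build_query(order: str, direction: str = "asc") -> str:
    """Assemble the full query; fall back to a fixed default ordering when input is rejected."""
    clause = order_by_indirect(order, direction) or "ORDER BY `id` ASC"
    return f"SELECT id, username, created_at FROM users {clause}"
```

Rejected input never reaches the SQL string in either variant; the query text is built only from server-side constants.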