A summary of the “order by” clause in MySQL injection
What is “order by” injection?
The discussion here concerns the case where the ORDER BY clause is attacker-controllable, i.e. the `order` parameter is user-controlled, as in:
Analyzing a simple injection
In early-style injection, the order by clause was widely used to quickly guess the number of columns in the table, in combination with union select statements to get results echoed back. During testing, the tester modifies the value of the order parameter, for example raising it to a larger integer, and then judges from the echoed result how many columns the table contains.
In this case the column name is not known, so the corresponding column is referenced by its column number. After testing, however, we cannot always perform this operation; for example, the result for order=2 is not the same.
Constructing the payload further
The judgement above is not conclusive, so we need to construct a payload similar to and 1=2 in order to extract data.
Using the rand function can achieve a similar effect: one observes whether the sort results are the same or not.
Using errors
In some cases the column name cannot be known, and it is also not intuitive to judge the difference between the two requests; the following uses an IF statement as an example.
Returning multiple records
Note that if if(1=2,1,SLEEP(2)) is used directly, the sleep time becomes 2 seconds multiplied by the number of records in the current table, because the expression is evaluated once per row; likewise, executing functions such as BENCHMARK(1000000,100100) will cause a denial-of-service effect on the server.
Guessing data
Taking root@localhost as an example: since only one guess can be made at a time, right can be used to split the string precisely, one character position at a time. Comparison operations such as regexp can then be used. Note here that like is not case sensitive.
From the following, the hexadecimal ASCII code of the first character of user() is:
Guessing the table names in the current database:
Guessing the column names in a specified table:
The root problem is that the attacker can pass a direct reference to a data object and use it to probe and understand the application. This class of problem falls under OWASP Top 10 2013 A4 (Insecure Direct Object References). Common fixes are as follows:
- Filter the parameter with a regular expression: only letters, digits and underscores are allowed to appear in the field name.
- Use a whitelist, i.e. an indirect object reference. The front end passes a reference number or string, and the back end maps it through an array. This hides the database data dictionary and avoids the harm of direct references.
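As an added example (not code from the original article), the two fixes above in Python: a regular-expression filter on the field name, and a whitelist that maps an opaque key from the client to the real column. The table and column names are hypothetical.

```python
import re

# Fix 1: syntactic filter. Only letters, digits and underscores may appear,
# so payloads such as "1 and 1=2", "rand()" or "if(1=2,1,SLEEP(2))" are
# rejected before they ever reach the query.
FIELD_RE = re.compile(r"^[A-Za-z0-9_]+$")


def order_clause_filtered(order_param):
    if not FIELD_RE.match(order_param):
        raise ValueError("invalid order field")
    return f"ORDER BY `{order_param}`"


# Fix 2: whitelist / indirect object reference. The client sends only a key;
# the server maps it to the real column, so column names never leave the
# application and anything outside the map is refused.
ORDER_MAP = {  # hypothetical columns, constructed for this example
    "1": "created_at",
    "2": "price",
    "name": "title",
}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def order_clause_mapped(order_param, direction="asc"):
    column = ORDER_MAP.get(order_param)
    sort_dir = DIRECTIONS.get(direction.lower())
    if column is None or sort_dir is None:
        raise ValueError("unknown order key or direction")
    return f"ORDER BY `{column}` {sort_dir}"


def build_query(order_param, direction="asc"):
    # The only user-influenced part of the query is a value taken from ORDER_MAP.
    return "SELECT id, title, price FROM products " + order_clause_mapped(order_param, direction)
```

The regular-expression filter still lets a bare integer through, which MySQL interprets as a column position (the probing technique described above), so the mapping approach is the stronger of the two.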