
(SQL injection) sqli-lab 15: ununderstandable behavior in WHERE clause

I am learning SQL injection, and I set up the sqli-lab environment (Windows + PHP + MySQL 5.5.53) on my computer.

I encountered two problems when I was solving the sqli-lab 15. The source code in this question is below:

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
  1. When I submitted the POST data uname=1' or sleep(3)%23&password=2 to the URL http://127.0.0.1/sqli-labs/Less-15/, the response was delayed about 13.18 secs, where 3 secs was expected. Why did this happen?
  2. In my previous knowledge, when the condition before and is true, the statement after and is executed. After I posted the data uname=1' and sleep(3)%23&password=2, the result was returned immediately, as expected. But when I used sqlmap to test this URL, I found the sqlmap payload was like this: uname=1' and (SELECT * FROM (SELECT(SLEEP(2)))IkiC)%23&passwd=2, and the sleep function was executed exactly. So why did this happen? (There is no uname 1 in the table users.)

I found the answer to question 2:

SQL executes the innermost subquery first, and then the next level. The results of the subquery are the query conditions of the primary query. So in this case, the query sequence is subquery -> primary query.

The answer comes from: In which sequence are queries and sub-queries executed by the SQL Engine
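
The lab query from the question, next to a bound-parameter form, as an added example that is not part of the original post or of sqli-labs. Assumptions: SQLite stands in for MySQL, `sleep` is a registered stub that counts evaluations instead of delaying, the three table rows are constructed, and the payload ends in `-- ` because SQLite has no `#` comment.

```python
import sqlite3

# Constructed payload: the question's "1' or sleep(3)#" with an SQLite comment marker.
PAYLOAD = "1' or sleep(3)-- "

def make_db():
    """Constructed stand-in for the lab's users table, plus a call log for sleep()."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("Dumb", "Dumb"), ("Angelina", "I-kill-you"), ("Dummy", "p@ssword")])
    calls = []

    def sleep_stub(seconds):
        # Record the evaluation instead of delaying; return 0 as MySQL's SLEEP() does.
        calls.append(seconds)
        return 0

    db.create_function("sleep", 1, sleep_stub)
    return db, calls

def login_concat(db, uname, passwd):
    # Same construction as the lab source: input is pasted into the SQL text,
    # so a quote in uname ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{uname}' and password='{passwd}' LIMIT 0,1")
    return db.execute(sql).fetchone()

def login_bound(db, uname, passwd):
    # Hardened form: values are bound as parameters and are only ever compared as strings.
    sql = ("SELECT username, password FROM users "
           "WHERE username=? and password=? LIMIT 0,1")
    return db.execute(sql, (uname, passwd)).fetchone()

def count_sleep_calls(login, uname, passwd="2"):
    """Run one login attempt on a fresh database; return (row, times sleep() was evaluated)."""
    db, calls = make_db()
    row = login(db, uname, passwd)
    db.close()
    return row, len(calls)

if __name__ == "__main__":
    for fn in (login_concat, login_bound):
        row, n = count_sleep_calls(fn, PAYLOAD)
        print(f"{fn.__name__}: row={row}, sleep() evaluated {n} time(s)")
```

In the concatenated query the stub is evaluated once for every scanned row whose username does not match, while the bound query never evaluates it because the whole input is treated as a username value.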
